np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

690418:1638 Refactor Infra gitea
CI / CD Pipeline / build (push) Has been cancelled
Details
CI / CD Pipeline / deploy (push) Has been cancelled
Details

Browse Source
This commit is contained in:
admin
2026-04-18 16:38:04 +07:00
parent 8b658e8530
commit 29a6509c58
36 changed files with 1824 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files
specs/04-Infrastructure-OPS/README.md
+27 -9
View File
@@ -1,8 +1,8 @@
# Infrastructure & Operations (OPS) Guide
**Project:** LCBP3-DMS
**Version:** 1.8.0
**Last Updated:** 2026-02-23
**Version:** 1.8.9 (Infrastructure Hardening)
**Last Updated:** 2026-04-18
---
@@ -12,12 +12,17 @@ This directory (`04-Infrastructure-OPS/`) serves as the single source of truth f
It consolidates what was previously split across multiple operations and specification folders into a cohesive set of manuals for DevOps, System Administrators, and On-Call Engineers.
> **🔒 v1.8.9 Infrastructure Hardening (Apr 2026):**
> Full Docker Compose security pass completed — 27 findings (C1C6, H1H7, M1M9, L1L5, S1S4) addressed.
> All secrets externalized, container hardening applied, auth enforced on Mongo + Registry. See `04-00-docker-compose/SECURITY-MIGRATION-v1.8.6.md` for the full runbook.
---
## 📂 Document Index
| File | Purpose | Key Contents |
| --------------------------------------------------------------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| **[04-00-docker-compose/](./04-00-docker-compose/)** | 🔒 **Compose Stacks** | Production compose files for all QNAP + ASUSTOR stacks. See [04-00-docker-compose/README.md](./04-00-docker-compose/README.md) + `SECURITY-MIGRATION-v1.8.6.md` |
| **[04-01-docker-compose.md](./04-01-docker-compose.md)** | Core Environment Setup | `.env` configs, Blue/Green Docker Compose, MariaDB & Redis optimization, **Appendix A: Live QNAP configs** (MariaDB, Redis/ES, NPM, Gitea, n8n) |
| **[04-02-backup-recovery.md](./04-02-backup-recovery.md)** | Disaster Recovery | RTO/RPO strategies, QNAP to ASUSTOR backup scripts, Restic/Mysqldump config |
| **[04-03-monitoring.md](./04-03-monitoring.md)** | Observability | Prometheus metrics, AlertManager rules, Grafana alerts |
@@ -27,14 +32,25 @@ It consolidates what was previously split across multiple operations and specifi
| **[04-07-incident-response.md](./04-07-incident-response.md)** | Escalation | P0-P3 classifications, incident commander roles, Post-Incident Review |
| **[🚀 04-08-release-management-policy.md](./04-08-release-management-policy.md)** | Release Policy | SemVer, Git Flow, 5 Release Gates, Hotfix Process, Rollback Policy, CI/CD Pipeline |
### 🐳 Live Docker Compose Files (QNAP)
### 🐳 Live Docker Compose Files (v1.8.9)
| File | Application | Path on QNAP |
| ------------------------------------------------------ | ---------------------------------------------- | ----------------------------- |
| **[docker-compose-app.yml](./docker-compose-app.yml)** | `lcbp3-app` (backend + frontend) | `/share/np-dms/app/` |
| **[lcbp3-monitoring.yml](./lcbp3-monitoring.yml)** | `lcbp3-monitoring` (Prometheus, Grafana, etc.) | `/volume1/np-dms/monitoring/` |
| **[lcbp3-registry.yml](./lcbp3-registry.yml)** | `lcbp3-registry` (Docker Registry) | `/volume1/np-dms/registry/` |
| **[grafana/](./grafana/)** | Grafana dashboard JSON configs | Imported via Grafana UI |
ทั้งหมดย้ายมาอยู่ใต้ [`04-00-docker-compose/`](./04-00-docker-compose/) แล้ว พร้อม hardening (secrets ผ่าน `env_file`, `read_only`, `cap_drop`, healthchecks, resource limits, auth บน Mongo + Registry):
| Stack | File | Path on NAS |
| ----- | ---- | ----------- |
| **App** (backend + frontend + clamav) | `QNAP/app/docker-compose-app.yml` | `/share/np-dms/app/` |
| **Database** (mariadb + pma) | `QNAP/mariadb/docker-compose-lcbp3-db.yml` | `/share/np-dms/mariadb/` |
| **Services** (redis + elasticsearch) | `QNAP/service/docker-compose.yml` | `/share/np-dms/services/` |
| **Reverse Proxy** (npm + landing) | `QNAP/npm/docker-compose.yml` | `/share/np-dms/npm/` |
| **Git** (gitea) | `QNAP/gitea/docker-compose.yml` | `/share/np-dms/git/` |
| **Automation** (n8n + tika + docker-socket-proxy) | `QNAP/n8n/docker-compose.yml` | `/share/np-dms/n8n/` |
| **Chat** (mongodb + rocketchat) | `QNAP/rocketchat/docker-compose.yml` | `/share/np-dms/rocketchat/` |
| **Monitoring Exporters** (node-exporter + cadvisor) | `QNAP/monitoring/docker-compose.yml` | `/share/np-dms/monitoring/` |
| **Registry** (registry + registry-ui, htpasswd auth) | `ASUSTOR/registry/docker-compose.yml` | `/volume1/np-dms/registry/` |
| **Gitea Runner** (act_runner) | `ASUSTOR/gitea-runner/docker-compose.yml` | `/volume1/np-dms/gitea-runner/` |
| **Monitoring Stack** (prometheus + grafana + loki + promtail + uptime-kuma) | `ASUSTOR/monitoring/docker-compose.yml` | `/volume1/np-dms/monitoring/` |
ไฟล์เสริม: [`x-base.yml`](./04-00-docker-compose/x-base.yml) (shared YAML anchors), [`.env.template`](./04-00-docker-compose/.env.template) (ตัวแบบ secrets), per-stack `.env.example` ในแต่ละ folder.
---
@@ -44,3 +60,5 @@ It consolidates what was previously split across multiple operations and specifi
2. **Infrastructure as Code**: No manual unscripted changes. Modify the `docker-compose.yml` specs and `.env.production` templates directly.
3. **Automated Backups**: Backups must be validated automatically using the ASUSTOR pulling mechanism in `04-02`.
4. **Actionable Alerts**: No noisy monitoring. Prometheus alerts in `04-03` should route to Slack/PagerDuty only when action is required.
5. **🔒 Secret Hygiene (v1.8.9)**: No secrets in git — use `env_file: .env` (gitignored) per stack. Rotate any secret that appeared in history. Roadmap: Docker Swarm secrets → Infisical / Vault / SOPS (see `04-00-docker-compose/README.md` §S1).
6. **Container Hardening (ADR-016 + M4)**: All app containers must set `security_opt: [no-new-privileges:true]`, `cap_drop: [ALL]`, non-root `user:`, and `read_only: true` where compatible. Pin every image tag — no `:latest` in production.