From 486bf3b9a4ac30f63d9afb7042d5a9aae3ecc8f9 Mon Sep 17 00:00:00 2001
From: admin
Date: Tue, 21 Apr 2026 13:33:12 +0700
Subject: [PATCH] feat(infra-ops): finalize infrastructure configurations before merge

- Update ASUSTOR gitea-runner and registry configurations
- Add environment examples for registry services
- Clean up MariaDB configuration files
- Prepare for merge to main branch
---
 lcbp3.code-workspace | 2 +-
 .../ASUSTOR/gitea-runner/.env.example | 4 ++
 .../gitea-runner/docker-compose-bak.yml | 21 ++++++
 .../ASUSTOR/gitea-runner/docker-compose.yml | 4 +-
 .../ASUSTOR/registry/.env.example | 1 +
 .../ASUSTOR/registry/docker-compose-bak.yml | 70 +++++++++++++++++++
 .../ASUSTOR/registry/docker-compose.yml | 28 +++++---
 ...-lcbp3-db-clean.yml => docker-compose.yml} | 18 ++--
 8 files changed, 127 insertions(+), 21 deletions(-)
 create mode 100644 specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/.env.example
 create mode 100644 specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose-bak.yml
 create mode 100644 specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose-bak.yml
 rename specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/{docker-compose-lcbp3-db-clean.yml => docker-compose.yml} (87%)

diff --git a/lcbp3.code-workspace b/lcbp3.code-workspace
index 0d30310..a45ff08 100644
--- a/lcbp3.code-workspace
+++ b/lcbp3.code-workspace
@@ -28,7 +28,7 @@
 "editor.rulers": [80, 120],
 "editor.minimap.enabled": true,
 "editor.minimap.sectionHeaderFontSize": 12,
- "editor.renderWhitespace": "selection",
+ "editor.renderWhitespace": "none",
 // "editor.renderWhitespace": "boundary",
 "editor.renderControlCharacters": true,
 "editor.bracketPairColorization.enabled": true,
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/.env.example b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/.env.example
new file mode 100644
index 0000000..b212d7c
--- /dev/null
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/.env.example
@@ -0,0 +1,4 @@
+# Gitea
+GITEA_INSTANCE_URL=https://git.np-dms.work
+GITEA_RUNNER_REGISTRATION_TOKEN=FGaSCT79PmMg8cDy0Ltqt1yaLzs8D4MRMFAE3jCh
+GITEA_RUNNER_NAME=asustor-runner
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose-bak.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose-bak.yml
new file mode 100644
index 0000000..05ca584
--- /dev/null
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose-bak.yml
@@ -0,0 +1,21 @@
+# File: /volume1/np-dms/gitea-runner/docker-compose.yml
+# Deploy on: ASUSTOR AS5403T
+# เชื่อมต่อกับ Gitea บน QNAP ผ่าน Domain URL
+
+version: "3.8"
+
+services:
+ runner:
+ image: gitea/act_runner:latest
+ container_name: gitea-runner
+ restart: always
+ environment:
+ # ใช้ Domain URL เพื่อเชื่อมต่อ Gitea ข้ามเครื่อง (QNAP)
+ - GITEA_INSTANCE_URL=https://git.np-dms.work
+ - GITEA_RUNNER_REGISTRATION_TOKEN=FGaSCT79PmMg8cDy0Ltqt1yaLzs8D4MRMFAE3jCh
+ - GITEA_RUNNER_NAME=asustor-runner
+ # Label ต้องตรงกับ runs-on ใน deploy.yaml
+ - GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:18-bullseye,self-hosted:docker://node:18-bullseye
+ volumes:
+ - /volume1/np-dms/gitea-runner/data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose.yml
index 933a05b..9b8b162 100644
--- a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose.yml
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose.yml
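Review bot: `GITEA_RUNNER_REGISTRATION_TOKEN=FGaSCT79PmMg8cDy0Ltqt1yaLzs8D4MRMFAE3jCh` in the new `.env.example` is a concrete token value rather than a placeholder, and the same value is repeated under `environment:` in the new `gitea-runner/docker-compose-bak.yml` hunk that follows. An example file should ship an empty or obviously fake value such as `GITEA_RUNNER_REGISTRATION_TOKEN=<paste token from Gitea admin>`, and because this value is now in history it should be treated as exposed and regenerated in Gitea once the branch lands. The `-bak.yml` copy additionally runs `gitea/act_runner:latest` (the live `docker-compose.yml` in this commit pins `0.4.0`) and mounts `/var/run/docker.sock`, which gives the runner container control of the host Docker daemon; if the backup is kept in the repository it should at least not carry live credentials.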
@@ -14,11 +14,11 @@ x-logging: &default_logging
 options:
 max-size: '10m'
 max-file: '5'
-
+name: lcbp3-gitea-runner
 services:
 runner:
 <<: *default_logging
- image: gitea/act_runner:0.2.11
+ image: gitea/act_runner:0.4.0
 container_name: gitea-runner
 restart: unless-stopped
 extra_hosts:
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/.env.example b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/.env.example
index 1ea9f4c..384035a 100644
--- a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/.env.example
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/.env.example
@@ -1,2 +1,3 @@
 REGISTRY_ADMIN_USER=admin
 REGISTRY_ADMIN_PASSWORD=
+REGISTRY_HTTP_SECRET=
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose-bak.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose-bak.yml
new file mode 100644
index 0000000..bbbacb7
--- /dev/null
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose-bak.yml
@@ -0,0 +1,70 @@
+# File: /volume1/np-dms/registry/docker-compose.yml
+# DMS Container v1.8.0: Application name: lcbp3-registry
+# Deploy on: ASUSTOR AS5403T
+# Services: registry, portainer
+# ============================================================
+# ⚠️ ข้อกำหนด:
+# - ต้องสร้าง Docker Network ก่อน: docker network create lcbp3
+# - Registry ใช้ Port 5000 (domain: registry.np-dms.work)
+# - Portainer ใช้ Port 9443 (domain: portainer.np-dms.work)
+# ============================================================
+x-restart: &restart_policy
+ restart: unless-stopped
+
+x-logging: &default_logging
+ logging:
+ driver: 'json-file'
+ options:
+ max-size: '10m'
+ max-file: '5'
+
+networks:
+ lcbp3:
+ external: true
+
+services:
+ # 1. Docker Registry Engine
+ registry:
+ <<: [*restart_policy, *default_logging]
+ image: registry:2
+ container_name: registry
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 256M
+ environment:
+ TZ: 'Asia/Bangkok'
+ REGISTRY_STORAGE_DELETE_ENABLED: 'true'
+ # เพิ่มความปลอดภัยเบื้องต้น (ถ้าต้องการ) หรือจัดการเรื่อง CORS
+ # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry-ui.np-dms.work]'
+ # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
+ # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
+ ports:
+ - "5000:5000"
+ volumes:
+ - '/volume1/np-dms/registry/data:/var/lib/registry'
+ healthcheck:
+ test: ["CMD", "bin/registry", "garbage-collect", "--dry-run", "/etc/docker/registry/config.yml"] # Check config/binary readiness
+ interval: 1m
+ timeout: 10s
+ retries: 3
+ networks:
+ - lcbp3
+
+ # 2. Registry Browser UI
+ registry-ui:
+ <<: [*restart_policy, *default_logging]
+ image: joxit/docker-registry-ui:latest
+ container_name: registry-ui
+ ports:
+ - "8880:80"
+ environment:
+ - REGISTRY_TITLE=LCBP3-DMS Local Registry
+ - REGISTRY_URL=http://registry:5000
+ - SINGLE_REGISTRY=true
+ - DELETE_IMAGES=true # ยอมให้กดลบจากหน้า UI ได้
+ depends_on:
+ - registry
+ networks:
+ - lcbp3
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose.yml
index 8fe80b9..e64a310 100644
--- a/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose.yml
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose.yml
@@ -26,7 +26,7 @@ x-logging: &default_logging
 options:
 max-size: '10m'
 max-file: '5'
-
+name: lcbp3-registry
 networks:
 lcbp3:
 external: true
@@ -45,9 +45,8 @@ services:
 reservations:
 cpus: '0.1'
 memory: 64M
-
 env_file:
- - .env
+ - /share/np-dms/registry/.env
 environment:
 TZ: 'Asia/Bangkok'
 # --- Storage ---
@@ -57,15 +56,17 @@ services:
 REGISTRY_AUTH: 'htpasswd'
 REGISTRY_AUTH_HTPASSWD_REALM: 'NP-DMS Registry'
 REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
- security_opt:
- - no-new-privileges:true
+ REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET}
+ # security_opt:
+ # - no-new-privileges:true
 ports:
 - '5000:5000'
 volumes:
 - '/volume1/np-dms/registry/data:/var/lib/registry'
 - '/volume1/np-dms/registry/auth:/auth:ro'
 healthcheck:
- test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:5000/v2/']
+ # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:5000/v2/']
+ test: ["CMD", "nc", "-z", "localhost", "5000"]
 interval: 30s
 timeout: 10s
 retries: 3
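Review bot: The new `registry/docker-compose-bak.yml` publishes `5000:5000` with `REGISTRY_STORAGE_DELETE_ENABLED: 'true'` and no `REGISTRY_AUTH*` settings, so anyone who can reach that port can push to and delete from the registry; the live `registry/docker-compose.yml` changed in this same commit requires htpasswd auth, so the backup sits below the baseline the project otherwise applies. Checking a deployable compose file in under a `-bak` name invites running `docker compose -f` against the wrong file; if it must stay, a first line such as `# ARCHIVED — superseded by docker-compose.yml, do not deploy` and a non-`.yml` extension would make that harder. Its `healthcheck` also runs `bin/registry garbage-collect --dry-run` every minute, which exercises storage rather than the HTTP listener; the `wget --spider http://localhost:5000/v2/` probe the live file had is the more meaningful readiness signal.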
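Review bot: `env_file` now points at the absolute host path `/share/np-dms/registry/.env`, while every other host path in this ASUSTOR file (`/volume1/np-dms/registry/data`, `/volume1/np-dms/registry/auth`) lives under `/volume1`; `/share/...` is the layout the QNAP mariadb file in this commit uses. If that file does not exist on the ASUSTOR host, compose refuses to start the service, so either the path should read `- /volume1/np-dms/registry/.env` or a comment above it should say why the env file is read from a different share. Note also that `env_file:` only feeds the container; the `${REGISTRY_HTTP_SECRET}` interpolation in the next hunk is resolved by compose from the project directory's `.env` or the caller's shell, so relocating this file does not make that variable available to interpolation.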
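Review bot: `REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET}` has no required-guard, so when the variable is unset or left blank as in the updated `.env.example` the registry starts with an empty HTTP secret instead of failing; the mariadb file in this same commit already uses the `${DB_PASSWORD:?DB_PASSWORD required}` form, so `REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET:?REGISTRY_HTTP_SECRET required}` would be consistent and fail fast. Commenting out `security_opt: - no-new-privileges:true` drops a hardening setting without a stated reason; if it was blocking something, a comment naming the symptom belongs next to the commented lines, otherwise the two lines should be restored. The new `nc -z localhost 5000` probe only proves the TCP listener is open, whereas the replaced `wget --spider .../v2/` proved the registry answered HTTP; if the switch was made because `/v2/` now returns 401 under htpasswd auth, a probe that accepts any HTTP status, e.g. `test: ["CMD-SHELL", "wget -q -S --spider http://localhost:5000/v2/ 2>&1 | grep -q 'HTTP/' || exit 1"]`, keeps the stronger check. The commented-out previous `test:` line should be deleted rather than kept as dead configuration.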
@@ -88,17 +89,26 @@ services:
 - '8880:80'
 environment:
 TZ: 'Asia/Bangkok'
- REGISTRY_TITLE: 'NP-DMS Registry'
- REGISTRY_URL: 'http://registry:5000'
+ REGISTRY_TITLE: ${DMS_REGISTRY_TITLE}
+ # REGISTRY_URL: 'http://registry:5000'
+ NGINX_PROXY_PASS_URL: 'http://registry:5000'
 SINGLE_REGISTRY: 'true'
 DELETE_IMAGES: 'true'
+ # --- เพิ่มส่วนนี้เพื่อให้ UI คุยกับ Registry ที่มี Auth ได้ ---
+ # 1. อนุญาตให้ UI ส่งคำขอแบบมี Credentials
+ NGINX_PROXY_PASS_PARAMS: 'proxy_set_header Authorization $$http_authorization; proxy_pass_header Authorization;'
+ # 2. กรณีต้องการให้ UI จำรหัสผ่าน (Basic Auth) ไว้เลย (ใช้ค่าจาก .env)
+ REGISTRY_USER: ${DMS_REGISTRY_ADMIN_USER}
+ REGISTRY_PASSWORD: ${DMS_REGISTRY_ADMIN_PASSWORD}
+
 depends_on:
 registry:
 condition: service_healthy
 networks:
 - lcbp3
 healthcheck:
- test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
+ # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
+ test: ["CMD-SHELL", "wget --spider -q http://localhost/ || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose-lcbp3-db-clean.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose.yml
similarity index 87%
rename from specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose-lcbp3-db-clean.yml
rename to specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose.yml
index e7bcbc8..09fafa7 100644
--- a/specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose-lcbp3-db-clean.yml
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose.yml
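Review bot: The variables introduced here, `${DMS_REGISTRY_TITLE}`, `${DMS_REGISTRY_ADMIN_USER}` and `${DMS_REGISTRY_ADMIN_PASSWORD}`, do not match the names the updated `registry/.env.example` defines (`REGISTRY_ADMIN_USER`, `REGISTRY_ADMIN_PASSWORD`, `REGISTRY_HTTP_SECRET`, and no title variable), so with that file as the project `.env` each of them interpolates to an empty string and the unquoted `REGISTRY_TITLE:` becomes null. Either rename them to the existing names or add the `DMS_` names to the example, and guard the credential ones the way the mariadb file does, e.g. `REGISTRY_USER: ${DMS_REGISTRY_ADMIN_USER:?DMS_REGISTRY_ADMIN_USER required}`. If the image honours `REGISTRY_USER`/`REGISTRY_PASSWORD` as the comment intends, the UI authenticates upstream as the registry admin account with `DELETE_IMAGES: 'true'`, so anyone who can reach port 8880 acts as admin; a dedicated htpasswd entry for the UI, and fronting the UI with NPM as the mariadb header describes for PMA, would keep the admin credential out of the browser-facing path. The `$$http_authorization` spelling is correct, since compose turns `$$` into a literal `$` before nginx sees it.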
@@ -1,9 +1,11 @@
-# File: /share/np-dms/mariadb/docker-compose-lcbp3-db.yml
-# DMS Container v1.8.6 : Application name: lcbp3-db, Service: mariadb, pma
+# File: /share/np-dms/mariadb/docker-compose.yml
+# DMS Container v1.8.6 :
+# Application name: lcbp3-db
+# Service: mariadb pma
 # ============================================================
-# SECURITY (ADR-016, Tier-1):
+# 🔒 SECURITY (ADR-016, Tier-1):
 # - root user / app user must use different passwords (least privilege)
-# - host port 3306 bind only to 127.0.0.1 - other services use DNS 'mariadb:3306'
+# - host port 3306 bind only to 127.0.0.1 — other services use DNS 'mariadb:3306'
 # - PMA must be accessed via NPM (https://pma.np-dms.work) only
 # - set .env in same folder:
 # DB_ROOT_PASSWORD, DB_PASSWORD, NPM_DB_PASSWORD, GITEA_DB_PASSWORD, N8N_DB_PASSWORD
@@ -17,9 +19,7 @@ x-logging: &default_logging
 options:
 max-size: '10m'
 max-file: '5'
-
 name: lcbp3-db
-
 services:
 mariadb:
 <<: [*restart_policy, *default_logging]
@@ -45,9 +45,9 @@ services:
 MARIADB_USER: 'center'
 MARIADB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD required}
 TZ: 'Asia/Bangkok'
- # bind only to loopback for backup/migration on host - not exposed to LAN
+ # bind only to loopback for backup/migration on host — not exposed to LAN
 ports:
- - '127.0.0.1:3306:3306'
+ - '3306:3306'
 networks:
 - lcbp3
 volumes:
@@ -78,7 +78,7 @@ services:
 PMA_ABSOLUTE_URI: 'https://pma.np-dms.work/'
 UPLOAD_LIMIT: '1G'
 MEMORY_LIMIT: '512M'
- # M7: pma accessible only via NPM (https://pma.np-dms.work) - do not publish port 89 to LAN
+ # M7: pma accessible only via NPM (https://pma.np-dms.work) — do not publish port 89 to LAN
 expose:
 - '80'
 networks:
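Review bot: `- '3306:3306'` replaces `'127.0.0.1:3306:3306'` in the third hunk and binds MariaDB on every host interface, while the comment one line above still reads `bind only to loopback for backup/migration on host — not exposed to LAN` and the header rewritten in the first hunk still lists `host port 3306 bind only to 127.0.0.1` as an ADR-016 Tier-1 requirement. Either the binding is a mistake and should return to `- '127.0.0.1:3306:3306'` (other containers reach it over the `lcbp3` network as `mariadb:3306`, as the header says), or the comment and the security section must be updated to state the new exposure and why it is accepted; as committed, the file documents a control it no longer implements. The commit message mentions only cleaning up the MariaDB files, so I assume the exposure change is unintended.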