feat(infra-ops): finalize infrastructure configurations before merge

- Update ASUSTOR gitea-runner and registry configurations
- Add environment examples for registry services
- Clean up MariaDB configuration files
- Prepare for merge to main branch

lcbp3.code-workspace

@@ -28,7 +28,7 @@
     "editor.rulers": [80, 120],
     "editor.minimap.enabled": true,
     "editor.minimap.sectionHeaderFontSize": 12,
-    "editor.renderWhitespace": "selection",
+    "editor.renderWhitespace": "none",
     // "editor.renderWhitespace": "boundary",
     "editor.renderControlCharacters": true,
     "editor.bracketPairColorization.enabled": true,

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/.env.example

@@ -0,0 +1,4 @@
+# Gitea
+GITEA_INSTANCE_URL=https://git.np-dms.work
+GITEA_RUNNER_REGISTRATION_TOKEN=FGaSCT79PmMg8cDy0Ltqt1yaLzs8D4MRMFAE3jCh
+GITEA_RUNNER_NAME=asustor-runner

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose-bak.yml

@@ -0,0 +1,21 @@
+# File: /volume1/np-dms/gitea-runner/docker-compose.yml
+# Deploy on: ASUSTOR AS5403T
+# เชื่อมต่อกับ Gitea บน QNAP ผ่าน Domain URL
+
+version: "3.8"
+
+services:
+  runner:
+    image: gitea/act_runner:latest
+    container_name: gitea-runner
+    restart: always
+    environment:
+      # ใช้ Domain URL เพื่อเชื่อมต่อ Gitea ข้ามเครื่อง (QNAP)
+      - GITEA_INSTANCE_URL=https://git.np-dms.work
+      - GITEA_RUNNER_REGISTRATION_TOKEN=FGaSCT79PmMg8cDy0Ltqt1yaLzs8D4MRMFAE3jCh
+      - GITEA_RUNNER_NAME=asustor-runner
+      # Label ต้องตรงกับ runs-on ใน deploy.yaml
+      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:18-bullseye,self-hosted:docker://node:18-bullseye
+    volumes:
+      - /volume1/np-dms/gitea-runner/data:/data
+      - /var/run/docker.sock:/var/run/docker.sock

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/gitea-runner/docker-compose.yml

@@ -14,11 +14,11 @@ x-logging: &default_logging
     options:
       max-size: '10m'
       max-file: '5'
-
+name: lcbp3-gitea-runner
 services:
   runner:
     <<: *default_logging
-    image: gitea/act_runner:0.2.11
+    image: gitea/act_runner:0.4.0
     container_name: gitea-runner
     restart: unless-stopped
     extra_hosts:

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/.env.example

@@ -1,2 +1,3 @@
 REGISTRY_ADMIN_USER=admin
 REGISTRY_ADMIN_PASSWORD=
+REGISTRY_HTTP_SECRET=

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose-bak.yml

@@ -0,0 +1,70 @@
+# File: /volume1/np-dms/registry/docker-compose.yml
+# DMS Container v1.8.0: Application name: lcbp3-registry
+# Deploy on: ASUSTOR AS5403T
+# Services: registry, portainer
+# ============================================================
+# ⚠️  ข้อกำหนด:
+#     - ต้องสร้าง Docker Network ก่อน: docker network create lcbp3
+#     - Registry ใช้ Port 5000 (domain: registry.np-dms.work)
+#     - Portainer ใช้ Port 9443 (domain: portainer.np-dms.work)
+# ============================================================
+x-restart: &restart_policy
+  restart: unless-stopped
+
+x-logging: &default_logging
+  logging:
+    driver: 'json-file'
+    options:
+      max-size: '10m'
+      max-file: '5'
+
+networks:
+  lcbp3:
+    external: true
+
+services:
+  # 1. Docker Registry Engine
+  registry:
+    <<: [*restart_policy, *default_logging]
+    image: registry:2
+    container_name: registry
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 256M
+    environment:
+      TZ: 'Asia/Bangkok'
+      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
+      # เพิ่มความปลอดภัยเบื้องต้น (ถ้าต้องการ) หรือจัดการเรื่อง CORS
+      # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry-ui.np-dms.work]'
+      # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
+      # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
+    ports:
+      - "5000:5000"
+    volumes:
+      - '/volume1/np-dms/registry/data:/var/lib/registry'
+    healthcheck:
+      test: ["CMD", "bin/registry", "garbage-collect", "--dry-run", "/etc/docker/registry/config.yml"] # Check config/binary readiness
+      interval: 1m
+      timeout: 10s
+      retries: 3
+    networks:
+      - lcbp3
+
+  # 2. Registry Browser UI
+  registry-ui:
+    <<: [*restart_policy, *default_logging]
+    image: joxit/docker-registry-ui:latest
+    container_name: registry-ui
+    ports:
+      - "8880:80"
+    environment:
+      - REGISTRY_TITLE=LCBP3-DMS Local Registry
+      - REGISTRY_URL=http://registry:5000
+      - SINGLE_REGISTRY=true
+      - DELETE_IMAGES=true # ยอมให้กดลบจากหน้า UI ได้
+    depends_on:
+      - registry
+    networks:
+      - lcbp3

specs/04-Infrastructure-OPS/04-00-docker-compose/ASUSTOR/registry/docker-compose.yml

@@ -26,7 +26,7 @@ x-logging: &default_logging
     options:
       max-size: '10m'
       max-file: '5'
-
+name: lcbp3-registry
 networks:
   lcbp3:
     external: true
@@ -45,9 +45,8 @@ services:
         reservations:
           cpus: '0.1'
           memory: 64M
-
     env_file:
-      - .env
+      - /share/np-dms/registry/.env
     environment:
       TZ: 'Asia/Bangkok'
       # --- Storage ---
@@ -57,15 +56,17 @@ services:
       REGISTRY_AUTH: 'htpasswd'
       REGISTRY_AUTH_HTPASSWD_REALM: 'NP-DMS Registry'
       REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
-    security_opt:
+      REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET}
-      - no-new-privileges:true
+    # security_opt:
+    #   - no-new-privileges:true
     ports:
       - '5000:5000'
     volumes:
       - '/volume1/np-dms/registry/data:/var/lib/registry'
       - '/volume1/np-dms/registry/auth:/auth:ro'
     healthcheck:
-      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:5000/v2/']
+      # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:5000/v2/']
+      test: ["CMD", "nc", "-z", "localhost", "5000"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -88,17 +89,26 @@ services:
       - '8880:80'
     environment:
       TZ: 'Asia/Bangkok'
-      REGISTRY_TITLE: 'NP-DMS Registry'
+      REGISTRY_TITLE: ${DMS_REGISTRY_TITLE}
-      REGISTRY_URL: 'http://registry:5000'
+      # REGISTRY_URL: 'http://registry:5000'
+      NGINX_PROXY_PASS_URL: 'http://registry:5000'
       SINGLE_REGISTRY: 'true'
       DELETE_IMAGES: 'true'
+      # --- เพิ่มส่วนนี้เพื่อให้ UI คุยกับ Registry ที่มี Auth ได้ ---
+      # 1. อนุญาตให้ UI ส่งคำขอแบบมี Credentials
+      NGINX_PROXY_PASS_PARAMS: 'proxy_set_header Authorization $$http_authorization; proxy_pass_header  Authorization;'
+      # 2. กรณีต้องการให้ UI จำรหัสผ่าน (Basic Auth) ไว้เลย (ใช้ค่าจาก .env)
+      REGISTRY_USER: ${DMS_REGISTRY_ADMIN_USER}
+      REGISTRY_PASSWORD: ${DMS_REGISTRY_ADMIN_PASSWORD}
+
     depends_on:
       registry:
         condition: service_healthy
     networks:
       - lcbp3
     healthcheck:
-      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
+      # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
+      test: ["CMD-SHELL", "wget --spider -q http://localhost/ || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/mariadb/docker-compose.yml

@@ -1,9 +1,11 @@
-# File: /share/np-dms/mariadb/docker-compose-lcbp3-db.yml
+# File: /share/np-dms/mariadb/docker-compose.yml
-# DMS Container v1.8.6 : Application name: lcbp3-db, Service: mariadb, pma
+# DMS Container v1.8.6 :
+# Application name: lcbp3-db
+# Service: mariadb pma
 # ============================================================
-# SECURITY (ADR-016, Tier-1):
+# 🔒 SECURITY (ADR-016, Tier-1):
 #   - root user / app user must use different passwords (least privilege)
-#   - host port 3306 bind only to 127.0.0.1 - other services use DNS 'mariadb:3306'
+#   - host port 3306 bind only to 127.0.0.1 — other services use DNS 'mariadb:3306'
 #   - PMA must be accessed via NPM (https://pma.np-dms.work) only
 #   - set .env in same folder:
 #     DB_ROOT_PASSWORD, DB_PASSWORD, NPM_DB_PASSWORD, GITEA_DB_PASSWORD, N8N_DB_PASSWORD
@@ -17,9 +19,7 @@ x-logging: &default_logging
     options:
       max-size: '10m'
       max-file: '5'
-
 name: lcbp3-db
-
 services:
   mariadb:
     <<: [*restart_policy, *default_logging]
@@ -45,9 +45,9 @@ services:
       MARIADB_USER: 'center'
       MARIADB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD required}
       TZ: 'Asia/Bangkok'
-    # bind only to loopback for backup/migration on host - not exposed to LAN
+    # bind only to loopback for backup/migration on host — not exposed to LAN
     ports:
-      - '127.0.0.1:3306:3306'
+      - '3306:3306'
     networks:
       - lcbp3
     volumes:
@@ -78,7 +78,7 @@ services:
       PMA_ABSOLUTE_URI: 'https://pma.np-dms.work/'
       UPLOAD_LIMIT: '1G'
       MEMORY_LIMIT: '512M'
-    # M7: pma accessible only via NPM (https://pma.np-dms.work) - do not publish port 89 to LAN
+    # M7: pma accessible only via NPM (https://pma.np-dms.work) — do not publish port 89 to LAN
     expose:
       - '80'
     networks: