690420:2332 Refactor QNAP service

2026-04-20 23:32:30 +07:00
parent 2e89761b0f
commit e2753e4eac
13 changed files with 1569 additions and 13 deletions
@@ -1,4 +1,5 @@
 # File: /volume1/np-dms/gitea-runner/docker-compose.yml
+# DMS Container v1.8.6: Application name: lcbp3-gitea-runner
 # Deploy on: ASUSTOR AS5403T
 # เชื่อมต่อกับ Gitea บน QNAP ผ่าน Domain URL
 #
@@ -61,7 +61,7 @@ services:
          cpus: '0.5'
          memory: 512M
    env_file:
-      - .env
+      - /share/np-dms/app/.env
    environment:
      TZ: 'Asia/Bangkok'
      NODE_ENV: 'production'
@@ -142,7 +142,7 @@ services:
          cpus: '0.25'
          memory: 512M
    env_file:
-      - .env
+      - /share/np-dms/app/.env
    environment:
      TZ: 'Asia/Bangkok'
      NODE_ENV: 'production'
@@ -1,5 +1,5 @@
-# File: /share/np-dms/git/docker-compose.yml
-# DMS Container v1.8.6 — Application: git, Service: gitea
+# File: /share/np-dms/gitea/docker-compose.yml
+# DMS Container v1.8.6 — Application name: lcbp3-git, Service: gitea

 x-restart: &restart_policy
  restart: unless-stopped
@@ -21,8 +21,17 @@ networks:
 services:
  gitea:
    <<: [*restart_policy, *default_logging]
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:1.26.0-rootless
    container_name: gitea
+    # M4: container hardening (Gitea rootless runs as 'git' user)
+    # user: '1000:1000'
+    # tmpfs:
+    #   - /tmp:rw,noexec,nosuid,size=256m
+    #   - /var/run/gitea:rw,size=128m
+    # security_opt:
+    #   - no-new-privileges:true
+    # cap_drop:
+    #   - ALL
    deploy:
      resources:
        limits:
@@ -31,10 +40,8 @@ services:
        reservations:
          cpus: '0.25'
          memory: 512M
-    security_opt:
-      - no-new-privileges:true
    env_file:
-      - .env
+      - /share/np-dms/gitea/.env
    environment:
      # ---- File ownership in QNAP ----
      USER_UID: '1000'
@@ -78,13 +85,13 @@ services:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
-      - '3003:3000' # HTTP (ไปหลัง NPM)
-      - '2222:22' # SSH สำหรับ git clone/push
+      - '3003:3000' # HTTP (to NPM)
+      - '2222:22' # SSH for git clone/push
    networks:
      - lcbp3
      - giteanet
    healthcheck:
-      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:3000/api/healthz']
+      test: ['CMD', 'curl', '-f', 'http://localhost:3000/api/healthz']
      interval: 30s
      timeout: 10s
      retries: 3
@@ -0,0 +1,56 @@
+# File: /share/np-dms/monitoring/docker-compose.yml (QNAP)
+# เฉพาะ exporters เท่านั้น - metrics ถูก scrape โดย Prometheus บน ASUSTOR
+# Application name lcbp3-monitoring-exporter
+version: '3.8'
+
+networks:
+  lcbp3:
+    external: true
+
+services:
+  node-exporter:
+    image: prom/node-exporter:v1.7.0
+    container_name: node-exporter
+    restart: unless-stopped
+    command:
+      - '--path.procfs=/host/proc'
+      - '--path.sysfs=/host/sys'
+      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
+    ports:
+      - "9100:9100"
+    networks:
+      - lcbp3
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /:/rootfs:ro
+
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:v0.47.2
+    container_name: cadvisor
+    restart: unless-stopped
+    privileged: true
+    ports:
+      - "8088:8080"
+    networks:
+      - lcbp3
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+  mysqld-exporter:
+    image: prom/mysqld-exporter:v0.15.0
+    container_name: mysqld-exporter
+    restart: unless-stopped
+    user: root
+    command:
+      - '--config.my-cnf=/etc/mysql/my.cnf'
+    ports:
+      - "9104:9104"
+    networks:
+      - lcbp3
+    volumes:
+      - "/share/np-dms/monitoring/mysqld-exporter/.my.cnf:/etc/mysql/my.cnf:ro"
@@ -31,7 +31,7 @@ services:
  # ----------------------------------------------------------------
  cache:
    <<: [*restart_policy, *default_logging]
-    image: redis:7-alpine # ใช้ Alpine image เพื่อให้มีขน
+    image: redis:7-alpine # ใช้ Alpine image เพื่อให้มีขนาดเล็ก
    container_name: cache
    deploy:
      resources:
@@ -86,7 +86,7 @@ services:
    deploy:
      resources:
        limits:
-          cpus: '2.0' # Elasticsearch ใช้ CPU และ Memory ค่อนข้างห
+          cpus: '2.0' # Elasticsearch ใช้ CPU และ Memory ค่อนข้างหนัก
          memory: 4G
        reservations:
          cpus: '0.5'
@@ -62,6 +62,48 @@ services:

 Otherwise, keep the inline anchor pattern (current repo-wide convention).

+## Image Pinning Strategy
+
+The LCBP3 platform uses a **hybrid image pinning approach**:
+
+### Infrastructure Services (Pinned)
+All infrastructure services use **explicitly pinned versions** for stability:
+
+```yaml
+# Examples
+redis:7-alpine
+elasticsearch:8.11.1
+mariadb:11.8
+gitea/gitea:1.22.3-rootless
+n8nio/n8n:1.66.0
+```
+
+**Rationale:**
+- Infrastructure services evolve independently
+- Breaking changes in Redis/Elasticsearch/MariaDB can cause data corruption
+- Pinned versions ensure predictable behavior across deployments
+
+### Application Services (Variable)
+Application images use **environment variable tags** for CI/CD flexibility:
+
+```yaml
+backend:
+  image: lcbp3-backend:${BACKEND_IMAGE_TAG:-latest}
+frontend:
+  image: lcbp3-frontend:${FRONTEND_IMAGE_TAG:-latest}
+```
+
+**Rationale:**
+- Application code changes frequently with each release
+- CI pipelines inject SHA-specific tags per release
+- `:latest` fallback enables local development
+- Environment variable allows rollback to specific versions
+
+### Version Control
+- **Infrastructure versions** updated manually in compose files
+- **Application versions** controlled via CI/CD pipeline environment variables
+- **Release policy** documented in `04-08-release-management-policy.md`
+
 ## Secret Management Roadmap (S1)

 Current: `env_file: .env` (gitignored) per stack.