feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
This commit is contained in:
Executable
+77
@@ -0,0 +1,77 @@
|
||||
version: "3"
|
||||
|
||||
services:
|
||||
gitea:
|
||||
image: gitea/gitea:latest
|
||||
container_name: gitea
|
||||
environment:
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
- GITEA__database__DB_TYPE=postgres
|
||||
- GITEA__database__HOST=db:5432
|
||||
- GITEA__database__NAME=gitea
|
||||
- GITEA__database__USER=gitea
|
||||
- GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
|
||||
- GITEA__server__ROOT_URL=https://git.jimmygan.com:8443/
|
||||
- GITEA__server__SSH_DOMAIN=100.78.131.124
|
||||
- GITEA__server__SSH_PORT=2222
|
||||
- GITEA__actions__ENABLED=true
|
||||
- GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION=true
|
||||
- GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=false
|
||||
- GITEA__service__ENABLE_REVERSE_PROXY_EMAIL=true
|
||||
- GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME=true
|
||||
- GITEA__reverse_proxy__TRUSTED_PROXIES=127.0.0.1/32,::1/128,172.16.0.0/12
|
||||
- GITEA__reverse_proxy__AUTHENTICATION_USER=Remote-User
|
||||
- GITEA__reverse_proxy__AUTHENTICATION_EMAIL=Remote-Email
|
||||
- GITEA__reverse_proxy__AUTHENTICATION_FULL_NAME=Remote-Name
|
||||
restart: always
|
||||
volumes:
|
||||
- ./gitea-data:/data
|
||||
- /etc/TZ:/etc/TZ:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
ports:
|
||||
- "3300:3000"
|
||||
- "2222:22"
|
||||
depends_on:
|
||||
- db
|
||||
networks:
|
||||
- gitea
|
||||
labels:
|
||||
- com.centurylinklabs.watchtower.enable=true
|
||||
|
||||
db:
|
||||
image: postgres:16-alpine
|
||||
container_name: gitea-db
|
||||
restart: always
|
||||
environment:
|
||||
- POSTGRES_USER=gitea
|
||||
- POSTGRES_PASSWORD=${GITEA_DB_PASSWORD}
|
||||
- POSTGRES_DB=gitea
|
||||
volumes:
|
||||
- ./postgres-data:/var/lib/postgresql/data
|
||||
networks:
|
||||
- gitea
|
||||
labels:
|
||||
- com.centurylinklabs.watchtower.enable=true
|
||||
|
||||
runner:
|
||||
image: gitea/act_runner:latest
|
||||
container_name: gitea-runner
|
||||
restart: always
|
||||
depends_on:
|
||||
- gitea
|
||||
volumes:
|
||||
- ./runner-data:/data
|
||||
- ./runner-config.yaml:/config.yaml
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- /var/packages/ContainerManager/target/usr/bin/docker:/usr/bin/docker
|
||||
environment:
|
||||
- CONFIG_FILE=/config.yaml
|
||||
- GITEA_INSTANCE_URL=http://gitea:3000
|
||||
- GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
|
||||
networks:
|
||||
- gitea
|
||||
|
||||
networks:
|
||||
gitea:
|
||||
driver: bridge
|
||||
Reference in New Issue
Block a user