diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6aa12d9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+# Omijamy ciężkie dane, żeby nie wrzucać do Gita baz danych, logów i plików wynikowych
+*/data/
+*/logs/
+*/volumes/
+*/certs/
+*/letsencrypt/
+*/media/
+**/*.db
+**/*.db.old
+**/*.tar.gz
+**/*.tar.gz.sig
diff --git a/authentik/.env b/authentik/.env
new file mode 100644
index 0000000..1d8c21d
--- /dev/null
+++ b/authentik/.env
@@ -0,0 +1,8 @@
+PG_PASS=KmIN0VBVvwALVUh7q5ZsMSsi2Y8Cj3Kv
+AUTHENTIK_SECRET_KEY=ffk6hAoOwp6VEFW2xWFcErP83Ch4uchm
+COMPOSE_PORT_HTTP=9000
+COMPOSE_PORT_HTTPS=9443
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+
+AUTHENTIK_POSTGRES__HOST=postgresql
+AUTHENTIK_REDIS__HOST=redis
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
new file mode 100644
index 0000000..7c74814
--- /dev/null
+++ b/authentik/docker-compose.yml
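Review bot: None of these patterns matches a `.env` file, `planka/secret` or `runners/config/`, so this same commit lands live credentials in authentik/.env, gitea/.env, redmine/.env, planka/secret, the `OIDC_CLIENT_SECRET` in planka/docker-compose.yml and the runner `token` in runners/config/config.toml. Once pushed they have to be treated as disclosed and rotated (the PG passwords, `AUTHENTIK_SECRET_KEY`, `REDMINE_SECRET_KEY_BASE`, the Gitea and GitLab runner tokens), with the history rewritten if the remote is shared. Add `**/.env`, `planka/secret` and `runners/config/` here and commit a `.env.example` with placeholders instead; note also that the `*/data/`-style patterns only match one directory level, `**/data/` would cover nested stacks too.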
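Review bot: `AUTHENTIK_POSTGRES__HOST` is not, as far as I can tell, a setting authentik reads — the documented prefix is `AUTHENTIK_POSTGRESQL__`, which the compose file already sets — so this line is dead and can go. `AUTHENTIK_ERROR_REPORTING__ENABLED=true` opts the instance into sending error reports to authentik's upstream error-tracking service; keep it only if that data flow is intended, otherwise set it to `false` and say so in a comment.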
@@ -0,0 +1,117 @@
+name: authentik
+
+services:
+ postgresql:
+ image: postgres:16-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS}
+ POSTGRES_USER: authentik
+ POSTGRES_DB: authentik
+ env_file:
+ - .env
+ networks:
+ - default
+
+ redis:
+ image: redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - redis:/data
+ networks:
+ - default
+
+ server:
+ image: ghcr.io/goauthentik/server:2024.12
+ restart: unless-stopped
+ command: server
+ environment:
+ # WERSJA 1 (Standardowa)
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRES__HOST: postgresql
+ AUTHENTIK_POSTGRES__USER: authentik
+ AUTHENTIK_POSTGRES__NAME: authentik
+ AUTHENTIK_POSTGRES__PASSWORD: ${PG_PASS}
+
+ # WERSJA 2 (Alternatywna - z 'L' na końcu)
+ # Jeśli aplikacja ignoruje wersję wyżej, to ta zadziała
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: authentik
+ AUTHENTIK_POSTGRESQL__NAME: authentik
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_POSTGRESQL__PORT: 5432
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - central_dogma
+ - default
+
+ worker:
+ image: ghcr.io/goauthentik/server:2024.12
+ restart: unless-stopped
+ command: worker
+ environment:
+ # Podajemy oba warianty dla pewności
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRES__HOST: postgresql
+ AUTHENTIK_POSTGRES__USER: authentik
+ AUTHENTIK_POSTGRES__NAME: authentik
+ AUTHENTIK_POSTGRES__PASSWORD: ${PG_PASS}
+
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: authentik
+ AUTHENTIK_POSTGRESQL__NAME: authentik
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_POSTGRESQL__PORT: 5432
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./media:/media
+ - ./certs:/certs
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - central_dogma
+ - default
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
+
+networks:
+ central_dogma:
+ external: true
diff --git a/filebrowser/compose.yaml b/filebrowser/compose.yaml
new file mode 100644
index 0000000..a6c53bb
--- /dev/null
+++ b/filebrowser/compose.yaml
@@ -0,0 +1,18 @@
+services:
+ filebrowser:
+ image: filebrowser/filebrowser
+ container_name: filebrowser
+ user: 0:0
+ ports:
+ - "1234:80"
+ volumes:
+ - /mnt/second_disk:/srv
+ - ./filebrowser.db:/database.db
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - central_dogma
+networks:
+ central_dogma:
+ external: true
diff --git a/gitea/.env b/gitea/.env
new file mode 100644
index 0000000..02b6c3c
--- /dev/null
+++ b/gitea/.env
@@ -0,0 +1,4 @@
+DB_PASSWORD=899fa3aa3cf344b6659b256b1f16be8b
+GITEA_DOMAIN=gitea.example.com
+GITEA_URL=https://gitea.example.com/
+RUNNER_TOKEN=4fLWQRGyi2Pv2VCrzFLWz6TFgElbrslz0hMjg4p5
diff --git a/gitea/compose-db.yml b/gitea/compose-db.yml
new file mode 100644
index 0000000..7de26e9
--- /dev/null
+++ b/gitea/compose-db.yml
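Review bot: The `worker` service runs as `user: root` with `/var/run/docker.sock` mounted, which gives that container full control of the Docker host; both are only needed for authentik's Docker-integration outposts, so if those are not used drop the socket mount and the `user: root` line. The two `environment` blocks also carry both the `AUTHENTIK_POSTGRES__*` and `AUTHENTIK_POSTGRESQL__*` spellings ("WERSJA 1" / "WERSJA 2"); only the `POSTGRESQL` one is documented, so the other set is dead config and the comment should name the authoritative one instead of "podajemy oba warianty dla pewności". `env_file: .env` on `postgresql` imports `AUTHENTIK_SECRET_KEY` into the database container for no reason — its `environment:` block already provides everything it needs. The `9000`/`9443` mappings bind to every host interface while `server` already joins `central_dogma` for the proxy; if the proxy is the intended entry point, prefix them with `127.0.0.1:` or drop the `ports:` block.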
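Review bot: `user: 0:0` runs filebrowser as root with `/mnt/second_disk` mounted read-write, so any flaw in the web UI (published on every interface via `"1234:80"`) becomes a root-owned write path to that disk; `no-new-privileges` does not help a process that already starts as uid 0. Run it as the unprivileged uid that owns the data (`user: "1000:1000"` is illustrative — use whatever owns `/mnt/second_disk`), and since the service already joins `central_dogma`, bind the port to `127.0.0.1:1234:80` or let the proxy front it. `image: filebrowser/filebrowser` is unpinned; pin a tag or digest so a `pull` cannot silently change what runs with these privileges.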
@@ -0,0 +1,25 @@
+networks:
+ central_dogma:
+ external: true
+
+volumes:
+ postgres-data:
+
+services:
+ postgres:
+ image: postgres:15-alpine
+ container_name: gitea-db
+ restart: always
+ environment:
+ POSTGRES_USER: gitea
+ POSTGRES_PASSWORD: ${DB_PASSWORD}
+ POSTGRES_DB: gitea
+ networks:
+ - central_dogma
+ volumes:
+ - postgres-data:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U gitea"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
diff --git a/gitea/compose-gitea.yml b/gitea/compose-gitea.yml
new file mode 100644
index 0000000..86cfdd1
--- /dev/null
+++ b/gitea/compose-gitea.yml
@@ -0,0 +1,40 @@
+networks:
+ central_dogma:
+ external: true
+ runner_net:
+ name: runner_net
+
+volumes:
+ gitea-data:
+
+services:
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ restart: always
+ environment:
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: gitea-db:5432
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD: ${DB_PASSWORD}
+ GITEA__database__NAME: gitea
+ GITEA__database__SSL_MODE: disable
+ GITEA__security__INSTALL_LOCK: "false"
+ GITEA__actions__ENABLED: "true"
+ GITEA__server__DOMAIN: ${GITEA_DOMAIN}
+ GITEA__server__ROOT_URL: ${GITEA_URL}
+ GITEA__server__SSH_PORT: 22
+ GITEA__server__SSH_DOMAIN: ${GITEA_DOMAIN}
+ GITEA__repository__DEFAULT_BRANCH: main
+ GITEA__service__DISABLE_REGISTRATION: "false"
+ GITEA__service__REGISTER_EMAIL_CONFIRM_REQUIRED: "false"
+ networks:
+ - central_dogma
+ - runner_net
+ ports:
+ - "3000:3000"
+ - "222:22"
+ volumes:
+ - gitea-data:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
diff --git a/gitea/compose-runner.yml b/gitea/compose-runner.yml
new file mode 100644
index 0000000..ca41217
--- /dev/null
+++ b/gitea/compose-runner.yml
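Review bot: `GITEA__security__INSTALL_LOCK: "false"` leaves the web installer enabled, and together with `"3000:3000"` published on every interface it means whoever reaches the instance first after `up` finishes the setup and owns the admin account; set `GITEA__security__INSTALL_LOCK: "true"`, create the admin with `gitea admin user create` inside the container, or at least bind the port to `127.0.0.1` until setup is done. `DISABLE_REGISTRATION: "false"` combined with `REGISTER_EMAIL_CONFIRM_REQUIRED: "false"` is open, unverified self-registration — acceptable for a lab, but it should be a deliberate, commented choice. `image: gitea/gitea:latest` is unpinned while `compose-db.yml` pins `postgres:15-alpine`; pin the application image too.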
@@ -0,0 +1,22 @@
+networks:
+ runner_net:
+ external: true
+
+volumes:
+ runner-data:
+
+services:
+ runner:
+ image: gitea/act_runner:latest
+ container_name: gitea-runner
+ restart: always
+ environment:
+ GITEA_INSTANCE_URL: http://gitea:3000
+ GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
+ GITEA_RUNNER_NAME: docker-runner
+ GITEA_RUNNER_LABELS: "docker:docker,ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+ networks:
+ - runner_net
+ volumes:
+ - runner-data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
diff --git a/gitea/init-env.sh b/gitea/init-env.sh
new file mode 100644
index 0000000..03b8814
--- /dev/null
+++ b/gitea/init-env.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ ! -f .env ]; then
+ DB_PASS=$(openssl rand -hex 16)
+ echo "Creating .env..."
+ echo "DB_PASSWORD=$DB_PASS" > .env
+ echo "GITEA_DOMAIN=gitea.example.com" >> .env
+ echo "GITEA_URL=https://gitea.example.com/" >> .env
+ echo "RUNNER_TOKEN=" >> .env
+ echo "Update GITEA_DOMAIN and GITEA_URL in .env"
+fi
diff --git a/gitea/init-runner-token.sh b/gitea/init-runner-token.sh
new file mode 100644
index 0000000..d4667c1
--- /dev/null
+++ b/gitea/init-runner-token.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+echo "Generating runner token..."
+TOKEN=$(openssl rand -hex 32)
+
+if grep -q "RUNNER_TOKEN=" .env; then
+ sed -i "s/RUNNER_TOKEN=.*/RUNNER_TOKEN=$TOKEN/" .env
+else
+ echo "RUNNER_TOKEN=$TOKEN" >> .env
+fi
+
+echo "Token: $TOKEN"
+echo "Restarting runner..."
+docker compose -f compose-runner.yml restart
+
diff --git a/gitea/justfile b/gitea/justfile
new file mode 100644
index 0000000..b98b81a
--- /dev/null
+++ b/gitea/justfile
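Review bot: Mounting `/var/run/docker.sock` into the runner makes every workflow it executes root-equivalent on the host, since a job with access to the daemon can start arbitrary privileged containers; the same mount appears in `runners/docker-compose.yml` and in the authentik worker. If Actions are needed, put a socket proxy in front that exposes only the API calls the runner needs, keep the runner on a dedicated host or VM, and restrict who can push workflows to this instance. `image: gitea/act_runner:latest` should also be pinned — an unpinned image with host-root reach is the worst place for an unreviewed upgrade.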
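Review bot: The `.env` written here inherits the caller's default umask, so the freshly generated `DB_PASSWORD` is typically world-readable on the host; add `umask 077` before the first `echo ... > .env` (or `chmod 600 .env` afterwards), and `init-runner-token.sh` appends to the same file, so it benefits from the same fix. The script also lacks `set -euo pipefail`, so a failing `openssl rand` silently yields an empty `DB_PASSWORD` and the rest of the file is still written as if setup succeeded.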
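Review bot: A value produced locally by `openssl rand` is nothing the Gitea server knows about — as far as I can tell act_runner registration tokens are issued by Gitea itself (site administration → Actions → Runners, or `gitea actions generate-runner-token` in the `gitea` container), so the `restart` on the last line will presumably fail to register unless that token is also installed server-side; the script should obtain the token from Gitea rather than invent one. `echo "Token: $TOKEN"` prints the secret to stdout where it stays in scrollback and `just` output, so drop it, and `grep -q "RUNNER_TOKEN="` would be safer as `grep -q '^RUNNER_TOKEN='` so a comment or a similarly named key cannot match.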
@@ -0,0 +1,75 @@
+set shell := ["bash", "-c"]
+
+default:
+ @just --list
+
+init-env:
+ @bash init-env.sh
+
+init-network:
+ @docker network inspect central_dogma >/dev/null 2>&1 || \
+ (docker network create central_dogma && echo "Network central_dogma created")
+
+
+up: init-env init-network
+ @echo "Starting Gitea infrastructure..."
+ docker compose -f compose-db.yml up -d
+ @echo "Waiting for database..."
+ @for i in 1 2 3 4 5; do \
+ if docker exec gitea-db pg_isready -U gitea >/dev/null 2>&1; then \
+ break; \
+ fi; \
+ echo "Attempt $$i/5..."; \
+ sleep 2; \
+ done
+ docker compose -f compose-gitea.yml up -d
+ @echo "Waiting for Gitea to be ready..."
+ @until curl -sf http://localhost:3000 > /dev/null 2>&1; do \
+ echo "Waiting..."; \
+ sleep 5; \
+ done
+ @echo "Gitea is ready!"
+ @if ! grep -q "RUNNER_TOKEN=.\+" .env; then \
+ echo "RUNNER_TOKEN not set. Run: just init-runner-token"; \
+ else \
+ docker compose -f compose-runner.yml up -d; \
+ echo "Runner started"; \
+ fi
+ @echo ""
+ @echo "SETUP COMPLETE"
+ @echo "Gitea: http://localhost:3000"
+ @echo "SSH: localhost:222"
+
+down:
+ docker compose -f compose-runner.yml down || true
+ docker compose -f compose-gitea.yml down || true
+ docker compose -f compose-db.yml down || true
+
+stop:
+ docker compose -f compose-runner.yml stop || true
+ docker compose -f compose-gitea.yml stop || true
+ docker compose -f compose-db.yml stop || true
+
+start:
+ docker compose -f compose-db.yml start
+ docker compose -f compose-gitea.yml start
+ docker compose -f compose-runner.yml start
+
+logs-gitea:
+ docker compose -f compose-gitea.yml logs -f --tail=100 gitea
+
+logs-runner:
+ docker compose -f compose-runner.yml logs -f --tail=100 runner
+
+logs-db:
+ docker compose -f compose-db.yml logs -f --tail=100 postgres
+
+init-runner-token:
+ @bash init-runner-token.sh
+
+clean:
+ docker compose -f compose-runner.yml down -v || true
+ docker compose -f compose-gitea.yml down -v || true
+ docker compose -f compose-db.yml down -v || true
+ rm -f .env
+ echo "Cleaned up"
diff --git a/gitlab/docker-compose.yml b/gitlab/docker-compose.yml
new file mode 100644
index 0000000..f31b4ad
--- /dev/null
+++ b/gitlab/docker-compose.yml
@@ -0,0 +1,26 @@
+version: '3.8'
+
+services:
+ gitlab:
+ image: gitlab/gitlab-ce:latest
+ container_name: gitlab
+ restart: unless-stopped
+ hostname: gitlab.archvium.eu
+ environment:
+ GITLAB_OMNIBUS_CONFIG: |
+ external_url 'http://gitlab.archvium.eu:30230' # HTTP, SSL będzie przez NPM
+ gitlab_rails['gitlab_shell_ssh_port'] = 2224 # opcjonalny port SSH, jeśli chcesz
+ nginx['listen_port'] = 80
+ nginx['listen_https'] = false
+ networks:
+ - central_dogma
+ volumes:
+ - /srv/gitlab/config:/etc/gitlab
+ - /srv/gitlab/logs:/var/log/gitlab
+ - /srv/gitlab/data:/var/opt/gitlab
+ ports:
+ - '8929:80'
+ - '2224:22'
+networks:
+ central_dogma:
+ external: true
diff --git a/mattermost/docker-compose.yml b/mattermost/docker-compose.yml
new file mode 100644
index 0000000..8e30167
--- /dev/null
+++ b/mattermost/docker-compose.yml
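Review bot: The `up` recipe's `until curl -sf http://localhost:3000` loop has no upper bound, so a Gitea that never becomes healthy hangs `just up` forever, and the preceding `for i in 1 2 3 4 5` database loop falls through after five failed attempts and still runs `docker compose -f compose-gitea.yml up -d` against an unready database. Give both loops a failure path: count attempts in the `until` loop and `exit 1` past a limit, and after the `for` add `docker exec gitea-db pg_isready -U gitea >/dev/null 2>&1 || { echo "database not ready"; exit 1; }`. `clean` removes `.env` together with the volumes, which is consistent, but a one-line comment that the DB password and runner token are discarded with it would spare the next operator a surprise.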
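Review bot: `external_url 'http://gitlab.archvium.eu:30230'` with the comment that TLS is handled by NPM means GitLab will presumably generate plain-http links and set its session cookies without the Secure flag even though users arrive over HTTPS; the documented reverse-proxy layout is `external_url 'https://gitlab.archvium.eu'` together with the `nginx['listen_port'] = 80` and `nginx['listen_https'] = false` lines already present, plus `nginx['proxy_set_headers']` carrying `X-Forwarded-Proto` from the proxy. `image: gitlab/gitlab-ce:latest` is unpinned for a product whose upgrades are version-path-sensitive; pin a major.minor and bump it deliberately. `version: '3.8'` is obsolete under Compose v2 and only triggers a warning — the same line appears in mattermost/ and runners/.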
@@ -0,0 +1,45 @@
+version: '3.8'
+
+services:
+ # Baza danych dla Mattermosta
+ mattermost-db:
+ image: postgres:16-alpine
+ container_name: mattermost-db
+ restart: unless-stopped
+ volumes:
+ - ./volumes/db/var/lib/postgresql/data:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=mmuser
+ - POSTGRES_PASSWORD=mmuser_password
+ - POSTGRES_DB=mattermost
+ networks:
+ - central_dogma
+
+ # Aplikacja Mattermost
+ mattermost-app:
+ image: mattermost/mattermost-team-edition:latest
+ container_name: mattermost-app
+ restart: unless-stopped
+ depends_on:
+ - mattermost-db
+ volumes:
+ - ./volumes/app/config:/mattermost/config
+ - ./volumes/app/data:/mattermost/data
+ - ./volumes/app/logs:/mattermost/logs
+ - ./volumes/app/plugins:/mattermost/plugins
+ - ./volumes/app/client/plugins:/mattermost/client/plugins
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ # Ustawienia połączenia z bazą (zwróć uwagę na hasło i nazwę hosta 'mattermost-db')
+ - MM_SQLSETTINGS_DRIVERNAME=postgres
+ - MM_SQLSETTINGS_DATASOURCE=postgres://mmuser:mmuser_password@mattermost-db:5432/mattermost?sslmode=disable&connect_timeout=10
+
+ # Adres strony (ważne dla linków w mailach/zaproszeniach)
+ - MM_SERVICESETTINGS_SITEURL=https://mattermost.archvium.eu
+ networks:
+ - central_dogma
+
+# Używamy tej samej sieci co GitLab i Nginx Proxy Manager
+networks:
+ central_dogma:
+ external: true
diff --git a/nginx/compose.yaml b/nginx/compose.yaml
new file mode 100644
index 0000000..60fb7f6
--- /dev/null
+++ b/nginx/compose.yaml
@@ -0,0 +1,20 @@
+name: nginx-vpn
+services:
+ app:
+ image: 'jc21/nginx-proxy-manager:latest'
+ restart: unless-stopped
+ ports:
+ # --- Wszystko dostępne TYLKO przez VPN ---
+ - '80:80'
+ - '443:443'
+ - '81:81'
+ - '30230:80'
+ volumes:
+ - ./data:/data
+ - ./letsencrypt:/etc/letsencrypt
+ networks:
+ - central_dogma
+
+networks:
+ central_dogma:
+ external: true
diff --git a/planka/Add b/planka/Add
new file mode 100644
index 0000000..e69de29
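Review bot: `POSTGRES_PASSWORD=mmuser_password` is a placeholder committed in plain text and repeated inside `MM_SQLSETTINGS_DATASOURCE`, while `mattermost-db` sits on the shared `central_dogma` network, so every container of every other stack on that network can reach this database with a password that is now in git. Move the value into an untracked `.env` the way the other stacks do — `POSTGRES_PASSWORD=${MM_DB_PASSWORD}` and the same `${MM_DB_PASSWORD}` inside the datasource URL (variable name is illustrative) — and give the database a stack-private network; only `mattermost-app` needs `central_dogma`. `mattermost-team-edition:latest` is unpinned; pin it like the `postgres:16-alpine` line above it.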
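Review bot: The comment says everything is reachable only over the VPN, but `'80:80'`, `'443:443'`, `'81:81'` and `'30230:80'` are published without a host address, so Compose binds them on every interface the host has — including the NPM admin UI on 81 — not just the VPN one. If VPN-only is the intent, prefix each mapping with the VPN interface address, e.g. `'<VPN_IP>:81:81'` (placeholder), or keep 80/443 public and bind only 81 and 30230 to the VPN address. `jc21/nginx-proxy-manager:latest` is the edge of the whole setup and should be pinned rather than floating.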
diff --git a/planka/docker-compose.yml b/planka/docker-compose.yml
new file mode 100644
index 0000000..85f8c2e
--- /dev/null
+++ b/planka/docker-compose.yml
@@ -0,0 +1,84 @@
+name: planka-v2
+services:
+ planka:
+ image: ghcr.io/plankanban/planka:2.0.0-rc.4
+ restart: on-failure
+ volumes:
+ - favicons:/app/public/favicons
+ - user-avatars:/app/public/user-avatars
+ - background-images:/app/public/background-images
+ - attachments:/app/private/attachments
+# ports:
+# - 30230:1337
+ networks:
+ - central_dogma
+ - default
+
+ # TO JEST KLUCZ DO ROZWIĄZANIA PROBLEMU "ENOTFOUND"
+ extra_hosts:
+ - "auth.archvium.eu:host-gateway"
+
+ environment:
+ - BASE_URL=http://planka.archvium.eu:30230
+ - DATABASE_URL=postgresql://postgres@postgres/planka
+ - SECRET_KEY=secret
+ - TRUST_PROXY=true
+
+ # Wyłączenie sprawdzania certyfikatu (ważne przy self-hosted)
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
+
+ # KONFIGURACJA AUTHENTIK OIDC
+ - OIDC_ISSUER=http://auth.archvium.eu:30230/application/o/planka/
+ - OIDC_CLIENT_ID=bSZdVk9TuhMXlpp5uy08zyZ0eUEfYP4M6p2yIXjC
+ - OIDC_CLIENT_SECRET=HqjwnU2oURfUo2VXFSZk9moPqRjYrxDjU2XnM8L4gH9NxpO82VUbtomg4vMGyAOPHrKbdGl5ARA2xPddCIYeSaaTkqhUpwVsvs26KktIxv9Y6PjQRClPMpKM6RryrmXL
+
+ # Standardowe ustawienia mapowania
+ - OIDC_SCOPES=openid email profile
+ - OIDC_ADMIN_ROLES=admin
+ - OIDC_EMAIL_ATTRIBUTE=email
+ - OIDC_NAME_ATTRIBUTE=name
+ - OIDC_USERNAME_ATTRIBUTE=preferred_username
+ - OIDC_ROLES_ATTRIBUTE=groups
+ - OIDC_IGNORE_USERNAME=true
+
+ # Na razie false, żebyś mógł się zalogować jak coś nie zadziała
+ - OIDC_ENFORCED=false
+
+ depends_on:
+ postgres:
+ condition: service_healthy
+
+ postgres:
+ image: postgres:16-alpine
+ restart: on-failure
+ volumes:
+ - db-data:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=planka
+ - POSTGRES_HOST_AUTH_METHOD=scram-sha-256
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+
+volumes:
+ favicons:
+ external: true
+ name: planka_favicons
+ user-avatars:
+ external: true
+ name: planka_user-avatars
+ background-images:
+ external: true
+ name: planka_background-images
+ attachments:
+ external: true
+ name: planka_attachments
+ db-data:
+ external: true
+ name: planka_db-data
+
+networks:
+ central_dogma:
+ external: true
diff --git a/planka/secret b/planka/secret
new file mode 100644
index 0000000..e9b63cd
--- /dev/null
+++ b/planka/secret
@@ -0,0 +1 @@
+d8d0f51904d21f9a2bd988d62bdc4eadf3f72a5a482c65f8a83b707a5491644c646ba15bf715f52e51a857c10f61380c41c0bc43d6d27211e2f5c4329fafd9aa
diff --git a/redmine/.env b/redmine/.env
new file mode 100644
index 0000000..6f328ae
--- /dev/null
+++ b/redmine/.env
@@ -0,0 +1,3 @@
+POSTGRES_PASSWORD=QmIY3kfvtUqodNtg
+REDMINE_DB_PASSWORD=sB2wux8NAw6s5f1G
+REDMINE_SECRET_KEY_BASE=biFeoX50LbQ4861rW8dPvfFzmsMRya1W
diff --git a/redmine/docker-compose.yml b/redmine/docker-compose.yml
new file mode 100644
index 0000000..7dd4070
--- /dev/null
+++ b/redmine/docker-compose.yml
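Review bot: `SECRET_KEY=secret` is the key Planka signs sessions with and must be a long random value — the sibling `planka/secret` file looks like it was generated for exactly this, so read it from an untracked `.env` as `SECRET_KEY=${SECRET_KEY}` — and the inline `OIDC_CLIENT_SECRET` is now committed and needs rotating in authentik. `NODE_TLS_REJECT_UNAUTHORIZED=0` disables certificate verification for every outbound TLS connection the Node process makes, not only the authentik one; with `OIDC_ISSUER` on plain `http://` it is not even exercised, so remove it and, once TLS is on, trust the internal CA via `NODE_EXTRA_CA_CERTS` instead. `DATABASE_URL=postgresql://postgres@postgres/planka` carries no password while the `postgres` service demands `POSTGRES_HOST_AUTH_METHOD=scram-sha-256` and sets no `POSTGRES_PASSWORD`; unless the external `planka_db-data` volume was initialised earlier under other settings, that combination presumably fails at init or at first connect, so set one password in both places.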
@@ -0,0 +1,57 @@
+name: redmine-v1
+services:
+ redmine:
+ image: redmine:5-alpine
+ restart: on-failure
+ volumes:
+ - files:/usr/src/redmine/files
+ - plugins:/usr/src/redmine/plugins
+ - themes:/usr/src/redmine/public/themes
+ ports:
+ - 8080:3000
+ networks:
+ - central_dogma
+ - default
+ environment:
+ - REDMINE_DB_POSTGRES=postgres
+ - REDMINE_DB_USERNAME=redmine
+ - REDMINE_DB_DATABASE=redmine
+ - REDMINE_DB_PASSWORD=${REDMINE_DB_PASSWORD}
+ - REDMINE_SECRET_KEY_BASE=${REDMINE_SECRET_KEY_BASE}
+ depends_on:
+ postgres:
+ condition: service_healthy
+
+ postgres:
+ image: postgres:16-alpine
+ restart: on-failure
+ volumes:
+ - db-data:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=redmine
+ - POSTGRES_USER=redmine
+ - POSTGRES_HOST_AUTH_METHOD=trust
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U redmine -d redmine"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+
+volumes:
+ files:
+ external: true
+ name: redmine_files
+ plugins:
+ external: true
+ name: redmine_plugins
+ themes:
+ external: true
+ name: redmine_themes
+ db-data:
+ external: true
+ name: redmine_db-data
+
+networks:
+ central_dogma:
+ external: true
diff --git a/runners/config/.runner_system_id b/runners/config/.runner_system_id
new file mode 100644
index 0000000..2cb2917
--- /dev/null
+++ b/runners/config/.runner_system_id
@@ -0,0 +1 @@
+r_rRFD45yY68Dv
\ No newline at end of file
diff --git a/runners/config/config.toml b/runners/config/config.toml
new file mode 100644
index 0000000..54cf8aa
--- /dev/null
+++ b/runners/config/config.toml
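Review bot: `POSTGRES_HOST_AUTH_METHOD=trust` makes the `POSTGRES_PASSWORD` right below it meaningless — any client that can reach the `postgres` service on the stack's `default` network logs in as the `redmine` superuser with no password — and it hides that `.env` gives `POSTGRES_PASSWORD` and `REDMINE_DB_PASSWORD` two different values, so removing `trust` later would break the app without warning. Drop the `trust` line and make both variables resolve to one value, e.g. `- REDMINE_DB_PASSWORD=${POSTGRES_PASSWORD}`. `- 8080:3000` should be quoted like the other port mappings in this commit, and it binds on every interface although `redmine` already joins `central_dogma` for the proxy.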
@@ -0,0 +1,32 @@
+concurrent = 1
+check_interval = 0
+shutdown_timeout = 0
+
+[session_server]
+ session_timeout = 1800
+
+[[runners]]
+ name = "local-debian"
+ url = "http://gitlab"
+ clone_url = "http://gitlab"
+ id = 1
+ token = "glrt-vshOpu3mA-hlD4fjG_8ay286MQp0OjEKdTp5Cw.01.121vgqu56"
+ token_obtained_at = 2025-12-16T00:10:11Z
+ token_expires_at = 0001-01-01T00:00:00Z
+ executor = "docker"
+ [runners.cache]
+ MaxUploadedArchiveSize = 0
+ [runners.cache.s3]
+ [runners.cache.gcs]
+ [runners.cache.azure]
+ [runners.docker]
+ tls_verify = false
+ image = "alpine:latest"
+ privileged = false
+ disable_entrypoint_overwrite = false
+ oom_kill_disable = false
+ disable_cache = false
+ volumes = ["/cache"]
+ shm_size = 0
+ network_mtu = 0
+ network_mode = "central_dogma"
diff --git a/runners/docker-compose.yml b/runners/docker-compose.yml
new file mode 100644
index 0000000..78fd920
--- /dev/null
+++ b/runners/docker-compose.yml
@@ -0,0 +1,16 @@
+version: '3.8'
+
+services:
+ gitlab-runner:
+ image: gitlab/gitlab-runner:alpine
+ container_name: gitlab-runner
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./config:/etc/gitlab-runner
+ networks:
+ - central_dogma
+
+networks:
+ central_dogma:
+ external: true # <--- To mówi: "nie twórz nowej sieci, podepnij się pod tę, którą stworzył GitLab"
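Review bot: `network_mode = "central_dogma"` attaches every CI job container directly to the shared infrastructure network, so a pipeline from any project on this GitLab has network reach to the Gitea and Mattermost databases and the NPM admin port that also live there; let jobs run on the runner's own bridge network (drop `network_mode`, or point it at a dedicated network) and reach GitLab through `clone_url` only. The `token = "glrt-..."` runner authentication token is a live credential and `.runner_system_id` is runtime state; re-register the runner and keep `runners/config/` out of git, which the committed `.gitignore` does not do. `tls_verify = false` is harmless while `url` is `http://gitlab`, but becomes a real weakening the moment that URL switches to https, so a comment tying it to the plain-http setup would help the next editor.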