Aktualizacja konfiguracji Gitea i Redmine po wdrożeniu logowania SSO OIDC

.gitignore

@@ -0,0 +1,11 @@
+# Omijamy ciężkie dane, żeby nie wrzucać do Gita baz danych, logów i plików wynikowych
+*/data/
+*/logs/
+*/volumes/
+*/certs/
+*/letsencrypt/
+*/media/
+**/*.db
+**/*.db.old
+**/*.tar.gz
+**/*.tar.gz.sig

filebrowser/compose.yaml

@@ -0,0 +1,18 @@
+services:
+  filebrowser:
+    image: filebrowser/filebrowser
+    container_name: filebrowser
+    user: 0:0
+    ports:
+      - "1234:80"
+    volumes:
+      - /mnt/second_disk:/srv
+      - ./filebrowser.db:/database.db
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+     - central_dogma
+networks:
+  central_dogma:
+    external: true

gitea/.env

@@ -0,0 +1,4 @@
+DB_PASSWORD=899fa3aa3cf344b6659b256b1f16be8b
+GITEA_DOMAIN=gitea.example.com
+GITEA_URL=http://gitea.archvium.eu:30230/
+RUNNER_TOKEN=4fLWQRGyi2Pv2VCrzFLWz6TFgElbrslz0hMjg4p5

gitea/compose-db.yml

@@ -0,0 +1,25 @@
+networks:
+  central_dogma:
+    external: true
+
+volumes:
+  postgres-data:
+
+services:
+  postgres:
+    image: postgres:15-alpine
+    container_name: gitea-db
+    restart: always
+    environment:
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_DB: gitea
+    networks:
+      - central_dogma
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U gitea"]
+      interval: 10s
+      timeout: 5s
+      retries: 5

gitea/compose-gitea.yml

@@ -0,0 +1,40 @@
+networks:
+  central_dogma:
+    external: true
+  runner_net:
+    name: runner_net
+
+volumes:
+  gitea-data:
+
+services:
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: always
+    environment:
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: gitea-db:5432
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: ${DB_PASSWORD}
+      GITEA__database__NAME: gitea
+      GITEA__database__SSL_MODE: disable
+      GITEA__security__INSTALL_LOCK: "true"
+      GITEA__actions__ENABLED: "true"
+      GITEA__server__DOMAIN: ${GITEA_DOMAIN}
+      GITEA__server__ROOT_URL: ${GITEA_URL}
+      GITEA__server__SSH_PORT: 22
+      GITEA__server__SSH_DOMAIN: ${GITEA_DOMAIN}
+      GITEA__repository__DEFAULT_BRANCH: main
+      GITEA__service__DISABLE_REGISTRATION: "false"
+      GITEA__service__REGISTER_EMAIL_CONFIRM_REQUIRED: "false"
+    networks:
+      - central_dogma
+      - runner_net
+    ports:
+      - "3000:3000"
+      - "222:22"
+    volumes:
+      - gitea-data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro

gitea/compose-runner.yml

@@ -0,0 +1,22 @@
+networks:
+  runner_net:
+    external: true
+
+volumes:
+  runner-data:
+
+services:
+  runner:
+    image: gitea/act_runner:latest
+    container_name: gitea-runner
+    restart: always
+    environment:
+      GITEA_INSTANCE_URL: http://gitea:3000
+      GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
+      GITEA_RUNNER_NAME: docker-runner
+      GITEA_RUNNER_LABELS: "docker:docker,ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    networks:
+      - runner_net
+    volumes:
+      - runner-data:/data
+      - /var/run/docker.sock:/var/run/docker.sock

gitea/init-env.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ ! -f .env ]; then
+    DB_PASS=$(openssl rand -hex 16)
+    echo "Creating .env..."
+    echo "DB_PASSWORD=$DB_PASS" > .env
+    echo "GITEA_DOMAIN=gitea.example.com" >> .env
+    echo "GITEA_URL=https://gitea.example.com/" >> .env
+    echo "RUNNER_TOKEN=" >> .env
+    echo "Update GITEA_DOMAIN and GITEA_URL in .env"
+fi

gitea/init-runner-token.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+echo "Generating runner token..."
+TOKEN=$(openssl rand -hex 32)
+
+if grep -q "RUNNER_TOKEN=" .env; then
+    sed -i "s/RUNNER_TOKEN=.*/RUNNER_TOKEN=$TOKEN/" .env
+else
+    echo "RUNNER_TOKEN=$TOKEN" >> .env
+fi
+
+echo "Token: $TOKEN"
+echo "Restarting runner..."
+docker compose -f compose-runner.yml restart
+

gitea/justfile

@@ -0,0 +1,75 @@
+set shell := ["bash", "-c"]
+
+default:
+    @just --list
+
+init-env:
+    @bash init-env.sh
+
+init-network:
+    @docker network inspect central_dogma >/dev/null 2>&1 || \
+        (docker network create central_dogma && echo "Network central_dogma created")
+
+
+up: init-env init-network
+    @echo "Starting Gitea infrastructure..."
+    docker compose -f compose-db.yml up -d
+    @echo "Waiting for database..."
+    @for i in 1 2 3 4 5; do \
+        if docker exec gitea-db pg_isready -U gitea >/dev/null 2>&1; then \
+            break; \
+        fi; \
+        echo "Attempt $$i/5..."; \
+        sleep 2; \
+    done
+    docker compose -f compose-gitea.yml up -d
+    @echo "Waiting for Gitea to be ready..."
+    @until curl -sf http://localhost:3000 > /dev/null 2>&1; do \
+        echo "Waiting..."; \
+        sleep 5; \
+    done
+    @echo "Gitea is ready!"
+    @if ! grep -q "RUNNER_TOKEN=.\+" .env; then \
+        echo "RUNNER_TOKEN not set. Run: just init-runner-token"; \
+    else \
+        docker compose -f compose-runner.yml up -d; \
+        echo "Runner started"; \
+    fi
+    @echo ""
+    @echo "SETUP COMPLETE"
+    @echo "Gitea: http://localhost:3000"
+    @echo "SSH: localhost:222"
+
+down:
+    docker compose -f compose-runner.yml down || true
+    docker compose -f compose-gitea.yml down || true
+    docker compose -f compose-db.yml down || true
+
+stop:
+    docker compose -f compose-runner.yml stop || true
+    docker compose -f compose-gitea.yml stop || true
+    docker compose -f compose-db.yml stop || true
+
+start:
+    docker compose -f compose-db.yml start
+    docker compose -f compose-gitea.yml start
+    docker compose -f compose-runner.yml start
+
+logs-gitea:
+    docker compose -f compose-gitea.yml logs -f --tail=100 gitea
+
+logs-runner:
+    docker compose -f compose-runner.yml logs -f --tail=100 runner
+
+logs-db:
+    docker compose -f compose-db.yml logs -f --tail=100 postgres
+
+init-runner-token:
+    @bash init-runner-token.sh
+
+clean:
+    docker compose -f compose-runner.yml down -v || true
+    docker compose -f compose-gitea.yml down -v || true
+    docker compose -f compose-db.yml down -v || true
+    rm -f .env
+    echo "Cleaned up"

gitlab/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3.8'
+
+services:
+  gitlab:
+    image: gitlab/gitlab-ce:latest
+    container_name: gitlab
+    restart: unless-stopped
+    hostname: gitlab.archvium.eu
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'http://gitlab.archvium.eu:30230'  # HTTP, SSL będzie przez NPM
+        gitlab_rails['gitlab_shell_ssh_port'] = 2224       # opcjonalny port SSH, jeśli chcesz
+         nginx['listen_port'] = 80
+         nginx['listen_https'] = false
+    networks:
+      - central_dogma
+    volumes:
+      - /srv/gitlab/config:/etc/gitlab
+      - /srv/gitlab/logs:/var/log/gitlab
+      - /srv/gitlab/data:/var/opt/gitlab
+    ports:
+      - '8929:80'
+      - '2224:22'
+networks:
+  central_dogma:
+    external: true

nginx/compose.yaml

@@ -0,0 +1,20 @@
+name: nginx-vpn
+services:
+  app:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    ports:
+      # --- Wszystko dostępne TYLKO przez VPN ---
+      - '80:80'
+      - '443:443'
+      - '81:81'
+      - '30230:80'
+    volumes:
+      - ./data:/data
+      - ./letsencrypt:/etc/letsencrypt
+    networks:
+      - central_dogma
+
+networks:
+  central_dogma:
+    external: true

planka/docker-compose.yml

@@ -0,0 +1,88 @@
+name: planka-v2
+services:
+  planka:
+    image: ghcr.io/plankanban/planka:2.0.0-rc.4
+    restart: on-failure
+    volumes:
+      - favicons:/app/public/favicons
+      - user-avatars:/app/public/user-avatars
+      - background-images:/app/public/background-images
+      - attachments:/app/private/attachments
+#    ports:
+#      - 30230:1337
+    networks:
+      - central_dogma
+      - db_net
+
+    # TO JEST KLUCZ DO ROZWIĄZANIA PROBLEMU "ENOTFOUND"
+    extra_hosts:
+      - "gitea.archvium.eu:host-gateway"
+
+    environment:
+      - BASE_URL=http://planka.archvium.eu:30230
+      - DATABASE_URL=postgresql://postgres:postgres@planka-db/planka
+      - SECRET_KEY=secret
+      - TRUST_PROXY=true
+      
+      # Wyłączenie sprawdzania certyfikatu (ważne przy self-hosted)
+      - NODE_TLS_REJECT_UNAUTHORIZED=0 
+
+      # KONFIGURACJA AUTHENTIK OIDC
+      - OIDC_ISSUER=http://gitea.archvium.eu:30230
+      - OIDC_CLIENT_ID=4e3ab488-5442-4f9e-ac1f-27e901c40030
+      - OIDC_CLIENT_SECRET=gto_3a2ekdczuxq2osprxnc77pdf7rpbjdjspilbkebawiwmwhq7qpeq
+      
+      # Standardowe ustawienia mapowania
+      - OIDC_SCOPES=openid email profile
+      - OIDC_ADMIN_ROLES=admin
+      - OIDC_EMAIL_ATTRIBUTE=email
+      - OIDC_NAME_ATTRIBUTE=name
+      - OIDC_USERNAME_ATTRIBUTE=preferred_username
+      - OIDC_ROLES_ATTRIBUTE=groups
+      - OIDC_IGNORE_USERNAME=true
+      
+      # Na razie false, żebyś mógł się zalogować jak coś nie zadziała
+      - OIDC_ENFORCED=false
+
+    depends_on:
+      planka-db:
+        condition: service_healthy
+
+  planka-db:
+    image: postgres:16-alpine
+    restart: on-failure
+    networks:
+      - db_net
+    volumes:
+      - db-data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=planka
+      - POSTGRES_HOST_AUTH_METHOD=scram-sha-256
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  favicons:
+    external: true
+    name: planka_favicons
+  user-avatars:
+    external: true
+    name: planka_user-avatars
+  background-images:
+    external: true
+    name: planka_background-images
+  attachments:
+    external: true
+    name: planka_attachments
+  db-data:
+    external: true
+    name: planka_db-data
+
+networks:
+  central_dogma:
+    external: true
+  db_net:
+    internal: true

planka/secret

@@ -0,0 +1 @@
+d8d0f51904d21f9a2bd988d62bdc4eadf3f72a5a482c65f8a83b707a5491644c646ba15bf715f52e51a857c10f61380c41c0bc43d6d27211e2f5c4329fafd9aa

redmine/.env

@@ -0,0 +1,3 @@
+POSTGRES_PASSWORD=QmIY3kfvtUqodNtg
+REDMINE_DB_PASSWORD=sB2wux8NAw6s5f1G
+REDMINE_SECRET_KEY_BASE=biFeoX50LbQ4861rW8dPvfFzmsMRya1W

redmine/docker-compose.yml

@@ -0,0 +1,58 @@
+name: redmine-v1
+services:
+  redmine:
+    image: redmine:5-alpine
+    container_name: redmine
+    restart: on-failure
+    volumes:
+      - files:/usr/src/redmine/files
+      - plugins:/usr/src/redmine/plugins
+      - themes:/usr/src/redmine/public/themes
+    ports:
+      - 8080:3000
+    networks:
+      - central_dogma
+      - default
+    environment:
+      - REDMINE_DB_POSTGRES=redmine-db
+      - REDMINE_DB_USERNAME=redmine
+      - REDMINE_DB_DATABASE=redmine
+      - REDMINE_DB_PASSWORD=${REDMINE_DB_PASSWORD}
+      - REDMINE_SECRET_KEY_BASE=${REDMINE_SECRET_KEY_BASE}
+    depends_on:
+      redmine-db:
+        condition: service_healthy
+
+  redmine-db:
+    image: postgres:16-alpine
+    restart: on-failure
+    volumes:
+     - db-data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=redmine
+      - POSTGRES_USER=redmine
+      - POSTGRES_HOST_AUTH_METHOD=trust
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U redmine -d redmine"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  files:
+    external: true
+    name: redmine_files
+  plugins:
+    external: true
+    name: redmine_plugins
+  themes:
+    external: true
+    name: redmine_themes
+  db-data:
+    external: true
+    name: redmine_db-data
+
+networks:
+  central_dogma:
+    external: true

runners/config/.runner_system_id

@@ -0,0 +1 @@
+r_rRFD45yY68Dv

runners/config/config.toml

@@ -0,0 +1,32 @@
+concurrent = 1
+check_interval = 0
+shutdown_timeout = 0
+
+[session_server]
+  session_timeout = 1800
+
+[[runners]]
+  name = "local-debian"
+  url = "http://gitlab"
+  clone_url = "http://gitlab"
+  id = 1
+  token = "glrt-vshOpu3mA-hlD4fjG_8ay286MQp0OjEKdTp5Cw.01.121vgqu56"
+  token_obtained_at = 2025-12-16T00:10:11Z
+  token_expires_at = 0001-01-01T00:00:00Z
+  executor = "docker"
+  [runners.cache]
+    MaxUploadedArchiveSize = 0
+    [runners.cache.s3]
+    [runners.cache.gcs]
+    [runners.cache.azure]
+  [runners.docker]
+    tls_verify = false
+    image = "alpine:latest"
+    privileged = false
+    disable_entrypoint_overwrite = false
+    oom_kill_disable = false
+    disable_cache = false
+    volumes = ["/cache"]
+    shm_size = 0
+    network_mtu = 0
+    network_mode = "central_dogma"

runners/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '3.8'
+
+services:
+  gitlab-runner:
+    image: gitlab/gitlab-runner:alpine
+    container_name: gitlab-runner
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./config:/etc/gitlab-runner
+    networks:
+      - central_dogma
+
+networks:
+  central_dogma:
+    external: true  # <--- To mówi: "nie twórz nowej sieci, podepnij się pod tę, którą stworzył GitLab"