diff --git a/dockerfiles/dkregistry/docker-compose.yml b/dockerfiles/dkregistry/docker-compose.yml
new file mode 100644
index 0000000..01b6e01
--- /dev/null
+++ b/dockerfiles/dkregistry/docker-compose.yml
@@ -0,0 +1,41 @@
+---
+# docker-compose file for logstash
+# - see https://www.elastic.co/guide/en/logstash/current/_pulling_the_image.html
+#
+# DOCKER_HOST=dkhost03:2376 docker-compose up -d
+# DOCKER_HOST=dkhost03:2376 docker stack deploy -c docker-compose.yml services
+
+version: '3'
+services:
+
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ environment:
+ REGISTRY_HTTP_SECRET: aabuioqlwlcpp2
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/live/dkregistry.xai-corp.net/fullchain.pem
+ REGISTRY_HTTP_TLS_KEY: /certs/live/dkregistry.xai-corp.net/privkey.pem
+# REGISTRY_HTTP_LETSENCRYPT_CACHEFILE: /var/run/letsencrypt.cache
+# REGISTRY_HTTP_LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+ REGISTRY_HTTP_HOST: https://dkregistry.xai-corp.net:5000
+# REGISTRY_HTTP_ADDR: dkregistry.xai-corp.net:5000
+ REGISTRY_AUTH: htpasswd
+ REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+ volumes:
+ - /opt/shared/dkregistry/data:/var/lib/registry
+ - /etc/letsencrypt:/certs
+ - /opt/shared/dkregistry/auth:/auth
+
+ deploy:
+ mode: replicated
+ replicas: 1
+ restart_policy:
+ condition: any
+ delay: "1s"
+ max_attempts: 1
+ resources:
+ limits:
+ cpus: '0.1'
+ memory: 256M
diff --git a/dockerfiles/gitea/docker-compose.yml b/dockerfiles/gitea/docker-compose.yml
index 3d52706..3419ce5 100644
--- a/dockerfiles/gitea/docker-compose.yml
+++ b/dockerfiles/gitea/docker-compose.yml
@@ -19,6 +19,6 @@ services:
 restart_policy:
 condition: any
 delay: "5s"
- max_attempts: 10
+ max_attempts: 3
 labels:
 net.xai-corp.sslproxy.description: proxy ssl calls to non ssl containers
diff --git a/dockerfiles/graylog/docker-compose-elasticsearch.yml b/dockerfiles/graylog/docker-compose-elasticsearch.yml
index 9bcbb5a..ed350e0 100644
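Review bot: `REGISTRY_HTTP_SECRET` is committed as a literal in the `environment:` block, so the value the registry uses to sign the state it hands back to clients is now in git history for everyone with read access to this repo; treat it as exposed, rotate it, and supply it out of band (a `secrets:` entry for `docker stack deploy`, or an `env_file` kept out of the repository) instead of inline. The header comment was carried over from the logstash file — `# docker-compose file for logstash` and the elastic.co link describe a different service; `# docker-compose file for the private docker registry (registry:2, htpasswd auth, TLS from /etc/letsencrypt)` would match what the file does. `REGISTRY_HTTP_HOST: https://dkregistry.xai-corp.net:5000` includes the port, so URLs the registry generates for clients (upload locations, redirects) point at :5000 and skip the nginx front-end added in `dockerfiles/sslproxy/host.conf`; if clients are meant to go through nginx, drop the port here. `- 5000:5000` is the one unquoted port mapping in this commit — `- "5000:5000"` keeps it a string like the others.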
--- a/dockerfiles/graylog/docker-compose-elasticsearch.yml
+++ b/dockerfiles/graylog/docker-compose-elasticsearch.yml
@@ -11,7 +11,8 @@ services:
 # image: docker.elastic.co/elasticsearch/elasticsearch:5.4.1
 command: "elasticsearch -Des.cluster.name='es.xai-corp.net'"
 volumes:
- - /opt/shared/graylog/data/elasticsearch:/usr/share/elasticsearch/data
+ - /opt/shared/elasticsearch/data:/usr/share/elasticsearch/data
+ - /opt/shared/elasticsearch/confg:/usr/share/elasticsearch/config
 ports:
 # - "9350:9350"
 # - "9300:9300"
@@ -26,9 +27,22 @@ services:
 max_attempts: 3
 resources:
 limits:
- cpus: '0.5'
+ cpus: '1'
 memory: 512M
+ ui:
+ image: appbaseio/dejavu
+ ports:
+ - "1358:1358"
+ deploy:
+ mode: replicated
+ replicas: 1
+ restart_policy:
+ condition: any
+ delay: "1s"
+ max_attempts: 3
+
+
 networks:
 default:
 external:
diff --git a/dockerfiles/logstash/Dockerfile b/dockerfiles/logstash/Dockerfile
new file mode 100644
index 0000000..3816c17
--- /dev/null
+++ b/dockerfiles/logstash/Dockerfile
@@ -0,0 +1,5 @@
+FROM docker.elastic.co/logstash/logstash:5.4.1
+
+RUN rm -f /usr/share/logstash/pipeline/logstash.conf
+ADD ./pipeline /usr/share/logstash/pipeline/
+ADD ./config /usr/share/logstash/config/
diff --git a/dockerfiles/logstash/config/logstash.yml b/dockerfiles/logstash/config/logstash.yml
new file mode 100644
index 0000000..e69de29
diff --git a/dockerfiles/logstash/docker-compose.yml b/dockerfiles/logstash/docker-compose.yml
new file mode 100644
index 0000000..e6a7f56
--- /dev/null
+++ b/dockerfiles/logstash/docker-compose.yml
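Review bot: The second new mount, `/opt/shared/elasticsearch/confg:/usr/share/elasticsearch/config`, misspells the host directory (`confg`) while the line above uses `/opt/shared/elasticsearch/data`; on a node where that path does not exist Docker creates it empty, and an empty bind mount over `/usr/share/elasticsearch/config` hides whatever the image ships there, so Elasticsearch would most likely fail to start. Unless the host directory really is named `confg`, this should read `- /opt/shared/elasticsearch/config:/usr/share/elasticsearch/config`. The `elasticsearch` service definition this hunk edits starts above the hunk.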
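Review bot: The new `ui` service publishes `"1358:1358"` directly on the swarm ingress rather than behind `sslproxy`, which is how the other web front-ends in this repo are exposed (compare the `net.xai-corp.sslproxy.*` labels in the gitea file); dejavu has no login of its own and is a browser UI onto the Elasticsearch indices, so reachability of node port 1358 is the only control, and the browser then needs its own route to the ES HTTP port as well. If it is meant to stay internal, a comment saying so (`# dejavu: ES browser, LAN only — no auth in front`) would stop the next reader from assuming it is protected; otherwise route it through sslproxy like the other services and leave the port unpublished. The `cpus: '1'` change to the elasticsearch limit in the same hunk is fine; the `resources:` block it belongs to starts above the hunk.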
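Review bot: `ADD ./pipeline ...` and `ADD ./config ...` copy local directories, which is `COPY`'s job; `ADD` additionally auto-extracts archives and fetches URLs, so a tarball dropped into `pipeline/` would be unpacked into the image rather than copied. `COPY ./pipeline /usr/share/logstash/pipeline/` and `COPY ./config /usr/share/logstash/config/` do exactly what is wanted here. `config/logstash.yml` added by this commit is empty (index `e69de29`), so the second copy replaces whatever `logstash.yml` the image ships with a zero-byte file — if that is deliberate a comment in the Dockerfile should say so, e.g. `# config/ overrides the image's logstash.yml with an empty one: all settings come from defaults/env`.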
@@ -0,0 +1,33 @@
+---
+# docker-compose file for logstash
+# - see https://www.elastic.co/guide/en/logstash/current/_pulling_the_image.html
+#
+# DOCKER_HOST=dkhost03:2376 docker-compose up -d
+# DOCKER_HOST=dkhost03:2376 docker stack deploy -c docker-compose.yml services
+
+version: '3'
+services:
+
+ logstash:
+ build:
+ context: .
+ image: "dkregistry.xai-corp.net/services/logstash"
+# command: "elasticsearch -Des.cluster.name='es.xai-corp.net'"
+# volumes:
+# - /opt/shared/logstash/pipeline/:/usr/share/logstash/pipeline/
+ ports:
+# - "9350:9350"
+# - "9300:9300"
+ - "9200:9200"
+# - "10091:80"
+ deploy:
+ mode: replicated
+ replicas: 1
+ restart_policy:
+ condition: any
+ delay: "1s"
+ max_attempts: 3
+ resources:
+ limits:
+ cpus: '1'
+ memory: 512M
diff --git a/dockerfiles/sslproxy/docker-compose.yml b/dockerfiles/sslproxy/docker-compose.yml
index a5be845..bd73d58 100644
--- a/dockerfiles/sslproxy/docker-compose.yml
+++ b/dockerfiles/sslproxy/docker-compose.yml
@@ -5,8 +5,8 @@ version: '3'
 services:
 app:
- restart: always
- image: "sslproxy:latest"
+# restart: always
+ image: "dkregistry.xai-corp.net:5000/sslproxy:latest"
 build:
 context: .
 dockerfile: Dockerfile
@@ -14,7 +14,12 @@ services:
 volumes:
 - /etc/letsencrypt:/etc/letsencrypt:ro
 ports:
- - "443:443"
+ - "443:443"
+
+# logging:
+# driver: gelf
+# options:
+# gelf-address: "udp://logs.xai-corp.net:12201"
 deploy:
 mode: replicated
diff --git a/dockerfiles/sslproxy/host.conf b/dockerfiles/sslproxy/host.conf
index f17e872..28f438e 100644
--- a/dockerfiles/sslproxy/host.conf
+++ b/dockerfiles/sslproxy/host.conf
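Review bot: The only active port mapping is `- "9200:9200"`, which is Elasticsearch's HTTP port rather than a port Logstash listens on by default; unless an input in `./pipeline` binds 9200, nothing answers there, and if an Elasticsearch service on the same swarm ever publishes 9200 the two will clash on the ingress. `image: "dkregistry.xai-corp.net/services/logstash"` has no tag, so each `docker stack deploy` pulls whatever `latest` is at that moment — `:5.4.1` (the Dockerfile's base) would pin it; `dockerfiles/sslproxy/docker-compose.yml` in this commit has the same `:latest` issue and also writes the registry as `dkregistry.xai-corp.net:5000/...`, so the two files disagree on whether the port is part of the image name. The header comments are the generic template copied into every compose file here; a line such as `# built from ./Dockerfile (custom pipeline/ and config/); push to dkregistry before deploying` would say what is specific to this one.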
@@ -78,6 +78,64 @@ server {
 }
+# dkregistry.xai-corp.net
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header will be unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+'' 'registry/2.0';
+}
+
+server {
+ listen 443 ssl;
+ server_name dkregistry.xai-corp.net;
+ ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ #Strict-Transport-Security: max-age=15768000
+ add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ location /v2/ {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+
+ # To add basic authentication to v2 use auth_basic setting.
+ auth_basic "Registry realm";
+ auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;
+
+ ## If $docker_distribution_api_version is empty, the header will not be added.
+ ## See the map directive above where this variable is defined.
+ add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+ proxy_set_header Host $http_host; # required for docker client's sake
+ proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Connection $http_connection;
+
+ proxy_pass http://dkhost.xai-corp.net:5000;
+ proxy_read_timeout 900;
+ }
+
+}
+
+
 # logs.xai-corp.net
 server {
 listen 443 ssl;
@@ -85,7 +143,7 @@ server {
 ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/cert.pem;
 ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
 #Strict-Transport-Security: max-age=15768000
- #add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+ add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
 location / {
 proxy_set_header Connection $http_connection;
diff --git a/roles/dockerhost/tasks/main.yml b/roles/dockerhost/tasks/main.yml
index 24f536b..2da320f 100644
--- a/roles/dockerhost/tasks/main.yml
+++ b/roles/dockerhost/tasks/main.yml
@@ -6,3 +6,12 @@
 become: true
 - include: "fstab.yml"
+
+- name: symlinks
+ file:
+ state: link
+ src: "{{ item.src }}"
+ path: "{{ item.path }}"
+ force: yes
+ with_items:
+ - { src: "/opt/shared/letsencrypt", path: "/etc/letsencrypt" }
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
index 66b5e2e..69d8021 100644
--- a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -35,7 +35,6 @@ dkhost IN A 192.168.2.53
 dkhost IN A 192.168.2.54
 dkhost01 IN A 192.168.2.41
-dkregistry IN A 192.168.2.41
 sql IN A 192.168.2.41
 tripbuilder IN A 192.168.2.41
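Review bot: `proxy_pass http://dkhost.xai-corp.net:5000;` forwards in plaintext, but the registry defined in `dockerfiles/dkregistry/docker-compose.yml` in this same commit sets `REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY`, so port 5000 speaks HTTPS; deployed as written, every `/v2/` request through nginx should fail at the upstream (a 502), and the fix is either `proxy_pass https://dkhost.xai-corp.net:5000;` with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` set to the Let's Encrypt chain, or dropping TLS from the registry and not publishing 5000 beyond the internal network. `auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;` is a host path, and the sslproxy compose file only shows `/etc/letsencrypt` mounted into the container, so unless `/opt/shared/dkregistry/auth` is bound in as well nginx logs an open() error and returns 500 on the first authenticated request. `ssl_protocols TLSv1.1 TLSv1.2;` should be `ssl_protocols TLSv1.2;` — TLS 1.1 is deprecated (RFC 8996) and any Docker client new enough for the v2 API negotiates 1.2. The `map` plus `add_header 'Docker-Distribution-Api-Version' ... always;` pair is the documented pattern for nginx doing the auth and reads correctly.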
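Review bot: `add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;` is now active for logs.xai-corp.net with a ten-minute max-age, while the comment directly above it still says `max-age=15768000`; at 600 seconds the header expires before most return visits, so it gives little of the protection HSTS is for, and the comment contradicts the directive. Once certificate renewal on this host is trusted, use the longer value and make the comment match, e.g. `# HSTS: start at 600 while testing, raise to max-age=15768000 (6 months) once renewals are proven`. The new dkregistry server block in the first hunk carries the same 600/15768000 pair. The enclosing `server {` block starts above this hunk.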
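Review bot: `force: yes` on the `state: link` task will not do what it looks like on a host that already has a populated `/etc/letsencrypt`: the `file` module's `force` only replaces an existing file or permits a dangling target, and it refuses to turn a non-empty directory into a symlink, so the task fails on any node where certbot has already run. A comment stating the precondition would help, e.g. `# /etc/letsencrypt must not already exist as a real directory; certs live on the shared volume`, and the boolean should be written `force: true` (yamllint `truthy`). `with_items` still works; `loop:` is the current form if the Ansible version in use supports it.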
@@ -45,6 +44,7 @@ git IN A 192.168.2.43
 dkui IN A 192.168.2.43
 jenkins IN A 192.168.2.43
 logs IN A 192.168.2.43
+dkregistry IN CNAME dkhost
 dkhost03 IN A 192.168.2.53
 dkhost04 IN A 192.168.2.54
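Review bot: `dkregistry IN CNAME dkhost` aliases the registry to a name that has two A records (192.168.2.53 and 192.168.2.54 appear for `dkhost` in the first hunk), so resolvers will alternate between the swarm nodes — fine for a port published on the ingress, but nothing in these hunks shows the SOA serial changing; if the serial in this template is maintained by hand rather than generated, bump it or secondaries keep serving the removed `dkregistry IN A 192.168.2.41`. A short comment next to the record, `; dkregistry: served by the swarm ingress, follows dkhost`, would explain why it is a CNAME instead of an A like its neighbours. The SOA record is outside both hunks.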