Move Caddy into its own docker-compose config

TODO.md

@@ -2,7 +2,10 @@
 
 - [ ] Update Readme (CI, Git, plantuml, etc.)
 - [ ] Split `docker/web/docker-compose.yaml` into different configs (e.g. `web`, `gitlab`, `drone`) using the same network
-- [ ] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
+- [x] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
     - [x] Make it inaccessible to anyone but root (`-rw------`)
 - [x] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
 - [ ] Figure out how to dependably store `.env` files (Ansible vault? Something else?)
+- [ ] Check out docker swarm and current best practices for Ansible
+- [ ] Use Gitea instead of GitLab
+- [ ] Add drone exec runner for Nix builds with shared `/nix`

ansible/README.md

@@ -20,12 +20,13 @@ Sets up:
 
 ## `misc-docker.yaml`
 
-- Deploys Docker configurations from `../docker`
+Deploys Docker configurations from `../docker`:
+
+- Sets up the docker network `caddy-network` for services that are reverse proxied by caddy
+- Copies configuration into `/etc/pbri/docker`
+- Creates folder `/var/lib/pbri/docker` for storing application files
+- Creates users with `42xxx` UIDs for running containers
 
 ## `misc-sites.yaml`
 
 Checks out static sites into `/home/paul/Sites` which is mounted into `/srv` in the Caddy container.
-
-## `misc-backup.yaml`
-
-Backs up relevant Docker volumes.

ansible/misc-backup.yaml

@@ -1,50 +0,0 @@
----
-- hosts: misc
-  vars:
-    start_time: "{{ ansible_date_time.iso8601_basic_short }}"
-  tasks:
-    - name: Stop docker stuff
-      become: yes
-      docker_compose:
-        project_src: /etc/pbri/docker/web
-        state: present
-        stopped: yes
-    - name: Create backups in /etc/pbri/backups
-      become: yes
-      docker_container:
-        container_default_behavior: no_defaults
-        name: bacman
-        image: busybox
-        volumes:
-          - "{{ item }}:/data"
-          - "/etc/pbri/backups/{{ start_time }}:/backup"
-        command: "cp -r /data /backup/{{ item }}"
-        detach: no
-        cleanup: yes
-      loop:
-        - codi_database
-        - codi_uploads
-        - gitlab_data
-        - gitlab_logs
-        - gitlab_config
-    - name: Make tar
-      become: yes
-      shell:
-        cmd: "tar -czvf ../{{ start_time }}.tar.gz *"
-        chdir: "/etc/pbri/backups/{{ start_time }}"
-    - name: Download tar
-      become: yes
-      fetch:
-        src: /etc/pbri/backups/{{ start_time }}.tar.gz
-        dest: ../backups
-    - name: Remove backups folder
-      become: yes
-      file:
-        path: /etc/pbri/backups
-        state: absent
-    - name: Restart docker stuff
-      become: yes
-      docker_compose:
-        project_src: /etc/pbri/docker/web
-        state: present
-        restarted: yes

ansible/misc-docker.yaml

@@ -1,6 +1,12 @@
 ---
 - hosts: misc
   tasks:
+    # All services that are behind Caddy need to be in this network
+    - name: Create Caddy network
+      become: yes
+      docker_network:
+        name: caddy-network
+        state: present
     - name: Upload docker configuration
       become: yes
       copy:
@@ -10,35 +16,13 @@
         mode: u=rw,g=,o=
         # Directories should be listable
         directory_mode: u=rwx,g=rx,o=rx
-    - name: Create global docker volumes (/var/lib)
+    - name: Create directory for docker volumes
       become: yes
       file:
-        path: "/var/lib/pbri/docker/{{ item.name }}"
+        path: /var/lib/pbri/docker
         state: directory
         # Hide contents from non-root users
-        mode: u=rw,g=,o=
+        mode: u=rwx,g=,o=
-      loop:
-        - name: drone
-    - name: Create global docker volumes (docker_volume)
-      become: yes
-      docker_volume:
-        name: "{{ item.name }}"
-        state: "{{ item.state }}"
-      loop:
-        - name: codi_database
-          state: present
-        - name: codi_uploads
-          state: present
-        - name: gitlab_data
-          state: present
-        - name: gitlab_logs
-          state: present
-        - name: gitlab_config
-          state: present
-        - name: gitlab_runner_config
-          state: present
-        - name: gitlab_runner_cache
-          state: present
     - name: Set up docker stuff
       become: yes
       docker_compose:
@@ -48,15 +32,27 @@
         debug: yes
       loop:
         - name: web
-          state: present
+          state: absent
         - name: runner
           state: absent
-    - name: Add jupyter user with UID 42000
+        - name: gitea
+          state: present
+        - name: caddy
+          state: present
+    - name: Add users for running containers
       become: yes
       ansible.builtin.user:
-        name: jupyter
+        name: "{{ item.name }}"
+        uid: "{{ item.uid }}"
+        create_home: no
+        state: present
+      loop:
+        - name: jupyter
           uid: 42000
           state: present
+        - name: gitea
+          uid: 42001
+          state: present
     - name: Add Notebooks folder
       become: yes
       ansible.builtin.file:

docker/caddy/Caddyfile

@@ -15,7 +15,7 @@ codi.pbrinkmeier.de {
 }
 
 git.pbrinkmeier.de {
-    reverse_proxy gitlab:80
+    reverse_proxy gitea:3000
 }
 
 ci.pbrinkmeier.de {

docker/caddy/docker-compose.yaml

@@ -0,0 +1,20 @@
+version: "3"
+
+services:
+  # Webserver for static files and reverse proxy
+  web:
+    image: pbrinkmeier/web
+    build: .
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/lib/pbri/docker/caddy_data:/data
+      - /var/lib/pbri/docker/caddy_config:/config
+      - /home/paul/Sites:/srv:ro
+    restart: always
+
+networks:
+  default:
+    name: caddy-network
+    external: true

docker/gitea/docker-compose.yaml

@@ -0,0 +1,61 @@
+version: "3"
+
+services:
+  gitea:
+    image: gitea/gitea:1.17.1
+    restart: always
+    environment:
+      USER: gitea
+      USER_UID: 42001
+      USER_GID: 42001
+      GITEA__server__DOMAIN: pbrinkmeier.de
+      GITEA__server__HTTP_PORT: 3000
+      GITEA__server__ROOT_URL: https://git.pbrinkmeier.de/
+      GITEA__server__SSH_DOMAIN: pbrinkmeier.de
+      GITEA__server__SSH_LISTEN_PORT: 22
+      GITEA__server__SSH_PORT: 22
+      GITEA__server__OFFLINE_MODE: "true"
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: gitea_db:5432
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: "${GITEA_DB_PASSWORD}"
+      GITEA__picture__DISABLE_GRAVATAR: "true"
+      GITEA__picture__FEDERATED_AVATAR: "false"
+      GITEA__service__DISABLE_REGISTRATION: "true"
+      GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
+      GITEA__service__ENABLE_NOTIFY_MAIL: "true"
+      GITEA__service__NOREPLY_ADDRESS: noreply.pbrinkmeier.de
+      GITEA__service__ENABLE_TIMETRACKING: "false"
+      GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "false"
+      GITEA__service__DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME: "false"
+      GITEA__mailer__ENABLED: "true"
+      GITEA__mailer__HOST: smtp.mailbox.org:465
+      GITEA__mailer__FROM: git@pbrinkmeier.de
+      GITEA__mailer__USER: hallo@pbrinkmeier.de
+      GITEA__mailer__PASSWD: "${GITEA_SMTP_PASSWORD}"
+      GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
+      GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
+    volumes:
+      - /var/lib/pbri/docker/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 22:22
+    depends_on:
+      - gitea_db
+
+  gitea_db:
+    image: postgres:14.5-alpine
+    restart: always
+    environment:
+      POSTGRES_DB: gitea
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: "${GITEA_DB_PASSWORD}"
+    volumes:
+      - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
+
+networks:
+  default:
+    name: caddy-network
+    external: true

docker/web/README.md

@@ -1,6 +1,6 @@
 # web
 
-Contains stuff exposed via HTTP(S) to the Internet, e.g. personal website, Wiki, etc.
+Old god project.
 
 ## Jupyter
 

docker/web/docker-compose.yaml

@@ -1,19 +1,6 @@
 version: "3"
 
 services:
-  # Webserver for static files and reverse proxy
-  web:
-    image: pbrinkmeier/web
-    build: .
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - caddy_data:/data
-      - caddy_config:/config
-      - /home/paul/Sites:/srv:ro
-    restart: always
-
   codi:
     image: hackmdio/hackmd:2.4.2
     # CMD_DB_{URL,CMD_SESSION_SECRET}
@@ -30,7 +17,7 @@ services:
       - codi_db
       - codi_plantuml
     volumes:
-      - codi_uploads:/home/hackmd/app/public/uploads
+      - /var/lib/pbri/docker/codi_uploads:/home/hackmd/app/public/uploads
     restart: always
     
   codi_db:
@@ -39,7 +26,7 @@ services:
     # Must match CMD_DB_URL in codi.env
     env_file: codi_db.env
     volumes:
-      - codi_database:/var/lib/postgresql/data
+      - /var/lib/pbri/docker/codi_database:/var/lib/postgresql/data
     restart: always
   
   codi_plantuml:
@@ -51,9 +38,9 @@ services:
     ports:
       - "22:22"
     volumes:
-      - gitlab_data:/var/opt/gitlab
+      - /var/lib/pbri/docker/gitlab_data:/var/opt/gitlab
-      - gitlab_logs:/var/log/gitlab
+      - /var/lib/pbri/docker/gitlab_logs:/var/log/gitlab
-      - gitlab_config:/etc/gitlab
+      - /var/lib/pbri/docker/gitlab_config:/etc/gitlab
     restart: always
     # GITLAB_SMTP_PASSWORD
     env_file: gitlab.env
@@ -79,11 +66,17 @@ services:
         # https://docs.gitlab.com/omnibus/settings/rpi.html
         puma['worker_processes'] = 2
         sidekiq['concurrency'] = 9
-        prometheus_monitoring['enable'] = false
 
         nginx['listen_port'] = 80
         nginx['listen_https'] = false
 
+        # https://forum.gitlab.com/t/clear-up-postges-prometheus-data/38216/3
+        prometheus_monitoring['enable'] = false
+        prometheus['enable'] = false
+        prometheus['flags'] = {
+          'storage.tsdb.retention.time' => "12h"
+        }
+
   jupyter:
     image: ihaskell-docker:1.0
     # ports:
@@ -119,17 +112,3 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     restart: always
-
-volumes:
-  caddy_data:
-  caddy_config:
-  codi_uploads:
-    external: yes
-  codi_database:
-    external: yes
-  gitlab_data:
-    external: yes
-  gitlab_logs:
-    external: yes
-  gitlab_config:
-    external: yes