153bd11b05
- Diun monitors Docker images - Automated updates for nginx, manual approval for gitea/postgres - Weekly cert renewal automation via cron - Health checks with automatic rollback on failure - AWS SES email notifications on update failures - Daily S3 backups + pre-update snapshots - Integration tests with Gitea Actions quality gate Deployment + optional PoC complete.
123 lines
3.3 KiB
YAML
123 lines
3.3 KiB
YAML
services:
|
|
postgres:
|
|
image: postgres:18.4
|
|
container_name: gitea-postgres
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: ${DB_USER}
|
|
POSTGRES_PASSWORD: ${DB_PASSWORD}
|
|
POSTGRES_DB: ${DB_NAME}
|
|
volumes:
|
|
- postgres-data:/var/lib/postgresql
|
|
networks:
|
|
- gitea-network
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=manual" # Requires operator approval
|
|
|
|
gitea:
|
|
image: gitea/gitea:1.22.6
|
|
container_name: gitea
|
|
restart: unless-stopped
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
environment:
|
|
- USER_UID=1000
|
|
- USER_GID=1000
|
|
- GITEA__database__DB_TYPE=postgres
|
|
- GITEA__database__HOST=postgres:5432
|
|
- GITEA__database__NAME=${DB_NAME}
|
|
- GITEA__database__USER=${DB_USER}
|
|
- GITEA__database__PASSWD=${DB_PASSWORD}
|
|
- GITEA__server__DOMAIN=gitea.poll-streams.com
|
|
- GITEA__server__SSH_DOMAIN=gitea.poll-streams.com
|
|
- GITEA__server__ROOT_URL=https://gitea.poll-streams.com
|
|
volumes:
|
|
- gitea-data:/data
|
|
- /etc/timezone:/etc/timezone:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
ports:
|
|
- "3000:3000"
|
|
- "2222:22"
|
|
networks:
|
|
- gitea-network
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=manual" # Requires operator approval
|
|
|
|
nginx:
|
|
image: nginx:1.27-alpine
|
|
container_name: gitea-nginx
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- gitea
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
- ./nginx/conf.d:/etc/nginx/conf.d:ro
|
|
- certbot-etc:/etc/letsencrypt
|
|
- certbot-var:/var/lib/letsencrypt
|
|
- web-root:/var/www/html
|
|
networks:
|
|
- gitea-network
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=automatic" # Safe to auto-update
|
|
|
|
certbot:
|
|
image: certbot/certbot:v5.6.0
|
|
container_name: gitea-certbot
|
|
volumes:
|
|
- certbot-etc:/etc/letsencrypt
|
|
- certbot-var:/var/lib/letsencrypt
|
|
- web-root:/var/www/html
|
|
command: certonly --webroot --webroot-path=/var/www/html --email admin@poll-streams.com --agree-tos --no-eff-email --force-renewal -d gitea.poll-streams.com
|
|
depends_on:
|
|
- nginx
|
|
|
|
diun:
|
|
image: crazymax/diun:4.33
|
|
container_name: gitea-diun
|
|
restart: unless-stopped
|
|
command: serve
|
|
volumes:
|
|
- ./diun:/data
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
- TZ=Europe/Berlin
|
|
- LOG_LEVEL=info
|
|
- DIUN_WATCH_WORKERS=20
|
|
- DIUN_WATCH_SCHEDULE=0 3 * * 0 # Weekly on Sunday at 3 AM
|
|
- DIUN_PROVIDERS_DOCKER=true
|
|
- DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true
|
|
# Email notifications via AWS SES
|
|
- DIUN_NOTIF_MAIL_HOST=${SMTP_HOST}
|
|
- DIUN_NOTIF_MAIL_PORT=${SMTP_PORT}
|
|
- DIUN_NOTIF_MAIL_SSL=true
|
|
- DIUN_NOTIF_MAIL_INSECURESKIPVERIFY=false
|
|
- DIUN_NOTIF_MAIL_USERNAME=${SMTP_USERNAME}
|
|
- DIUN_NOTIF_MAIL_PASSWORD=${SMTP_PASSWORD}
|
|
- DIUN_NOTIF_MAIL_FROM=${ALERT_EMAIL}
|
|
- DIUN_NOTIF_MAIL_TO=${ALERT_EMAIL}
|
|
labels:
|
|
- "diun.enable=true"
|
|
|
|
volumes:
|
|
postgres-data:
|
|
gitea-data:
|
|
certbot-etc:
|
|
certbot-var:
|
|
web-root:
|
|
|
|
networks:
|
|
gitea-network:
|
|
driver: bridge
|