890a23e8d5
Some checks failed
Update Automation Tests / Integration Tests (pull_request) Failing after 40s
Infrastructure & Permissions: - Set recovery_window_in_days=0 on secrets for immediate deletion on destroy - Add secretsmanager:UpdateSecret permission to EC2 IAM role - Move SES secret definition from ses.tf to secrets.tf for better organization - Create scripts/empty-s3-bucket.sh to handle versioned S3 object deletion - Update Makefile to use S3 cleanup script in full-destroy target Gitea Admin User Automation: - Remove non-functional GITEA_ADMIN_* environment variables from docker-compose.yml - Add CLI-based admin user creation via docker exec in deploy-gitea.yml - Add database update to disable must_change_password requirement - Fix runner token API call to use GET instead of POST Runner Setup Fixes: - Change runner gitea_instance to http://localhost:3000 (was failing with public URL) - Fix registration to work from same host as Gitea Domain Migration: - Change domain from gitea.poll-streams.com to git.poll-streams.com - Update DNS, docker-compose, nginx configs, ansible inventory, and SSL setup - Enables fresh SSL certificate (avoids Let's Encrypt rate limit) All changes enable zero-to-one deployment: make full-destroy && make full-deploy
126 lines
3.4 KiB
YAML
126 lines
3.4 KiB
YAML
services:
|
|
postgres:
|
|
image: postgres:18.4
|
|
container_name: gitea-postgres
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: ${DB_USER}
|
|
POSTGRES_PASSWORD: ${DB_PASSWORD}
|
|
POSTGRES_DB: ${DB_NAME}
|
|
volumes:
|
|
- postgres-data:/var/lib/postgresql
|
|
networks:
|
|
- gitea-network
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=manual" # Requires operator approval
|
|
|
|
gitea:
|
|
image: gitea/gitea:1.22.6
|
|
container_name: gitea
|
|
restart: unless-stopped
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
environment:
|
|
- USER_UID=1000
|
|
- USER_GID=1000
|
|
- GITEA__database__DB_TYPE=postgres
|
|
- GITEA__database__HOST=postgres:5432
|
|
- GITEA__database__NAME=${DB_NAME}
|
|
- GITEA__database__USER=${DB_USER}
|
|
- GITEA__database__PASSWD=${DB_PASSWORD}
|
|
- GITEA__server__DOMAIN=git.poll-streams.com
|
|
- GITEA__server__SSH_DOMAIN=git.poll-streams.com
|
|
- GITEA__server__ROOT_URL=https://git.poll-streams.com
|
|
- GITEA__security__INSTALL_LOCK=true
|
|
- GITEA__service__DISABLE_REGISTRATION=true
|
|
- GITEA__actions__ENABLED=true
|
|
volumes:
|
|
- gitea-data:/data
|
|
- /etc/timezone:/etc/timezone:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
ports:
|
|
- "3000:3000"
|
|
- "2222:22"
|
|
networks:
|
|
- gitea-network
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=manual" # Requires operator approval
|
|
|
|
nginx:
|
|
image: nginx:1.27-alpine
|
|
container_name: gitea-nginx
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- gitea
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
- ./nginx/conf.d:/etc/nginx/conf.d:ro
|
|
- certbot-etc:/etc/letsencrypt
|
|
- certbot-var:/var/lib/letsencrypt
|
|
- web-root:/var/www/html
|
|
networks:
|
|
- gitea-network
|
|
labels:
|
|
- "diun.enable=true"
|
|
- "update.policy=automatic" # Safe to auto-update
|
|
|
|
certbot:
|
|
image: certbot/certbot:v5.6.0
|
|
container_name: gitea-certbot
|
|
volumes:
|
|
- certbot-etc:/etc/letsencrypt
|
|
- certbot-var:/var/lib/letsencrypt
|
|
- web-root:/var/www/html
|
|
command: certonly --webroot --webroot-path=/var/www/html --email admin@poll-streams.com --agree-tos --no-eff-email --force-renewal -d git.poll-streams.com
|
|
depends_on:
|
|
- nginx
|
|
|
|
diun:
|
|
image: crazymax/diun:4.33
|
|
container_name: gitea-diun
|
|
restart: unless-stopped
|
|
command: serve
|
|
volumes:
|
|
- ./diun:/data
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
- TZ=Europe/Berlin
|
|
- LOG_LEVEL=info
|
|
- DIUN_WATCH_WORKERS=20
|
|
- DIUN_WATCH_SCHEDULE=0 3 * * 0 # Weekly on Sunday at 3 AM
|
|
- DIUN_PROVIDERS_DOCKER=true
|
|
- DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true
|
|
# Email notifications via AWS SES
|
|
- DIUN_NOTIF_MAIL_HOST=${SMTP_HOST}
|
|
- DIUN_NOTIF_MAIL_PORT=${SMTP_PORT}
|
|
- DIUN_NOTIF_MAIL_SSL=true
|
|
- DIUN_NOTIF_MAIL_INSECURESKIPVERIFY=false
|
|
- DIUN_NOTIF_MAIL_USERNAME=${SMTP_USERNAME}
|
|
- DIUN_NOTIF_MAIL_PASSWORD=${SMTP_PASSWORD}
|
|
- DIUN_NOTIF_MAIL_FROM=${ALERT_EMAIL}
|
|
- DIUN_NOTIF_MAIL_TO=${ALERT_EMAIL}
|
|
labels:
|
|
- "diun.enable=true"
|
|
|
|
volumes:
|
|
postgres-data:
|
|
gitea-data:
|
|
certbot-etc:
|
|
certbot-var:
|
|
web-root:
|
|
|
|
networks:
|
|
gitea-network:
|
|
driver: bridge
|