Update traefik, introduce crowdsec, add hydra stack to infra.

Update kimai stack.
Use correct tag for erechnung steinle.
2026-03-27 19:36:37 +00:00 · 2025-11-20 11:30:02 +00:00 · 2025-05-12 12:03:40 +02:00 · 2025-05-12 12:01:28 +02:00 · 2025-05-12 11:59:45 +02:00 · 2025-05-12 11:52:39 +02:00
18 changed files with 432 additions and 46 deletions
--- a/arbeitsschutz/docker-compose.yaml
+++ b/arbeitsschutz/docker-compose.yaml
@@ -1,12 +1,10 @@
-version: "3.9"
-
 networks:
  proxy:
    external: true

 services:
  arbeitsschutz:
-    image: cs-git.ddnss.de/arbeitsschutz-ulm/website:latest
+    image: gitea.steinle-computer.de/arbeitsschutz-ulm/website:latest
    container_name: arbeitsschutz
    hostname: arbeitsschutz
    restart: always
@@ -14,11 +12,11 @@ services:
      - proxy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.arbeitsschutz.rule=Host(`arbeitsschutz-ulm.de`, `www.arbeitsschutz-ulm.de`, `ulmer-arbeitsschutz.de`, `www.ulmer-arbeitsschutz.de`)"
+      - "traefik.http.routers.arbeitsschutz.rule=Host(`arbeitsschutz-ulm.de`) || Host(`www.arbeitsschutz-ulm.de`) || Host(`ulmer-arbeitsschutz.de`) || Host(`www.ulmer-arbeitsschutz.de`)"
      - "traefik.http.routers.arbeitsschutz.entrypoints=web"
      - "traefik.http.routers.arbeitsschutz.middlewares=arbeitsschutz"
      - "traefik.http.middlewares.arbeitsschutz.redirectscheme.scheme=https"
-      - "traefik.http.routers.arbeitsschutz-secure.rule=Host(`arbeitsschutz-ulm.de`, `www.arbeitsschutz-ulm.de`, `ulmer-arbeitsschutz.de`, `www.ulmer-arbeitsschutz.de`)"
+      - "traefik.http.routers.arbeitsschutz-secure.rule=Host(`arbeitsschutz-ulm.de`) || Host(`www.arbeitsschutz-ulm.de`) || Host(`ulmer-arbeitsschutz.de`) || Host(`www.ulmer-arbeitsschutz.de`)"
      - "traefik.http.routers.arbeitsschutz-secure.entrypoints=websecure"
      - "traefik.http.routers.arbeitsschutz-secure.tls=true"
      - "traefik.http.routers.arbeitsschutz-secure.tls.certresolver=cs"
--- a/buehler-tmp/docker-compose.yaml
+++ b/buehler-tmp/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 networks:
  proxy:
    external: true
--- a/common/docker-compose.yaml
+++ b/common/docker-compose.yaml
@@ -1,30 +1,41 @@
-version: "3.9"
-
 networks:
  proxy:
    external: false
    name: proxy
+    enable_ipv6: true

 volumes:
  letsencrypt:
    name: letsencrypt
  portainer:
    name: portainer
+  traefik_log:
+    name: traefik_log
+  crowdsec_data:
+    name: crowdsec_data
+  crowdsec_etc:
+    name: crowdsec_etc

 services:
  traefik:
-    image: traefik:v2.9
+    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
+      - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      - --experimental.plugins.bouncer.version=v1.5.0
      - --global.sendAnonymousUsage=false
      - --api.dashboard=true
+      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
-      - --providers.docker.swarmMode=false
      - --entryPoints.web.address=:80
+      - --entryPoints.web.forwardedHeaders.insecure=true
      - --entryPoints.websecure.address=:443
+      - --entryPoints.websecure.http3.advertisedPort=443
+      - --entryPoints.websecure.forwardedHeaders.insecure=true
+      - --entryPoints.ssh.address=:222/tcp
      - --entryPoints.smtp.address=:25
      - --entryPoints.smtp-ssl.address=:465
      - --entryPoints.imap-ssl.address=:993
@@ -33,7 +44,13 @@ services:
      - --certificatesresolvers.cs.acme.email=christiansteinle@arcor.de
      - --certificatesresolvers.cs.acme.storage=/letsencrypt/acme.json
      - --log=true
+      - --log.level=INFO
      - --accessLog=true
+      - --accessLog.filePath=/logs/traefik.log
+      - --accessLog.format=json
+      - --accessLog.bufferingSize=0
+      - --accessLog.fields.headers.defaultMode=drop
+      - --accessLog.fields.headers.names.User-Agent=keep
      - --metrics.prometheus=true
      - --metrics.prometheus.manualRouting=true
      - --metrics.prometheus.addRoutersLabels=true
@@ -41,14 +58,25 @@ services:
      - INFOMANIAK_ACCESS_TOKEN=5IraYq8HK9qur57Mj_TnHQ9pS9G79NPvjF8ID17n-EvfYO7TU6Fi0ZmDKSX6mIhTQJbyYegRd1hfmM-t
    ports:
      - "25:25"
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: udp
+        mode: host
      - "465:465"
      - "993:993"
      - "4190:4190"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
+      - traefik_log:/logs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
@@ -70,6 +98,19 @@ services:
      - "traefik.http.routers.metrics-secure.tls.certresolver=cs"
      - "traefik.http.routers.metrics-secure.middlewares=auth"
      - "traefik.http.routers.metrics-secure.service=prometheus@internal"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.defaultDecisionSeconds=60"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=live"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecEnabled=false"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecFailureBlock=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecUnreachableBlock=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiKey=Q6aU8YIY5zr2c/gNg9WTvm2PPMu+jyEhVKIftcZSBSE"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiHost=crowdsec:8080"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiScheme=http"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSInsecureVerify=false"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedHeadersTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.clientTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
    networks:
      - proxy

@@ -98,4 +139,28 @@ services:
      - "traefik.http.routers.portainer-secure.tls.certresolver=cs"
      - "traefik.http.services.portainer-secure.loadbalancer.server.port=9000"

+  crowdsec:
+    image: crowdsecurity/crowdsec
+    container_name: crowdsec
+    restart: unless-stopped
+    ports:
+      - 127.0.0.1:9876:8080 # port mapping for local firewall bouncers
+    expose:
+      - 8080 # http api for bouncers
+      - 6060 # metrics endpoint for prometheus
+      - 7422 # appsec waf endpoint
+    volumes:
+      # crowdsec container data
+      - crowdsec_data:/var/lib/crowdsec/data
+      - crowdsec_etc:/etc/crowdsec
+      # log bind mounts into crowdsec
+      - /var/log/auth.log:/var/log/auth.log:ro
+      - /var/log/syslog:/var/log/syslog:ro
+      - traefik_log:/var/log/traefik:ro
+    environment:
+      - GID=1000
+      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/sshd crowdsecurity/linux crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs
+      #- CUSTOM_HOSTNAME=my-crowdsec-host123
+    networks:
+      - proxy

--- a/erechnung-asu/docker-compose.yaml
+++ b/erechnung-asu/docker-compose.yaml
@@ -10,7 +10,7 @@ volumes:

 services:
  app:
-    image: cs-git.ddnss.de/ri-st/project:master
+    image: gitea.steinle-computer.de/ri-st/project:latest
    restart: always
    dns:
      - '8.8.8.8'
--- a/erechnung-steinle/.env
+++ b/erechnung-steinle/.env
@@ -0,0 +1,68 @@
+APP_NAME=eRechnung
+APP_ENV=production
+APP_KEY=base64:qSmM2c7YWgiFKS62S2m6w8pVslaBC8WBIHttObhDu1U=
+APP_DEBUG=true
+APP_TIMEZONE=UTC
+APP_URL=https://e-rechnung.steinle-computer.de
+
+APP_LOCALE=de
+APP_CURRENCY=EUR
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+# APP_MAINTENANCE_STORE=database
+
+PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=single
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=pgsql
+DB_HOST=pgsql
+DB_PORT=5432
+DB_DATABASE=steinle
+DB_USERNAME=steinle
+DB_PASSWORD=$*8D%!nnoiiu6w
+
+SESSION_DRIVER=database
+SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=null
+
+BROADCAST_CONNECTION=log
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=database
+
+CACHE_STORE=database
+CACHE_PREFIX=
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_MAILER=smtp
+MAIL_HOST=mail
+MAIL_PORT=1025
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+MAIL_FROM_ADDRESS="hello@example.com"
+MAIL_FROM_NAME="${APP_NAME}"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
+
+VITE_APP_NAME="${APP_NAME}"
+VITE_APP_URL="${APP_URL}/api"
--- a/erechnung-steinle/docker-compose.yaml
+++ b/erechnung-steinle/docker-compose.yaml
@@ -0,0 +1,55 @@
+networks:
+  proxy:
+    external: true
+  invoice-steinle:
+
+volumes:
+  invoice-steinle-db:
+  invoice-steinle-storage:
+    name: invoice-steinle-storage
+
+services:
+  app:
+    image: gitea.steinle-computer.de/ri-st/project:latest
+    restart: always
+    dns:
+      - '8.8.8.8'
+    links:
+      - pgsql
+    depends_on:
+      pgsql:
+        condition: service_healthy
+    working_dir: /var/www
+    volumes:
+      - ./.env:/var/www/.env
+      - invoice-steinle-storage:/var/www/storage/app/public
+    networks:
+      - proxy
+      - invoice-steinle
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.invoice-steinle.rule=Host(`e-rechnung.steinle-computer.de`)"
+      - "traefik.http.routers.invoice-steinle.entrypoints=web"
+      - "traefik.http.routers.invoice-steinle.middlewares=invoice-steinle"
+      - "traefik.http.middlewares.invoice-steinle.redirectscheme.scheme=https"
+      - "traefik.http.routers.invoice-steinle-secure.rule=Host(`e-rechnung.steinle-computer.de`)"
+      - "traefik.http.routers.invoice-steinle-secure.entrypoints=websecure"
+      - "traefik.http.routers.invoice-steinle-secure.tls=true"
+      - "traefik.http.routers.invoice-steinle-secure.tls.certresolver=cs"
+      - "traefik.http.routers.invoice-steinle-secure.service=invoice-steinle-secure"
+      - "traefik.http.services.invoice-steinle-secure.loadbalancer.server.port=80"
+
+  pgsql:
+    image: postgres:17-alpine
+    restart: unless-stopped
+    volumes:
+      - invoice-steinle-db:/var/lib/postgresql/data
+    networks:
+      - invoice-steinle
+    environment:
+      PGPASSWORD: $*8D%!nnoiiu6w
+      POSTGRES_PASSWORD: $*8D%!nnoiiu6w
+      POSTGRES_USER: steinle
+      POSTGRES_DB: steinle
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U steinle"]
--- a/gitea/.env
+++ b/gitea/.env
@@ -0,0 +1,3 @@
+DB_USER=gitea
+DB_NAME=gitea
+DB_PASS=QseAwSwyq8^AeH#cMby9C7i4
--- a/gitea/docker-compose.yaml
+++ b/gitea/docker-compose.yaml
@@ -0,0 +1,88 @@
+networks:
+  proxy:
+    external: true
+  gitea:
+    name: gitea
+    external: false
+
+volumes:
+  gitea:
+    name: gitea
+  gitea-db:
+    name: gitea-db
+  gitea-runner:
+    name: gitea-runner
+
+services:
+  gitea:
+    image: gitea/gitea
+    container_name: gitea
+    hostname: gitea
+    environment:
+      USER_UID: 1000
+      USER_GID: 1000
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: gitea-db:5432
+      GITEA__database__NAME: ${DB_NAME}
+      GITEA__database__USER: ${DB_USER}
+      GITEA__database__PASSWD: ${DB_PASS}
+      GITEA__server__START_SSH_SERVER: true
+      GITEA__server__SSH_PORT: 22
+      GITEA__server__SSH_LISTEN_PORT: 222
+    restart: unless-stopped
+    depends_on:
+      - gitea-db
+    volumes:
+      - gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - proxy
+      - gitea
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.git.entrypoints=web"
+      - "traefik.http.routers.git.rule=Host(`gitea.steinle-computer.de`)"
+      - "traefik.http.routers.git.middlewares=git"
+      - "traefik.http.middlewares.git.redirectscheme.scheme=https"
+      - "traefik.http.routers.git-secure.entrypoints=websecure"
+      - "traefik.http.routers.git-secure.rule=Host(`gitea.steinle-computer.de`)"
+      - "traefik.http.routers.git-secure.service=git-secure"
+      - "traefik.http.routers.git-secure.tls=true"
+      - "traefik.http.routers.git-secure.tls.certresolver=cs"
+      - "traefik.http.routers.git-secure.tls.domains[0].main=gitea.steinle-computer.de"
+      - "traefik.http.services.git-secure.loadbalancer.server.port=3000"
+      - "traefik.tcp.routers.git-ssh.entrypoints=ssh"
+      - "traefik.tcp.routers.git-ssh.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.git-ssh.service=git-ssh"
+      - "traefik.tcp.services.git-ssh.loadbalancer.server.port=222"
+
+  gitea-db:
+    image: postgres:17-alpine
+    container_name: gitea-db
+    hostname: gitea-db
+    restart: unless-stopped
+    volumes:
+      - gitea-db:/var/lib/postgresql/data
+    networks:
+      - gitea
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASS}
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_DB: ${DB_NAME}
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U $DB_USER" ]
+
+  runner:
+    image: gitea/act_runner
+    restart: always
+    depends_on:
+      - gitea
+    volumes:
+      - gitea-runner:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - GITEA_INSTANCE_URL=https://gitea.steinle-computer.de
+      - GITEA_RUNNER_REGISTRATION_TOKEN=jMMDhDpMzlmtN2pXzVj6qcAdlGEpDb8dmzbfmdm8
+    networks:
+      - gitea
--- a/huber-putz/docker-compose.yaml
+++ b/huber-putz/docker-compose.yaml
@@ -1,12 +1,10 @@
-version: "3.9"
-
 networks:
  proxy:
    external: true

 services:
  huber-putz:
-    image: cs-git.ddnss.de/huber/stuck-web
+    image: gitea.steinle-computer.de/huber/stuck-web
    container_name: huber-putz
    hostname: huber-putz
    restart: always
@@ -14,11 +12,11 @@ services:
      - proxy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.huber-putz.rule=Host(`huber-stuck.de`, `www.huber-stuck.de`, `huber-putz.com`, `www.huber-putz.com`)"
+      - "traefik.http.routers.huber-putz.rule=Host(`huber-stuck.de`) || Host(`www.huber-stuck.de`) || Host(`huber-putz.com`) || Host(`www.huber-putz.com`)"
      - "traefik.http.routers.huber-putz.entrypoints=web"
      - "traefik.http.routers.huber-putz.middlewares=huber-putz"
      - "traefik.http.middlewares.huber-putz.redirectscheme.scheme=https"
-      - "traefik.http.routers.huber-putz-secure.rule=Host(`huber-stuck.de`, `www.huber-stuck.de`, `huber-putz.com`, `www.huber-putz.com`)"
+      - "traefik.http.routers.huber-putz-secure.rule=Host(`huber-stuck.de`) || Host(`www.huber-stuck.de`) || Host(`huber-putz.com`) || Host(`www.huber-putz.com`)"
      - "traefik.http.routers.huber-putz-secure.entrypoints=websecure"
      - "traefik.http.routers.huber-putz-secure.tls=true"
      - "traefik.http.routers.huber-putz-secure.tls.certresolver=cs"
--- a/hydra/.env
+++ b/hydra/.env
@@ -0,0 +1,68 @@
+APP_NAME=Hydra
+APP_ENV=production
+APP_KEY=base64:qSmM2c7YWgiFKS62S2m6w8pVslaBC8WBIHttObhDu1U=
+APP_DEBUG=true
+APP_TIMEZONE=UTC
+APP_URL=https://hydras-revenge.ddnss.org
+
+APP_LOCALE=en
+APP_CURRENCY=EUR
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+# APP_MAINTENANCE_STORE=database
+
+PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=single
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=pgsql
+DB_HOST=pgsql
+DB_PORT=5432
+DB_DATABASE=hydra
+DB_USERNAME=hydra
+DB_PASSWORD=$*8D%!nnoiiu6w
+
+SESSION_DRIVER=database
+SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=null
+
+BROADCAST_CONNECTION=log
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=database
+
+CACHE_STORE=database
+CACHE_PREFIX=
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_MAILER=log
+MAIL_HOST=mail
+MAIL_PORT=1025
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+MAIL_FROM_ADDRESS="hello@example.com"
+MAIL_FROM_NAME="${APP_NAME}"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
+
+VITE_APP_NAME="${APP_NAME}"
+VITE_APP_URL="${APP_URL}/api"
--- a/hydra/docker-compose.yaml
+++ b/hydra/docker-compose.yaml
@@ -0,0 +1,55 @@
+networks:
+  proxy:
+    external: true
+  hydra:
+
+volumes:
+  hydra-db:
+  hydra-storage:
+    name: hydra-storage
+
+services:
+  app:
+    image: gitea.fam-steinle.de/cs/hydra:latest
+    restart: always
+    dns:
+      - '8.8.8.8'
+    links:
+      - pgsql
+    depends_on:
+      pgsql:
+        condition: service_healthy
+    working_dir: /var/www
+    volumes:
+      - ./.env:/var/www/.env
+      - hydra-storage:/var/www/storage/app/private
+    networks:
+      - proxy
+      - hydra
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.hydra.rule=Host(`hydras-revenge.ddnss.org`) || Host(`hydra.steinle-computer.de`)"
+      - "traefik.http.routers.hydra.entrypoints=web"
+      - "traefik.http.routers.hydra.middlewares=hydra"
+      - "traefik.http.middlewares.hydra.redirectscheme.scheme=https"
+      - "traefik.http.routers.hydra-secure.rule=Host(`hydras-revenge.ddnss.org`) || Host(`hydra.steinle-computer.de`)"
+      - "traefik.http.routers.hydra-secure.entrypoints=websecure"
+      - "traefik.http.routers.hydra-secure.tls=true"
+      - "traefik.http.routers.hydra-secure.tls.certresolver=cs"
+      - "traefik.http.routers.hydra-secure.service=hydra-secure"
+      - "traefik.http.services.hydra-secure.loadbalancer.server.port=80"
+
+  pgsql:
+    image: postgres:17-alpine
+    restart: unless-stopped
+    volumes:
+      - hydra-db:/var/lib/postgresql/data
+    networks:
+      - hydra
+    environment:
+      PGPASSWORD: $*8D%!nnoiiu6w
+      POSTGRES_PASSWORD: $*8D%!nnoiiu6w
+      POSTGRES_USER: hydra
+      POSTGRES_DB: hydra
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U steinle"]
--- a/kimai-scheidle/docker-compose.yaml
+++ b/kimai-scheidle/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 volumes:
  scheidle-app:
    name: scheidle-app
@@ -23,7 +21,6 @@ services:
      ADMINMAIL: ${ADMIN_USER}
      ADMINPASS: ${ADMIN_PASS}
      DATABASE_URL: mysql://${DB_USER}:${DB_PASS}@scheidle-db/${DB_NAME}?charset=utf8&serverVersion=8.1.0
-      TRUSTED_HOSTS: scheidle.ri-st.de,localhost,127.0.0.1
      APP_SECRET: ${APP_SECRET}
    depends_on:
      - scheidle-db
--- a/mail/docker-compose.yaml
+++ b/mail/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.8"
-
 networks:
  proxy:
    external: true
@@ -55,7 +53,7 @@ services:
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
-      retries: 0
+      retries: 1
    networks:
       - proxy
       - mail
@@ -65,13 +63,13 @@ services:
      - "traefik.tcp.routers.smtp.entrypoints=smtp"
      - "traefik.tcp.routers.smtp.service=smtp"
      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
-      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
+      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=2"
      - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp-ssl.tls=false"
      - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl"
      - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465"
-      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1"
+      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=2"
      - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl"
      - "traefik.tcp.routers.imap-ssl.service=imap-ssl"
--- a/monitoring/docker-compose.yaml
+++ b/monitoring/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 networks:
  proxy:
    external: true
@@ -15,7 +13,7 @@ volumes:

 services:
  prometheus:
-    image: cs-git.ddnss.de/production/prometheus
+    image: gitea.steinle-computer.de/production/prometheus
    container_name: prometheus
    hostname: prometheus
    restart: unless-stopped
@@ -32,7 +30,7 @@ services:
      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"

  cadvisor:
-    image: gcr.io/cadvisor/cadvisor:v0.51.0
+    image: gcr.io/cadvisor/cadvisor:v0.52.1
    container_name: cadvisor
    hostname: cadvisor
    restart: unless-stopped
@@ -107,5 +105,8 @@ services:
    environment:
      TZ: Europe/Berlin
      WATCHTOWER_INCLUDE_STOPPED: true
-      WATCHTOWER_MONITOR_ONLY: true
+      WATCHTOWER_MONITOR_ONLY: false
+      WATCHTOWER_CLEANUP: true
+      WATCHTOWER_REMOVE_VOLUMES: true
+      WATCHTOWER_WARN_ON_HEAD_FAILURE: "never"
      WATCHTOWER_SCHEDULE: "0 0 2 * * *"
--- a/monitoring/watchtower-config.json
+++ b/monitoring/watchtower-config.json
@@ -1,7 +1,7 @@
 {
 	"auths": {
-		"cs-registry.ddnss.de": {
-			"auth": "Y2hyaXM6U2VjcmV0MTI="
+		"gitea.steinle-computer.de": {
+			"auth": "Y2hyaXM6cScsXEgoT2Q6RzMpLlh2PCMhNVA="
 		},
 		"https://index.docker.io/v1/": {
 			"auth": "Y3MyMjExOkU2U2Njc3ViRFJrYUppMlNMVSUh"
--- a/rist-editors/docker-compose.yaml
+++ b/rist-editors/docker-compose.yaml
@@ -1,12 +1,10 @@
-version: "3.9"
-
 networks:
  proxy:
    external: true

 services:
  rist-editors:
-    image: cs-registry.ddnss.de/ri-st/old_editors
+    image: gitea.steinle-computer.de/ri-st/old-editors
    container_name: rist-editors
    hostname: rist-editors
    restart: unless-stopped
--- a/rist-startup/docker-compose.yaml
+++ b/rist-startup/docker-compose.yaml
@@ -1,8 +1,6 @@
-version: '3'
-
 services:
  startup-app:
-    image: cs-git.ddnss.de/ri-st/startup
+    image: gitea.steinle-computer.de/ri-st/startup
    container_name: startup-app
    links:
      - startup-db
@@ -22,7 +20,7 @@ services:
      - "traefik.http.routers.rist-startup-secure.tls=true"
      - "traefik.http.routers.rist-startup-secure.tls.certresolver=cs"
      - "traefik.http.routers.rist-startup-secure.service=rist-startup-secure"
-      - "traefik.http.services.rist-startup-secure.loadbalancer.server.port=80"
+      - "traefik.http.services.rist-startup-secure.loadbalancer.server.port=8080"

  startup-db:
    image: mysql:8
--- a/svj/docker-compose.yaml
+++ b/svj/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 volumes:
  svj-media:
    name: svj-media
@@ -15,7 +13,7 @@ networks:

 services:
  svj:
-    image: cs-registry.ddnss.de/svj/website:latest
+    image: gitea.steinle-computer.de/svj/website:latest
    container_name: svj
    hostname: svj
    restart: unless-stopped
@@ -28,11 +26,11 @@ services:
      - svj-media:/var/www/html/media
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.svj.rule=Host(`svj-fussball.de`, `www.svj-fussball.de`)"
+      - "traefik.http.routers.svj.rule=Host(`svj-fussball.de`) || Host(`www.svj-fussball.de`)"
      - "traefik.http.routers.svj.entrypoints=web"
      - "traefik.http.routers.svj.middlewares=svj"
      - "traefik.http.middlewares.svj.redirectscheme.scheme=https"
-      - "traefik.http.routers.svj-secure.rule=Host(`svj-fussball.de`, `www.svj-fussball.de`)"
+      - "traefik.http.routers.svj-secure.rule=Host(`svj-fussball.de`) || Host(`www.svj-fussball.de`)"
      - "traefik.http.routers.svj-secure.entrypoints=websecure"
      - "traefik.http.routers.svj-secure.tls=true"
      - "traefik.http.routers.svj-secure.tls.certresolver=cs"
Author	SHA1	Message	Date
chris	a930db1b3a	Update traefik, introduce crowdsec, add hydra stack to infra.	2026-03-27 19:36:37 +00:00
chris	8d3d7e7434	Update kimai stack.	2025-11-20 11:30:02 +00:00
chris	fa0e05e441	Use correct tag for erechnung steinle.	2025-05-12 12:03:40 +02:00
chris	aac4b1bd74	Use public repository for erechnung steinle.	2025-05-12 12:01:28 +02:00
chris	9ba5c4db83	Merge branch 'master' of https://gitea.fam-steinle.de/production/production-infra	2025-05-12 11:59:45 +02:00
chris	a00e2c2b8c	Deploy e-rechnung steinle to production.	2025-05-12 11:52:39 +02:00
chris	434e3cbee4	Use watchtower to cleanup and update cadvisor.	2025-05-09 10:15:40 +00:00
chris	b449de91fe	Merge branch 'master' of https://gitea.fam-steinle.de/production/production-infra	2025-05-06 11:09:00 +00:00
chris	f93afbf507	Use public registry for startup image.	2025-05-06 11:07:13 +00:00
chris	c84d3f4069	Use image from public registry for startup.	2025-05-06 11:05:49 +00:00
chris	28fd3daca6	Use public registry for rist-editor image.	2025-05-06 11:02:34 +00:00
Christian Steinle	1266af9265	Use new registration token for gitea runner.	2025-05-06 10:59:51 +00:00
chris	799349e041	Use prometheus image from public registry istance and remove watchtower notification.	2025-05-06 10:57:43 +00:00
chris	51b73a39fb	Use huber-putz image from public registry instance.	2025-05-06 10:56:39 +00:00
chris	5abe999d36	Use erechnung asu image from public registry instance.	2025-05-06 10:49:16 +00:00
chris	1a8f83c08f	Use public registry image for asu.	2025-05-06 10:40:29 +00:00
chris	6a5fc53fb7	Use new registration token for gitea runner.	2025-05-06 10:37:16 +00:00
chris	abb6b82fb6	Use latest tag for erechnung-asu.	2025-04-02 12:56:49 +00:00
chris	9620037b2d	Add gitea instance.	2025-04-01 09:45:30 +02:00
chris	2a044b5c12	Change startup's load balancer port caused by new base image.	2025-03-24 09:00:12 +01:00
chris	649e5b9c25	Update traefik.	2025-03-24 08:59:25 +01:00
chris	e61ee629cd	Change watchtower configuration.	2025-03-24 08:57:45 +01:00
chris	aef64555dc	Use correct package for rist editors.	2025-03-18 15:20:10 +01:00
chris	66087889ca	Eliminate obsolete version in compose files.	2025-03-18 15:02:40 +01:00
chris	b11916c058	Use rist editors image from gitea.	2025-03-18 14:59:56 +01:00
chris	f9f5b34b66	Merge remote-tracking branch 'origin/master'	2025-03-18 14:56:22 +01:00
chris	2c0e8b5ab6	Use svj image from gitea.	2025-03-18 14:56:13 +01:00
root	b1080fd46b	Use correct tag for arbeitsschutz.	2025-03-18 12:35:11 +00:00