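# ==============================================================================
# GITEA - PRODUCTION CONFIGURATION (SECURITY REVIEW)
# ==============================================================================
# - Identity: runs as UID 1032 / GID 100 (OgnirNAS standard).
# - Network: attached to 'services-internal-net' for bridge isolation.
# - Traefik v3:
#   * Uses 'security-headers@file' (updated dynamic middleware).
#   * Explicit router-to-service binding to avoid 'disabled' router states.
#   * Certificates resolved via Let's Encrypt.
# ==============================================================================
# Review notes (structure):
# - The file was rebuilt with consistent 2-space indentation; as rendered it had
#   every key at column 0, which parses as a flat mapping with a duplicate
#   top-level 'networks' key rather than a Compose file.
# - 'version' is ignored (and warned about) by Compose v2; kept for the
#   consumer's compatibility, safe to drop when the tooling no longer needs it.
# ==============================================================================

version: "3.9"

services:
  server:
    # TODO(review): ':latest' is a moving target - pin an explicit release tag
    # or digest (e.g. gitea/gitea:<VERSION>@sha256:<DIGEST>, placeholder) so
    # upgrades are deliberate and reproducible.
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    networks:
      - services-internal-net
    volumes:
      - /volume1/docker/data/gitea:/data
    environment:
      - USER_UID=1032
      - USER_GID=100
      - TZ=Europe/Madrid
      - GITEA__server__ROOT_URL=https://gitea.ognir-server.synology.me/
      # SSH_PORT is the port advertised in clone URLs; SSH_LISTEN_PORT is the
      # port the daemon listens on inside the container (Traefik forwards to it).
      - GITEA__server__SSH_PORT=2222
      - GITEA__server__SSH_LISTEN_PORT=22
      - GITEA__database__DB_TYPE=sqlite3
    labels:
      - "traefik.enable=true"

      # --- Router configuration ---
      - "traefik.http.routers.gitea.rule=Host(`gitea.ognir-server.synology.me`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"

      # --- Router-Service binding ---
      # Explicit target so the router is enabled (not 'disabled') in the Dashboard.
      - "traefik.http.routers.gitea.service=gitea"

      # --- Service (backend) configuration ---
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.docker.network=services-internal-net"

      # --- Middlewares ---
      # Renamed from 'seguridad-general' to 'security-headers' per the dynamic inventory.
      - "traefik.http.routers.gitea.middlewares=security-headers@file"

      # --- NEW: SSH BLOCK (SEALED) ---
      # Plain TCP (no TLS): HostSNI(`*`) is the only valid matcher for a
      # non-TLS TCP router in Traefik v3.
      - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitea-ssh.entrypoints=ssh-git"
      - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
      - "traefik.tcp.routers.gitea-ssh.priority=100"
      - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=22"

      # The security seal (allowlist)
      # THIS IS THE SEAL: only these sources may cross the bridge.
      # Note: for plain TCP (no TLS), Traefik v3 filters by source IP in the
      # middleware attached to the router.
      # Review notes (scope of the seal):
      # - The allowlist is enforced by Traefik only. Ports 22 and 3000 are not
      #   published by this service, but any other container on
      #   'services-internal-net' can still reach them directly.
      # - Traefik must see the real client address for the filter to mean
      #   anything; if the 'ssh-git' entrypoint is reached through NAT or the
      #   Docker userland proxy, the observed source may be a gateway address
      #   (verify with the access log before relying on it).
      # - sourceRange takes single IPs or CIDR blocks; the original hyphenated
      #   range 192.168.178.30-192.168.178.39 is expressed below as the two
      #   CIDR blocks that cover exactly .30-.39.
      - "traefik.tcp.routers.gitea-ssh.middlewares=whitelist-ssh"
      - "traefik.tcp.middlewares.whitelist-ssh.ipallowlist.sourcerange=100.120.105.35,192.168.178.30/31,192.168.178.32/29"

networks:
  services-internal-net:
    external: true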