From 17c1d39cc2e5812b98cfca6e96ecb6219376793a Mon Sep 17 00:00:00 2001
From: qpismont
Date: Fri, 12 Jun 2026 23:47:50 +0200
Subject: [PATCH] add herald + upgrade gitea and woodpecker
---
 .devcontainer/devcontainer.json | 5 +-
 docker-compose.yml | 287 ++++++++++++++++++--------------
 2 files changed, 166 insertions(+), 126 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index c1d1205..36b566c 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,11 +1,12 @@
 {
 "workspaceFolder": "/workspace",
 "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,Z",
+ "runArgs": ["--userns=keep-id", "--security-opt", "label=disable"],
 "mounts": [
- "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,readonly"
+ "source=${localEnv:HOME}/.ssh,target=/root/.ssh,type=bind,readonly"
 ],
 "build": {
 "dockerfile": "Dockerfile"
 },
 "postAttachCommand": "docker context create prod --docker \"host=ssh://user@62.210.212.10\""
-}
\ No newline at end of file
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 0f23495..c2090d6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
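Review bot: `--security-opt label=disable` in the new `runArgs` switches off SELinux confinement for the whole dev container, not only for the read-only `~/.ssh` bind it presumably works around, and the file records no reason for it; since the workspace mount already relabels with `,Z`, add a comment above `runArgs` such as `// label=disable: SELinux denies the read-only ~/.ssh bind; the host key dir must not be relabelled (Z)` so the trade-off is visible (devcontainer.json accepts comments). `--userns=keep-id` is a Podman option, so the file now assumes a Podman runtime and that should be stated in the same comment. Moving the mount target to `/root/.ssh` implies the container process now runs as root; if that is intended, note it next to the keep-id mapping so the two are read together.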
@@ -1,142 +1,181 @@
 version: "3"
 services:
- reverse_caddy:
- image: caddy:2.11-alpine
- ports:
- - "80:80"
- - "443:443"
- - "443:443/udp"
- configs:
- - source: caddy_config
- target: /etc/caddy/Caddyfile
- volumes:
- - reversecaddydata:/data
- - reversecaddyconfig:/config
- networks:
- - reverse_network
- - prometheus_network
+ reverse_caddy:
+ image: caddy:2.11-alpine
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+ configs:
+ - source: caddy_config
+ target: /etc/caddy/Caddyfile
+ volumes:
+ - reversecaddydata:/data
+ - reversecaddyconfig:/config
+ networks:
+ - reverse_network
+ - prometheus_network
- woodpecker_server:
- image: woodpeckerci/woodpecker-server:v3.13.0-alpine
- volumes:
- - woodpeckerdata:/var/lib/woodpecker/
- entrypoint: /bin/sh -c "export WOODPECKER_GITEA_CLIENT=$$(cat /run/secrets/woodpecker_gitea_client) && export WOODPECKER_GITEA_SECRET=$$(cat /run/secrets/woodpecker_gitea_secret) && export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-server"
- environment:
- WOODPECKER_ADMIN: qpismont
- WOODPECKER_HOST: https://woodpecker.qpismont.fr
- WOODPECKER_GITEA: "true"
- WOODPECKER_GITEA_URL: https://gitea.qpismont.fr
- networks:
- - reverse_network
- secrets:
- - woodpecker_agent_secret
- - woodpecker_gitea_client
- - woodpecker_gitea_secret
+ woodpecker_server:
+ image: woodpeckerci/woodpecker-server:v3.15-alpine
+ volumes:
+ - woodpeckerdata:/var/lib/woodpecker/
+ entrypoint: /bin/sh -c "export WOODPECKER_GITEA_CLIENT=$$(cat /run/secrets/woodpecker_gitea_client) && export WOODPECKER_GITEA_SECRET=$$(cat /run/secrets/woodpecker_gitea_secret) && export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-server"
+ environment:
+ WOODPECKER_ADMIN: qpismont
+ WOODPECKER_HOST: https://woodpecker.qpismont.fr
+ WOODPECKER_GITEA: "true"
+ WOODPECKER_GITEA_URL: https://gitea.qpismont.fr
+ networks:
+ - reverse_network
+ secrets:
+ - woodpecker_agent_secret
+ - woodpecker_gitea_client
+ - woodpecker_gitea_secret
- woodpecker_agent:
- image: woodpeckerci/woodpecker-agent:v3.13.0-alpine
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- entrypoint: /bin/sh -c "export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-agent"
- environment:
- WOODPECKER_SERVER: woodpecker_server:9000
- WOODPECKER_MAX_WORKFLOWS: 1
- WOODPECKER_LIMIT_CPU_SET: 1
- networks:
- - reverse_network
- secrets:
- - woodpecker_agent_secret
+ woodpecker_agent:
+ image: woodpeckerci/woodpecker-agent:v3.15-alpine
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ entrypoint: /bin/sh -c "export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-agent"
+ environment:
+ WOODPECKER_SERVER: woodpecker_server:9000
+ WOODPECKER_MAX_WORKFLOWS: 1
+ WOODPECKER_LIMIT_CPU_SET: 1
+ networks:
+ - reverse_network
+ secrets:
+ - woodpecker_agent_secret
- gitea:
- image: docker.gitea.com/gitea:1.25.2
- environment:
- - USER_UID=1000
- - USER_GID=1000
- restart: always
- volumes:
- - giteadata:/data
- - /etc/timezone:/etc/timezone:ro
- - /etc/localtime:/etc/localtime:ro
- networks:
- - reverse_network
+ gitea:
+ image: docker.gitea.com/gitea:1.26.2
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ restart: always
+ volumes:
+ - giteadata:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ networks:
+ - reverse_network
- wireguard_server:
- image: linuxserver/wireguard
- cap_add:
- - NET_ADMIN
- - SYS_MODULE
- environment:
- PUID: 1000
- PGID: 1000
- TZ: Europe/Paris
- SERVEURURL: wireguard.qpismont.fr
- SERVERPORT: 51820
- PEERS: 1
- PEERDNS: auto
- volumes:
- - /home/user/wireguard-config:/config
- - /lib/modules:/lib/modules
- ports:
- - 51820:51820/udp
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- networks:
- - wireguard_network
+ wireguard_server:
+ image: linuxserver/wireguard
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ environment:
+ PUID: 1000
+ PGID: 1000
+ TZ: Europe/Paris
+ SERVEURURL: wireguard.qpismont.fr
+ SERVERPORT: 51820
+ PEERS: 1
+ PEERDNS: auto
+ volumes:
+ - /home/user/wireguard-config:/config
+ - /lib/modules:/lib/modules
+ ports:
+ - 51820:51820/udp
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ networks:
+ - wireguard_network
- perses:
- image: persesdev/perses:latest
- networks:
- - wireguard_network
- - prometheus_network
+ perses:
+ image: persesdev/perses:latest
+ networks:
+ - wireguard_network
+ - prometheus_network
- prometheus:
- image: prom/prometheus:v3.9.1
- configs:
- - source: prometheus_config
- target: /etc/prometheus/prometheus.yml
- networks:
- - prometheus_network
+ prometheus:
+ image: prom/prometheus:v3.9.1
+ configs:
+ - source: prometheus_config
+ target: /etc/prometheus/prometheus.yml
+ networks:
+ - prometheus_network
- cadvisor:
- image: gcr.io/cadvisor/cadvisor:latest
- volumes:
- - /:/rootfs:ro
- - /var/run:/var/run:rw
- - /sys:/sys:ro
- - /var/lib/docker/:/var/lib/docker:ro
- networks:
- - prometheus_network
+ cadvisor:
+ image: gcr.io/cadvisor/cadvisor:latest
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:rw
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ networks:
+ - prometheus_network
+
+ herald:
+ image: tintounn/herald:1.0
+ entrypoint:
+ - /bin/sh
+ - -c
+ - >-
+ export GITEA_TOKEN=$$(cat /run/secrets/herald_gitea_token) &&
+ export OPEN_ROUTER_API_KEY=$$(cat /run/secrets/herald_openrouter_token) &&
+ export WEBHOOK_SIG_HEADER_SECRET=$$(cat /run/secrets/herald_gitea_header_secret) &&
+ export SENTRY_DSN=$$(cat /run/secrets/herald_sentry_dsn) &&
+ /app/herald
+ networks:
+ - reverse_network
+ secrets:
+ - herald_gitea_token
+ - herald_openrouter_token
+ - herald_gitea_header_secret
+ - herald_sentry_dsn
+ environment:
+ HTTP_PORT: 3000
+ BOT_NAME: Herald
+ BOT_MAX_CONCURRENT: 5
+ GITEA_URL: http://gitea:3000
+ GITEA_TIMEOUT: 60
+ OPEN_ROUTER_MODEL: deepseek/deepseek-v4-flash
+ OPEN_ROUTER_TIMEOUT: 600
 secrets:
- woodpecker_agent_secret:
- name: woodpecker_agent_secret_${DATETIME}
- file: ./secrets/woodpecker_agent_secret
- woodpecker_gitea_secret:
- name: woodpecker_gitea_secret_${DATETIME}
- file: ./secrets/woodpecker_gitea_secret
- woodpecker_gitea_client:
- name: woodpecker_gitea_client_${DATETIME}
- file: ./secrets/woodpecker_gitea_client
+ woodpecker_agent_secret:
+ name: woodpecker_agent_secret_${DATETIME}
+ file: ./secrets/woodpecker_agent_secret
+ woodpecker_gitea_secret:
+ name: woodpecker_gitea_secret_${DATETIME}
+ file: ./secrets/woodpecker_gitea_secret
+ woodpecker_gitea_client:
+ name: woodpecker_gitea_client_${DATETIME}
+ file: ./secrets/woodpecker_gitea_client
+ herald_gitea_token:
+ name: herald_gitea_token_${DATETIME}
+ file: ./secrets/herald/herald_gitea_token
+ herald_openrouter_token:
+ name: herald_openrouter_token_${DATETIME}
+ file: ./secrets/herald/herald_openrouter_token
+ herald_gitea_header_secret:
+ name: herald_gitea_header_secret_${DATETIME}
+ file: ./secrets/herald/herald_gitea_header_secret
+ herald_sentry_dsn:
+ name: herald_sentry_dsn_${DATETIME}
+ file: ./secrets/herald/herald_sentry_dsn
 configs:
- caddy_config:
- name: caddy_config_${DATETIME}
- file: ./Caddyfile
- prometheus_config:
- name: prometheus_config_${DATETIME}
- file: ./prometheus.yml
+ caddy_config:
+ name: caddy_config_${DATETIME}
+ file: ./Caddyfile
+ prometheus_config:
+ name: prometheus_config_${DATETIME}
+ file: ./prometheus.yml
 volumes:
- giteadata:
- woodpeckerdata:
- reversecaddyconfig:
- reversecaddydata:
+ giteadata:
+ woodpeckerdata:
+ reversecaddyconfig:
+ reversecaddydata:
 networks:
- reverse_network:
- external: true
- wireguard_network:
- external: true
- prometheus_network:
- external: true
+ reverse_network:
+ external: true
+ wireguard_network:
+ external: true
+ prometheus_network:
+ external: true
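Review bot: The Woodpecker bump replaces an exact tag (`v3.13.0-alpine`) with the floating minor tag `v3.15-alpine` on both `woodpecker_server` and `woodpecker_agent`, so a routine re-pull can silently swap the CI server and the agent that holds `/var/run/docker.sock`; pin a full patch version, ideally with an `@sha256:` digest, and do the same for the new `tintounn/herald:1.0`. The herald service is given a Gitea token and an OpenRouter key, which suggests it sends repository content to an external LLM API, yet the token's required scopes are not visible here; add a comment above `herald_gitea_token` in the `secrets:` section such as `# least-privilege token for herald: <list required scopes>; herald forwards repo data to OpenRouter` so the blast radius of a leaked token and the data flow are documented. The folded `>-` entrypoint collapses into a single `&&` chain, which is fine: a missing secret file aborts startup rather than launching herald with an empty credential.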