From b924ac1569280a03ed3e29f57e9803aca4b5fe99 Mon Sep 17 00:00:00 2001
From: Reinaldy Rafli
Date: Tue, 30 Jan 2024 21:16:50 +0700
Subject: [PATCH] feat: pph21
---
bagetter/CaddyFile | 23 --------------
bagetter/Caddyfile | 23 ++++++++++++++
bagetter/docker-compose.yml | 2 +-
bagetter/setup.sh | 2 +-
pph21/docker-compose.yml | 63 +++++++++++++++++++++++++++++++++++++
pph21/setup.sh | 3 ++
traefik/docker-compose.yml | 3 ++
7 files changed, 94 insertions(+), 25 deletions(-)
delete mode 100644 bagetter/CaddyFile
create mode 100644 bagetter/Caddyfile
create mode 100644 pph21/docker-compose.yml
create mode 100644 pph21/setup.sh
diff --git a/bagetter/CaddyFile b/bagetter/CaddyFile
deleted file mode 100644
index e78af2c..0000000
--- a/bagetter/CaddyFile
+++ /dev/null
@@ -1,23 +0,0 @@
-nuget.teknologiumum.com {
- reverse_proxy 127.0.0.1:5000 {
- transport http {
- read_buffer 16KiB
- write_buffer 16KiB
- compression off
- }
- }
-
- header {
- Server "Teknologi Umum"
- Permissions-Policy interest-cohort=()
- ?Strict-Transport-Security "max-age=604800; includeSubDomains"
- ?X-Content-Type-Options nosniff
- ?X-Frame-Options DENY
- ?Referrer-Policy no-referrer-when-downgrade
- ?Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'self' blob:; manifest-src 'self'; media-src 'self' data: blob: about:; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; connect-src 'self'; worker-src blob:;"
- ?Vary Origin
- ?X-XSS-Protection "1; mode=block"
- }
-
- tls opensource@teknologiumum.com
-}
\ No newline at end of file
diff --git a/bagetter/Caddyfile b/bagetter/Caddyfile
new file mode 100644
index 0000000..cd18695
--- /dev/null
+++ b/bagetter/Caddyfile
@@ -0,0 +1,23 @@
+nuget.teknologiumum.com {
+ reverse_proxy 127.0.0.1:5000 {
+ transport http {
+ read_buffer 16KiB
+ write_buffer 16KiB
+ compression off
+ }
+ }
+
+ header {
+ Server "Teknologi Umum"
+ Permissions-Policy interest-cohort=()
+ ?Strict-Transport-Security "max-age=604800; includeSubDomains"
+ ?X-Content-Type-Options nosniff
+ ?X-Frame-Options DENY
+ ?Referrer-Policy no-referrer-when-downgrade
+ ?Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'self' blob:; manifest-src 'self'; media-src 'self' data: blob: about:; style-src 'self' 'unsafe-inline'; base-uri 'none'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; connect-src 'self'; worker-src blob:;"
+ ?Vary Origin
+ ?X-XSS-Protection "1; mode=block"
+ }
+
+ tls opensource@teknologiumum.com
+}
diff --git a/bagetter/docker-compose.yml b/bagetter/docker-compose.yml
index a79ed2c..0f99425 100644
--- a/bagetter/docker-compose.yml
+++ b/bagetter/docker-compose.yml
@@ -29,4 +29,4 @@ services:
 volumes:
 bagetter-storage:
- external: true
\ No newline at end of file
+ external: true
diff --git a/bagetter/setup.sh b/bagetter/setup.sh
index f737bb9..5ad6420 100644
--- a/bagetter/setup.sh
+++ b/bagetter/setup.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
-docker volume create bagetter-storage
\ No newline at end of file
+docker volume create bagetter-storage
diff --git a/pph21/docker-compose.yml b/pph21/docker-compose.yml
new file mode 100644
index 0000000..ae019c2
--- /dev/null
+++ b/pph21/docker-compose.yml
@@ -0,0 +1,63 @@
+services:
+ pph21:
+ image: ghcr.io/teknologi-umum/pph21:edge
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=pph21"
+ - "traefik.http.routers.pph21.entrypoints=web,websecure"
+ - "traefik.http.routers.pph21.rule=Host(`pph21.teknologiumum.com`)"
+ - "traefik.http.routers.pph21.tls.certresolver=tlsresolver"
+ - "traefik.http.routers.pph21.middlewares=pph21-header,pph21-rate,pph21-redirectscheme"
+ - "traefik.http.services.pph21.loadbalancer.server.port=3000"
+ - "traefik.http.services.pph21.loadbalancer.server.scheme=http"
+ - "traefik.http.services.pph21.loadbalancer.healthcheck.interval=30s"
+ - "traefik.http.services.pph21.loadbalancer.healthcheck.path=/"
+ - "traefik.http.middlewares.pph21-rate.ratelimit.average=200"
+ - "traefik.http.middlewares.pph21-rate.ratelimit.burst=100"
+ - "traefik.http.middlewares.pph21-rate.ratelimit.period=1s"
+ - "traefik.http.middlewares.pph21-header.headers.addvaryheader=true"
+ - "traefik.http.middlewares.pph21-header.headers.frameDeny=true"
+ - "traefik.http.middlewares.pph21-header.headers.browserxssfilter=true"
+ - "traefik.http.middlewares.pph21-header.headers.stsSeconds=604800"
+ - "traefik.http.middlewares.pph21-header.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.pph21-header.headers.browserXssFilter=true"
+ - "traefik.http.middlewares.pph21-header.headers.contentTypeNosniff=true"
+ - "traefik.http.middlewares.pph21-header.headers.customResponseHeaders.server=Teknologi Umum"
+ - "traefik.http.middlewares.pph21-redirectscheme.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.pph21-redirectscheme.redirectscheme.permanent=true"
+ - "com.centurylinklabs.watchtower.enable=true"
+ platform: linux/amd64
+ healthcheck:
+ test: curl -f http://localhost:3000/ || exit 1
+ interval: 15s
+ timeout: 10s
+ retries: 5
+ deploy:
+ mode: replicated
+ replicas: 1
+ restart_policy:
+ condition: unless-stopped
+ delay: 30s
+ window: 120s
+ resources:
+ limits:
+ memory: 500MB
+ cpus: '1'
+ reservations:
+ memory: 10M
+ cpus: '0.05'
+ networks:
+ - pph21
+ logging:
+ driver: json-file
+ options:
+ max-size: 10M
+ max-file: 1
+
+networks:
+ pph21:
+ driver: bridge
+ external: true
+ ipam:
+ config:
+ - subnet: 172.16.20.16/28
diff --git a/pph21/setup.sh b/pph21/setup.sh
new file mode 100644
index 0000000..a95ac65
--- /dev/null
+++ b/pph21/setup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker network create --subnet=172.16.20.16/28 pph21
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
index bf32899..f5fd889 100644
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -83,6 +83,7 @@ services:
 - conference
 - gold
 - monitoring
+ - pph21
 networks:
 pesto:
@@ -126,3 +127,5 @@ networks:
 external: true
 monitoring:
 external: true
+ pph21:
+ external: true
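Review bot: In pph21/docker-compose.yml, `image: ghcr.io/teknologi-umum/pph21:edge` together with the `com.centurylinklabs.watchtower.enable=true` label means that, if Watchtower on this host honours the label, whatever is pushed to the mutable `edge` tag is pulled and started behind the public `pph21.teknologiumum.com` router with no review step. Pinning a release tag or digest, e.g. `image: ghcr.io/teknologi-umum/pph21:<release-tag>`, keeps the running image a deliberate choice. The `pph21-header` middleware also sets no `contentSecurityPolicy` or `referrerPolicy`, both of which bagetter/Caddyfile in this same commit sends, and it lists `browserxssfilter=true` twice under different casing. Separately, `condition: unless-stopped` is not a value `deploy.restart_policy` accepts (`none`, `on-failure`, `any`), and `driver`/`ipam` under a network marked `external: true` are ignored or rejected depending on the Compose version, so `condition: any` and dropping those keys would match what pph21/setup.sh already creates.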
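Review bot: pph21/setup.sh cannot be re-run safely: unlike `docker volume create` in bagetter/setup.sh, `docker network create` exits with an error when the `pph21` network already exists. Guarding the call, `docker network inspect pph21 >/dev/null 2>&1 || docker network create --subnet=172.16.20.16/28 pph21`, and adding `set -euo pipefail` under the shebang would make the script idempotent and let a genuine failure (for example a subnet clash with another stack) stop the setup visibly.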
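Review bot: Declaring `pph21:` with `external: true` in traefik/docker-compose.yml makes the proxy's start depend on a network that only pph21/setup.sh creates; Compose refuses to start a service whose external network is missing, which here would affect routing for every site behind Traefik, not just pph21. A comment next to the new entry such as `# created by pph21/setup.sh; run it before recreating traefik` would record the ordering. The `networks:` list of the traefik service begins above the first hunk, so the full set of attached networks is not visible here.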