Micha
813d3bd303
Codex applied the ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24) to the Komodo router live in the inline-managed self-stack; public now returns 403. Mirror the labels in ops/komodo/docker-compose.yml for parity (not auto-deployed), record the decision in docs/DECISIONS.md, and update docs/AUTH_MATRIX.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
127 lines
5.8 KiB
YAML
127 lines
5.8 KiB
YAML
services:
|
||
# ──────────────────────────────────────────────────────────────────
|
||
# MongoDB – Datenbank fuer Komodo Core
|
||
# Netz: komodo_net (internal: true) – niemals frontend_net
|
||
# ACHTUNG: Dieser Stack wird NICHT aus diesem Repo deployed. Der komodo-Stack
|
||
# ist in Komodo inline (file_contents) verwaltet (Bootstrap-/Self-Stack).
|
||
# Diese Datei ist nur Doku/Spiegel; Aenderungen hier wirken NICHT zur Laufzeit.
|
||
# ops/komodo/** ist in renovate.json ignorePaths. Siehe docs/RENOVATE.md.
|
||
# Digest = aktuell real laufender Stand (kein Renovate-Auto-Update).
|
||
# ──────────────────────────────────────────────────────────────────
|
||
komodo-mongo:
|
||
image: mongo:8.0.23@sha256:44aa79ae28ff80b56fe58681b66cda9336706df408a5175a6c04988aa54610d3
|
||
container_name: komodo-mongo
|
||
labels:
|
||
komodo.skip:
|
||
restart: unless-stopped
|
||
command: --quiet
|
||
volumes:
|
||
- /mnt/user/appdata/komodo/mongo:/data/db
|
||
- /mnt/user/appdata/secrets/komodo_mongo_password.txt:/run/secrets/mongo_password:ro
|
||
networks:
|
||
- komodo_net
|
||
environment:
|
||
- MONGO_INITDB_ROOT_USERNAME=komodo
|
||
- MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
|
||
healthcheck:
|
||
test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
|
||
interval: 10s
|
||
timeout: 5s
|
||
retries: 5
|
||
start_period: 30s
|
||
security_opt:
|
||
- no-new-privileges:true
|
||
|
||
# ──────────────────────────────────────────────────────────────────
|
||
# Komodo Core – Management-UI (Portainer-Ersatz)
|
||
# Netz: frontend_net (Traefik) + komodo_net (MongoDB/Periphery)
|
||
# Admin-Dienst: bewusst ohne pauschale ForwardAuth-Middleware; dokumentierte Ausnahme
|
||
# ──────────────────────────────────────────────────────────────────
|
||
komodo-core:
|
||
image: ghcr.io/moghtech/komodo-core:2@sha256:7afbcfa99674bf3f51539ec3aa7235795e9b994af9b7099a6c4c654d5d8a5b6b
|
||
container_name: komodo-core
|
||
init: true
|
||
restart: unless-stopped
|
||
depends_on:
|
||
komodo-mongo:
|
||
condition: service_healthy
|
||
volumes:
|
||
- komodo_keys:/config/keys
|
||
- /mnt/user/appdata/komodo/core:/repo-cache
|
||
networks:
|
||
- komodo_net
|
||
- frontend_net
|
||
extra_hosts:
|
||
- "git.kaleschke.info:192.168.178.58"
|
||
environment:
|
||
- TZ=Europe/Berlin
|
||
- KOMODO_HOST=https://komodo.kaleschke.info
|
||
- KOMODO_TITLE=Kallilabcore
|
||
- KOMODO_SECRET_KEY=${KOMODO_SECRET_KEY}
|
||
- KOMODO_WEBHOOK_SECRET=${KOMODO_WEBHOOK_SECRET}
|
||
- KOMODO_PASSKEY=${KOMODO_PERIPHERY_PASSKEY}
|
||
- KOMODO_DATABASE_ADDRESS=komodo-mongo:27017
|
||
- KOMODO_DATABASE_USERNAME=komodo
|
||
- KOMODO_DATABASE_PASSWORD=${KOMODO_MONGO_PASSWORD}
|
||
- KOMODO_LOG_LEVEL=info
|
||
- KOMODO_LOCAL_AUTH=true
|
||
- KOMODO_JWT_SECRET=${KOMODO_JWT_SECRET}
|
||
labels:
|
||
- traefik.enable=true
|
||
- traefik.docker.network=frontend_net
|
||
- traefik.http.routers.komodo.rule=Host(`komodo.kaleschke.info`)
|
||
- traefik.http.routers.komodo.entrypoints=websecure
|
||
- traefik.http.routers.komodo.tls=true
|
||
- traefik.http.routers.komodo.tls.certresolver=le
|
||
- traefik.http.services.komodo.loadbalancer.server.port=9120
|
||
# Audit 2026-06-23 (P1): Komodo war public mit 200 erreichbar + RW-Docker-Socket-Kette.
|
||
# IP-Allowlist begrenzt den GANZEN Router auf Tailnet + LAN (public -> 403). KEINE ForwardAuth
|
||
# (Webhooks/Periphery laufen intern ueber komodo-core:9120, nicht ueber Traefik).
|
||
# ACHTUNG: Self-Stack ist inline in Komodo verwaltet -> diese Labels muessen in der Komodo-UI
|
||
# am Inline-Compose gesetzt werden; diese Datei ist nur Spiegel.
|
||
- traefik.http.routers.komodo.middlewares=komodo-allowlist@docker
|
||
- traefik.http.middlewares.komodo-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24
|
||
|
||
security_opt:
|
||
- no-new-privileges:true
|
||
|
||
# ──────────────────────────────────────────────────────────────────
|
||
# Komodo Periphery – Docker-Agent auf Kallilabcore
|
||
# Netz: komodo_net (Core) + frontend_net (Git-Zugriff auf internes Gitea), kein Traefik noetig
|
||
# Ausnahme: Docker-Socket ohne :ro (Periphery startet/stoppt Container)
|
||
# ──────────────────────────────────────────────────────────────────
|
||
komodo-periphery:
|
||
image: ghcr.io/moghtech/komodo-periphery:2@sha256:7fb1a4807d125ce036a17d37c940b4001402afcaf342a2c720c98d096b1b54da
|
||
container_name: komodo-periphery
|
||
init: true
|
||
restart: unless-stopped
|
||
volumes:
|
||
- komodo_keys:/config/keys
|
||
- /var/run/docker.sock:/var/run/docker.sock
|
||
- /proc:/proc
|
||
- /mnt/user/appdata/komodo/periphery:/etc/komodo
|
||
- /mnt/user/services:/mnt/user/services
|
||
networks:
|
||
- komodo_net
|
||
- frontend_net
|
||
environment:
|
||
- PERIPHERY_ROOT_DIRECTORY=/mnt/user/services
|
||
- PERIPHERY_PASSKEYS=${KOMODO_PERIPHERY_PASSKEY}
|
||
- PERIPHERY_SSL_ENABLED=false
|
||
- TZ=Europe/Berlin
|
||
extra_hosts:
|
||
- "git.kaleschke.info:192.168.178.58"
|
||
security_opt:
|
||
- no-new-privileges:true
|
||
|
||
networks:
|
||
frontend_net:
|
||
external: true
|
||
komodo_net:
|
||
name: komodo_net
|
||
internal: true
|
||
driver: bridge
|
||
|
||
volumes:
|
||
komodo_keys:
|