Merge branch 'main' of gitea:services/codebase

README.md

@@ -0,0 +1,248 @@
+# 🏗️ Private DevOps Stack — Aetoskia Infrastructure
+
+This repository defines a private, self-hosted DevOps stack running on Raspberry Pi nodes, consisting of:
+
+* **Gitea** for Git hosting
+* **Drone** for CI/CD automation
+* **Docker Registry** with **Registry UI**
+* **Drone Runner** for build execution
+
+---
+
+## 🧬 Services Overview
+
+| Service          | Role                                                 | Port(s)   | Depends On   |
+| ---------------- | ---------------------------------------------------- | --------- | ------------ |
+| **gitea**        | Git server and web UI for repositories               | 6002, 222 | —            |
+| **drone-server** | CI/CD orchestration linked with Gitea                | 6003      | gitea        |
+| **drone-runner** | Executes Drone pipelines on local Docker host        | —         | drone-server |
+| **registry**     | Private Docker registry                              | 6005      | —            |
+| **registry-ui**  | Web UI for browsing and managing the registry images | 6001      | registry     |
+
+---
+
+## ⚙️ Service Details
+
+---
+
+### 🐳 **Registry**
+
+Private Docker registry storing all container images built and deployed across your network.
+
+#### Ports
+
+* **6005 → 5000** — Exposes the registry API to clients.
+
+#### Mounts
+
+* `/home/aetos/registry:/var/lib/registry` — Persistent image storage.
+* `/home/aetos/registry/auth:/auth (ro)` — Authentication credentials.
+* `./registry/config.yml:/etc/docker/registry/config.yml (ro)` — Custom registry configuration.
+
+#### Environment
+
+* **REGISTRY_AUTH:** Enables authentication using `htpasswd`.
+* **REGISTRY_AUTH_HTPASSWD_REALM:** Realm name for authentication.
+* **REGISTRY_AUTH_HTPASSWD_PATH:** Path to the `htpasswd` file.
+
+#### Extra Config Required
+
+1. Generate authentication file:
+
+   ```bash
+   mkdir -p /home/aetos/registry/auth
+   docker run --rm httpd:2.4 htpasswd -Bbn <username> <password> > /home/aetos/registry/auth/htpasswd
+   ```
+2. Set correct permissions:
+
+   ```bash
+   chmod 644 /home/aetos/registry/auth/htpasswd
+   ```
+3. Verify config file (`registry/config.yml`) includes your chosen storage and auth setup.
+
+---
+
+### 🦯 **Registry UI**
+
+Web interface for visualizing and managing images stored in the internal registry.
+
+#### Ports
+
+* **6001 → 80** — Accessible on port 6001 via browser.
+
+#### Mounts
+
+* `/home/aetos/registry/auth:/auth (ro)` — Shared authentication file with the registry.
+
+#### Environment
+
+* **REGISTRY_TITLE:** UI header title.
+* **REGISTRY_URL:** Backend registry endpoint (`https://dcr.aetoskia.com`).
+* **REGISTRY_AUTH:** Enables `htpasswd` login.
+* **REGISTRY_AUTH_HTPASSWD_PATH:** Location of `htpasswd`.
+* **SINGLE_REGISTRY:** Limits UI to a single registry source.
+
+#### Extra Config Required
+
+* Ensure DNS or local `/etc/hosts` includes:
+
+  ```
+  192.168.1.111 dcr.aetoskia.com
+  ```
+* Login using credentials from `/auth/htpasswd`.
+
+---
+
+### 🦉 **Gitea**
+
+Self-hosted Git service used as Drone’s SCM backend and code hosting platform.
+
+#### Ports
+
+* **6002 → 3000** — Web UI.
+* **222 → 22** — Git SSH access.
+
+#### Mounts
+
+* `/home/aetos/gitea:/data` — Persistent Gitea data (repos, users, configs).
+
+#### Environment
+
+* **USER_UID / USER_GID:** Runs Gitea under the specified user/group IDs.
+
+#### Extra Config Required
+
+1. Access Gitea at [https://gitea.aetoskia.com:6002](https://gitea.aetoskia.com:6002).
+2. Log in as the **`aetos`** admin user (repository owner).
+3. Verify Drone OAuth App is registered with:
+
+   ```
+   Application Name: Drone CI
+   Redirect URI: https://drone.aetoskia.com/login
+   ```
+4. Confirm Gitea has these extra host mappings:
+
+   ```
+   192.168.1.111 drone.aetoskia.com
+   ```
+
+---
+
+### 🚀 **Drone Server**
+
+Core CI/CD engine that connects to Gitea and manages build pipelines.
+
+#### Ports
+
+* **6003 → 80** — Drone web UI and API endpoint.
+
+#### Mounts
+
+* `/home/aetos/drone:/data` — Persistent Drone data and SQLite database.
+* `/home/aetos/certs:/usr/local/share/ca-certificates (ro)` — Trusted CA certificates.
+
+#### Environment
+
+* **DRONE_GITEA_CLIENT_ID / SECRET:** OAuth credentials from Gitea.
+* **DRONE_GITEA_SERVER:** Gitea URL (`https://gitea.aetoskia.com`).
+* **DRONE_RPC_SECRET:** Shared secret for secure runner communication.
+* **DRONE_SERVER_HOST / PROTO:** External access configuration.
+
+#### Extra Config Required
+
+1. Register the OAuth app in Gitea → Admin → Applications:
+
+   * Redirect URI: `https://drone.aetoskia.com/login`
+2. Stop Drone and make admin user (if needed):
+
+   ```bash
+   docker stop drone-server
+   sqlite3 /home/aetos/drone/database.sqlite "UPDATE users SET user_admin=1 WHERE user_login='aetos';"
+   docker start drone-server
+   ```
+3. Use admin token for CLI:
+
+   ```bash
+   export DRONE_SERVER=https://drone.aetoskia.com
+   export DRONE_TOKEN=<admin_token>
+   ```
+4. Mark repositories as trusted:
+
+   ```bash
+   drone repo update apps/homepage --trusted=true
+   ```
+
+---
+
+### 🧮 **Drone Runner**
+
+Executes pipeline steps on the Docker host using the Drone RPC secret.
+
+#### Ports
+
+* *(none)* — Internal runner; connects to Drone Server API via HTTPS.
+
+#### Mounts
+
+* `/var/run/docker.sock:/var/run/docker.sock` — Allows pipeline containers to spawn Docker builds.
+
+#### Environment
+
+* **DRONE_RPC_PROTO / HOST / SECRET:** Connects to Drone Server via shared key.
+* **DRONE_RUNNER_CAPACITY:** Number of parallel jobs supported.
+* **DRONE_RUNNER_NAME / OS / ARCH:** Runner identification.
+* **DRONE_LOGS_DEBUG / TRACE:** Enables detailed logging for troubleshooting.
+
+#### Extra Config Required
+
+1. Ensure the RPC secret matches the one defined in `drone-server`.
+2. Validate connectivity:
+
+   ```bash
+   docker logs drone-runner
+   ```
+
+   Look for:
+
+   ```
+   successfully pinged the remote drone server
+   ```
+
+---
+
+## 🧬 Network Integration
+
+Ensure `/etc/hosts` on all relevant devices (Pi nodes, local dev systems) includes:
+
+```
+192.168.1.111 gitea.aetoskia.com
+192.168.1.111 drone.aetoskia.com
+192.168.1.111 dcr.aetoskia.com
+```
+
+---
+
+## 🧠 Tips
+
+* Always start containers with profile `private-pi` to avoid unnecessary public exposure:
+
+  ```bash
+  docker compose --profile private-pi up -d
+  ```
+* Drone and Gitea must both trust the same SSL certificate chain under `/home/aetos/certs`.
+* The `registry-ui` and `drone-runner` depend on hostname resolution between internal services, so avoid using raw IPs in environment variables.
+
+---
+
+## ✅ Quick Test Checklist
+
+| Component        | URL                                                                                    | Expected Result                       |
+| ---------------- | -------------------------------------------------------------------------------------- | ------------------------------------- |
+| **Gitea**        | [https://gitea.aetoskia.com:6002](https://gitea.aetoskia.com:6002)                     | Gitea login page                      |
+| **Drone**        | [https://drone.aetoskia.com:6003](https://drone.aetoskia.com:6003)                     | Drone CI UI linked to Gitea           |
+| **Registry UI**  | [http://localhost:6001](http://localhost:6001)                                         | Authenticated Docker registry browser |
+| **Registry API** | [https://dcr.aetoskia.com:6005/v2/_catalog](https://dcr.aetoskia.com:6005/v2/_catalog) | JSON listing of repositories          |
+
+---
+
+© Aetoskia Internal Infrastructure — All rights reserved.

docker-compose.yaml

@@ -66,6 +66,7 @@ services:
     image: drone/drone-runner-docker:latest
     container_name: drone-runner
     restart: always
+    network_mode: host
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
@@ -78,6 +79,8 @@ services:
       DRONE_RUNNER_ARCH: arm64
       DRONE_LOGS_DEBUG: true
       DRONE_LOGS_TRACE: true
+    extra_hosts:
+      - "private-pi:192.168.1.111"
     profiles:
       - server-pi