WIP

.woodpecker/.documentation.yml

@@ -44,5 +44,5 @@ steps:
   "publish:documentation":
     image: alpine/crane # because the official crane image is not compatible with woodpecker (no /bin/sh)
     commands:
-      - crane push --insecure image.tar "container.192.168.1.151.nip.io:8543/${CI_REPO_OWNER}/${CI_REPO_NAME}"
+      - crane push --insecure image.tar "container.demo.rattermeyer.de/${CI_REPO_OWNER}/${CI_REPO_NAME}"
     directory: documentation

build.gradle.kts

@@ -1,4 +1,7 @@
-plugins { id("com.diffplug.spotless") version "6.22.0" }
+plugins {
+  id("com.diffplug.spotless") version "6.22.0"
+  id("maven-publish")
+}
 
 repositories { mavenCentral() }
 

buildSrc/src/main/kotlin/com.opitzconsulting.demo.ci.java-common-conventions.gradle.kts

@@ -10,7 +10,9 @@ plugins {
 
 repositories {
   // Use Maven Central for resolving dependencies.
-  mavenCentral()
+   maven {
+        url = uri("https://mvn.demo.rattermeyer.de/releases")
+    }
 }
 
 dependencies {

documentation/Dockerfile

@@ -1,6 +1,6 @@
 FROM nginx:1.25.3-alpine
 
-RUN mkdir /docroot \
+RUN mkdir -p /docroot /var/run \
  && chgrp -R 0 /etc/nginx \
  && chmod -R g+rwX /etc/nginx \
 # support running as arbitrary user which belongs to the root group \

documentation/README.adoc

@@ -1 +1 @@
-test2
+test4

infrastructure/.env

@@ -0,0 +1,45 @@
+# base domain
+BASE_DOMAIN=rattermeyer.de
+
+# Traefik server host
+TRAEFIK_HOST=traefik.demo.${BASE_DOMAIN}
+TRAEFIK_LETSENCRYPT_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
+TRAEFIK_LETSENCRYPT_EMAIL=richard.attermeyer@gmail.com
+
+
+MAIL_HOST=mail.demo.${BASE_DOMAIN}
+
+# forgejo server address
+FORGEJO_HOST=git.demo.${BASE_DOMAIN}
+FORGEJO_URL=https://${FORGEJO_HOST}
+
+# Woodpecker server host
+WOODPECKER_HOST=ci.demo.${BASE_DOMAIN}
+# Woodpecker server address
+WOODPECKER_URL=https://${WOODPECKER_HOST}
+
+# Shared secret used by server and agents to authenticate communication (can be generated by 'openssl rand -hex 32')
+WOODPECKER_AGENT_SECRET=CHANGE_ME
+# Comma-separated list of admin accounts
+#WOODPECKER_ADMIN=CHANGE_ME
+WOODPECKER_ADMIN=fjadmin
+
+WOODPECKER_FORGEJO_URL=${FORGEJO_URL}
+WOODPECKER_FORGEJO_CLIENT=b81129fc-6e15-4142-9492-e6172840f35b
+WOODPECKER_FORGEJO_SECRET=gto_xs5t7in6nws3okf75nqfukachuevda7rgw6s6hxlz4vq7pcdndha
+
+# Renovate
+RENOVATE_TOKEN=CHANGE_ME
+
+# Registry
+REGISTRY_HOST=container.demo.${BASE_DOMAIN}
+REGISTRY_UI_HOST=container-ui.demo.${BASE_DOMAIN}
+
+REPOSILITE_HOST=mvn.demo.${BASE_DOMAIN}
+REPOSILITE_UI_HOST=mvn-ui.demo.${BASE_DOMAIN}
+REPOSILITE_JAVA_COMPOSE_OPTS=
+REPOSILITE_MEMORY=256M
+REPOSILITE_COMPOSE_OPTS="--token admin:changeme"
+REPOSILITE_PORT=8080
+
+VERDACCIO_HOST=npm.demo.${BASE_DOMAIN}

infrastructure/README.adoc

@@ -9,9 +9,15 @@ Lets say it is `192.168.1.151` then the URLs for accessing the services are:
 |===
 |Service | URL | User / Pwd
 
-| git | https://git.192.168.1.151.nip.io:8543[] |
+| Traefik Dashboard | http://traefik.demorattermeyer.de[] |
-| woodpecker | https://ci.192.168.1.151.nip.io:8543[] |
+| git | https://git.demo.rattermeyer.de[] |
-| Traefik Dashboard | http://traefik.192.168.1.151.nip.io:8181[] |
+| woodpecker | https://ci.demo.rattermeyer.de[] |
+| mvn ui | https://mvn-ui.demo.rattermeyer.de[] |
+| mvn (repo) | http://mvn.rattermeyer.de[] |
+| Mail | https://mail.demo.rattermeyer.de[] |
+| Docker Registry | https://container.demo.rattermeyer.de[] |
+| Docker Registry UI | https://container-ui.demo.rattermeyer.de[] |
+| NPM Registry / proxy | https://npm.demo.rattermeyer.de[] |
 |===
 
 First start forgejo using:
@@ -20,17 +26,17 @@ First start forgejo using:
 
 And then register an (admin) user in forgejo.
 
-E.g., fjadmin / admin123 / fjadmin@localhost.de
+E.g., fjadmin / admin123 / fjadmin@rattermeyer.de
 
 Setup > Applications > oauth2 apps
 
-woodpecker / https://ci.192.168.1.151.nip.io:8543/authorize
+woodpecker / https://ci.demo.rattermeyer.de/authorize
 
 note client-id and client-secret and enter this in .env for.
 
 Now you can start everything using `docker compose up -d`.
 
-== Chaning IP
+== Changing IP
 
 If the IP address of your computer changes, you have to update some configuration.
 
@@ -42,7 +48,7 @@ If the IP address of your computer changes, you have to update some configuratio
 
 == Check access to woodpecker
 
-Access https://ci.192.168.1.151.nip.io:8543 and try to login.
+Access https://ci.demo.rattermeyer.de and try to login.
 
 
 == Create and push a repository
@@ -55,7 +61,7 @@ You need to disable ssl verification for this remote in your local git directory
 
 Then add the repository
 
-git remote add origin https://git.192.168.1.151.nip.io:8543/fjadmin/ci-demo-2.git
+git remote add origin https://git.demo.rattermeyer.de:8543/fjadmin/ci-demo-2.git
 
 and push it
 

infrastructure/compose.yaml

@@ -0,0 +1,278 @@
+---
+version: "3.7"
+
+networks:
+  woodpecker:
+  forgejo:
+  sonarqube:
+  proxy:
+    driver: bridge
+
+
+volumes:
+  forgejo:
+  postgres:
+  woodpecker:
+  traefik_config:
+  traefik_certs:
+  traefik_logs:
+  traefik_acme:
+  registry:
+  artifacts_data:
+  verdaccio_data:
+  verdaccio_config:
+  verdaccio_plugins:
+  sonarqube_data:
+  sonarqube_logs:
+
+services:
+  traefik:
+    image: traefik:v2.10.5
+    container_name: traefik
+    restart: always
+    # using network mode host allows traefik access to all "docker networks"
+    # otherwise traefik needs to be part of any network defined
+    network_mode: host
+    command:
+      - "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt.acme.email=richard.attermeyer@gmail.com"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
+      - "traefik_certs:/etc/certs"
+      - "traefik_logs:/var/log/traefik"
+      - "traefik_acme:/etc/acme"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.dashboard.entrypoints=https"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.local-ipwhitelist.ipwhitelist.sourcerange=${TRAEIFK_LOCALIP_WHITELIST}"
+
+  smtp:
+    image: "maildev/maildev:2.1.0"
+    networks:
+      - proxy
+    ports:
+      - "1025:1025"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.mail.rule=Host(`${MAIL_HOST}`)"
+      - "traefik.http.routers.mail.tls=true"
+      - "traefik.http.routers.mail.entrypoints=https"
+      - "traefik.http.services.mail.loadbalancer.server.port=1080"
+
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:1.20
+    container_name: forgejo
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - FORGEJO__database__DB_TYPE=postgres
+      - FORGEJO__database__HOST=db:5432
+      - FORGEJO__database__NAME=forgejo
+      - FORGEJO__database__USER=forgejo_admin
+      - FORGEJO__database__PASSWD=forgejo_admin
+      - FORGEJO__database__SCHEMA=forgejo
+      - FORGEJO__server__ROOT_URL=${FORGEJO_URL}
+      - FORGEJO__webhook__SKIP_TLS_VERIFY=true
+      - FORGEJO__webhook__ALLOWED_HOST_LIST=external,*
+      - FORGEJO__webhook__DELIVER_TIMEOUT=20
+      - FORGEJO__mailer__SMTP_ADDR=smtp
+      - FORGEJO__mailer__SMTP_PORT=1025
+      - FORGEJO__mailer__SMTP_ENABLED=true
+      - FORGEJO__server__LFS_START_SERVER=true
+      - FORGEJO__CRON__ENABLED=true
+      - FORGEJO__service__DISABLE_REGISTRATION=true
+    restart: always
+    ports:
+      - "3000:3000"
+    networks:
+      - forgejo
+      - proxy
+    volumes:
+      - forgejo:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    depends_on:
+      - db
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.forgejo.rule=Host(`${FORGEJO_HOST}`)"
+      - "traefik.http.routers.forgejo.entrypoints=https"
+      - "traefik.http.routers.forgejo.tls=true"
+      - "traefik.http.routers.forgejo.tls.certresolver=letsencrypt"
+      - "traefik.http.services.forgejo.loadbalancer.server.port=3000"
+      - "traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.forgejo-ssh.entrypoints=ssh"
+      - "traefik.tcp.routers.forgejo-ssh.service=gitea-ssh-svc"
+      - "traefik.tcp.services.forgejo-ssh-svc.loadbalancer.server.port=22"
+
+  db:
+    image: postgres:16
+    restart: always
+    environment:
+      - POSTGRES_PASSWORD=changeme
+      - POSTGRESQL_POSTGRES_PASSWORD=changeme
+      - PGPASSWORD=changeme
+      - POSTGRESQL_PASSWORD=changeme
+      - POSTGRESQL_MULTIPLE_DATABASES=forgejo,sonarqube
+    networks:
+      - forgejo
+      - sonarqube
+    volumes:
+      - postgres:/var/lib/postgresql/data
+      - "./postgresql/initdb.d:/docker-entrypoint-initdb.d:Z"
+
+  woodpecker-server:
+    image: woodpeckerci/woodpecker-server:v1.0.5
+    container_name: woodpecker-server
+    restart: unless-stopped
+    cpus: 0.5
+    mem_limit: 512m
+    networks:
+      - woodpecker
+      - proxy
+    environment:
+      - "WOODPECKER_OPEN=true"
+      - "WOODPECKER_HOST=${WOODPECKER_URL}"
+      - "WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}"
+      - "WOODPECKER_ADMIN=${WOODPECKER_ADMIN}"
+      - "WOODPECKER_GITEA=true"
+      - "WOODPECKER_GITEA_URL=${WOODPECKER_FORGEJO_URL}"
+      - "WOODPECKER_GITEA_CLIENT=${WOODPECKER_FORGEJO_CLIENT}"
+      - "WOODPECKER_GITEA_SECRET=${WOODPECKER_FORGEJO_SECRET}"
+      - "WOODPECKER_GITEA_SKIP_VERIFY=true"
+      - "WOODPECKER_LIMIT_MEM=2147483648"
+      - "WOODPECKER_LIMIT_MEM_SWAP=2147483648"
+    volumes:
+      - "woodpecker:/var/lib/woodpecker"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.woodpecker.rule=Host(`${WOODPECKER_HOST}`)"
+      - "traefik.http.routers.woodpecker.tls=true"
+      - "traefik.http.routers.woodpecker.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.woodpecker.entrypoints=https"
+      - "traefik.http.services.woodpecker.loadbalancer.server.port=8000"
+
+  woodpecker-agent:
+    container_name: woodpecker-agent
+    image: woodpeckerci/woodpecker-agent:v1.0.5
+    restart: unless-stopped
+    cpus: 0.5
+    mem_limit: 512m
+    depends_on:
+      - woodpecker-server
+    networks:
+      - woodpecker
+    environment:
+      - "WOODPECKER_SERVER=woodpecker-server:9000"
+      - "WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}"
+      - "WOODPECKER_MAX_WORKFLOWS=2"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+
+  registry:
+    image: registry:2
+    container_name: registry
+    networks:
+      - proxy
+    environment:
+      - REGISTRY_STORAGE_DELETE_ENABLED=true
+    volumes:
+      - registry:/var/lib/registry
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.registry.rule=Host(`${REGISTRY_HOST}`)"
+      - "traefik.http.routers.registry.tls=true"
+      - "traefik.http.routers.registry.middlewares=local-ipwhitelist"
+      - "traefik.http.routers.registry.entrypoints=https"
+      - "traefik.http.services.registry.loadbalancer.server.port=5000"
+  ui:
+    image: joxit/docker-registry-ui:latest
+    environment:
+      - DELETE_IMAGES=true
+      - REGISTRY_TITLE=My Private Docker Registry
+      - NGINX_PROXY_PASS_URL=http://registry:5000
+      - SINGLE_REGISTRY=true
+    depends_on: ['registry']
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.regui.rule=Host(`${REGISTRY_UI_HOST}`)"
+      - "traefik.http.routers.regui.tls=true"
+      - "traefik.http.routers.regui.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.regui.entrypoints=https"
+      - "traefik.http.services.regui.loadbalancer.passhostheader=true"
+  mvn-registry:
+    image: ghcr.io/dzikoysk/reposilite:3.5.0
+    container_name: reposilite
+    deploy:
+      resources:
+        limits:
+          memory: ${REPOSILITE_MEMORY}
+    networks:
+      - proxy
+    volumes:
+      - artifacts_data:/app/data
+    stdin_open: true
+    environment:
+      - JAVA_OPTS=-Xmx${REPOSILITE_MEMORY} ${REPOSILITE_JAVA_COMPOSE_OPTS}
+      - REPOSILITE_OPTS=--port ${REPOSILITE_PORT} ${REPOSILITE_COMPOSE_OPTS}
+    tty: true
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.mvn.rule=Host(`${REPOSILITE_HOST}`)"
+      - "traefik.http.routers.mvn.tls=true"
+      - "traefik.http.routers.mvn.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.mvn.entrypoints=https"
+
+  verdaccio:
+    image: verdaccio/verdaccio:5
+    container_name: verdaccio
+    volumes:
+      - verdaccio_data:/verdaccio/storage
+      - verdaccio_config:/verdaccio/conf
+      - verdaccio_plugins:/verdaccio/plugins
+    ports:
+      - "4873:4873"
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.npm.rule=Host(`${VERDACCIO_HOST}`)"
+      - "traefik.http.routers.npm.entrypoints=http"
+      - "traefik.http.services.npm.loadbalancer.server.port=4873"
+
+  sonarqube:
+    image: demo/sonarqube:9.9-custom
+    build:
+      context: ./sonarqube
+    volumes:
+      - 'sonarqube_data:/opt/sonarqube/data'
+      - 'sonarqube_logs:/opt/sonarqube/logs'
+    depends_on:
+      - db
+    networks:
+      - sonarqube
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonarqube
+      - SONAR_JDBC_USERNAME=sonarqube_admin
+      - SONAR_JDBC_PASSWORD=sonarqube_admin
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.sonarqube.rule=Host(`${SONARQUBE_HOST}`)"
+      - "traefik.http.routers.sonarqube.tls=true"
+      - "traefik.http.routers.sonarqube.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.sonarqube.entrypoints=https"
+  #
+  # watchtower:
+  #  image: containrrr/watchtower:latest
+  #  volumes:
+  #    - /var/run/docker.sock:/var/run/docker.sock

infrastructure/docker-compose.yml.bak

@@ -15,6 +15,7 @@ volumes:
   traefik_config:
   traefik_certs:
   traefik_logs:
+  traefik_acme:
   registry:
   artifacts_data:
   verdaccio_data:
@@ -23,39 +24,43 @@ volumes:
 
 services:
   traefik:
-    image: traefik:latest
+    image: traefik:v2.10.5
     container_name: traefik
     restart: always
-    ports:
+    # using network mode host allows traefik access to all "docker networks"
-      # The HTTP port
+    # otherwise traefik needs to be part of any network defined
-      - "8380:80"
+    network_mode: host
-      # The HTTPS port
+    command:
-      - "8543:443"
+      - "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
-      # SSH port
+      - "--certificatesresolvers.letsencrypt.acme.email=richard.attermeyer@gmail.com"
-      - "2222:222/tcp"
-      # The Web UI (enabled by '--api.dashboard=true' and '--api.insecure=true')
-      - "8181:8080"
-    networks:
-      - proxy
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
       - "traefik_certs:/etc/certs"
       - "traefik_logs:/var/log/traefik"
+      - "traefik_acme:/etc/acme"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_HOST}`)"
       - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
       - "traefik.http.routers.dashboard.entrypoints=https"
+      - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.local-ipwhitelist.ipwhitelist.sourcerange=${TRAEIFK_LOCALIP_WHITELIST}"
 
   smtp:
     image: "maildev/maildev:2.1.0"
     networks:
       - proxy
     ports:
-      - "1080:1080"
       - "1025:1025"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.mail.rule=Host(`${MAIL_HOST}`)"
+      - "traefik.http.routers.mail.tls=true"
+      - "traefik.http.routers.mail.entrypoints=https"
+      - "traefik.http.services.mail.loadbalancer.server.port=1080"
 
   forgejo:
     image: codeberg.org/forgejo/forgejo:1.20
@@ -68,12 +73,19 @@ services:
       - FORGEJO__database__NAME=forgejo
       - FORGEJO__database__USER=forgejo
       - FORGEJO__database__PASSWD=forgejo
+      - FORGEJO__server__ROOT_URL=${FORGEJO_URL}
       - FORGEJO__webhook__SKIP_TLS_VERIFY=true
       - FORGEJO__webhook__ALLOWED_HOST_LIST=external,*
       - FORGEJO__webhook__DELIVER_TIMEOUT=20
       - FORGEJO__mailer__SMTP_ADDR=smtp
       - FORGEJO__mailer__SMTP_PORT=1025
+      - FORGEJO__mailer__SMTP_ENABLED=true
+      - FORGEJO__server__LFS_START_SERVER=true
+      - FORGEJO__CRON__ENABLED=true
+      - FORGEJO__service__DISABLE_REGISTRATION=true
     restart: always
+    ports:
+      - "3000:3000"
     networks:
       - forgejo
       - proxy
@@ -88,6 +100,7 @@ services:
       - "traefik.http.routers.forgejo.rule=Host(`${FORGEJO_HOST}`)"
       - "traefik.http.routers.forgejo.entrypoints=https"
       - "traefik.http.routers.forgejo.tls=true"
+      - "traefik.http.routers.forgejo.tls.certresolver=letsencrypt"
       - "traefik.http.services.forgejo.loadbalancer.server.port=3000"
       - "traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)"
       - "traefik.tcp.routers.forgejo-ssh.entrypoints=ssh"
@@ -133,6 +146,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.woodpecker.rule=Host(`${WOODPECKER_HOST}`)"
       - "traefik.http.routers.woodpecker.tls=true"
+      - "traefik.http.routers.woodpecker.tls.certresolver=letsencrypt"
       - "traefik.http.routers.woodpecker.entrypoints=https"
       - "traefik.http.services.woodpecker.loadbalancer.server.port=8000"
 
@@ -166,7 +180,8 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.registry.rule=Host(`${REGISTRY_HOST}`)"
       - "traefik.http.routers.registry.tls=true"
-      - "traefik.http.routers.registry.entrypoints=https,http"
+      - "traefik.http.routers.registry.middlewares=local-ipwhitelist"
+      - "traefik.http.routers.registry.entrypoints=https"
       - "traefik.http.services.registry.loadbalancer.server.port=5000"
   ui:
     image: joxit/docker-registry-ui:latest
@@ -182,11 +197,12 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.regui.rule=Host(`${REGISTRY_UI_HOST}`)"
       - "traefik.http.routers.regui.tls=true"
+      - "traefik.http.routers.regui.tls.certresolver=letsencrypt"
       - "traefik.http.routers.regui.entrypoints=https"
       - "traefik.http.services.regui.loadbalancer.passhostheader=true"
   mvn-registry:
-    image: ghcr.io/dzikoysk/reposilite:3.4.10
+    image: ghcr.io/dzikoysk/reposilite:3.5.0
-    container_name: mvn-registry
+    container_name: reposilite
     deploy:
       resources:
         limits:
@@ -202,9 +218,11 @@ services:
     tty: true
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.artifacts.rule=Host(`${ARTIFACTS_HOST}`)"
+      - "traefik.http.routers.mvn.rule=Host(`${REPOSILITE_HOST}`)"
-      - "traefik.http.routers.artifacts.entrypoints=http"
+      - "traefik.http.routers.mvn.tls=true"
-      - "traefik.http.services.artifacts.loadbalancer.server.port=8080"
+      - "traefik.http.routers.mvn.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.mvn.entrypoints=https"
+
   verdaccio:
     image: verdaccio/verdaccio:5
     container_name: verdaccio
@@ -217,9 +235,10 @@ services:
     networks:
       - proxy
     labels:
-      - "traefik.http.routers.artifacts.rule=Host(`${VERDACCIO_HOST}`)"
+      - "traefik.enable=true"
-      - "traefik.http.routers.artifacts.entrypoints=http"
+      - "traefik.http.routers.npm.rule=Host(`${VERDACCIO_HOST}`)"
-      - "traefik.http.services.artifacts.loadbalancer.server.port=4873"
+      - "traefik.http.routers.npm.entrypoints=http"
+      - "traefik.http.services.npm.loadbalancer.server.port=4873"
   #
   #watchtower:
   # image: containrrr/watchtower:latest

infrastructure/postgresql/initdb.d/0010_create_multiple_databases.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+set -u
+
+function create_user_and_database() {
+	local database=$1
+	echo "  Creating user and database '$database'"
+	psql -v ON_ERROR_STOP=1 --username postgres <<EOSQL
+	    CREATE USER $database PASSWORD '$database';
+	    CREATE USER ${database}_admin WITH PASSWORD '${database}_admin';
+	    ALTER USER ${database}_admin WITH CREATEROLE;
+	    CREATE DATABASE $database;
+      ALTER DATABASE $database OWNER TO ${database}_admin
+EOSQL
+
+  psql -v ON_ERROR_STOP=1 --username postgres -d "$database" <<EOSQL
+      CREATE SCHEMA ${database};
+      ALTER SCHEMA ${database} OWNER TO ${database}_admin;
+      GRANT USAGE ON SCHEMA ${database} TO ${database};
+
+      GRANT ALL ON SCHEMA ${database} TO ${database}_admin;
+
+      GRANT select,insert,update,delete ON ALL TABLES IN SCHEMA ${database} TO ${database};
+      ALTER DEFAULT PRIVILEGES FOR USER ${database}_admin IN SCHEMA ${database} GRANT select,insert,update,delete ON TABLES TO ${database};
+
+      GRANT select,usage ON ALL SEQUENCES IN SCHEMA ${database} to ${database};
+      ALTER DEFAULT PRIVILEGES FOR USER ${database}_admin IN SCHEMA ${database} GRANT select,usage ON SEQUENCES TO ${database};
+
+      GRANT execute ON ALL FUNCTIONS IN SCHEMA ${database} to ${database};
+      ALTER DEFAULT PRIVILEGES FOR user ${database}_admin IN SCHEMA ${database} GRANT execute ON FUNCTIONS TO ${database};
+      ALTER DEFAULT PRIVILEGES FOR user ${database}_admin IN SCHEMA ${database} GRANT execute ON FUNCTIONS TO ${database};
+
+      -- extensions must be created by superuser
+      -- therefore we cannot create them as part of the application setup process
+      CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA ${database};
+      CREATE EXTENSION IF NOT EXISTS "uuid-ossp" WITH SCHEMA ${database};
+
+EOSQL
+}
+
+if [ -n "$POSTGRESQL_MULTIPLE_DATABASES" ]; then
+	echo "Multiple database creation requested: $POSTGRESQL_MULTIPLE_DATABASES"
+	for db in $(echo "$POSTGRESQL_MULTIPLE_DATABASES" | tr ',' ' '); do
+		create_user_and_database "$db"
+	done
+	echo "Multiple databases created"
+fi

infrastructure/sonarqube/Dockerfile

@@ -0,0 +1,6 @@
+FROM sonarqube:9.9-community
+ARG COMMUNITY_BRANCH_VERSION=1.14.0
+ENV COMMUNITY_BRANCH_URL=https://github.com/mc1arke/sonarqube-community-branch-plugin/releases/download/${COMMUNITY_BRANCH_VERSION}/sonarqube-community-branch-plugin-${COMMUNITY_BRANCH_VERSION}.jar
+WORKDIR ${SONARQUBE_HOME}/extensions
+RUN wget ${COMMUNITY_BRANCH_URL}
+WORKDIR ${SONARQUBE_HOME}

infrastructure/traefik/traefik.yml

@@ -4,11 +4,9 @@ global:
 
 api:
   dashboard: true
-  insecure: true
 
 log:
-  level: INFO
+  level: DEBUG
-  filePath: /var/log/traefik/traefik.log
 
 accessLog:
   filePath: /var/log/traefik/access.log
@@ -18,17 +16,22 @@ providers:
   docker:
     watch: true
     exposedByDefault: false
-    network: forgejo_proxy
+    network: proxy
 
 entryPoints:
   http:
     address: ":80"
-    http:
-      redirections:
-        entrypoint:
-          to: https
-          scheme: https
   https:
     address: ":443"
   ssh:
-    address: ":222"
+    address: ":2222"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "richard.attermeyer@gmail.com"
+#     for Testing purposes
+#      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      storage: "/etc/acme/acme.json"
+      httpChallenge:
+        entrypoint: http

infrastructure/verdaccio/config.yaml

@@ -0,0 +1,16 @@
+---
+storage: ./storage
+auth:
+  htpasswd:
+    file: ./htpasswd
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+packages:
+  '@*/*':
+    access: $all
+    publish: $authenticated
+    proxy: npmjs
+  '**':
+    proxy: npmjs
+log: {type: stdout, format: pretty, level: http}

utilities/build.gradle.kts

@@ -2,6 +2,42 @@
  * This file was generated by the Gradle 'init' task.
  */
 
-plugins { id("com.opitzconsulting.demo.ci.java-library-conventions") }
+plugins {
+    id("com.opitzconsulting.demo.ci.java-library-conventions")
+    `maven-publish`
+    id("org.springframework.boot") version "3.2.0"
+  id("io.spring.dependency-management") version "1.1.4"
+}
 
-dependencies { api(project(":list")) }
+repositories {
+    maven {
+        url = uri("https://mvn.demo.rattermeyer.de")
+    }
+}
+
+publishing {
+    repositories {
+        maven {
+            name = "mvnRepository"
+            url = uri("https://mvn.demo.rattermeyer.de/releases")
+            isAllowInsecureProtocol = true
+            credentials(PasswordCredentials::class)
+            authentication {
+                create<BasicAuthentication>("basic")
+            }
+        }
+    }
+    publications {
+        create<MavenPublication>("maven") {
+            groupId = "com.example"
+            artifactId = "utils-library"
+            version = "1.0.0"
+            from(components["java"])
+        }
+    }
+}
+
+
+dependencies {
+    implementation("org.springframework.boot:spring-boot-starter")
+    api(project(":list")) }