

Настройка Homer в Docker Swarm

С ростом количества сервисов в docker и ПУ всяких железок встал вопрос организации своего локального дашборда, чтобы можно было зайти на некую центральную точку и с неё уже быстро перейти в нужный сервис. Этой некой центральной точкой у нас будет Homer.

Docker-compose

nano dashboard.yml
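version: '3.9'

services:
  homer:
    # Consider pinning to a specific release tag; :latest makes upgrades implicit and
    # non-reproducible across redeploys.
    image: b4bz/homer:latest
    volumes:
      # Homer reads config.yml, logos and custom assets from /www/assets.
      # Note: config.yml is served to every client that can reach the dashboard,
      # so keep credentials and internal notes out of it.
      - /docker/conf/homer:/www/assets
    networks:
      - traefik-public
    deploy:
      replicas: 1
      restart_policy:
        condition: any
        delay: 5s
        window: 120s
      update_config:
        parallelism: 1
        monitor: 60s
        failure_action: rollback
        order: start-first
      placement:
        constraints:
          - node.role == worker
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.homer.rule=Host(`homer.example.ru`)"
        - "traefik.http.routers.homer.entrypoints=https"
        - "traefik.http.routers.homer.tls=true"
        # WhitelistHome is declared in Traefik's file provider (config.yml below), so the
        # reference needs the @file suffix; without it Traefik resolves the name in the
        # Docker provider (WhitelistHome@docker). Drop the suffix only if a Docker-label
        # middleware of the same name exists.
        - "traefik.http.routers.homer.middlewares=WhitelistHome@file"
        - "traefik.http.services.homer.loadbalancer.server.port=8080"

networks:
  traefik-public:
    external: true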

Конфигурация

nano /docker/conf/homer/config.yml
---
# Homer dashboard configuration (served from /www/assets/config.yml)

# Page header: both texts left empty, a custom logo is used instead.
title: ''
subtitle: ''
logo: 'logo.png'
# Number of card columns; Homer expects this as a string.
columns: '4'
# Show the online/offline indicator for items with a "Ping" type.
connectivityCheck: true
# icon: 'fas fa-skull-crossbones'  # optional Font Awesome icon instead of a logo

# Hide the default header and footer.
header: false
footer: false
# Example of a custom HTML footer. Replace the `footer: false` line above with it —
# keeping both would produce a duplicate key.
# footer: '<p>Created with <span class="has-text-danger">❤</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>'

# Theme and palette overrides
theme: 'default'
colors:
  light:
    highlight-primary: '#3367d6'
    highlight-secondary: '#4285f4'
    highlight-hover: '#5a95f5'
    background: '#f5f5f5'
    card-background: '#ffffff'
    text: '#363636'
    text-header: '#ffffff'
    text-title: '#303030'
    text-subtitle: '#424242'
    card-shadow: 'rgba(0, 0, 0, 0.1)'
    link: '#3273dc'
    link-hover: '#363636'
  dark:
    highlight-primary: '#3367d6'
    highlight-secondary: '#4285f4'
    highlight-hover: '#5a95f5'
    background: '#131313'
    card-background: '#2b2b2b'
    text: '#eaeaea'
    text-header: '#ffffff'
    text-title: '#fafafa'
    text-subtitle: '#f5f5f5'
    card-shadow: 'rgba(0, 0, 0, 0.4)'
    link: '#3273dc'
    link-hover: '#ffdd57'

# Quick links shown in the navigation bar
links:
  - name: 'daffin'
    icon: 'fab fa-github'
    url: 'https://daffin.ru'
    target: '_blank'  # optional <a target> attribute

# Service groups. Each top-level entry is a group; its "items" are the cards.
# A group without name/icon/tagstyle is rendered without a section separator.
services:
  - name: 'Разработка'
    icon: 'fas fa-cloud'
    items:
      # "type: Ping" makes the dashboard request the URL from the browser,
      # so the target service must answer CORS preflights from the dashboard origin.
      - name: 'Code server'
        type: 'Ping'
        logo: 'assets/png/codeserver.png'
        subtitle: 'IDE VS code'
        tag: 'app'
        url: 'https://vs.example.ru/'
        target: '_blank'
        method: 'head'
      - name: 'GitLab'
        type: 'Ping'
        logo: 'assets/png/gitlab.png'
        subtitle: 'Git репозиторий'
        tag: 'app'
        url: 'https://gitlab.example.ru/'
        target: '_blank'
      - name: 'Registry'
        type: 'Ping'
        logo: 'assets/png/docker-moby.png'
        subtitle: 'Docker репозиторий'
        tag: 'app'
        url: 'https://registry.example.ru/'
        target: '_blank'
      - name: 'Adminer'
        type: 'Ping'
        logo: 'assets/png/adminer.png'
        subtitle: ''
        tag: 'app'
        url: 'https://adminer.example.ru/'
        target: '_blank'
      - name: 'PhpMyAdmin'
        type: 'Ping'
        logo: 'assets/png/phpmyadmin.png'
        subtitle: ''
        tag: 'app'
        url: 'https://pma.example.ru/'
        target: '_blank'
      - name: 'PgAdmin'
        type: 'Ping'
        logo: 'assets/png/pgadmin.png'
        subtitle: ''
        tag: 'app'
        url: 'https://pgadmin.example.ru'
        target: '_blank'

Запуск

docker stack deploy --with-registry-auth -c dashboard.yml dashboard

Решение проблем

Если вы хотите, чтобы отображался индикатор доступности сервиса (зелёный/красный огонёк), который включается строкой "type: Ping", то можно столкнуться с блокировкой запросов к сервисам из-за политики CORS (Cross-origin resource sharing).

Homer CORS

Т.к. у меня используется Traefik, то на его стороне добавил блок параметров CORS:

nano config.yml
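# Traefik dynamic configuration (file provider)
http:
  # No routers are declared here; the Homer and GitLab routers come from Docker labels.
  # An explicit empty map avoids a bare null value.
  routers: {}
  middlewares:
    # Baseline hardening headers for services that opt in via the "secured" chain.
    default-headers:
      headers:
        frameDeny: true
        # headers.sslRedirect is deprecated in Traefik v2; an entrypoint-level
        # HTTP->HTTPS redirection is the supported replacement.
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
        customResponseHeaders:
          # Mask upstream server banners.
          server: Blackbox
          x-powered-by: Blackbox
        referrerPolicy: same-origin
        permissionsPolicy: "geolocation=(self), microphone=(), camera=()"

    # Restricts access to RFC 1918 ranges. Referenced from Docker labels as
    # WhitelistHome@file. (Traefik v3 renames ipWhiteList to ipAllowList.)
    WhitelistHome:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

    # CORS headers so the Homer "Ping" check, which runs in the browser on the
    # dashboard origin, can read the status of the other services.
    CORS:
      headers:
        accessControlAllowMethods:
          - OPTIONS  # was "OPTION", which is not an HTTP method
          - POST
          - GET
          - PUT
          - DELETE
        # With credentials enabled, browsers do not treat "*" in Allow-Headers as a
        # wildcard; list the needed headers explicitly, or set this to false if the
        # dashboard only needs the response status.
        accessControlAllowCredentials: true
        accessControlAllowHeaders:
          - "*"
        # Must be the origin the dashboard is served from, i.e. the Host rule of the
        # homer router in dashboard.yml.
        accessControlAllowOriginList:
          - https://homer.example.ru
        accessControlMaxAge: 100
        addVaryHeader: true
        sslRedirect: true

    secured:
      chain:
        middlewares:
          # default-whitelist is not declared in this file; WhitelistHome is the
          # whitelist defined above — confirm which name is intended, otherwise
          # routers using this chain will not resolve.
          - default-whitelist
          - default-headers

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
        # Go's TLS stack does not allow TLS 1.3 suites to be configured; the two
        # entries below are accepted but have no effect.
        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
      curvePreferences:
        - CurveP521
        - CurveP384
      minVersion: VersionTLS12
      # Reject connections whose SNI does not match a configured certificate.
      sniStrict: true

    mintls13:
      minVersion: VersionTLS13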
Далее приведу пример docker-compose gitlab:

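  gitlab:
    # Consider pinning to a specific release tag; :latest makes upgrades implicit.
    image: gitlab/gitlab-ce:latest
    environment:
      # GITLAB_SKIP_UNMIGRATED_DATA_CHECK: 'true'
      # Omnibus settings are evaluated as Ruby. TLS is terminated by Traefik, so nginx
      # listens on plain HTTP and trusts the forwarded-proto headers.
      # smtp_password is stored in plain text in this stack file: keep the file out of
      # version control, or load the value from a Docker secret / a non-committed env
      # file instead of hard-coding it here.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.ru'
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['proxy_set_headers'] = {
        "X-Forwarded-Proto" => "https",
        "X-Forwarded-Ssl" => "on"
         }
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.mail.ru"
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = "[email protected]"
        gitlab_rails['smtp_password'] = "PASSWORD"
        gitlab_rails['smtp_domain'] = "mail.ru"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = false
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['gitlab_email_from'] = '[email protected]'
        gitlab_rails['gitlab_email_reply_to'] = '[email protected]'
        patroni['remove_data_directory_on_rewind_failure'] = true
        patroni['remove_data_directory_on_diverged_timelines'] = true
    ports:
      # SSH for git; published directly on the swarm ingress, not through Traefik.
      - "2222:22"
    volumes:
      - /docker/conf/gitlab:/etc/gitlab
      - /docker/data/gitlab:/var/opt/gitlab
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik-public
    deploy:
      replicas: 1
      restart_policy:
        condition: any
        delay: 5s
        window: 120s
      update_config:
        parallelism: 1
        monitor: 600s
        failure_action: continue
        order: stop-first
      placement:
        constraints:
          - node.role == worker
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.gitlab.tls=true"
        - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.ru`)"
        # Bind to the https entrypoint like the homer router does; without it the
        # router attaches to every entrypoint.
        - "traefik.http.routers.gitlab.entrypoints=https"
        # Both middlewares live in the file provider, so both need the @file suffix;
        # a bare WhitelistHome would be looked up in the Docker provider.
        - "traefik.http.routers.gitlab.middlewares=WhitelistHome@file,CORS@file"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"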
Т.е. нам нужно в параметре middlewares перечислить, что хотим подключить в промежуточный слой; в нашем случае это IP-фильтрация и политика CORS.

Полезные ссылки
