josedario87
aeb76bf60f
Some checks failed
deploy-meshcentral / deploy (push) Failing after 2s
CAMBIOS MAYORES: - Usar paths absolutos /srv/meshcentral/* en lugar de relativos - Limpiar datos viejos completamente (empezar de cero) - config.json correcto: * Puerto 443 (no 4430) * OIDC con Authentik configurado * Dominio mesh.nucleoriofrio.com * TlsOffload false (Traefik maneja SSL externo) - Traefik conecta al puerto 443 interno - Sin middleware authentik-forward-auth (OIDC nativo) SOLUCIÓN AL PROBLEMA: Los paths relativos en docker-compose creaban directorios nuevos en cada ejecución de Gitea Actions (/root/.cache/act/HASH/). Ahora usamos /srv/meshcentral/ fijo para persistencia real.
73 lines
3.1 KiB
YAML
73 lines
3.1 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
meshcentral:
|
|
image: ghcr.io/ylianst/meshcentral:latest
|
|
container_name: ${APP_NAME:-meshcentral}
|
|
restart: unless-stopped
|
|
ports:
|
|
- "${MESH_PORT:-4430}:4430"
|
|
volumes:
|
|
- /srv/meshcentral/data:/opt/meshcentral/meshcentral-data
|
|
- /srv/meshcentral/files:/opt/meshcentral/meshcentral-files
|
|
- /srv/meshcentral/backup:/opt/meshcentral/meshcentral-backup
|
|
- /srv/meshcentral/config:/opt/meshcentral/meshcentral-config
|
|
environment:
|
|
- HOSTNAME=${APP_DOMAIN}
|
|
- REVERSE_PROXY=traefik
|
|
- REVERSE_PROXY_TLS_PORT=443
|
|
- IFRAME=false
|
|
- ALLOWLOGINTOKEN=true
|
|
- LOCALSESSIONRECORDING=false
|
|
- MINIFY=true
|
|
- WEBRTC=true
|
|
- CLICKONCE=false
|
|
- ALLOWHIGHQUALITYDESKTOP=true
|
|
- DESKTOPASPECTRATIOS=1.33,1.5,1.6,1.7,1.778,2.0
|
|
- ALLOWFRAMING=false
|
|
- COOKIEENCODING=hex
|
|
- SESSIONRECORDINGCHUNKSIZE=1000000
|
|
ulimits:
|
|
nofile:
|
|
soft: 65536
|
|
hard: 65536
|
|
networks:
|
|
- principal
|
|
- traefik-network
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=principal"
|
|
|
|
# Service
|
|
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=443"
|
|
- "traefik.http.services.${APP_NAME}.loadbalancer.server.scheme=https"
|
|
|
|
# Router principal con Authentik Forward Auth para rutas de usuario
|
|
- "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/agent.ashx`) && !PathPrefix(`/meshrelay.ashx`) && !PathPrefix(`/devicefile.ashx`) && !PathPrefix(`/amtactivate`) && !PathPrefix(`/meshsettings`) && !PathPrefix(`/devicepower.ashx`)"
|
|
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
|
|
- "traefik.http.routers.${APP_NAME}.tls=true"
|
|
- "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
|
|
- "traefik.http.routers.${APP_NAME}.priority=100"
|
|
- "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-headers"
|
|
|
|
# Router para agentes (sin autenticación) - mayor prioridad
|
|
- "traefik.http.routers.${APP_NAME}-agents.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/agent.ashx`) || PathPrefix(`/meshrelay.ashx`) || PathPrefix(`/devicefile.ashx`) || PathPrefix(`/amtactivate`) || PathPrefix(`/meshsettings`) || PathPrefix(`/devicepower.ashx`))"
|
|
- "traefik.http.routers.${APP_NAME}-agents.entrypoints=websecure"
|
|
- "traefik.http.routers.${APP_NAME}-agents.tls=true"
|
|
- "traefik.http.routers.${APP_NAME}-agents.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.${APP_NAME}-agents.service=${APP_NAME}"
|
|
- "traefik.http.routers.${APP_NAME}-agents.priority=200"
|
|
- "traefik.http.routers.${APP_NAME}-agents.middlewares=${APP_NAME}-headers"
|
|
|
|
# Custom headers middleware
|
|
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
|
|
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}"
|
|
- "traefik.http.middlewares.${APP_NAME}-headers.headers.sslredirect=true"
|
|
|
|
networks:
|
|
principal:
|
|
external: true
|
|
traefik-network:
|
|
external: true
|