feat(deployment): update Semaphore stack and Traefik configuration

- Add QUICKSTART.md and SETUP_REPOSITORY.md for Semaphore stack
- Add playbooks directory for Semaphore deployment
- Update Semaphore docker-compose.yml, env.example, and README
- Add Traefik local configuration files
- Disable semaphore.yml in Traefik dynamic config
- Update docker-compose.local.yml and build-image workflow
2025-11-02 22:55:51 +01:00
parent 0c4ff1283c
commit 77c656af62
15 changed files with 1280 additions and 77 deletions


@@ -38,24 +38,12 @@ services:
networks:
- semaphore-internal
ports:
# Only bind to localhost, not external interfaces
# Default port 3001 to avoid conflict with Gitea (port 3000)
- "127.0.0.1:${SEMAPHORE_PORT:-3001}:3000"
labels:
# Traefik configuration
- "traefik.enable=true"
# HTTP Router (redirects to HTTPS)
- "traefik.http.routers.semaphore.rule=Host(`semaphore.michaelschiemer.de`)"
- "traefik.http.routers.semaphore.entrypoints=web"
- "traefik.http.routers.semaphore.middlewares=redirect-to-https"
# HTTPS Router
- "traefik.http.routers.semaphore-secure.rule=Host(`semaphore.michaelschiemer.de`)"
- "traefik.http.routers.semaphore-secure.entrypoints=websecure"
- "traefik.http.routers.semaphore-secure.tls=true"
- "traefik.http.routers.semaphore-secure.tls.certresolver=letsencrypt"
- "traefik.http.routers.semaphore-secure.service=semaphore"
# Service definition (use localhost port binding)
# Note: Dynamic config in traefik/dynamic/semaphore.yml takes precedence
# ONLY bind to localhost (127.0.0.1) - NOT accessible externally!
# Default port 9300 to avoid conflict with Gitea (port 3000)
# SECURITY: This ensures Semaphore is only accessible locally
- "127.0.0.1:${SEMAPHORE_PORT:-9300}:3000"
# NO Traefik labels - Semaphore should only be accessible locally!
# External access is disabled for security reasons.
environment:
- TZ=Europe/Berlin
# Database Configuration
@@ -80,6 +68,9 @@ services:
- SEMAPHORE_WEBHOOK_URL=${SEMAPHORE_WEBHOOK_URL:-}
volumes:
- semaphore-data:/etc/semaphore
# Mount playbooks from repository so Semaphore can access them
- ../../../deployment/stacks/semaphore/playbooks:/tmp/semaphore/playbooks:ro
- ../../../deployment/ansible/playbooks:/tmp/semaphore/repo-playbooks:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
healthcheck:
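Review bot: In the first hunk (ports/labels), the `127.0.0.1` host binding only restricts the port published on the host; the service still joins `semaphore-internal` in the context lines above it, so any other container attached to that network — Traefik, if it is on it — can still reach port 3000 directly, which is the route the removed `# Note: Dynamic config in traefik/dynamic/semaphore.yml takes precedence` line described and the commit message says is now disabled rather than removed. The new comment block asserts that external access is disabled, which this compose file alone does not guarantee; I'd state the dependency explicitly, e.g. `# Host publish is loopback-only; the container stays reachable on semaphore-internal, so keep traefik/dynamic/semaphore.yml disabled (or detach Traefik from this network)`. The published default also moves from 3001 to 9300, so the comment should say that operators reach the UI via an SSH tunnel to that port rather than through Traefik. In the second hunk the read-only bind mounts under `/tmp/semaphore/` look reasonable, but if that path is also Semaphore's own working/tmp directory a read-only subtree there may collide with its writes — worth confirming against the image documentation before merging.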