Michael Schiemer
77c656af62
- Add QUICKSTART.md and SETUP_REPOSITORY.md for Semaphore stack - Add playbooks directory for Semaphore deployment - Update Semaphore docker-compose.yml, env.example, and README - Add Traefik local configuration files - Disable semaphore.yml in Traefik dynamic config - Update docker-compose.local.yml and build-image workflow
94 lines
3.3 KiB
YAML
94 lines
3.3 KiB
YAML
services:
|
|
# MySQL Database for Semaphore
|
|
mysql:
|
|
image: mysql:8.0
|
|
container_name: semaphore-mysql
|
|
restart: unless-stopped
|
|
networks:
|
|
- semaphore-internal
|
|
environment:
|
|
- TZ=Europe/Berlin
|
|
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-semaphore_root}
|
|
- MYSQL_DATABASE=${MYSQL_DATABASE:-semaphore}
|
|
- MYSQL_USER=${MYSQL_USER:-semaphore}
|
|
- MYSQL_PASSWORD=${MYSQL_PASSWORD:-semaphore}
|
|
volumes:
|
|
- semaphore-mysql-data:/var/lib/mysql
|
|
- /etc/timezone:/etc/timezone:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
healthcheck:
|
|
test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${MYSQL_ROOT_PASSWORD:-semaphore_root}"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
command: >
|
|
--default-authentication-plugin=mysql_native_password
|
|
--character-set-server=utf8mb4
|
|
--collation-server=utf8mb4_unicode_ci
|
|
|
|
# Semaphore CI/CD Platform
|
|
semaphore:
|
|
image: semaphoreui/semaphore:latest
|
|
container_name: semaphore
|
|
restart: unless-stopped
|
|
depends_on:
|
|
mysql:
|
|
condition: service_healthy
|
|
networks:
|
|
- semaphore-internal
|
|
ports:
|
|
# ONLY bind to localhost (127.0.0.1) - NOT accessible externally!
|
|
# Default port 9300 to avoid conflict with Gitea (port 3000)
|
|
# SECURITY: This ensures Semaphore is only accessible locally
|
|
- "127.0.0.1:${SEMAPHORE_PORT:-9300}:3000"
|
|
# NO Traefik labels - Semaphore should only be accessible locally!
|
|
# External access is disabled for security reasons.
|
|
environment:
|
|
- TZ=Europe/Berlin
|
|
# Database Configuration
|
|
- SEMAPHORE_DB_DIALECT=mysql
|
|
- SEMAPHORE_DB_HOST=mysql
|
|
- SEMAPHORE_DB_PORT=3306
|
|
- SEMAPHORE_DB=${MYSQL_DATABASE:-semaphore}
|
|
- SEMAPHORE_DB_USER=${MYSQL_USER:-semaphore}
|
|
- SEMAPHORE_DB_PASS=${MYSQL_PASSWORD:-semaphore}
|
|
# Admin Configuration
|
|
- SEMAPHORE_ADMIN=${SEMAPHORE_ADMIN:-admin}
|
|
- SEMAPHORE_ADMIN_NAME=${SEMAPHORE_ADMIN_NAME:-Administrator}
|
|
- SEMAPHORE_ADMIN_EMAIL=${SEMAPHORE_ADMIN_EMAIL:-admin@localhost}
|
|
- SEMAPHORE_ADMIN_PASSWORD=${SEMAPHORE_ADMIN_PASSWORD:-admin}
|
|
# Playbook Path
|
|
- SEMAPHORE_PLAYBOOK_PATH=${SEMAPHORE_PLAYBOOK_PATH:-/tmp/semaphore}
|
|
# Encryption Key (generate with: head -c32 /dev/urandom | base64)
|
|
- SEMAPHORE_ACCESS_KEY_ENCRYPTION=${SEMAPHORE_ACCESS_KEY_ENCRYPTION:-change-me-in-production}
|
|
# Optional: LDAP Configuration (disabled by default)
|
|
- SEMAPHORE_LDAP_ENABLED=${SEMAPHORE_LDAP_ENABLED:-false}
|
|
# Optional: Webhook Configuration
|
|
- SEMAPHORE_WEBHOOK_URL=${SEMAPHORE_WEBHOOK_URL:-}
|
|
volumes:
|
|
- semaphore-data:/etc/semaphore
|
|
# Mount playbooks from repository so Semaphore can access them
|
|
- ../../../deployment/stacks/semaphore/playbooks:/tmp/semaphore/playbooks:ro
|
|
- ../../../deployment/ansible/playbooks:/tmp/semaphore/repo-playbooks:ro
|
|
- /etc/timezone:/etc/timezone:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
|
|
volumes:
|
|
semaphore-mysql-data:
|
|
name: semaphore-mysql-data
|
|
semaphore-data:
|
|
name: semaphore-data
|
|
|
|
networks:
|
|
semaphore-internal:
|
|
name: semaphore-internal
|
|
driver: bridge
|
|
|