From 75eff7189638a6d8b0ee12c2b83d75b72039d5f2 Mon Sep 17 00:00:00 2001 From: furyhawk Date: Sun, 29 Jun 2025 20:00:44 +0800 Subject: [PATCH] feat: add Seafile services and configurations for Docker deployment --- swarm/core.yml | 2 + swarm/seafile.yml | 178 +++++++++++++++++++++++++++++++ swarm/seafile/caddy.yml | 26 +++++ swarm/seafile/seadoc.yml | 39 +++++++ swarm/seafile/seafile-server.yml | 74 +++++++++++++ 5 files changed, 319 insertions(+) create mode 100644 swarm/seafile.yml create mode 100644 swarm/seafile/caddy.yml create mode 100644 swarm/seafile/seadoc.yml create mode 100644 swarm/seafile/seafile-server.yml diff --git a/swarm/core.yml b/swarm/core.yml index aa62de0..c6a891d 100644 --- a/swarm/core.yml +++ b/swarm/core.yml @@ -86,6 +86,8 @@ services: - traefik.http.routers.traefik-public-https.service=api@internal # Define the port inside of the Docker service to use - traefik.http.services.traefik-public.loadbalancer.server.port=8080 + # Pass the original Host header to the backend + # - "traefik.http.services.dashboard.loadbalancer.passhostheader=true" # - crowdsec.enable=true # - crowdsec.labels.type=nginx volumes: diff --git a/swarm/seafile.yml b/swarm/seafile.yml new file mode 100644 index 0000000..e01af00 --- /dev/null +++ b/swarm/seafile.yml @@ -0,0 +1,178 @@ +networks: + seafile-network: + external: true + traefik-public: + external: true + +volumes: + mariadb-data: + seafile-data: + seafile-mariadb-backup: + seafile-data-backups: + seafile-database-backups: + +services: + mariadb: + image: ${SEAFILE_MARIADB_IMAGE_TAG} + volumes: + - mariadb-data:/var/lib/mysql + environment: + MARIADB_USER: ${SEAFILE_MYSQL_DB_USER} + MARIADB_PASSWORD: ${SEAFILE_MYSQL_DB_PASSWORD} + MARIADB_ROOT_PASSWORD: ${INIT_SEAFILE_MYSQL_ROOT_PASSWORD} + networks: + - seafile-network + healthcheck: + test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 60s + restart: unless-stopped + + memcached: + command: memcached -m 256M + image: ${SEAFILE_MEMCACHE_IMAGE_TAG} + networks: + - seafile-network + restart: unless-stopped + + seafile: + image: ${SEAFILE_IMAGE_TAG} + volumes: + - seafile-data:${DATA_PATH} + environment: + - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-mariadb} + - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306} + - DB_USER=${SEAFILE_MYSQL_DB_USER:-seafile} + - DB_ROOT_PASSWD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-} + - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty} + - SEAFILE_MYSQL_DB_CCNET_DB_NAME=${SEAFILE_MYSQL_DB_CCNET_DB_NAME:-ccnet_db} + - SEAFILE_MYSQL_DB_SEAFILE_DB_NAME=${SEAFILE_MYSQL_DB_SEAFILE_DB_NAME:-seafile_db} + - SEAFILE_MYSQL_DB_SEAHUB_DB_NAME=${SEAFILE_MYSQL_DB_SEAHUB_DB_NAME:-seahub_db} + - TIME_ZONE=${TIME_ZONE:-Etc/UTC} + - INIT_SEAFILE_ADMIN_EMAIL=${INIT_SEAFILE_ADMIN_EMAIL:-me@example.com} + - INIT_SEAFILE_ADMIN_PASSWORD=${INIT_SEAFILE_ADMIN_PASSWORD:-asecret} + - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} + - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-http} + - SITE_ROOT=${SITE_ROOT:-/} + - NON_ROOT=${NON_ROOT:-false} + - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty} + - SEAFILE_LOG_TO_STDOUT=${SEAFILE_LOG_TO_STDOUT:-false} + - ENABLE_SEADOC=${ENABLE_SEADOC:-true} + - SEADOC_SERVER_URL=${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}/sdoc-server + networks: + - seafile-network + - traefik-public + healthcheck: + test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/8000' || exit 1 + interval: 10s + timeout: 5s + retries: 3 + start_period: 90s + labels: + # Enable Traefik for this container + - "traefik.enable=true" + # Global settings for compression middleware + - "traefik.http.middlewares.compresstraefik.compress=true" + # Match incoming requests on the specific hostname for Seafile/Seahub + - "traefik.http.routers.seafile.rule=Host(`${SEAFILE_SERVER_HOSTNAME}`)" + # Assign the router to a named Traefik service + - "traefik.http.routers.seafile.service=seafile" + # Use the 'websecure' (HTTPS) entry point + - "traefik.http.routers.seafile.entrypoints=https" + # Define the internal container port for routing + - "traefik.http.services.seafile.loadbalancer.server.port=8000" + # Enable TLS on this router + - "traefik.http.routers.seafile.tls=true" + # Use Let's Encrypt for certificate management + - "traefik.http.routers.seafile.tls.certresolver=le" + # Pass the original Host header to the container + - "traefik.http.services.seafile.loadbalancer.passhostheader=true" + # Apply middlewares for security headers and compression + - "traefik.http.routers.seafile.middlewares=sec-headers,compresstraefik" + # Match incoming requests on the specific hostname for Seafdav + - "traefik.http.routers.seafile-dav.rule=Host(`${SEAFILE_SERVER_HOSTNAME}`) && PathPrefix(`/seafdav`)" + # Assign the router to a named Traefik service + - "traefik.http.routers.seafile-dav.service=seafile-dav" + # Use the 'websecure' (HTTPS) entry point + - "traefik.http.routers.seafile-dav.entrypoints=https" + # Define the internal container port for routing + - "traefik.http.services.seafile-dav.loadbalancer.server.port=8080" + # Enable TLS on this router + - "traefik.http.routers.seafile-dav.tls=true" + # Use Let's Encrypt for certificate management + - "traefik.http.routers.seafile-dav.tls.certresolver=le" + # Pass the original Host header to the container + - "traefik.http.services.seafile-dav.loadbalancer.passhostheader=true" + # Apply compression middleware + - "traefik.http.routers.seafile-dav.middlewares=compresstraefik" + # Match incoming requests on the specific hostname for Seafhttp + - "traefik.http.routers.seafile-http.rule=Host(`${SEAFILE_SERVER_HOSTNAME}`) && PathPrefix(`/seafhttp`)" + # Assign the router to a named Traefik service + - "traefik.http.routers.seafile-http.service=seafile-http" + # Use the 'websecure' (HTTPS) entry point + - "traefik.http.routers.seafile-http.entrypoints=https" + # Define the internal container port for routing + - "traefik.http.services.seafile-http.loadbalancer.server.port=8082" + # Enable TLS on this router + - "traefik.http.routers.seafile-http.tls=true" + # Use Let's Encrypt for certificate management + - "traefik.http.routers.seafile-http.tls.certresolver=le" + # Pass the original Host header to the container + - "traefik.http.services.seafile-http.loadbalancer.passhostheader=true" + # Apply middlewares for stripping prefix and compression + - "traefik.http.middlewares.seafile-strip.stripprefix.prefixes=/seafhttp" + - "traefik.http.routers.seafile-http.middlewares=seafile-strip,compresstraefik" + # Security headers settings + - "traefik.http.middlewares.sec-headers.headers.sslredirect=true" + - "traefik.http.middlewares.sec-headers.headers.browserXssFilter=true" + - "traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true" + - "traefik.http.middlewares.sec-headers.headers.forceSTSHeader=true" + - "traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true" + - "traefik.http.middlewares.sec-headers.headers.stsPreload=true" + - "traefik.http.middlewares.sec-headers.headers.referrerPolicy=same-origin" + # Specify which Docker network Traefik should use for routing + - "traefik.docker.network=traefik-public" + + restart: unless-stopped + depends_on: + mariadb: + condition: service_healthy + traefik: + condition: service_healthy + + backups: + image: ${SEAFILE_MARIADB_IMAGE_TAG} + command: >- + sh -c 'sleep $BACKUP_INIT_SLEEP && + while true; do + mariadb-dump -h mariadb -u $SEAFILE_MYSQL_DB_USER -p"$SEAFILE_MYSQL_DB_PASSWORD" --all-databases | gzip > "$MARIADB_BACKUPS_PATH/$MARIADB_BACKUP_NAME-$(date '+%Y-%m-%d_%H-%M').gz" && + tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH && + find $MARIADB_BACKUPS_PATH -type f -mtime +$MARIADB_BACKUP_PRUNE_DAYS | xargs rm -f && + find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f; + sleep $BACKUP_INTERVAL; done' + volumes: + - seafile-mariadb-backup:/var/lib/mysql + - seafile-data:${DATA_PATH} + - seafile-data-backups:${DATA_BACKUPS_PATH} + - seafile-database-backups:${MARIADB_BACKUPS_PATH} + environment: + SEAFILE_DB_USER: ${SEAFILE_MYSQL_DB_USER} + SEAFILE_DB_PASSWORD: ${SEAFILE_MYSQL_DB_PASSWORD} + MARIADB_ROOT_PASSWORD: ${INIT_SEAFILE_MYSQL_ROOT_PASSWORD} + BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP} + BACKUP_INTERVAL: ${BACKUP_INTERVAL} + MARIADB_BACKUP_PRUNE_DAYS: ${MARIADB_BACKUP_PRUNE_DAYS} + DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS} + MARIADB_BACKUPS_PATH: ${MARIADB_BACKUPS_PATH} + DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH} + DATA_PATH: ${DATA_PATH} + MARIADB_BACKUP_NAME: ${MARIADB_BACKUP_NAME} + DATA_BACKUP_NAME: ${DATA_BACKUP_NAME} + networks: + - seafile-network + restart: unless-stopped + depends_on: + mariadb: + condition: service_healthy \ No newline at end of file diff --git a/swarm/seafile/caddy.yml b/swarm/seafile/caddy.yml new file mode 100644 index 0000000..2321ed1 --- /dev/null +++ b/swarm/seafile/caddy.yml @@ -0,0 +1,26 @@ +services: + + caddy: + image: ${SEAFILE_CADDY_IMAGE:-lucaslorentz/caddy-docker-proxy:2.9-alpine} + restart: unless-stopped + container_name: seafile-caddy + ports: + - 80:80 + - 443:443 + environment: + - CADDY_INGRESS_NETWORKS=seafile-net + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ${SEAFILE_CADDY_VOLUME:-/opt/seafile-caddy}:/data/caddy + networks: + - seafile-net + healthcheck: + test: ["CMD-SHELL", "curl --fail http://localhost:2019/metrics || exit 1"] + start_period: 20s + interval: 20s + timeout: 5s + retries: 3 + +networks: + seafile-net: + name: seafile-net diff --git a/swarm/seafile/seadoc.yml b/swarm/seafile/seadoc.yml new file mode 100644 index 0000000..a64374b --- /dev/null +++ b/swarm/seafile/seadoc.yml @@ -0,0 +1,39 @@ +services: + + seadoc: + image: ${SEADOC_IMAGE:-seafileltd/sdoc-server:1.0-latest} + container_name: seadoc + volumes: + - ${SEADOC_VOLUME:-/opt/seadoc-data/}:/shared + # ports: + # - "80:80" + environment: + - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db} + - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306} + - DB_USER=${SEAFILE_MYSQL_DB_USER:-seafile} + - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty} + - DB_NAME=${SEADOC_MYSQL_DB_NAME:-seahub_db} + - TIME_ZONE=${TIME_ZONE:-Etc/UTC} + - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty} + - NON_ROOT=${NON_ROOT:-false} + - SEAHUB_SERVICE_URL=${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} + labels: + caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} + caddy.@ws.0_header: "Connection *Upgrade*" + caddy.@ws.1_header: "Upgrade websocket" + caddy.0_reverse_proxy: "@ws {{upstreams 80}}" + caddy.1_handle_path: "/socket.io/*" + caddy.1_handle_path.0_rewrite: "* /socket.io{uri}" + caddy.1_handle_path.1_reverse_proxy: "{{upstreams 80}}" + caddy.2_handle_path: "/sdoc-server/*" + caddy.2_handle_path.0_rewrite: "* {uri}" + caddy.2_handle_path.1_reverse_proxy: "{{upstreams 80}}" + depends_on: + db: + condition: service_healthy + networks: + - seafile-net + +networks: + seafile-net: + name: seafile-net diff --git a/swarm/seafile/seafile-server.yml b/swarm/seafile/seafile-server.yml new file mode 100644 index 0000000..e98596f --- /dev/null +++ b/swarm/seafile/seafile-server.yml @@ -0,0 +1,74 @@ +services: + db: + image: ${SEAFILE_DB_IMAGE:-mariadb:10.11} + container_name: seafile-mysql + environment: + - MYSQL_ROOT_PASSWORD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-} + - MYSQL_LOG_CONSOLE=true + - MARIADB_AUTO_UPGRADE=1 + volumes: + - "${SEAFILE_MYSQL_VOLUME:-/opt/seafile-mysql/db}:/var/lib/mysql" + networks: + - seafile-net + healthcheck: + test: + [ + "CMD", + "/usr/local/bin/healthcheck.sh", + "--connect", + "--mariadbupgrade", + "--innodb_initialized", + ] + interval: 20s + start_period: 30s + timeout: 5s + retries: 10 + + memcached: + image: ${SEAFILE_MEMCACHED_IMAGE:-memcached:1.6.29} + container_name: seafile-memcached + entrypoint: memcached -m 256 + networks: + - seafile-net + + seafile: + image: ${SEAFILE_IMAGE:-seafileltd/seafile-mc:12.0-latest} + container_name: seafile + # ports: + # - "80:80" + volumes: + - ${SEAFILE_VOLUME:-/opt/seafile-data}:/shared + environment: + - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db} + - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306} + - DB_USER=${SEAFILE_MYSQL_DB_USER:-seafile} + - DB_ROOT_PASSWD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-} + - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty} + - SEAFILE_MYSQL_DB_CCNET_DB_NAME=${SEAFILE_MYSQL_DB_CCNET_DB_NAME:-ccnet_db} + - SEAFILE_MYSQL_DB_SEAFILE_DB_NAME=${SEAFILE_MYSQL_DB_SEAFILE_DB_NAME:-seafile_db} + - SEAFILE_MYSQL_DB_SEAHUB_DB_NAME=${SEAFILE_MYSQL_DB_SEAHUB_DB_NAME:-seahub_db} + - TIME_ZONE=${TIME_ZONE:-Etc/UTC} + - INIT_SEAFILE_ADMIN_EMAIL=${INIT_SEAFILE_ADMIN_EMAIL:-me@example.com} + - INIT_SEAFILE_ADMIN_PASSWORD=${INIT_SEAFILE_ADMIN_PASSWORD:-asecret} + - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} + - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-http} + - SITE_ROOT=${SITE_ROOT:-/} + - NON_ROOT=${NON_ROOT:-false} + - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty} + - SEAFILE_LOG_TO_STDOUT=${SEAFILE_LOG_TO_STDOUT:-false} + - ENABLE_SEADOC=${ENABLE_SEADOC:-true} + - SEADOC_SERVER_URL=${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}/sdoc-server + labels: + caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} + caddy.reverse_proxy: "{{upstreams 80}}" + depends_on: + db: + condition: service_healthy + memcached: + condition: service_started + networks: + - seafile-net + +networks: + seafile-net: + name: seafile-net