Add systemd unit, Dockerfile, docker-compose, and fail2ban configs for production deployment

2026-06-11 13:42:08 +00:00
parent 5d1e29fde9
commit 6d497eb5d3
5 changed files with 108 additions and 0 deletions
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -0,0 +1,22 @@
+FROM rust:alpine AS builder
+
+RUN apk add --no-cache musl-dev
+
+WORKDIR /usr/src/reverse-proxy
+COPY . .
+
+RUN cargo build --release --target x86_64-unknown-linux-musl
+
+FROM alpine:latest
+
+RUN apk add --no-cache ca-certificates
+
+COPY --from=builder /usr/src/reverse-proxy/target/x86_64-unknown-linux-musl/release/reverse-proxy /usr/local/bin/reverse-proxy
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
+  CMD wget -q --spider http://127.0.0.1:9900/health || exit 1
+
+EXPOSE 80 443
+
+ENTRYPOINT ["reverse-proxy"]
+CMD ["--config", "/etc/reverse-proxy/config.toml"]
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -0,0 +1,52 @@
+services:
+  reverse-proxy:
+    build: .
+    container_name: reverse-proxy
+    restart: unless-stopped
+    ports:
+      - "203.0.113.10:80:80"
+      - "203.0.113.10:443:443"
+    volumes:
+      - /etc/reverse-proxy/config.toml:/etc/reverse-proxy/config.toml:ro
+      - /var/lib/reverse-proxy/acme-cache:/var/lib/reverse-proxy/acme-cache
+      - /var/log/reverse-proxy:/var/log/reverse-proxy
+      - /run/reverse-proxy:/run/reverse-proxy
+    networks:
+      - proxy-net
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9900/health"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: unless-stopped
+    ports:
+      - "203.0.113.10:22:2222"
+    volumes:
+      - /opt/gitea:/data
+    networks:
+      - proxy-net
+      - gitea-db-net
+
+  gitea-db:
+    image: postgres:16-alpine
+    container_name: gitea-db
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: admin
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_DB: gitea
+    volumes:
+      - gitea-db:/var/lib/postgresql/data
+    networks:
+      - gitea-db-net
+
+networks:
+  proxy-net:
+  gitea-db-net:
+
+volumes:
+  gitea-db:
--- a/deploy/fail2ban/filter.d/reverse-proxy.conf
+++ b/deploy/fail2ban/filter.d/reverse-proxy.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^RATE_LIMIT client_ip=<HOST> host=\S+ path=\S+ status=\d+$
+ignoreregex =
--- a/deploy/fail2ban/jail.d/reverse-proxy.conf
+++ b/deploy/fail2ban/jail.d/reverse-proxy.conf
@@ -0,0 +1,7 @@
+[reverse-proxy]
+enabled = true
+filter = reverse-proxy
+logpath = /var/log/reverse-proxy/access.log
+maxretry = 10
+findtime = 60
+bantime = 3600
--- a/deploy/reverse-proxy.service
+++ b/deploy/reverse-proxy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reverse Proxy
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStart=/usr/local/bin/reverse-proxy --config /etc/reverse-proxy/config.toml
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/var/lib/reverse-proxy /var/log/reverse-proxy
+
+# ACME challenge cache directory
+StateDirectory=reverse-proxy
+
+[Install]
+WantedBy=multi-user.target