feat: 集成 OpenTofu + Ansible + Gitea CI/CD

- 重构项目目录结构 - 添加 OpenTofu 多云支持 - 配置 Ansible 自动化部署 - 集成 Gitea Actions CI/CD 流水线 - 添加 Docker Swarm 管理 - 完善监控和安全配置
2025-09-20 10:48:41 +00:00
parent d755f237a0
commit 7eb4a33523
55 changed files with 3745 additions and 1921 deletions
--- a/containers/compose/production/demo-services-stack.yml
+++ b/containers/compose/production/demo-services-stack.yml
@@ -0,0 +1,166 @@
+version: '3.8'
+
+services:
+  # Web 应用示例
+  webapp:
+    image: nginx:alpine
+    networks:
+      - traefik-public
+    configs:
+      - source: webapp-html
+        target: /usr/share/nginx/html/index.html
+    deploy:
+      replicas: 2
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.webapp.rule=Host(`app.local`)
+        - traefik.http.routers.webapp.entrypoints=web
+        - traefik.http.services.webapp.loadbalancer.server.port=80
+      update_config:
+        parallelism: 1
+        delay: 10s
+      restart_policy:
+        condition: on-failure
+
+  # API 服务示例
+  api:
+    image: httpd:alpine
+    networks:
+      - traefik-public
+    configs:
+      - source: api-html
+        target: /usr/local/apache2/htdocs/index.html
+    deploy:
+      replicas: 2
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.api.rule=Host(`api.local`)
+        - traefik.http.routers.api.entrypoints=web
+        - traefik.http.services.api.loadbalancer.server.port=80
+        # 添加路径前缀
+        - traefik.http.routers.api-path.rule=Host(`app.local`) && PathPrefix(`/api`)
+        - traefik.http.routers.api-path.entrypoints=web
+        - traefik.http.routers.api-path.service=api
+      update_config:
+        parallelism: 1
+        delay: 10s
+      restart_policy:
+        condition: on-failure
+
+  # 监控服务示例
+  monitor:
+    image: nginx:alpine
+    networks:
+      - traefik-public
+    configs:
+      - source: monitor-html
+        target: /usr/share/nginx/html/index.html
+    deploy:
+      replicas: 1
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.monitor.rule=Host(`monitor.local`)
+        - traefik.http.routers.monitor.entrypoints=web
+        - traefik.http.services.monitor.loadbalancer.server.port=80
+        # 添加基本认证 (可选)
+        - traefik.http.routers.monitor.middlewares=auth
+        - traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$DLKjKQKQKQKQKQKQKQKQKe
+      restart_policy:
+        condition: on-failure
+
+networks:
+  traefik-public:
+    external: true
+
+configs:
+  webapp-html:
+    content: |
+      <!DOCTYPE html>
+      <html>
+      <head>
+          <title>Web App - Traefik Swarm Demo</title>
+          <style>
+              body { font-family: Arial, sans-serif; margin: 40px; background: #f5f5f5; }
+              .container { background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+              h1 { color: #2c3e50; }
+              .info { background: #e8f4fd; padding: 15px; border-radius: 4px; margin: 20px 0; }
+          </style>
+      </head>
+      <body>
+          <div class="container">
+              <h1>🚀 Web Application</h1>
+              <div class="info">
+                  <p><strong>服务:</strong> webapp</p>
+                  <p><strong>访问地址:</strong> http://app.local</p>
+                  <p><strong>负载均衡:</strong> Traefik + Docker Swarm</p>
+                  <p><strong>时间:</strong> <span id="time"></span></p>
+              </div>
+              <p>这是通过 Traefik 路由的 Web 应用示例。</p>
+          </div>
+          <script>
+              document.getElementById('time').textContent = new Date().toLocaleString();
+          </script>
+      </body>
+      </html>
+
+  api-html:
+    content: |
+      <!DOCTYPE html>
+      <html>
+      <head>
+          <title>API Service - Traefik Swarm Demo</title>
+          <style>
+              body { font-family: Arial, sans-serif; margin: 40px; background: #f5f5f5; }
+              .container { background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+              h1 { color: #27ae60; }
+              .info { background: #e8f8f5; padding: 15px; border-radius: 4px; margin: 20px 0; }
+          </style>
+      </head>
+      <body>
+          <div class="container">
+              <h1>🔌 API Service</h1>
+              <div class="info">
+                  <p><strong>服务:</strong> api</p>
+                  <p><strong>访问地址:</strong> http://api.local</p>
+                  <p><strong>路径路由:</strong> http://app.local/api</p>
+                  <p><strong>负载均衡:</strong> Traefik + Docker Swarm</p>
+                  <p><strong>时间:</strong> <span id="time"></span></p>
+              </div>
+              <p>这是通过 Traefik 路由的 API 服务示例。</p>
+          </div>
+          <script>
+              document.getElementById('time').textContent = new Date().toLocaleString();
+          </script>
+      </body>
+      </html>
+
+  monitor-html:
+    content: |
+      <!DOCTYPE html>
+      <html>
+      <head>
+          <title>Monitor Service - Traefik Swarm Demo</title>
+          <style>
+              body { font-family: Arial, sans-serif; margin: 40px; background: #f5f5f5; }
+              .container { background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+              h1 { color: #e74c3c; }
+              .info { background: #fdf2e9; padding: 15px; border-radius: 4px; margin: 20px 0; }
+          </style>
+      </head>
+      <body>
+          <div class="container">
+              <h1>📊 Monitor Service</h1>
+              <div class="info">
+                  <p><strong>服务:</strong> monitor</p>
+                  <p><strong>访问地址:</strong> http://monitor.local</p>
+                  <p><strong>认证:</strong> 基本认证保护</p>
+                  <p><strong>负载均衡:</strong> Traefik + Docker Swarm</p>
+                  <p><strong>时间:</strong> <span id="time"></span></p>
+              </div>
+              <p>这是通过 Traefik 路由的监控服务示例。</p>
+          </div>
+          <script>
+              document.getElementById('time').textContent = new Date().toLocaleString();
+          </script>
+      </body>
+      </html>
--- a/containers/compose/production/traefik-swarm-stack.yml
+++ b/containers/compose/production/traefik-swarm-stack.yml
@@ -0,0 +1,70 @@
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v3.0
+    command:
+      # API 和 Dashboard
+      - --api.dashboard=true
+      - --api.insecure=true
+      
+      # 入口点
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      
+      # Docker Swarm Provider
+      - --providers.swarm=true
+      - --providers.swarm.endpoint=unix:///var/run/docker.sock
+      - --providers.swarm.exposedByDefault=false
+      - --providers.swarm.network=traefik-public
+      
+      # 日志
+      - --log.level=INFO
+      - --accesslog=true
+      
+      # 指标
+      - --metrics.prometheus=true
+      - --metrics.prometheus.addEntryPointsLabels=true
+      - --metrics.prometheus.addServicesLabels=true
+      
+      # 证书解析器 (可选)
+      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+      - --certificatesresolvers.letsencrypt.acme.email=admin@example.com
+      - --certificatesresolvers.letsencrypt.acme.storage=/certificates/acme.json
+    
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"  # Dashboard
+    
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik-certificates:/certificates
+    
+    networks:
+      - traefik-public
+    
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        # Traefik Dashboard 路由
+        - traefik.enable=true
+        - traefik.http.routers.traefik-dashboard.rule=Host(`traefik.local`)
+        - traefik.http.routers.traefik-dashboard.service=api@internal
+        - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
+      update_config:
+        parallelism: 1
+        delay: 10s
+      restart_policy:
+        condition: on-failure
+
+networks:
+  traefik-public:
+    external: true
+
+volumes:
+  traefik-certificates:
--- a/containers/infrastructure/traefik-consul-setup.yml
+++ b/containers/infrastructure/traefik-consul-setup.yml
@@ -0,0 +1,138 @@
+version: '3.8'
+
+services:
+  # Traefik 负载均衡器
+  traefik:
+    image: traefik:v3.0
+    container_name: traefik
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"  # Traefik Dashboard
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./certs:/certs:ro
+    environment:
+      - CONSUL_ENDPOINTS=consul1:8500,consul2:8500,consul3:8500
+    depends_on:
+      - consul1
+      - consul2
+      - consul3
+    networks:
+      - traefik-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=Host(`traefik.local`)"
+      - "traefik.http.routers.dashboard.service=api@internal"
+
+  # Consul 集群节点 1
+  consul1:
+    image: consul:1.16.1
+    container_name: consul1
+    hostname: consul1
+    restart: unless-stopped
+    ports:
+      - "8500:8500"
+    volumes:
+      - consul1_data:/consul/data
+    command: >
+      consul agent -server -bootstrap-expect=3
+      -datacenter=dc1 -data-dir=/consul/data
+      -node=consul1 -bind=0.0.0.0 -client=0.0.0.0
+      -retry-join=consul2 -retry-join=consul3
+      -ui-config='{"enabled": true}'
+      -log-level=INFO
+    networks:
+      - traefik-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.consul.rule=Host(`consul.local`)"
+      - "traefik.http.services.consul.loadbalancer.server.port=8500"
+
+  # Consul 集群节点 2
+  consul2:
+    image: consul:1.16.1
+    container_name: consul2
+    hostname: consul2
+    restart: unless-stopped
+    volumes:
+      - consul2_data:/consul/data
+    command: >
+      consul agent -server -bootstrap-expect=3
+      -datacenter=dc1 -data-dir=/consul/data
+      -node=consul2 -bind=0.0.0.0 -client=0.0.0.0
+      -retry-join=consul1 -retry-join=consul3
+      -log-level=INFO
+    networks:
+      - traefik-net
+
+  # Consul 集群节点 3
+  consul3:
+    image: consul:1.16.1
+    container_name: consul3
+    hostname: consul3
+    restart: unless-stopped
+    volumes:
+      - consul3_data:/consul/data
+    command: >
+      consul agent -server -bootstrap-expect=3
+      -datacenter=dc1 -data-dir=/consul/data
+      -node=consul3 -bind=0.0.0.0 -client=0.0.0.0
+      -retry-join=consul1 -retry-join=consul2
+      -log-level=INFO
+    networks:
+      - traefik-net
+
+  # 示例 Web 应用
+  web-app:
+    image: nginx:alpine
+    container_name: web-app
+    restart: unless-stopped
+    volumes:
+      - ./web-content:/usr/share/nginx/html:ro
+    environment:
+      - CONSUL_URL=http://consul1:8500
+    networks:
+      - traefik-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.web.rule=Host(`app.local`)"
+      - "traefik.http.services.web.loadbalancer.server.port=80"
+      - "traefik.http.routers.web.middlewares=web-auth"
+      - "traefik.http.middlewares.web-auth.basicauth.users=admin:$$2y$$10$$..."
+
+  # 示例 API 应用
+  api-app:
+    image: node:18-alpine
+    container_name: api-app
+    restart: unless-stopped
+    working_dir: /app
+    volumes:
+      - ./api:/app
+    command: ["node", "server.js"]
+    environment:
+      - CONSUL_URL=http://consul1:8500
+      - NODE_ENV=production
+    networks:
+      - traefik-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.api.rule=Host(`api.local`) && PathPrefix(`/api`)"
+      - "traefik.http.services.api.loadbalancer.server.port=3000"
+      - "traefik.http.routers.api.middlewares=api-cors"
+      - "traefik.http.middlewares.api-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE"
+      - "traefik.http.middlewares.api-cors.headers.accesscontrolalloworigin=*"
+
+volumes:
+  consul1_data:
+  consul2_data:
+  consul3_data:
+
+networks:
+  traefik-net:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.20.0.0/16
--- a/containers/infrastructure/traefik.yml
+++ b/containers/infrastructure/traefik.yml
@@ -0,0 +1,60 @@
+# Traefik 配置文件
+api:
+  dashboard: true
+  insecure: true  # 仅开发环境，生产环境请使用 HTTPS
+
+# 入口点配置
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+
+# 提供者配置
+providers:
+  # Docker 标签发现
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    watch: true
+
+  # Consul 服务发现
+  consul:
+    endpoints:
+      - "consul1:8500"
+      - "consul2:8500"
+      - "consul3:8500"
+    watch: true
+    
+  # 文件配置提供者
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+
+# 证书解析器（Let's Encrypt）
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@example.com
+      storage: /certs/acme.json
+      httpChallenge:
+        entryPoint: web
+
+# 日志配置
+log:
+  level: INFO
+  filePath: "/var/log/traefik.log"
+
+accessLog:
+  filePath: "/var/log/access.log"
+
+# 指标配置
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+
+# 全局配置
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false