Update

container/compose/net/net-stack.md

@@ -472,6 +472,13 @@ step ca certificate *.light.local certs/light.local.crt certs/light.local.key
 # 查看证书
 step certificate inspect certs/light.local.crt
 
+# Gitlab子域名证书
+step ca certificate *.gitlab.light.local certs/gitlab.light.local.crt certs/gitlab.light.local.key
+step ca certificate *.pages.gitlab.light.local certs/pages.gitlab.light.local.crt certs/pages.gitlab.light.local.key
+
+# Minio子域名证书
+step ca certificate *.minio.light.local certs/minio.light.local.crt certs/minio.light.local.key
+
 ```
 
 4. 将证书复制到Web Server中

container/compose/net/nginx/conf.d/gitlab-pages-wildcard_light_local.conf

@@ -22,8 +22,8 @@ server {
   server_name *.pages.gitlab.light.local;
 
   # ssl证书地址
-  ssl_certificate         /etc/nginx/certs/light.local.crt;   # pem文件的路径
-  ssl_certificate_key     /etc/nginx/certs/light.local.key;   # key文件的路径
+  ssl_certificate         /etc/nginx/certs/pages.gitlab.light.local.crt;   # pem文件的路径
+  ssl_certificate_key     /etc/nginx/certs/pages.gitlab.light.local.key;   # key文件的路径
 
   # ssl验证相关配置
   ssl_session_timeout     5m;    # 缓存有效期

container/compose/net/nginx/conf.d/gitlab-pages_light_local.conf

@@ -22,8 +22,8 @@ server {
   server_name pages.gitlab.light.local;
 
   # ssl证书地址
-  ssl_certificate         /etc/nginx/certs/light.local.crt;   # pem文件的路径
-  ssl_certificate_key     /etc/nginx/certs/light.local.key;   # key文件的路径
+  ssl_certificate         /etc/nginx/certs/gitlab.light.local.crt;   # pem文件的路径
+  ssl_certificate_key     /etc/nginx/certs/gitlab.light.local.key;   # key文件的路径
 
   # ssl验证相关配置
   ssl_session_timeout     5m;    # 缓存有效期

container/compose/net/nginx/conf.d/gitlab-registry_light_local.conf

@@ -22,8 +22,8 @@ server {
   server_name registry.gitlab.light.local;
 
   # ssl证书地址
-  ssl_certificate         /etc/nginx/certs/light.local.crt;   # pem文件的路径
-  ssl_certificate_key     /etc/nginx/certs/light.local.key;   # key文件的路径
+  ssl_certificate         /etc/nginx/certs/gitlab.light.local.crt;   # pem文件的路径
+  ssl_certificate_key     /etc/nginx/certs/gitlab.light.local.key;   # key文件的路径
 
   # ssl验证相关配置
   ssl_session_timeout     5m;    # 缓存有效期

container/compose/net/nginx/conf.d/minio-console_light_local.conf

@@ -43,8 +43,8 @@ server {
   server_name console.minio.light.local;
 
   # ssl证书地址
-  ssl_certificate         /etc/nginx/certs/light.local.crt;   # pem文件的路径
-  ssl_certificate_key     /etc/nginx/certs/light.local.key;   # key文件的路径
+  ssl_certificate         /etc/nginx/certs/minio.light.local.crt;   # pem文件的路径
+  ssl_certificate_key     /etc/nginx/certs/minio.light.local.key;   # key文件的路径
 
   # ssl验证相关配置
   ssl_session_timeout     5m;    # 缓存有效期

container/compose/net/nginx/conf.d/outline_light_local.conf

@@ -70,10 +70,12 @@ server {
     proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto  $scheme;
     proxy_set_header X-Real-IP          $remote_addr;
-    proxy_set_header Connection         keep-alive;
+    proxy_set_header Upgrade            $http_upgrade;
+    proxy_set_header Connection         "Upgrade";
     proxy_set_header Host               $host;
     # proxy_set_header Host               $http_host;
     # proxy_set_header X-NginX-Proxy      true;
+    proxy_redirect                      off;
 
     proxy_connect_timeout               300;
     chunked_transfer_encoding           off;
@@ -86,4 +88,41 @@ server {
     proxy_ssl_protocols                 TLSv1.1 TLSv1.2 TLSv1.3;
     proxy_ssl_ciphers                   HIGH:!aNULL:!MD5;
   }
+
+  location /realtime {
+    # 域名解析
+    resolver 127.0.0.11  valid=10s;
+
+    # set $upstream_app   minio.web;
+    # set $upstream_port  9000;
+    # set $upstream_proto http;
+
+    ### Fix: State not return in OAuth flow
+    ###! https://github.com/outline/outline/issues/1985
+    # proxy_pass                          $upstream_proto://$upstream_app:$upstream_port;
+
+    # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+    proxy_http_version                  1.1;
+    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto  $scheme;
+    proxy_set_header X-Real-IP          $remote_addr;
+    proxy_set_header Upgrade            $http_upgrade;
+    proxy_set_header Connection         $http_connection;
+    proxy_set_header Host               $host;
+    # proxy_set_header Host               $http_host;
+    # proxy_set_header X-NginX-Proxy      true;
+    proxy_redirect                      off;
+    proxy_read_timeout 86400;
+
+    proxy_connect_timeout               300;
+    chunked_transfer_encoding           off;
+
+    # This uses the upstream directive definition to load balance
+    proxy_pass http://outline_server/realtime;
+
+    # SSL config
+    proxy_ssl_session_reuse             on;
+    proxy_ssl_protocols                 TLSv1.1 TLSv1.2 TLSv1.3;
+    proxy_ssl_ciphers                   HIGH:!aNULL:!MD5;
+  }
 }

container/compose/web/minio/config.env

@@ -7,11 +7,15 @@ MINIO_BROWSER_REDIRECT_URL=https://console.minio.light.local
 
 # 集成 Keycloak 认证 _KEYCLOAK 自定义，可以为任意值
 # https://min.io/docs/minio/linux/operations/external-iam/configure-keycloak-identity-management.html#configure-minio-for-keycloak-authentication
-MINIO_IDENTITY_OPENID_SCOPES_KEYCLOAK="openid,profile,email,preferred_username"
+MINIO_IDENTITY_OPENID_SCOPES_KEYCLOAK="openid,profile,email,policy"
 MINIO_IDENTITY_OPENID_CLIENT_ID_KEYCLOAK="Minio"
 MINIO_IDENTITY_OPENID_CLIENT_SECRET_KEYCLOAK="QQO0uOF9w9XAx8BW8JGMR9fdIEXYAwuy"
 MINIO_IDENTITY_OPENID_CONFIG_URL_KEYCLOAK=https://keycloak.light.local/realms/master/.well-known/openid-configuration
-MINIO_IDENTITY_OPENID_DISPLAY_NAME_KEYCLOAK="Keycloak"
+MINIO_IDENTITY_OPENID_DISPLAY_NAME_KEYCLOAK="Keycloak OIDC"
+MINIO_IDENTITY_OPENID_CLAIM_NAME="policy"
+MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
+MINIO_IDENTITY_OPENID_REDIRECT_URI_KEYCLOAK="https://console.minio.light.local/oauth_callback"
+MINIO_IDENTITY_OPENID_CLAIM_USER_INFO_KEYCLOAK="on"
 MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_KEYCLOAK="on"
 
 # https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html#minio-server-envvar-external-identity-management-openid

container/compose/web/web-stack.md

@@ -187,9 +187,7 @@ services:
       KC_HTTP_ENABLED: true
       KC_HEALTH_ENABLED: true
       # PROXY_ADDRESS_FORWARDING: true
-    ### 日志默认位置 opt/keycloak/data/log
-    ###! Docs: https://www.keycloak.org/server/logging#_configuring_the_location_and_name_of_the_log_file
-    command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --log="console,file"
+    command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
     restart: unless-stopped
     # depends_on:
     #   - postgres
@@ -230,7 +228,7 @@ services:
       - //d/docker/develop/web/minio/conf/config.env:/etc/minio/config.env
     environment:
       MINIO_CONFIG_ENV_FILE: /etc/minio/config.env
-    command: ['server', '/data', '--address', ':9000', '--console-address', ':9001']
+    command: ['server', '/data', '--address', ':9000', '--console-address', ':9001', '--certs-dir', '/opt/minio/certs/']
     restart: unless-stopped
 
   gitlab:
@@ -359,7 +357,7 @@ services:
     #   - postgres
 
   # gitlab-runner:
-  #   image: 'gitlab/gitlab-runner:latest'
+  #   image: 'gitlab/gitlab-runner:ubi-fips'
   #   container_name: web_gitlab-runner
   #   hostname: gitlab-runner.web
   #   networks:
@@ -467,7 +465,7 @@ services:
   #   #   - postgres
 
   outline:
-    image: docker.getoutline.com/outlinewiki/outline:latest
+    image: outlinewiki/outline:0.80.1
     container_name: web_outline
     hostname: outline.web
     networks:
@@ -500,13 +498,13 @@ services:
     environment:
       NODE_TLS_REJECT_UNAUTHORIZED: "0"
     command: sh -c "sleep 60 && yarn start --env production-ssl-disabled"
-    env_file: ./outline.env
+    env_file: ./outline/outline.env
     # depends_on:
     #   - postgres
     #   - redis
 
   readeck:
-    image: codeberg.org/readeck/readeck:latest
+    image: codeberg.org/readeck/readeck:0.15.3
     container_name: web_readeck
     hostname: readeck.web
     networks:
@@ -604,17 +602,18 @@ docker compose -f web.yaml -p web down
   - Direct access grants
 
 1. Root URL: 
-   - https://minio.console.light.local/
+   - https://console.minio.light.local/
 2. Home URL: 
-   - https://minio.console.light.local
+   - https://console.minio.light.local
 3. Valid redirect URIs: 
-   - https://minio.console.light.local/*
+   - https://console.minio.light.local/*
+   - https://console.minio.light.local/oauth_callback/*
 4. Valid post logout redirect URIs 
-   - https://minio.console.light.local/
+   - https://console.minio.light.local/
 5. Web origins 
-   - https://minio.console.light.local
+   - https://console.minio.light.local
 6. Admin URL: 
-   - https://minio.console.light.local
+   - https://console.minio.light.local
 
 #### 3. 配置Gitlab认证
 
@@ -799,4 +798,76 @@ git config --global http.sslVerify false
 
    - 一般是密码包含不识别的特殊字符，建议使用 数字 大小写字母 = 等符号，不要使用@ # & $等符号
 
+### 3. Outline 标题可以编辑，内容无法编辑
+- https://github.com/outline/outline/issues/6568
+- https://linear.app/outline/issue/OLN-269/the-title-can-be-entered-but-the-content-cannot-be-entered
+- https://github.com/outline/outline/discussions/6569
+- https://github.com/outline/outline/discussions/3677
 
+
+```conf
+proxy_set_header Connection         keep-alive;
+
+# 将上面的配置改为下面的值即可
+proxy_set_header Upgrade            $http_upgrade;
+proxy_set_header Connection         "Upgrade";
+proxy_redirect                      off;
+```
+
+### 4. Outline 集成Minio文件下载
+- https://github.com/chsasank/outline-wiki-docker-compose/issues/1
+- https://github.com/outline/outline/issues/1912
+
+
+### 5. Minio集成Keycloak认证失败
+- https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html
+
+```bash
+# 在容器中执行
+curl https://keycloak.light.local/realms/master/.well-known/openid-configuration
+
+curl --insecure https://keycloak.light.local/realms/master/.well-known/openid-configuration
+
+```
+
+1. 未知的主机 `dial tcp: lookup keycloak.light.local on 127.0.0.11:53: no such host`
+
+```bash
+Get "https://keycloak.light.local/realms/master/.well-known/openid-configuration": dial tcp: lookup keycloak.light.local on 127.0.0.11:53: no such host
+```
+
+```bash
+# 查看原来的DNS
+cat /etc/resolv.conf 
+
+# 添加宿主机的DNS
+cat > /etc/resolv.conf << EOF
+nameserver 127.0.0.11
+nameserver 192.168.137.1
+nameserver 8.8.8.8
+options ndots:0
+EOF
+
+# 修改完成后重启容器
+```
+
+2. 无法识别的CA `unable to get local issuer certificate` `x509: certificate signed by unknown authority`
+
+- https://min.io/docs/minio/container/operations/network-encryption.html#third-party-certificate-authorities
+- https://github.com/minio/minio/issues/16616
+
+```bash
+docker cp D:/docker/develop/net/nginx/cert/light.local.key        web_minio:/opt/minio/certs/light.local.key
+docker cp D:/docker/develop/net/nginx/cert/light.local.crt        web_minio:/opt/minio/certs/light.local.crt
+docker cp D:/docker/develop/net/nginx/cert/minio.light.local.key  web_minio:/opt/minio/certs/minio.light.local.key
+docker cp D:/docker/develop/net/nginx/cert/minio.light.local.crt  web_minio:/opt/minio/certs/minio.light.local.crt
+
+docker cp D:/docker/develop/net/nginx/cert/root_ca.crt            web_minio:/opt/minio/certs/CAs/root_ca.crt
+docker cp D:/docker/develop/net/nginx/cert/intermediate_ca.crt    web_minio:/opt/minio/certs/CAs/intermediate_ca.crt
+
+# 安装CA证书
+cp /opt/minio/certs/*.crt     /etc/ssl/certs/
+cp /opt/minio/certs/CAs/*.crt /etc/ssl/certs/
+update-ca-trust
+
+```

container/compose/web/web.yaml

@@ -98,7 +98,7 @@ services:
       - //d/docker/develop/web/minio/conf/config.env:/etc/minio/config.env
     environment:
       MINIO_CONFIG_ENV_FILE: /etc/minio/config.env
-    command: ['server', '/data', '--address', ':9000', '--console-address', ':9001']
+    command: ['server', '/data', '--address', ':9000', '--console-address', ':9001', '--certs-dir', '/opt/minio/certs/']
     restart: unless-stopped
 
   gitlab: