本文整合了常用私有服务的 Docker 部署配置,包括制品仓库、CI/CD、身份认证和密码管理。

Nexus 制品仓库

Nexus 支持 Docker、Helm、npm、PyPI、Maven 等多种格式的制品管理。

Docker 部署

1
2
3
4
5
6
7
8
9
10
11
12
version: '2.0'

services:
  nexus:
    image: sonatype/nexus3
    container_name: nexus
    restart: always
    ports:
      - "127.0.0.1:8081:8081"  # Web UI
      - "127.0.0.1:5000:5000"  # Docker Registry
    volumes:
      - ${HOME}/nexus-data:/nexus-data
1
2
# 获取初始密码
docker exec nexus cat /nexus-data/admin.password

Nginx 反向代理

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
server {
    listen 443 ssl;
    server_name repo.example.com;

    ssl_certificate /etc/letsencrypt/live/repo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/repo.example.com/privkey.pem;

    client_max_body_size 10G;  # Docker 镜像可能很大

    location / {
        proxy_pass http://localhost:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
    }
}

使用示例

1
2
3
4
5
6
7
8
9
10
11
# Docker Registry
docker login docker.example.com
docker tag myapp:latest docker.example.com/myapp:latest
docker push docker.example.com/myapp:latest

# Helm 仓库
helm repo add myrepo https://repo.example.com/repository/helm-hosted/ \
  --username admin --password password

# npm 仓库
npm config set registry https://repo.example.com/repository/npm-group/

Jenkins CI/CD

Docker 部署

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
version: '3'
services:
  jenkins:
    image: jenkins/jenkins:lts
    user: root
    restart: always
    container_name: jenkins
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:50000:50000"  # Agent 连接
    volumes:
      - ${HOME}/jenkins/jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock  # Docker in Docker
      - ${HOME}/.ssh:/root/.ssh
    environment:
      - JENKINS_OPTS=--sessionTimeout=43200
1
2
# 查看初始密码
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword

Nginx 反向代理(含 WebSocket)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

upstream jenkins {
  keepalive 32;
  server 127.0.0.1:8080;
}

server {
  listen 443 ssl;
  server_name jenkins.example.com;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  ignore_invalid_headers off;

  location / {
    sendfile off;
    proxy_pass http://jenkins;
    proxy_http_version 1.1;

    # WebSocket 支持
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_buffering off;
    proxy_request_buffering off;
  }
}

Pipeline 示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
pipeline {
  agent any
  environment {
    DOCKER_REGISTRY = 'docker.example.com'
    IMAGE_NAME = 'myapp'
  }
  stages {
    stage('Build') {
      steps {
        sh 'docker build -t ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_NUMBER} .'
      }
    }
    stage('Push') {
      steps {
        sh 'docker push ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_NUMBER}'
      }
    }
  }
}

OpenLDAP 身份认证

Docker 部署

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
version: '3.8'

services:
  openldap:
    image: osixia/openldap:1.5.0
    restart: always
    container_name: ldap
    hostname: ldap.example.com
    ports:
      - "389:389"
      - "636:636"
    environment:
      - LDAP_ORGANISATION=MyCompany
      - LDAP_DOMAIN=example.com
      - LDAP_ADMIN_PASSWORD=adminPassword
    volumes:
      - ${PWD}/ldap:/var/lib/ldap
      - ${PWD}/slapd.d:/etc/ldap/slapd.d

  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    ports:
      - "8080:80"
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap
      - PHPLDAPADMIN_HTTPS=false
    depends_on:
      - openldap

添加用户

add-user.ldif:

1
2
3
4
5
6
7
8
9
10
11
dn: uid=john,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
sn: Doe
mail: [email protected]
userPassword: {SSHA}xxxxx
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/john
1
2
3
4
5
6
7
8
9
# 生成密码
docker exec ldap slappasswd

# 添加用户
docker exec ldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w adminPassword -f /tmp/add-user.ldif

# 搜索用户
ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=com" -w adminPassword \
  -b "dc=example,dc=com" "(uid=john)"

应用集成示例

Grafana:

1
2
3
4
5
6
7
[[servers]]
host = "ldap.example.com"
port = 389
bind_dn = "cn=admin,dc=example,dc=com"
bind_password = "adminPassword"
search_filter = "(uid=%s)"
search_base_dns = ["ou=Users,dc=example,dc=com"]

Vaultwarden 密码管理

Vaultwarden 是 Bitwarden 的轻量级开源替代,资源占用极低。

Docker 部署

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
version: "3.9"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=your-secure-random-token
      - DOMAIN=https://vault.example.com
    volumes:
      - ${HOME}/vaultwarden:/data
    ports:
      - "127.0.0.1:8080:80"
      - "127.0.0.1:3012:3012"  # WebSocket
1
2
# 生成管理员 Token
openssl rand -base64 48

Nginx 反向代理

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
server {
  listen 443 ssl http2;
  server_name vault.example.com;

  ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;

  client_max_body_size 128M;

  # Web UI
  location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # WebSocket
  location /notifications/hub {
    proxy_pass http://localhost:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://localhost:8080;
  }
}

客户端使用

  1. 安装 Bitwarden 浏览器扩展/App
  2. 设置 → 自托管环境
  3. 服务器 URL:https://vault.example.com
  4. 登录使用

服务对比

服务 用途 端口 资源占用
Nexus 制品仓库 8081, 5000 中等
Jenkins CI/CD 8080, 50000 较高
OpenLDAP 身份认证 389, 636
Vaultwarden 密码管理 80, 3012 极低

通用注意事项

安全配置

  • HTTPS:所有服务通过 Nginx 反向代理启用 HTTPS
  • 防火墙:只开放必要端口,内部服务绑定 127.0.0.1
  • 密码:使用强密码,定期更换

备份策略

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 通用备份脚本
#!/bin/bash
BACKUP_DIR=~/backups
DATE=$(date +%Y%m%d)

# Nexus
tar -czf $BACKUP_DIR/nexus-$DATE.tar.gz ~/nexus-data

# Jenkins
tar -czf $BACKUP_DIR/jenkins-$DATE.tar.gz ~/jenkins/jenkins_home

# LDAP
docker exec ldap slapcat > $BACKUP_DIR/ldap-$DATE.ldif

# Vaultwarden
tar -czf $BACKUP_DIR/vault-$DATE.tar.gz ~/vaultwarden

# 清理 30 天前的备份
find $BACKUP_DIR -name "*.tar.gz" -mtime +30 -delete

SSL 证书

使用 Let’s Encrypt 自动证书:

1
certbot certonly --nginx -d repo.example.com -d jenkins.example.com -d vault.example.com

参考资料