GitLab

This patch adds the ability to define a oauth provider for Grafana.

In order to collect all information from the docker daemon, the INFO
endpoint is needed. This patch adds the access on the
docker-socket-proxy container.

Seems like when adding the rendering, I forgot to add the networks to
grafana and the general network definition.

Telegraf doesn't need traefik, so the role shouldn't run here.

This patch allows to render dashboards for sharing with external users
as well as in alerts and alike.

Nothing fundamentally changed, mainly some typos and oversights fixed.

This patch adds a first version of my monitoring setup to the
repository. It should be improved over time, but for a first versions
it's already rather satisfied.

Since switching to "absolute" image names, this image pull instruction
also needs an update to this full image name.

As pointed out in a github issue[1] and the docs[2] using `SIGINT` will
not just make postgres stop accepting new connections but also make it
drop existing onces. Since most applications use longer lasting
connections or connection pooling these days, it's definitely a good
idea, to drop those connection even when it means that some transactions
will be rejected.

[1]: https://github.com/docker-library/postgres/issues/714
[2]: https://www.postgresql.org/docs/11/server-shutdown.html

Postgresql needs some time to shutdown. The default `stop_grace_period`
is quite short and in worst case causes database corruptions. This
change increased this shutdown period a lot in order to help postgres
ending its processing gracefully and not being killed by the container
engine using `kill -9`.

Details:
https://github.com/docker-library/postgres/issues/544

Currently container image names are all over the place. From short form
to full form and other things. This patch will update all of them to
"absolute" image names which should prevent any issues if the default
container registry for the moby-engine is ever changed.

This CLI allows management of the minecraft container. It can be used to
allow people to manage the container who are not overly experienced with
UNIX shell commands.

The idea is to provide a simplified CLI that can do take care of the
most essential tasks.

The format for alt-svc headers in traefik 2.0 was wrongly used in all
templates. This patch fixes the header by using
`customresponseheaders.alt-svc=h2=` instead of
`customresponseheaders.alt-svc:h2=`.

After doing this the header is set again, properly. Thanks to perflyst
for the report.

This patch adds the ability to specify an array of encryption keys that
are used for the backup encryption. This should provide better
recoverability in a crisis situation.

The usual recommendation is to backup the gpg key, that is used for
encryption and signing. But the time between storing this key and being
in a recovery situation is huge and in worst case keys get lost.

Adding a second key, that is more frequently used i.e. an encryption key
stored on a yubikey that is used on a daily basis, might saves the day
here. This of course means the backup has to be downloaded, decrypted
and uploaded, but a backup that takes a few days to recover is better
than a backup that can't be recovered at all.

In order to use the new feature extend the `backup_gpg` config with a
`sign_key` identifier and a `encryption_keys` identifier array.

Example (old vs new):

```yaml
---

backup_gpg:
  id: "123456789"
  passphrase: "abcdefghiklmnopqrstuvwxyz"
```

vs.

```yaml
---

backup_gpg:
  id: "123456789"
  passphrase: "abcdefghiklmnopqrstuvwxyz"
  sign_key: "123456789"
  encryption_keys:
    - "123456789"
    - "098765432"
```

Note: The `backup_gpg.passphrase` is for the signing key, not for the
encryption keys. The `backup_gpg.id` field exists only for backwards
compatiblity.

Containers can gain a significant security benefit from read-only
filesystems. This patch adds the ability to host nginx-based static
websites in read-only mode and this way reduce the attack surface
drastically.

The patch provides the needed changes as well as an extension of the
example in the README.