From 654fc767fa9570735ae9deaf9890660d1973ccd0 Mon Sep 17 00:00:00 2001
From: Francesco Antognazza
Date: Fri, 3 Feb 2023 18:01:35 +0100
Subject: [PATCH] Add traefik reverse proxy
---
.../traefik/files/conf/http_compress.yml | 8 ++
containers/traefik/files/conf/http_config.yml | 2 +
containers/traefik/tasks.yml | 125 ++++++++++++++++++
.../traefik/templates/conf/cockpit.yml.j2 | 14 ++
containers/traefik/templates/traefik.yml.j2 | 40 ++++++
5 files changed, 189 insertions(+)
create mode 100644 containers/traefik/files/conf/http_compress.yml
create mode 100644 containers/traefik/files/conf/http_config.yml
create mode 100644 containers/traefik/tasks.yml
create mode 100644 containers/traefik/templates/conf/cockpit.yml.j2
create mode 100644 containers/traefik/templates/traefik.yml.j2
diff --git a/containers/traefik/files/conf/http_compress.yml b/containers/traefik/files/conf/http_compress.yml
new file mode 100644
index 0000000..81d851b
--- /dev/null
+++ b/containers/traefik/files/conf/http_compress.yml
@@ -0,0 +1,8 @@
+http:
+ middlewares:
+ http-compress:
+ compress:
+ excludedContentTypes:
+ - "video/*"
+ - "image/*"
+ - "audio/*"
diff --git a/containers/traefik/files/conf/http_config.yml b/containers/traefik/files/conf/http_config.yml
new file mode 100644
index 0000000..ad51944
--- /dev/null
+++ b/containers/traefik/files/conf/http_config.yml
@@ -0,0 +1,2 @@
+serversTransport:
+ insecureSkipVerify: true
diff --git a/containers/traefik/tasks.yml b/containers/traefik/tasks.yml
new file mode 100644
index 0000000..83eaadd
--- /dev/null
+++ b/containers/traefik/tasks.yml
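Review bot: `insecureSkipVerify: true` in http_config.yml switches off upstream certificate validation for every backend Traefik forwards to, so a TLS-enabled service behind the proxy gets no protection on the proxy-to-backend hop; nothing in this patch needs it, since the only upstream defined (cockpit) is reached over plain `http://`. If a self-signed backend is planned, the narrower form is a named transport in the dynamic config, `http.serversTransports.<name>.rootCAs` listing that backend's CA, attached to that one service with `serversTransport: <name>`, rather than a global skip-verify. Note also that a bare top-level `serversTransport:` is the static-configuration spelling; inside a file read from `providers.file.directory` it is probably not honored at all (unverified), which would make this file a silent no-op today and a global skip-verify the day it is moved into traefik.yml.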
@@ -0,0 +1,125 @@
+---
+- hosts: all
+ name: Traefik reverse proxy
+ tasks:
+ - name: Get containers UID
+ ansible.builtin.command: "id -u containers"
+ register: uid_containers
+ changed_when: uid_containers.rc != 0
+
+ - name: Permit traffic from any IP to http port
+ become: true
+ ansible.builtin.ufw:
+ direction: in
+ from_ip: any
+ proto: tcp
+ to_port: 80
+ rule: allow
+
+ - name: Permit traffic from any IP to https port
+ become: true
+ ansible.builtin.ufw:
+ direction: in
+ from_ip: any
+ proto: tcp
+ to_port: 443
+ rule: allow
+
+ - name: Pull traefik image
+ become_user: containers
+ become: true
+ containers.podman.podman_image:
+ name: docker.io/traefik:latest
+
+ - name: Change permission to traefik folder
+ become: true
+ ansible.builtin.file:
+ path: /etc/traefik
+ owner: containers
+ group: containers
+ mode: 0700
+ state: directory
+
+ - name: Copy config directory
+ become: true
+ ansible.builtin.copy:
+ src: files/
+ dest: /etc/traefik/
+ owner: containers
+ group: containers
+ mode: 0600
+
+ - name: Copy config files from templates
+ become: true
+ ansible.builtin.template:
+ src: "templates/{{ item }}.j2"
+ dest: "/etc/traefik/{{ item }}"
+ owner: containers
+ group: containers
+ mode: 0600
+ loop:
+ - traefik.yml
+ - conf/cockpit.yml
+
+ - name: Create podman networks
+ containers.podman.podman_network:
+ name: "{{ item }}"
+ recreate: false
+ state: "present"
+ disable_dns: true
+ become_user: containers
+ become: true
+ loop:
+ - traefik
+ - traefik-portainer
+ - traefik-nextcloud
+
+ - name: Create traefik instance
+ become_user: containers
+ become: true
+ containers.podman.podman_container:
+ name: traefik
+ image: docker.io/traefik:latest
+ state: present
+ ports:
+ - 80:80
+ - 443:443
+ security_opt:
+ - label=type:container_runtime_t
+ volume:
+ - /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z
+ - /etc/traefik/:/etc/traefik:Z
+ network:
+ - traefik
+ - traefik-portainer
+ - traefik-nextcloud
+ cap_add:
+ - NET_ADMIN
+ label:
+ io.containers.autoupdate: "registry"
+ traefik.enable: "true"
+ traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
+ traefik.http.routers.traefik.entrypoints: "https"
+ traefik.http.routers.traefik.rule: "Path(`/traefik`)"
+ traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
+ traefik.http.routers.traefik.tls: "true"
+ traefik.http.routers.traefik.tls.certresolver: "wildcard"
+ traefik.http.routers.traefik.tls.domains[0].main: "{{ inventory_hostname }}"
+ traefik.http.routers.traefik.service: "api@internal"
+ generate_systemd:
+ path: /home/containers/.config/systemd/user/
+ restart_policy: on-failure
+ names: true
+ new: true
+
+ - name: Start containers at boot
+ become_user: containers
+ become: true
+ ansible.builtin.systemd:
+ scope: user
+ name: container-{{ item }}.service
+ enabled: true
+ state: started
+ daemon_reload: true
+ loop:
+ - traefik
diff --git a/containers/traefik/templates/conf/cockpit.yml.j2 b/containers/traefik/templates/conf/cockpit.yml.j2
new file mode 100644
index 0000000..cd7fedd
--- /dev/null
+++ b/containers/traefik/templates/conf/cockpit.yml.j2
@@ -0,0 +1,14 @@
+http:
+ routers:
+ cockpit:
+ rule: "Path(`/cockpit`)"
+ entryPoints: https
+ service: cockpit
+ tls:
+ certresolver: wildcard
+
+ services:
+ cockpit:
+ loadBalancer:
+ servers:
+ - url: "http://131.175.120.208:9090"
diff --git a/containers/traefik/templates/traefik.yml.j2 b/containers/traefik/templates/traefik.yml.j2
new file mode 100644
index 0000000..5bdfd03
--- /dev/null
+++ b/containers/traefik/templates/traefik.yml.j2
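Review bot: The "Create traefik instance" task hands the internet-facing proxy the user's podman socket (`/run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock`), runs it as `label=type:container_runtime_t`, adds `NET_ADMIN`, and auto-updates an unpinned `docker.io/traefik:latest`; together these mean a flaw in Traefik is a flaw in every container the `containers` user runs, and an upstream image change lands unreviewed. Traefik only needs read access to the container API, so a small socket-proxy container on the `traefik` network that exposes the read-only endpoints, mounted in place of the raw socket, would remove most of that blast radius, and nothing in this configuration appears to need `NET_ADMIN` (port publishing is done by podman, not inside the container). Pin the image to a version tag or digest and let `io.containers.autoupdate: "registry"` track that tag, e.g. `image: docker.io/traefik:v2.9`. Separately, `changed_when: uid_containers.rc != 0` on the "Get containers UID" task can never report a change because a non-zero rc fails the task first; `changed_when: false` states the intent.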
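Review bot: cockpit.yml.j2 hard-codes a routable address, `url: "http://131.175.120.208:9090"`, in a file that is otherwise a Jinja template and contains no template expression; it should come from a host variable (for instance `{{ ansible_default_ipv4.address }}` or a dedicated `cockpit_backend_url` var, with a loopback address preferred if the hop stays cleartext) so the proxy is not bound to one host and no public IP is committed. Cockpit by default serves TLS on 9090 and, when placed behind a reverse proxy under a sub-path, expects `UrlRoot`, `Origins` and `ProtocolHeader` to be set in cockpit.conf; as written the plain `http://` upstream and the exact-match `Path(`/cockpit`)` rule (Cockpit loads many sub-resources, so `PathPrefix` is the usual form) are likely to fail unless cockpit.conf has already been adjusted, which this commit does not show.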
@@ -0,0 +1,40 @@
+log:
+ level: "ERROR"
+
+api:
+ dashboard: true
+
+accessLog:
+ filters:
+ statusCodes:
+ - "400-418"
+ - "500-508"
+
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+ permanent: true
+ https:
+ address: ":443"
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ file:
+ directory: "/etc/traefik/conf"
+ watch: true
+
+certificatesResolvers:
+ wildcard:
+ acme:
+ email: {{ vault_acme_admin_email }}
+ storage: "/etc/traefik/acme_wildcard.json"
+ keyType: "EC256"
+ httpChallenge:
+ entryPoint: http
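Review bot: `email: {{ vault_acme_admin_email }}` is the one unquoted templated scalar in traefik.yml.j2; if the vault variable is undefined or empty the rendered line becomes `email:` (YAML null) and the failure only surfaces as an ACME registration error at container start. Writing it as `email: "{{ vault_acme_admin_email | mandatory }}"` makes the play fail at template time with a clear message and keeps the value a string whatever it contains. The `https` entrypoint sets no TLS policy; adding `tls.options.default.minVersion: VersionTLS12` to the dynamic config would make the minimum version explicit and reviewable rather than relying on the image default, which changes with the (currently unpinned) Traefik version.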