diff --git a/all.yml b/all.yml index e47315d..bcf25a8 100644 --- a/all.yml +++ b/all.yml @@ -10,9 +10,9 @@ tags: ["ufw"] - role: fail2ban tags: ["fail2ban"] - -- hosts: all - become: yes - roles: - role: "node-exporter" tags: ["node-exporter"] + - role: "docker" + tags: ["docker"] + - role: "traefik" + tags: ["docker", "traefik"] diff --git a/inv/group_vars/all/vars.yml b/inv/group_vars/all/vars.yml index fdca1f9..8d508b8 100644 --- a/inv/group_vars/all/vars.yml +++ b/inv/group_vars/all/vars.yml @@ -1,10 +1,22 @@ +--- +base_user_name: chosto ihl_base_users: - - name: chosto - group: chosto + - name: "{{ base_user_name }}" + group: "{{ base_user_name }}" groups: - sudo ssh_keys: - ssh-rsa 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 quentinduchemin@tuta.io ihl_base_ssh_users: - - chosto + - "{{ base_user_name }}" + +docker_edition: 'ce' +docker_package_state: present +docker_service_state: started +docker_service_enabled: true +docker_restart_handler_state: restarted +docker_install_compose: true +docker_compose_version: "1.28.5" +docker_users: + - "{{ base_user_name }}" diff --git a/inv/host_vars/new.chosto.me/secrets.yml b/inv/host_vars/new.chosto.me/secrets.yml index 9692a12..20cb1b9 100644 --- a/inv/host_vars/new.chosto.me/secrets.yml +++ b/inv/host_vars/new.chosto.me/secrets.yml 
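Review bot: `docker_users` adds `{{ base_user_name }}` to the docker group without a comment saying what that grants; membership in that group is root-equivalent on the host because the daemon runs as root and will happily bind-mount `/`. The user already carries `sudo` in `ihl_base_users`, so this is not a new privilege here, but the list will be copied to other hosts, so I would document it inline: `# NOTE: docker group membership is root-equivalent on the host; only list users who already hold sudo.` The same file sets `docker_install_compose: true` with `docker_compose_version: "1.28.5"`, so any other compose install path in the role should pin to that variable rather than float.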
@@ -1,7 +1,16 @@ $ANSIBLE_VAULT;1.1;AES256 -33343337653333343366613634323137303835383230363964333832666562633230656233636530 -3462643333626535363437656337363239653533633830320a633762323565393235616431626361 -65313861666266313336626537383636666566383634363234613532373631343061323837633636 -3762333033636462330a323362323034336365326432373030626634396265343365393162326538 -33663862303831646239383735353766616464386532346665316664376434666363633034396363 -3763316133353034653439316538383563353739323132626164 +66363166326338646463393939653335373564616361303565363066633931333637656330616636 +3031633235313930666138646662643036376662613139340a396466303434386232663131346466 +35653261386639623264646331363037336439373065323437663039333635633430323938363861 +6631656433626432320a303938333734373961333264663835316134326464643365393963613036 +30306337373636366336373736633233393466323663306331343762336465373737383536393735 +35353837316264663461643733653536346537333731646436646566656538643661623530323536 +62646665303566633461343739626332326334636531336264636533353431393436336333393564 +30353062326434613663373730656431623638333537383031343837353231323665666432356166 +31653432383261396664383863623864633633373431356363656131313862336364343061393730 +38666236323237626536313739643063303838653636613037383465663163313061326532356239 +32363966323363353233356631363033616462313036376663383833636331353763373132303031 +38653866303636633163303064343239663330666537333833373630326335323261356534643062 +30363463643162623736373233633661623530353037353430376535636361336534353936336136 +61346235373034626563343637336166633531373939636366666666616338396339353535323032 +623138313638333138323638336365643930 diff --git a/inv/host_vars/new.chosto.me/vars.yml b/inv/host_vars/new.chosto.me/vars.yml index f5c1328..e0a4afb 100644 --- a/inv/host_vars/new.chosto.me/vars.yml +++ b/inv/host_vars/new.chosto.me/vars.yml 
@@ -3,8 +3,16 @@ firewall_in_ports: - "443" - "{{ ssh_port }}" -hostname: chosto +hostname: "{{ base_user_name }}" ssh_port: "2220" prometheus_server_ip: "51.178.182.35" + +docker_files: "/home/{{ base_user_name }}/docker" + +traefik_network: proxy + +domain_name: new.chosto.me + +letsencrypt_email: quentinduchemin@tuta.io diff --git a/roles/geerlingguy.docker/LICENSE b/roles/docker/LICENSE similarity index 100% rename from roles/geerlingguy.docker/LICENSE rename to roles/docker/LICENSE diff --git a/roles/geerlingguy.docker/README.md b/roles/docker/README.md similarity index 100% rename from roles/geerlingguy.docker/README.md rename to roles/docker/README.md diff --git a/roles/geerlingguy.docker/defaults/main.yml b/roles/docker/defaults/main.yml similarity index 74% rename from roles/geerlingguy.docker/defaults/main.yml rename to roles/docker/defaults/main.yml index 8d66047..ed14f5e 100644 --- a/roles/geerlingguy.docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -21,11 +21,5 @@ docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker docker_apt_ignore_key_error: true docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg -# Used only for RedHat/CentOS/Fedora. -docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo -docker_yum_repo_enable_nightly: '0' -docker_yum_repo_enable_test: '0' -docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg - # A list of users who will be added to the docker group. docker_users: [] diff --git a/roles/geerlingguy.docker/handlers/main.yml b/roles/docker/handlers/main.yml similarity index 75% rename from roles/geerlingguy.docker/handlers/main.yml rename to roles/docker/handlers/main.yml index 7847bc1..690d7a1 100644 --- a/roles/geerlingguy.docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml 
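Review bot: `hostname: "{{ base_user_name }}"` couples the machine's hostname to the admin login name, so renaming or rotating that user would silently rename the host and everything keyed on it (Prometheus labels, logs, certificates issued under it); keep the literal `hostname: chosto` or give it its own variable unless the two are meant to track each other. `docker_files: "/home/{{ base_user_name }}/docker"` places Traefik's configuration and the ACME store under an unprivileged user's home, which is fine only because that user is already sudo/docker-group; a one-line comment stating that assumption would help whoever reuses this host_vars file. `traefik_metrics_port` (8082) is correctly absent from `firewall_in_ports`, so metrics stay host-local.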
@@ -1,3 +1,3 @@ --- -- name: restart docker +- name: Restart docker service: "name=docker state={{ docker_restart_handler_state }}" diff --git a/roles/geerlingguy.docker/tasks/docker-compose.yml b/roles/docker/tasks/docker-compose.yml similarity index 100% rename from roles/geerlingguy.docker/tasks/docker-compose.yml rename to roles/docker/tasks/docker-compose.yml diff --git a/roles/geerlingguy.docker/tasks/docker-users.yml b/roles/docker/tasks/docker-users.yml similarity index 100% rename from roles/geerlingguy.docker/tasks/docker-users.yml rename to roles/docker/tasks/docker-users.yml diff --git a/roles/geerlingguy.docker/tasks/main.yml b/roles/docker/tasks/main.yml similarity index 80% rename from roles/geerlingguy.docker/tasks/main.yml rename to roles/docker/tasks/main.yml index 56449ef..088e33d 100644 --- a/roles/geerlingguy.docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,7 +1,4 @@ --- -- include_tasks: setup-RedHat.yml - when: ansible_os_family == 'RedHat' - - include_tasks: setup-Debian.yml when: ansible_os_family == 'Debian' @@ -9,7 +6,14 @@ package: name: "{{ docker_package }}" state: "{{ docker_package_state }}" - notify: restart docker + notify: Restart docker + +- name: Install Docker and Compose pip package + pip: + name: "{{ item }}" + loop: + - docker + - docker-compose - name: Ensure Docker is started and enabled at boot. service: diff --git a/roles/geerlingguy.docker/tasks/setup-Debian.yml b/roles/docker/tasks/setup-Debian.yml similarity index 65% rename from roles/geerlingguy.docker/tasks/setup-Debian.yml rename to roles/docker/tasks/setup-Debian.yml index d701135..ccd8b63 100644 --- a/roles/geerlingguy.docker/tasks/setup-Debian.yml +++ b/roles/docker/tasks/setup-Debian.yml 
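Review bot: The new "Install Docker and Compose pip package" task installs `docker` and `docker-compose` from PyPI unpinned and as root into the system Python, so each run can pull whatever is latest, and it ignores the role's own `docker_install_compose` / `docker_compose_version` ("1.28.5") settings that govern the binary install in `docker-compose.yml`. Pin it and make it idempotent: `name: ["docker", "docker-compose=={{ docker_compose_version }}"]` and `state: present`, dropping the `loop`. The `pip:` module also assumes pip is already present on the host, which nothing in this hunk ensures; if `setup-Debian.yml` does not install `python3-pip`, this task fails on a fresh box. Since the task sits between the package install and the service task, consider `when: docker_install_compose` so the flag keeps its meaning.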
@@ -22,17 +22,6 @@ register: add_repository_key ignore_errors: "{{ docker_apt_ignore_key_error }}" -- name: Ensure curl is present (on older systems without SNI). - package: name=curl state=present - when: add_repository_key is failed - -- name: Add Docker apt key (alternative for older systems without SNI). - shell: > - curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add - - args: - warn: false - when: add_repository_key is failed - - name: Add Docker repository. apt_repository: repo: "{{ docker_apt_repository }}" diff --git a/roles/geerlingguy.docker/.ansible-lint b/roles/geerlingguy.docker/.ansible-lint deleted file mode 100644 index affe64f..0000000 --- a/roles/geerlingguy.docker/.ansible-lint +++ /dev/null @@ -1,3 +0,0 @@ -skip_list: - - '306' - - '106' diff --git a/roles/geerlingguy.docker/.github/FUNDING.yml b/roles/geerlingguy.docker/.github/FUNDING.yml deleted file mode 100644 index 96b4938..0000000 --- a/roles/geerlingguy.docker/.github/FUNDING.yml +++ /dev/null @@ -1,4 +0,0 @@ -# These are supported funding model platforms ---- -github: geerlingguy -patreon: geerlingguy diff --git a/roles/geerlingguy.docker/.github/stale.yml b/roles/geerlingguy.docker/.github/stale.yml deleted file mode 100644 index 3ac21f9..0000000 --- a/roles/geerlingguy.docker/.github/stale.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# Configuration for probot-stale - https://github.com/probot/stale ---- -# Number of days of inactivity before an Issue or Pull Request becomes stale -daysUntilStale: 90 - -# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. -# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. -daysUntilClose: 30 - -# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) -onlyLabels: [] - -# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable -exemptLabels: - - pinned - - security - - planned - -# Set to true to ignore issues in a project (defaults to false) -exemptProjects: false - -# Set to true to ignore issues in a milestone (defaults to false) -exemptMilestones: false - -# Set to true to ignore issues with an assignee (defaults to false) -exemptAssignees: false - -# Label to use when marking as stale -staleLabel: stale - -# Limit the number of actions per hour, from 1-30. Default is 30 -limitPerRun: 30 - -pulls: - markComment: |- - This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! - - Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. - - unmarkComment: >- - This pull request is no longer marked for closure. - - closeComment: >- - This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. - -issues: - markComment: |- - This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
- - Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. - - unmarkComment: >- - This issue is no longer marked for closure. - - closeComment: >- - This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.docker/.github/workflows/ci.yml b/roles/geerlingguy.docker/.github/workflows/ci.yml deleted file mode 100644 index 42b7a1d..0000000 --- a/roles/geerlingguy.docker/.github/workflows/ci.yml +++ /dev/null @@ -1,72 +0,0 @@ ---- -name: CI -'on': - pull_request: - push: - branches: - - master - schedule: - - cron: "0 7 * * 0" - -defaults: - run: - working-directory: 'geerlingguy.docker' - -jobs: - - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 - with: - path: 'geerlingguy.docker' - - - name: Set up Python 3. - uses: actions/setup-python@v2 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install yamllint ansible-lint - - - name: Lint code. - run: | - yamllint . - ansible-lint - - molecule: - name: Molecule - runs-on: ubuntu-latest - strategy: - matrix: - distro: - - centos8 - - centos7 - - ubuntu2004 - - ubuntu1804 - - debian10 - - debian9 - - fedora31 - - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 - with: - path: 'geerlingguy.docker' - - - name: Set up Python 3. - uses: actions/setup-python@v2 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install ansible molecule[docker] docker - - - name: Run Molecule tests. - run: molecule test - env: - PY_COLORS: '1' - ANSIBLE_FORCE_COLOR: '1' - MOLECULE_DISTRO: ${{ matrix.distro }} 
diff --git a/roles/geerlingguy.docker/.github/workflows/release.yml b/roles/geerlingguy.docker/.github/workflows/release.yml deleted file mode 100644 index 5d02a3e..0000000 --- a/roles/geerlingguy.docker/.github/workflows/release.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# This workflow requires a GALAXY_API_KEY secret present in the GitHub -# repository or organization. -# -# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy -# See: https://github.com/ansible/galaxy/issues/46 - -name: Release -'on': - push: - tags: - - '*' - -defaults: - run: - working-directory: 'geerlingguy.docker' - -jobs: - - release: - name: Release - runs-on: ubuntu-latest - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 - with: - path: 'geerlingguy.docker' - - - name: Set up Python 3. - uses: actions/setup-python@v2 - with: - python-version: '3.x' - - - name: Install Ansible. - run: pip3 install ansible-base - - - name: Trigger a new import on Galaxy. - run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.docker/.gitignore b/roles/geerlingguy.docker/.gitignore deleted file mode 100644 index f56f5b5..0000000 --- a/roles/geerlingguy.docker/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -*.retry -*/__pycache__ -*.pyc diff --git a/roles/geerlingguy.docker/.yamllint b/roles/geerlingguy.docker/.yamllint deleted file mode 100644 index e6fc538..0000000 --- a/roles/geerlingguy.docker/.yamllint +++ /dev/null @@ -1,11 +0,0 @@ ---- -extends: default - -rules: - line-length: - max: 200 - level: warning - -ignore: | - .github/stale.yml - .travis.yml diff --git a/roles/geerlingguy.docker/meta/.galaxy_install_info b/roles/geerlingguy.docker/meta/.galaxy_install_info deleted file mode 100644 index fc17786..0000000 --- a/roles/geerlingguy.docker/meta/.galaxy_install_info +++ /dev/null 
@@ -1,2 +0,0 @@ -install_date: Sun Mar 14 18:38:43 2021 -version: 3.0.0 diff --git a/roles/geerlingguy.docker/meta/main.yml b/roles/geerlingguy.docker/meta/main.yml deleted file mode 100644 index fc01727..0000000 --- a/roles/geerlingguy.docker/meta/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependencies: [] - -galaxy_info: - role_name: docker - author: geerlingguy - description: Docker for Linux. - company: "Midwestern Mac, LLC" - license: "license (BSD, MIT)" - min_ansible_version: 2.4 - platforms: - - name: EL - versions: - - 7 - - 8 - - name: Fedora - versions: - - all - - name: Debian - versions: - - stretch - - buster - - name: Ubuntu - versions: - - xenial - - bionic - - focal - galaxy_tags: - - web - - system - - containers - - docker - - orchestration - - compose - - server diff --git a/roles/geerlingguy.docker/molecule/default/converge.yml b/roles/geerlingguy.docker/molecule/default/converge.yml deleted file mode 100644 index 629095b..0000000 --- a/roles/geerlingguy.docker/molecule/default/converge.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - - - name: Wait for systemd to complete initialization. # noqa 303 - command: systemctl is-system-running - register: systemctl_status - until: > - 'running' in systemctl_status.stdout or - 'degraded' in systemctl_status.stdout - retries: 30 - delay: 5 - when: ansible_service_mgr == 'systemd' - changed_when: false - failed_when: systemctl_status.rc > 1 - - roles: - - role: geerlingguy.docker diff --git a/roles/geerlingguy.docker/molecule/default/molecule.yml b/roles/geerlingguy.docker/molecule/default/molecule.yml deleted file mode 100644 index 7490710..0000000 --- a/roles/geerlingguy.docker/molecule/default/molecule.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -platforms: - - name: instance - image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro - privileged: true - pre_build_image: true -provisioner: - name: ansible - playbooks: - converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.docker/tasks/setup-RedHat.yml b/roles/geerlingguy.docker/tasks/setup-RedHat.yml deleted file mode 100644 index 9607238..0000000 --- a/roles/geerlingguy.docker/tasks/setup-RedHat.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -- name: Ensure old versions of Docker are not installed. - package: - name: - - docker - - docker-common - - docker-engine - state: absent - -- name: Add Docker GPG key. - rpm_key: - key: "{{ docker_yum_gpg_key }}" - state: present - -- name: Add Docker repository. - get_url: - url: "{{ docker_yum_repo_url }}" - dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' - owner: root - group: root - mode: 0644 - -- name: Configure Docker Nightly repo. - ini_file: - dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' - section: 'docker-{{ docker_edition }}-nightly' - option: enabled - value: '{{ docker_yum_repo_enable_nightly }}' - mode: 0644 - -- name: Configure Docker Test repo. - ini_file: - dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' - section: 'docker-{{ docker_edition }}-test' - option: enabled - value: '{{ docker_yum_repo_enable_test }}' - mode: 0644 - -- name: Configure containerd on RHEL 8. - block: - - name: Ensure container-selinux is installed. - package: - name: container-selinux - state: present - - - name: Ensure containerd.io is installed. - package: - name: containerd.io - state: present - when: ansible_distribution_major_version | int == 8 diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml new file mode 100644 index 0000000..af2e53a --- /dev/null 
+++ b/roles/traefik/defaults/main.yml @@ -0,0 +1,17 @@ +traefik_folder_name: "{{ docker_files }}/traefik" +traefik_certs_directory: "{{ traefik_folder_name }}/certs" +traefik_metrics_port: 8082 +traefik_http_port: 80 +traefik_https_port: 443 +# Equivalent of docker-compose stop +traefik_stopped: no +# Equivalent of docker-compose restart +traefik_restarted: no +# If always, equivalent to up -d --force-recreate +traefik_recreated: smart +# If present, up (or restart/stop depending of the above) +# If absent, equivalent of docker-compose down +traefik_state: present +traefik_subdomain: proxy + +traefik_version: 2.4 diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml new file mode 100644 index 0000000..c8d563f --- /dev/null +++ b/roles/traefik/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: Create Traefik directory + file: + path: "{{ traefik_folder_name }}" + state: directory + owner: "{{ base_user_name }}" + group: "{{ base_user_name }}" + mode: 0755 + +- name: Create certs directory + file: + path: "{{ traefik_certs_directory }}" + state: directory + owner: "root" + group: "root" + mode: 0600 + +- name: Create certs file + file: + path: "{{ traefik_certs_directory }}/acme.json" + state: touch + modification_time: preserve + access_time: preserve + owner: "root" + group: "root" + mode: 0600 + +- name: Copy Traefik files + template: + src: "{{ item }}" + # Remove .j2 extension + dest: "{{ traefik_folder_name }}/{{ (item | splitext)[0] }}" + owner: "{{ base_user_name }}" + group: "{{ base_user_name }}" + mode: 0644 + loop: + - docker-compose.yml.j2 + - traefik.toml.j2 + - traefik_dynamic.toml.j2 + +- name: Ensure container is up to date + community.docker.docker_compose: + project_src: "{{ traefik_folder_name }}" + remove_orphans: yes + pull: yes + recreate: "{{ traefik_recreated }}" + restarted: "{{ traefik_restarted }}" + state: "{{ traefik_state }}" + stopped: "{{ traefik_stopped }}" 
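Review bot: `traefik_stopped: no` and `traefik_restarted: no` are YAML 1.1 truthy literals that yamllint flags and that some loaders read as strings; write `false`. `traefik_version: 2.4` is parsed as a float, which happens to render as `2.4` but would collapse `2.40` to `2.4`, so quote it (`traefik_version: "2.4"`) and, since the compose task runs `pull: yes`, consider pinning to a full patch tag so a deploy does not silently move the proxy to a new minor.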
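Review bot: "Copy Traefik files" renders `docker-compose.yml` with `mode: 0644` owned by the unprivileged user, yet that template embeds `GANDIV5_API_KEY` (a DNS API key that can issue certificates for the whole zone) and the basic-auth hashes, so every local account can read the key. Give the compose file an owner-only mode by looping over src/mode pairs, or move the key into an `env_file` created with `mode: "0600"`. Separately, "Create certs directory" uses `mode: 0600` on a directory, which lacks the execute bit; use `"0700"` so non-root tooling can traverse it (root bypasses DAC, which is why it appears to work today). Quoting the modes (`"0755"`) also avoids the leading-zero octal ambiguity Ansible warns about.
```yaml
- name: Copy Traefik files
  template:
    src: "{{ item.src }}"
    # Remove .j2 extension
    dest: "{{ traefik_folder_name }}/{{ (item.src | splitext)[0] }}"
    owner: "{{ base_user_name }}"
    group: "{{ base_user_name }}"
    mode: "{{ item.mode }}"
  loop:
    # docker-compose.yml carries GANDIV5_API_KEY and the htpasswd hashes: owner-only
    - { src: docker-compose.yml.j2, mode: "0600" }
    - { src: traefik.toml.j2, mode: "0644" }
    - { src: traefik_dynamic.toml.j2, mode: "0644" }
```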
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..d8f81a9 --- /dev/null +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -0,0 +1,38 @@ +version: "3.7" + +networks: + proxy: + name: "{{ traefik_network }}" + +services: + traefik: + image: traefik:{{ traefik_version }} + container_name: traefik + ports: + - "{{ traefik_http_port }}:80" + - "{{ traefik_https_port}}:443" + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock + - ./traefik.toml:/traefik.toml + - ./traefik_dynamic.toml:/traefik_dynamic.toml + - {{ traefik_certs_directory }}:/certs + labels: + traefik.http.routers.traefik-metrics.entrypoints: websecure + traefik.http.routers.traefik-metrics.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`) && PathPrefix(`/metrics`)" + traefik.http.routers.traefik-metrics.service: traefik-metrics + traefik.http.routers.traefik-metrics.middlewares: traefik-metrics-auth@docker + # htpasswd string contains $, interpreted as variable, + # escape them with double $ + traefik.http.middlewares.traefik-metrics-auth.basicauth.users: "metrics:{{ traefik_metrics_htpasswd | replace("$", "$$") }}" + traefik.http.services.traefik-metrics.loadbalancer.server.port: "{{ traefik_metrics_port }}" + traefik.http.routers.traefik-api.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`)" + traefik.http.routers.traefik-api.service: api@internal + traefik.http.routers.traefik-api.middlewares: traefik-api-auth@docker + traefik.http.middlewares.traefik-api-auth.basicauth.users: "dashboard:{{ traefik_dashboard_htpasswd | replace("$", "$$") }}" + traefik.enable: true + environment: + GANDIV5_API_KEY: "{{ gandi_api_key }}" + networks: + - "{{ traefik_network }}" + restart: unless-stopped diff --git a/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2 new file mode 100644 index 0000000..55e78e9 --- /dev/null 
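Review bot: `traefik.enable: true` is an unquoted YAML boolean in the `labels` mapping; the compose file schema accepts only string, number or null label values, so docker-compose 1.x is likely to reject the file at validation ("invalid type, it should be a string") — write `traefik.enable: "true"` like the other labels. Mounting `/var/run/docker.sock` gives the Traefik container full control of the host daemon (root-equivalent), which is the usual Traefik trade-off but deserves an explicit comment; adding `:ro` does not restrict the API, so if you want to reduce it, put a socket proxy such as a read-only Docker API gateway between them. The `traefik.toml` and `traefik_dynamic.toml` bind mounts can be `:ro` since the container only reads them. `image: traefik:{{ traefik_version }}` with `2.4` is a floating minor tag that `pull: yes` re-resolves every run; pin a patch version or digest for reproducible deploys.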
+++ b/roles/traefik/templates/traefik.toml.j2 @@ -0,0 +1,50 @@ +[global] + sendAnonymousUsage = false + checkNewVersion = true + +[api] + +[entryPoints] + [entryPoints.web] + address = ":{{ traefik_http_port }}" + [entryPoints.web.http.redirections.entryPoint] + to = "websecure" + scheme = "https" + [entryPoints.websecure] + address = ":{{ traefik_https_port }}" + [entryPoints.websecure.http] + middlewares = ["hardening@file", "compression@file"] + [entryPoints.websecure.http.tls] + certResolver = "letsencrypt" + options = "tls12@file" + [entryPoints.metrics] + address = ":{{ traefik_metrics_port }}" + +[providers] + providersThrottleDuration = "2s" + [providers.docker] + watch = true + endpoint = "unix:///var/run/docker.sock" + exposedByDefault = false + network = "proxy" + [providers.file] + filename = "/traefik_dynamic.toml" + watch = true + +[log] + level = "INFO" + +[accessLog] + +[certificatesResolvers] + [certificatesResolvers.letsencrypt] + [certificatesResolvers.letsencrypt.acme] + email = "{{ letsencrypt_email }}" + storage = "/certs/acme.json" + [certificatesResolvers.letsencrypt.acme.dnsChallenge] + provider = "gandiv5" + delayBeforeCheck = 10 + +[metrics] + [metrics.prometheus] + entryPoint = "metrics" diff --git a/roles/traefik/templates/traefik_dynamic.toml.j2 b/roles/traefik/templates/traefik_dynamic.toml.j2 new file mode 100644 index 0000000..70c111f --- /dev/null +++ b/roles/traefik/templates/traefik_dynamic.toml.j2 
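Review bot: `network = "proxy"` in `[providers.docker]` hardcodes the network name while the compose template and vars use `{{ traefik_network }}`; changing the variable would leave Traefik routing to the wrong network, so render it as `network = "{{ traefik_network }}"`. `checkNewVersion = true` makes the proxy call out to GitHub on startup, which is harmless but worth a comment or `false` on a host with egress restrictions. `exposedByDefault = false` and the file-level TLS `options = "tls12@file"` on `websecure` are the right defaults; the `metrics` entrypoint on `:{{ traefik_metrics_port }}` has no auth of its own and is reachable by every container on the proxy network, which is acceptable only while the host port stays unpublished (it is, in the compose template).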
@@ -0,0 +1,34 @@ +[tls.options] + [tls.options.tls12] + minVersion = "VersionTLS12" + cipherSuites = [ + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + ] + curvePreferences = ["CurveP521", "CurveP384", "CurveP256"] + +[http] + [http.middlewares.hardening.headers] + browserXssFilter = true + contentTypeNosniff = true + forceSTSHeader = true + frameDeny = true + stsIncludeSubdomains = true + stsPreload = true + customFrameOptionsValue = "SAMEORIGIN" + referrerPolicy = "same-origin" + featurePolicy = "vibrate 'self'" + stsSeconds = 315360000 + + [http.middlewares.compression.compress] + excludedContentTypes = ["text/event-stream"] + + [http.middlewares.allowFrameAndCORS.headers] + contentSecurityPolicy = "frame-ancestors *" + accessControlAllowHeaders = ["*"] + accessControlAllowMethods = ["GET", "POST", "OPTIONS"] + accessControlAllowOriginList = ["*"] + accessControlExposeHeaders = ["*"]
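Review bot: In `hardening`, `frameDeny = true` and `customFrameOptionsValue = "SAMEORIGIN"` contradict each other; Traefik's headers middleware lets `customFrameOptionsValue` override `frameDeny`, so the effective header is `X-Frame-Options: SAMEORIGIN`, not `DENY` — keep whichever is intended and drop the other, with a comment. `browserXssFilter = true` emits the legacy `X-XSS-Protection: 1; mode=block`, which modern browsers ignore and which has been used to introduce side-channel bugs; it can be dropped. The `allowFrameAndCORS` middleware is defined but not attached anywhere in this diff; it sets `frame-ancestors *` plus wildcard `accessControlAllowOriginList`/`AllowHeaders`/`ExposeHeaders`, which disables clickjacking protection and opens cross-origin reads on any router it is applied to, so add a comment saying it is only for unauthenticated, embeddable services, and never combine it with a basic-auth router. `stsSeconds = 315360000` with `stsPreload = true` commits every subdomain to HTTPS for ten years; fine if intended, but note it in a comment since it cannot be undone quickly.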