Add Traefik

Quentin Duchemin 2021-04-24 18:15:48 +02:00
parent 3ed115b410
commit e3a9a64675
Signed by: Chosto
GPG Key ID: 0547178FEEDE7D6B
29 changed files with 240 additions and 351 deletions


@ -10,9 +10,9 @@
tags: ["ufw"] tags: ["ufw"]
- role: fail2ban - role: fail2ban
tags: ["fail2ban"] tags: ["fail2ban"]
- hosts: all
become: yes
roles:
- role: "node-exporter" - role: "node-exporter"
tags: ["node-exporter"] tags: ["node-exporter"]
- role: "docker"
tags: ["docker"]
- role: "traefik"
tags: ["docker", "traefik"]
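Review bot: Running the playbook with `--tags traefik` skips the docker role (tagged only `docker` two lines above), yet the traefik role added here relies on the Docker engine and the `docker` pip package that the docker role installs, so a first run limited to that tag would fail on a fresh host. Either declare the docker role as a dependency in the traefik role's `meta/main.yml` or tag the docker role `["docker", "traefik"]` too, so that `--tags traefik` stays self-contained. The play these roles belong to starts outside the hunk, so whether `become: yes` covers them is inferred rather than visible.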


@ -1,10 +1,22 @@
---
base_user_name: chosto
ihl_base_users: ihl_base_users:
- name: chosto - name: "{{ base_user_name }}"
group: chosto group: "{{ base_user_name }}"
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-rsa 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 quentinduchemin@tuta.io - ssh-rsa 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 quentinduchemin@tuta.io
ihl_base_ssh_users: ihl_base_ssh_users:
- chosto - "{{ base_user_name }}"
docker_edition: 'ce'
docker_package_state: present
docker_service_state: started
docker_service_enabled: true
docker_restart_handler_state: restarted
docker_install_compose: true
docker_compose_version: "1.28.5"
docker_users:
- "{{ base_user_name }}"
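Review bot: `docker_users` (last two lines of the hunk) adds `base_user_name` to the `docker` group, which is root-equivalent on the host because any member can start a privileged container that mounts `/`; the hunk does not record that. Since the same user is already in `sudo` above, this widens nothing in practice, but the intent deserves a comment next to the list, e.g. `# docker group membership is root-equivalent on the host; keep this to the admin user only`.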


@ -1,7 +1,16 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
33343337653333343366613634323137303835383230363964333832666562633230656233636530 66363166326338646463393939653335373564616361303565363066633931333637656330616636
3462643333626535363437656337363239653533633830320a633762323565393235616431626361 3031633235313930666138646662643036376662613139340a396466303434386232663131346466
65313861666266313336626537383636666566383634363234613532373631343061323837633636 35653261386639623264646331363037336439373065323437663039333635633430323938363861
3762333033636462330a323362323034336365326432373030626634396265343365393162326538 6631656433626432320a303938333734373961333264663835316134326464643365393963613036
33663862303831646239383735353766616464386532346665316664376434666363633034396363 30306337373636366336373736633233393466323663306331343762336465373737383536393735
3763316133353034653439316538383563353739323132626164 35353837316264663461643733653536346537333731646436646566656538643661623530323536
62646665303566633461343739626332326334636531336264636533353431393436336333393564
30353062326434613663373730656431623638333537383031343837353231323665666432356166
31653432383261396664383863623864633633373431356363656131313862336364343061393730
38666236323237626536313739643063303838653636613037383465663163313061326532356239
32363966323363353233356631363033616462313036376663383833636331353763373132303031
38653866303636633163303064343239663330666537333833373630326335323261356534643062
30363463643162623736373233633661623530353037353430376535636361336534353936336136
61346235373034626563343637336166633531373939636366666666616338396339353535323032
623138313638333138323638336365643930


@ -3,8 +3,16 @@ firewall_in_ports:
- "443" - "443"
- "{{ ssh_port }}" - "{{ ssh_port }}"
hostname: chosto hostname: "{{ base_user_name }}"
ssh_port: "2220" ssh_port: "2220"
prometheus_server_ip: "51.178.182.35" prometheus_server_ip: "51.178.182.35"
docker_files: "/home/{{ base_user_name }}/docker"
traefik_network: proxy
domain_name: new.chosto.me
letsencrypt_email: quentinduchemin@tuta.io
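Review bot: `firewall_in_ports` still lists only `"443"` and the SSH port, while the compose template in this commit publishes both `traefik_http_port` (80, used for the HTTP→HTTPS redirect) and 443; nothing in this file opens 80. Note also that ufw's INPUT rules do not govern Docker-published ports: Docker inserts its own iptables FORWARD/NAT rules ahead of ufw, so published ports are reachable regardless of this list, which can give a false picture of what is exposed. Add `- "80"` here if the redirect entrypoint is meant to be reachable, and consider a comment recording that Docker-published ports bypass ufw (restrictions for them belong in Docker's `DOCKER-USER` chain). The first two lines of the file are outside the hunk.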


@ -21,11 +21,5 @@ docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker
docker_apt_ignore_key_error: true docker_apt_ignore_key_error: true
docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
# Used only for RedHat/CentOS/Fedora.
docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
# A list of users who will be added to the docker group. # A list of users who will be added to the docker group.
docker_users: [] docker_users: []


@ -1,3 +1,3 @@
--- ---
- name: restart docker - name: Restart docker
service: "name=docker state={{ docker_restart_handler_state }}" service: "name=docker state={{ docker_restart_handler_state }}"


@ -1,7 +1,4 @@
--- ---
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml - include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
@ -9,7 +6,14 @@
package: package:
name: "{{ docker_package }}" name: "{{ docker_package }}"
state: "{{ docker_package_state }}" state: "{{ docker_package_state }}"
notify: restart docker notify: Restart docker
- name: Install Docker and Compose pip package
pip:
name: "{{ item }}"
loop:
- docker
- docker-compose
- name: Ensure Docker is started and enabled at boot. - name: Ensure Docker is started and enabled at boot.
service: service:
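Review bot: The new `Install Docker and Compose pip package` task installs `docker` and `docker-compose` from PyPI with no version pin and no `state`, so each run can pull a different release into the system Python as root, and the compose CLI can drift from the `docker_compose_version` the group vars pin elsewhere in this commit. Pin at least the compose package to that variable, `- "docker-compose=={{ docker_compose_version }}"`, and consider pinning `docker` the same way through a role default. The task whose context lines close the second hunk continues outside it.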


@ -22,17 +22,6 @@
register: add_repository_key register: add_repository_key
ignore_errors: "{{ docker_apt_ignore_key_error }}" ignore_errors: "{{ docker_apt_ignore_key_error }}"
- name: Ensure curl is present (on older systems without SNI).
package: name=curl state=present
when: add_repository_key is failed
- name: Add Docker apt key (alternative for older systems without SNI).
shell: >
curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add -
args:
warn: false
when: add_repository_key is failed
- name: Add Docker repository. - name: Add Docker repository.
apt_repository: apt_repository:
repo: "{{ docker_apt_repository }}" repo: "{{ docker_apt_repository }}"


@ -1,3 +0,0 @@
skip_list:
- '306'
- '106'


@ -1,4 +0,0 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy


@ -1,56 +0,0 @@
# Configuration for probot-stale - https://github.com/probot/stale
---
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 30
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- planned
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
pulls:
markComment: |-
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
unmarkComment: >-
This pull request is no longer marked for closure.
closeComment: >-
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
issues:
markComment: |-
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
unmarkComment: >-
This issue is no longer marked for closure.
closeComment: >-
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.


@ -1,72 +0,0 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 7 * * 0"
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint ansible-lint
- name: Lint code.
run: |
yamllint .
ansible-lint
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- ubuntu2004
- ubuntu1804
- debian10
- debian9
- fedora31
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}


@ -1,38 +0,0 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)


@ -1,3 +0,0 @@
*.retry
*/__pycache__
*.pyc


@ -1,11 +0,0 @@
---
extends: default
rules:
line-length:
max: 200
level: warning
ignore: |
.github/stale.yml
.travis.yml


@ -1,2 +0,0 @@
install_date: Sun Mar 14 18:38:43 2021
version: 3.0.0


@ -1,35 +0,0 @@
---
dependencies: []
galaxy_info:
role_name: docker
author: geerlingguy
description: Docker for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
- 8
- name: Fedora
versions:
- all
- name: Debian
versions:
- stretch
- buster
- name: Ubuntu
versions:
- xenial
- bionic
- focal
galaxy_tags:
- web
- system
- containers
- docker
- orchestration
- compose
- server


@ -1,24 +0,0 @@
---
- name: Converge
hosts: all
become: true
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Wait for systemd to complete initialization. # noqa 303
command: systemctl is-system-running
register: systemctl_status
until: >
'running' in systemctl_status.stdout or
'degraded' in systemctl_status.stdout
retries: 30
delay: 5
when: ansible_service_mgr == 'systemd'
changed_when: false
failed_when: systemctl_status.rc > 1
roles:
- role: geerlingguy.docker


@ -1,17 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}


@ -1,50 +0,0 @@
---
- name: Ensure old versions of Docker are not installed.
package:
name:
- docker
- docker-common
- docker-engine
state: absent
- name: Add Docker GPG key.
rpm_key:
key: "{{ docker_yum_gpg_key }}"
state: present
- name: Add Docker repository.
get_url:
url: "{{ docker_yum_repo_url }}"
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
owner: root
group: root
mode: 0644
- name: Configure Docker Nightly repo.
ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-nightly'
option: enabled
value: '{{ docker_yum_repo_enable_nightly }}'
mode: 0644
- name: Configure Docker Test repo.
ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-test'
option: enabled
value: '{{ docker_yum_repo_enable_test }}'
mode: 0644
- name: Configure containerd on RHEL 8.
block:
- name: Ensure container-selinux is installed.
package:
name: container-selinux
state: present
- name: Ensure containerd.io is installed.
package:
name: containerd.io
state: present
when: ansible_distribution_major_version | int == 8


@ -0,0 +1,17 @@
traefik_folder_name: "{{ docker_files }}/traefik"
traefik_certs_directory: "{{ traefik_folder_name }}/certs"
traefik_metrics_port: 8082
traefik_http_port: 80
traefik_https_port: 443
# Equivalent of docker-compose stop
traefik_stopped: no
# Equivalent of docker-compose restart
traefik_restarted: no
# If always, equivalent to up -d --force-recreate
traefik_recreated: smart
# If present, up (or restart/stop depending of the above)
# If absent, equivalent of docker-compose down
traefik_state: present
traefik_subdomain: proxy
traefik_version: 2.4
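Review bot: `traefik_version: 2.4` is an unquoted float that only renders correctly by accident of the value (`2.10` would become `2.1` in the `traefik:` image tag), and `traefik_stopped: no` / `traefik_restarted: no` depend on YAML 1.1 truthy parsing. Quote the tag and use real booleans: `traefik_version: "2.4"`, `traefik_stopped: false`, `traefik_restarted: false`. Separately, a minor-version tag floats across patch releases; pinning this default to a full release (or an image digest) would make rollouts reproducible. The file also lacks the `---` document start the other YAML files in this commit use.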


@ -0,0 +1,49 @@
---
- name: Create Traefik directory
file:
path: "{{ traefik_folder_name }}"
state: directory
owner: "{{ base_user_name }}"
group: "{{ base_user_name }}"
mode: 0755
- name: Create certs directory
file:
path: "{{ traefik_certs_directory }}"
state: directory
owner: "root"
group: "root"
mode: 0600
- name: Create certs file
file:
path: "{{ traefik_certs_directory }}/acme.json"
state: touch
modification_time: preserve
access_time: preserve
owner: "root"
group: "root"
mode: 0600
- name: Copy Traefik files
template:
src: "{{ item }}"
# Remove .j2 extension
dest: "{{ traefik_folder_name }}/{{ (item | splitext)[0] }}"
owner: "{{ base_user_name }}"
group: "{{ base_user_name }}"
mode: 0644
loop:
- docker-compose.yml.j2
- traefik.toml.j2
- traefik_dynamic.toml.j2
- name: Ensure container is up to date
community.docker.docker_compose:
project_src: "{{ traefik_folder_name }}"
remove_orphans: yes
pull: yes
recreate: "{{ traefik_recreated }}"
restarted: "{{ traefik_restarted }}"
state: "{{ traefik_state }}"
stopped: "{{ traefik_stopped }}"
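Review bot: The `Copy Traefik files` task writes `docker-compose.yml` with `mode: 0644`, but the rendered file carries `GANDIV5_API_KEY` and both htpasswd hashes from the template, so the DNS API key ends up world-readable on the host; only the two TOML files are safe at 0644. Give the compose file its own mode by carrying it in the loop items, as below. Also `mode: 0600` on the `certs` directory (second task) lacks the execute bit and only works because root is its sole reader; `"0700"` states the intent, and quoting every mode (`"0644"`) avoids the octal/decimal ambiguity Ansible warns about for unquoted leading-zero numbers.
```yaml
- name: Copy Traefik files
  template:
    src: "{{ item.src }}"
    # Remove .j2 extension
    dest: "{{ traefik_folder_name }}/{{ (item.src | splitext)[0] }}"
    owner: "{{ base_user_name }}"
    group: "{{ base_user_name }}"
    mode: "{{ item.mode }}"
  loop:
    # docker-compose.yml carries the rendered API key and htpasswd hashes
    - { src: docker-compose.yml.j2, mode: "0600" }
    - { src: traefik.toml.j2, mode: "0644" }
    - { src: traefik_dynamic.toml.j2, mode: "0644" }
# … unchanged: Ensure container is up to date …
```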


@ -0,0 +1,38 @@
version: "3.7"
networks:
proxy:
name: "{{ traefik_network }}"
services:
traefik:
image: traefik:{{ traefik_version }}
container_name: traefik
ports:
- "{{ traefik_http_port }}:80"
- "{{ traefik_https_port}}:443"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./traefik_dynamic.toml:/traefik_dynamic.toml
- {{ traefik_certs_directory }}:/certs
labels:
traefik.http.routers.traefik-metrics.entrypoints: websecure
traefik.http.routers.traefik-metrics.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`) && PathPrefix(`/metrics`)"
traefik.http.routers.traefik-metrics.service: traefik-metrics
traefik.http.routers.traefik-metrics.middlewares: traefik-metrics-auth@docker
# htpasswd string contains $, interpreted as variable,
# escape them with double $
traefik.http.middlewares.traefik-metrics-auth.basicauth.users: "metrics:{{ traefik_metrics_htpasswd | replace("$", "$$") }}"
traefik.http.services.traefik-metrics.loadbalancer.server.port: "{{ traefik_metrics_port }}"
traefik.http.routers.traefik-api.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`)"
traefik.http.routers.traefik-api.service: api@internal
traefik.http.routers.traefik-api.middlewares: traefik-api-auth@docker
traefik.http.middlewares.traefik-api-auth.basicauth.users: "dashboard:{{ traefik_dashboard_htpasswd | replace("$", "$$") }}"
traefik.enable: true
environment:
GANDIV5_API_KEY: "{{ gandi_api_key }}"
networks:
- "{{ traefik_network }}"
restart: unless-stopped
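Review bot: The volumes list bind-mounts `/var/run/docker.sock` into the Traefik container, which gives the proxy — and anyone who compromises it through a routed request — full control of the Docker daemon and therefore root on the host; the template does not record that trade-off. A `:ro` suffix would not help, since a read-only mount still allows connecting to the socket, so the practical mitigations are a filtering socket proxy that exposes only the read-only container and network endpoints Traefik needs, or at minimum a comment such as `# docker.sock grants root-equivalent access; Traefik only needs to read container labels`. Separately, `traefik.enable: true` is a YAML boolean, and the compose schema expects label values to be strings or numbers, so that line may be rejected at `up` time; `traefik.enable: "true"` is safe.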


@ -0,0 +1,50 @@
[global]
sendAnonymousUsage = false
checkNewVersion = true
[api]
[entryPoints]
[entryPoints.web]
address = ":{{ traefik_http_port }}"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":{{ traefik_https_port }}"
[entryPoints.websecure.http]
middlewares = ["hardening@file", "compression@file"]
[entryPoints.websecure.http.tls]
certResolver = "letsencrypt"
options = "tls12@file"
[entryPoints.metrics]
address = ":{{ traefik_metrics_port }}"
[providers]
providersThrottleDuration = "2s"
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false
network = "proxy"
[providers.file]
filename = "/traefik_dynamic.toml"
watch = true
[log]
level = "INFO"
[accessLog]
[certificatesResolvers]
[certificatesResolvers.letsencrypt]
[certificatesResolvers.letsencrypt.acme]
email = "{{ letsencrypt_email }}"
storage = "/certs/acme.json"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "gandiv5"
delayBeforeCheck = 10
[metrics]
[metrics.prometheus]
entryPoint = "metrics"
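Review bot: `network = "proxy"` in `[providers.docker]` hard-codes the network name, while the compose template and `host_vars` in this commit drive it from `traefik_network`; changing that variable would leave Traefik resolving container IPs on a network it is not attached to. Use the same variable here, `network = "{{ traefik_network }}"`. `exposedByDefault = false` and `sendAnonymousUsage = false` are the right choices for a public host; a one-line comment above `[api]` noting that the dashboard is reachable only through the basic-auth router defined in the compose labels would spare the next reader a cross-file lookup.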


@ -0,0 +1,34 @@
[tls.options]
[tls.options.tls12]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
curvePreferences = ["CurveP521", "CurveP384", "CurveP256"]
[http]
[http.middlewares.hardening.headers]
browserXssFilter = true
contentTypeNosniff = true
forceSTSHeader = true
frameDeny = true
stsIncludeSubdomains = true
stsPreload = true
customFrameOptionsValue = "SAMEORIGIN"
referrerPolicy = "same-origin"
featurePolicy = "vibrate 'self'"
stsSeconds = 315360000
[http.middlewares.compression.compress]
excludedContentTypes = ["text/event-stream"]
[http.middlewares.allowFrameAndCORS.headers]
contentSecurityPolicy = "frame-ancestors *"
accessControlAllowHeaders = ["*"]
accessControlAllowMethods = ["GET", "POST", "OPTIONS"]
accessControlAllowOriginList = ["*"]
accessControlExposeHeaders = ["*"]
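Review bot: In the `hardening` headers middleware, `frameDeny = true` and `customFrameOptionsValue = "SAMEORIGIN"` contradict each other; Traefik documents that the custom value overrides `frameDeny`, so the effective header is `SAMEORIGIN` and the `frameDeny` line is dead. Remove `frameDeny = true` if same-origin framing is intended, or drop the custom value if framing should be denied outright. The `allowFrameAndCORS` middleware below opens `frame-ancestors *` and wildcard CORS for any router that attaches it; nothing attaches it in this commit, so a comment stating which service it is meant for would keep it from being picked up casually. `browserXssFilter` sets the legacy `X-XSS-Protection` header, which current browsers ignore or have removed; a Content-Security-Policy value in this middleware would be the present-day equivalent.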