From a221097caccbea34b6534834d93d040bf994d485 Mon Sep 17 00:00:00 2001 From: Christian Elberfeld <christian.elberfeld@adesso.de> Date: Sun, 8 Nov 2020 16:08:47 +0100 Subject: [PATCH] Migration auf traefik --- common/docker_traefik/tasks/main.yml | 1 + .../templates/dynamic/redirect-default.yml | 21 ++++++ site.yml | 73 +++++++++++++++---- .../templates/docker-compose.yml | 14 +++- .../templates/docker-compose.yml | 13 +++- .../templates/docker-compose.yml | 16 +++- webserver/docker_jabber/tasks/main.yaml | 14 +--- .../docker_jabber/templates/certbot-hook.sh | 4 - .../templates/docker-compose.yml | 41 +++++++++-- .../templates/docker-compose.yml | 22 ++++++ .../templates/docker-compose.yml | 12 +++ .../templates/docker-compose.yml | 16 +++- 12 files changed, 204 insertions(+), 43 deletions(-) create mode 100644 common/docker_traefik/templates/dynamic/redirect-default.yml delete mode 100644 webserver/docker_jabber/templates/certbot-hook.sh diff --git a/common/docker_traefik/tasks/main.yml b/common/docker_traefik/tasks/main.yml index 363e4aed..cb1c40d4 100644 --- a/common/docker_traefik/tasks/main.yml +++ b/common/docker_traefik/tasks/main.yml @@ -26,6 +26,7 @@ with_items: - docker-compose.yml - traefik.yml + - dynamic/redirect-default.yml - dynamic/tls.yml register: config diff --git a/common/docker_traefik/templates/dynamic/redirect-default.yml b/common/docker_traefik/templates/dynamic/redirect-default.yml new file mode 100644 index 00000000..4e22918b --- /dev/null +++ b/common/docker_traefik/templates/dynamic/redirect-default.yml @@ -0,0 +1,21 @@ +http: + routers: + router-default: + entrypoints: + - websecure + rule: "Host(`{{ domain }}`)" + middlewares: + - redirect-default + service: service-default + + services: + service-default: + loadBalancer: + servers: + - url: http://noop-dummy + + middlewares: + redirect-default: + redirectRegex: + regex: "^https://{{ domain }}/(.*)" + replacement: "https://{{ domain_default }}/$1" 
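Review bot: In the new redirect-default.yml the redirectRegex middleware interpolates `{{ domain }}` into the regex unescaped, so the dots in the domain match any character; router-default's Host rule limits what reaches the middleware, but a literal match is easier to reason about, `regex: "^https://{{ domain | regex_escape }}/(.*)"`. The router carries no `tls` section, so whether requests for the bare domain actually get a certificate depends on how the `websecure` entrypoint is defined in traefik.yml, which this patch does not touch — worth confirming. `permanent` is not set, so the redirect is a 302; if the bare-domain to www redirect is meant to be canonical, add `permanent: true` under redirectRegex.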
diff --git a/site.yml b/site.yml
index ebafcdbb..1d5f3928 100644
--- a/site.yml
+++ b/site.yml
@@ -48,19 +48,64 @@ roles: - { role: common/borgbackup, tags: borgbackup } - { role: common/docker, tags: docker } - - { role: common/nginx, tags: nginx } - { role: common/openvpn, tags: openvpn } - - { role: common/docker_ldap, tags: ldap } - - { role: webserver/docker_dokuwiki, tags: dokuwiki } - - { role: webserver/docker_gitlab, tags: gitlab } - - { role: webserver/docker_hackmd, tags: hackmd } - - { role: webserver/docker_jabber, tags: jabber } - - { role: webserver/docker_mail, tags: mail } - - { role: webserver/docker_matterbridge, tags: matterbridge } - - { role: webserver/docker_matrix, tags: matrix } - - { role: webserver/docker_warpapi, tags: warpapi } - - { role: webserver/docker_warpinfra, tags: warpinfra } - - { role: webserver/docker_wordpress, tags: wordpress } + - { + role: common/docker_ldap, tags: ldap, + servicename: "ldap", + domain: "ldap.warpzone.ms" + } + - { + role: common/docker_traefik, tags: traefik, + servicename: traefik, + domain: "warpzone.ms", + domain_default: "www.warpzone.ms" + } + - { + role: webserver/docker_dokuwiki, tags: dokuwiki, + servicename: "dokuwiki", + domain: "wiki.warpzone.ms" + } + - { + role: webserver/docker_gitlab, tags: gitlab, + servicename: "gitlab", + domain: "gitlab.warpzone.ms" + } + - { + role: webserver/docker_hackmd, tags: hackmd, + servicename: "mackmd", + domain: "md.warpzone.ms" + } + - { + role: webserver/docker_jabber, tags: jabber, + servicename: "jabber", + domain: "jabber.warpzone.ms" + } + - { + role: webserver/docker_mail, tags: mail + } + - { + role: webserver/docker_matterbridge, tags: matterbridge + } + - { + role: webserver/docker_matrix, tags: matrix, + servicename: "matrix", + domain: "matrix.warpzone.ms" + } + - { + role: webserver/docker_warpapi, tags: warpapi, + servicename: "warpapi", + domain: "api.warpzone.ms" + } + - { + role: webserver/docker_warpinfra, tags: warpinfra, + servicename: "warpinfra", + domain: "infra.warpzone.ms" + } + - { + role: webserver/docker_wordpress, tags: 
wordpress, + servicename: "wordpress", + domain: "www.warpzone.ms" + } # Entfällt durch testserver # - { role: docker_jabber_test, tags: jabber_test } @@ -80,7 +125,9 @@ } - { role: common/docker_traefik, tags: traefik, - servicename: traefik + servicename: traefik, + domain: "warpzone.ms", + domain-default: "www.warpzone.ms" } - { role: verwaltung/docker_gitea, tags: gitea, diff --git a/webserver/docker_dokuwiki/templates/docker-compose.yml b/webserver/docker_dokuwiki/templates/docker-compose.yml index 71701336..735189a4 100644 --- a/webserver/docker_dokuwiki/templates/docker-compose.yml +++ b/webserver/docker_dokuwiki/templates/docker-compose.yml @@ -6,8 +6,18 @@ services: build: . image: "dokuwiki--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}" restart: always - ports: - - 127.0.0.1:42005:80 volumes: - /srv/dokuwiki/data/:/var/www/html - /srv/dokuwiki/pdftemplate/:/var/www/html/lib/plugins/dw2pdf/tpl/warpzone/ + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + networks: + - default + - web + +networks: + web: + external: true diff --git a/webserver/docker_gitlab/templates/docker-compose.yml b/webserver/docker_gitlab/templates/docker-compose.yml index d518bb76..947cdaee 100644 --- a/webserver/docker_gitlab/templates/docker-compose.yml +++ b/webserver/docker_gitlab/templates/docker-compose.yml 
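Review bot: The hackmd entry in the first site.yml hunk sets `servicename: "mackmd"`, which looks like a typo for `hackmd`; the value only becomes the Traefik router and service name, so routing still works, but every other entry uses the role's own name and the router will be hard to find in the dashboard and access logs — change it to `servicename: "hackmd",`. The `common/docker_traefik` entry is the only one whose servicename is unquoted, which is harmless for `traefik` but inconsistent with the rest and would bite as soon as a servicename looked like a number or boolean.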
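Review bot: The second site.yml hunk sets `domain-default: "www.warpzone.ms"` with a hyphen, whereas the new redirect-default.yml template reads `{{ domain_default }}` and the traefik entry added in the first hunk uses `domain_default`; Ansible does not accept hyphens in variable names, and even if it did the template would see an undefined variable and either fail the play or render an empty redirect target for this host. Change the line to `domain_default: "www.warpzone.ms"`.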
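Review bot: The dokuwiki app container now joins both `default` and `web`, but no label tells Traefik which network to dial, so unless `providers.docker.network: web` is set in traefik.yml (not part of this patch) Traefik may pick the `default` address and answer with 502s; add `- traefik.docker.network=web` next to `traefik.enable=true`. The same applies to the gitlab, hackmd, jabber, matrix, warpapi and wordpress compose hunks. None of the new routers sets `traefik.http.routers.{{ servicename }}.tls=true`, which only works if `websecure` enables TLS at entrypoint level — again something to confirm in traefik.yml. Joining `web` also makes the application port reachable by every other container on that network without passing through Traefik, so keep it to the front containers, as this patch already does for the db services.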
@@ -10,8 +10,19 @@ services: mem_limit: 4gb ports: - 0.0.0.0:444:22 - - 127.0.0.1:42001:80 volumes: - /srv/gitlab/conf:/etc/gitlab - /srv/gitlab/log:/var/log/gitlab - /srv/gitlab/data:/var/opt/gitlab + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + networks: + - default + - web + +networks: + web: + external: true diff --git a/webserver/docker_hackmd/templates/docker-compose.yml b/webserver/docker_hackmd/templates/docker-compose.yml index bfc0d0bd..bc428cba 100644 --- a/webserver/docker_hackmd/templates/docker-compose.yml +++ b/webserver/docker_hackmd/templates/docker-compose.yml @@ -8,8 +8,6 @@ services: restart: always depends_on: - db - ports: - - 127.0.0.1:42007:3000 environment: CMD_DB_URL: "mysql://hackmd:{{ mysql_user_pass }}@db:3306/hackmd" CMD_SESSION_SECRET: "{{ hackmd_session_secret }}" @@ -26,6 +24,14 @@ services: CMD_LDAP_USERIDFIELD: "uid" CMD_LDAP_USERNAMEFIELD: "uid" CMD_EMAIL: "false" + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=3000 + networks: + - default + - web db: @@ -39,3 +45,9 @@ services: MYSQL_PASSWORD: "{{ mysql_user_pass }}" MYSQL_DATABASE: "hackmd" MYSQL_USER: "hackmd" + networks: + - default + +networks: + web: + external: true diff --git a/webserver/docker_jabber/tasks/main.yaml b/webserver/docker_jabber/tasks/main.yaml index aed4418b..9e2c6909 100644 --- a/webserver/docker_jabber/tasks/main.yaml +++ b/webserver/docker_jabber/tasks/main.yaml @@ -18,6 +18,7 @@ - "/srv/jabber/logs" - "/srv/jabber/data" - "/srv/jabber/etc" + - "/srv/jabber/certs" # create files - name: Docker Konfig-Datei erstellen 
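Review bot: `/srv/jabber/certs` is added to the same directory loop as the log and data directories, but the jabber compose hunk bind-mounts `key.pem` from it, so this directory ends up holding a private key; the loop's `file` task starts outside the hunk, and if it does not set a restrictive mode the key is only as protected as whatever umask created the directory. Either add `mode: "0700"` to that task if the other directories tolerate it, or create the certs directory in its own task with that mode.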
@@ -42,17 +43,4 @@ project_src: /srv/jabber/ state: present -# Letsencrypt -- name: LetsEncrypt Renewal Hook erstellen - file: - path: "/etc/letsencrypt/renewal-hooks/deploy" - state: directory - recurse: yes -- name: LetsEncrypt Renewal Hook erstellen - template: - src: certbot-hook.sh - dest: /etc/letsencrypt/renewal-hooks/deploy/jabber.sh - mode: o+x - register: letsencryptsh - notify: restart nginx diff --git a/webserver/docker_jabber/templates/certbot-hook.sh b/webserver/docker_jabber/templates/certbot-hook.sh deleted file mode 100644 index 0b42d27c..00000000 --- a/webserver/docker_jabber/templates/certbot-hook.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -# Certbot Renewal Hook to reload jabber when a certificate is renewed -# TODO: command per docker exec im container ausführen diff --git a/webserver/docker_jabber/templates/docker-compose.yml b/webserver/docker_jabber/templates/docker-compose.yml index dcf56173..82f44f2f 100644 --- a/webserver/docker_jabber/templates/docker-compose.yml +++ b/webserver/docker_jabber/templates/docker-compose.yml 
@@ -15,9 +15,38 @@ services: - /srv/jabber/logs:/var/log/prosody - /srv/jabber/data:/var/lib/prosody # mount the certificates created by lets encrypt - - /etc/letsencrypt/live/jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/jabber.warpzone.ms.key - - /etc/letsencrypt/live/jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/jabber.warpzone.ms.crt - - /etc/letsencrypt/live/muc.jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.key - - /etc/letsencrypt/live/muc.jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.crt - - /etc/letsencrypt/live/proxy.jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.key - - /etc/letsencrypt/live/proxy.jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.crt + # Der Certdumper erzeugt ein Zertifikat mit san-Einträgen + # In Jabber müssen diese jedoch als einzelne dateien vorliegen + - /srv/jabber/certs/key.pem:/etc/prosody/certs/jabber.warpzone.ms.key + - /srv/jabber/certs/cert.pem:/etc/prosody/certs/jabber.warpzone.ms.crt + - /srv/jabber/certs/key.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.key + - /srv/jabber/certs/cert.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.crt + - /srv/jabber/certs/key.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.key + - /srv/jabber/certs/cert.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.crt + networks: + - default + + traefik-certdumper: + image: humenius/traefik-certs-dumper + command: --restart-containers jabber_app-1 + volumes: + # mount the folder which contains Traefik's `acme.json' file + - /srv/traefik/acme.json:/traefik/acme.json:ro + # mount SSL folder + - /srv/jabber/certs:/output:rw + # Docker API for Container restart + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - DOMAIN=jabber.warpzone.ms + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=(Host(`{{ domain }}`) || Host(`muc.{{ domain }}`) || Host(`proxy.{{ domain }}`)) + - 
traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=0 + networks: + - default + - web + +networks: + web: + external: true \ No newline at end of file diff --git a/webserver/docker_matrix/templates/docker-compose.yml b/webserver/docker_matrix/templates/docker-compose.yml index 2a00afb2..dea9d1d5 100644 --- a/webserver/docker_matrix/templates/docker-compose.yml +++ b/webserver/docker_matrix/templates/docker-compose.yml @@ -13,6 +13,8 @@ services: POSTGRES_USER: synapse POSTGRES_PASSWORD: "{{ postgres_user_pass }}" POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C + networks: + - default synapse: @@ -32,6 +34,14 @@ services: - /srv/matrix/rest_auth_provider.py:/usr/local/lib/python3.7/site-packages/rest_auth_provider.py environment: SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8008 + networks: + - default + - web ma1sd: @@ -42,3 +52,15 @@ services: volumes: - /srv/matrix/ma1sd-config/:/etc/ma1sd - /srv/matrix/ma1sd-data/:/var/ma1sd + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}-ma1sd.rule=((Host(`{{ domain }}`) && PathPrefix(`/_matrix/client/r0/login`)) || (Host(`{{ domain }}`) && PathPrefix(`/_matrix/identity`))) + - traefik.http.routers.{{ servicename }}-login.entrypoints=websecure + - traefik.http.services.{{ servicename }}-login.loadbalancer.server.port=8090 + networks: + - default + - web + +networks: + web: + external: true diff --git a/webserver/docker_warpapi/templates/docker-compose.yml b/webserver/docker_warpapi/templates/docker-compose.yml index 63de4a38..d6e0e16f 100644 --- a/webserver/docker_warpapi/templates/docker-compose.yml +++ b/webserver/docker_warpapi/templates/docker-compose.yml 
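Review bot: The traefik-certdumper service mounts `/var/run/docker.sock` and is at the same time made a public Traefik backend (its labels route the `jabber.`, `muc.` and `proxy.` hosts to it with `loadbalancer.server.port=0`); a container holding the Docker socket is effectively root on the host, and the `:ro` bind mode only protects the socket file, not the API behind it, so it should not also be the target of inbound HTTP. If the labels exist only so Traefik obtains a certificate covering the three names, move them to the prosody `app` service (which already joins `web`) with a real port, or to a separate no-op service without the socket mount. The image is unpinned (`humenius/traefik-certs-dumper` resolves to latest) yet gets read access to the whole `acme.json`, i.e. the private keys of every certificate Traefik manages, so pin it to a tag or digest. `--restart-containers jabber_app-1` hardcodes a compose-generated name that mixes the v1 (`jabber_app_1`) and v2 (`jabber-app-1`) conventions, so the restart will likely not find the container; set `container_name` on the app service and reference that. `DOMAIN=jabber.warpzone.ms` duplicates the `{{ domain }}` used in the labels just below it; use `DOMAIN={{ domain }}`.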
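Review bot: In the matrix ma1sd hunk the three router labels name two different routers: the rule is set on `{{ servicename }}-ma1sd`, while the entrypoints and the service port are set on `{{ servicename }}-login`, so Traefik sees one router with a rule but no service and one with a service but no rule, rejects both, and the login and identity paths keep going to synapse. Use one name on all three lines, e.g. `traefik.http.routers.{{ servicename }}-ma1sd.entrypoints=websecure` and `traefik.http.services.{{ servicename }}-ma1sd.loadbalancer.server.port=8090`. The router also relies on Traefik's default rule-length priority to beat the plain Host rule on synapse; an explicit `...-ma1sd.priority=` label would make that ordering visible instead of implicit.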
@@ -11,3 +11,15 @@ services: - 127.0.0.1:42010:5000 volumes: - /srv/warpapi/warpapi/:/opt/warpapi + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=5000 + networks: + - default + - web + +networks: + web: + external: true diff --git a/webserver/docker_wordpress/templates/docker-compose.yml b/webserver/docker_wordpress/templates/docker-compose.yml index 396e6b99..2fbefe15 100644 --- a/webserver/docker_wordpress/templates/docker-compose.yml +++ b/webserver/docker_wordpress/templates/docker-compose.yml @@ -14,6 +14,8 @@ services: MYSQL_PASSWORD: "{{ mysql_user_pass }}" MYSQL_DATABASE: wordpress MYSQL_USER: wordpress + networks: + - default app: @@ -22,9 +24,19 @@ services: volumes: - /srv/wordpress/config/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini - /srv/wordpress/data:/var/www/html - ports: - - 127.0.0.1:42006:80 environment: WORDPRESS_DB_HOST: db WORDPRESS_DB_USER: wordpress WORDPRESS_DB_PASSWORD: "{{ mysql_user_pass }}" + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + networks: + - default + - web + +networks: + web: + external: true -- GitLab
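Review bot: The warpapi hunk keeps the host mapping `- 127.0.0.1:42010:5000` as context while adding the Traefik labels, whereas the dokuwiki, hackmd and wordpress hunks remove their corresponding `127.0.0.1:420xx` mappings; this leaves a second, undocumented entry point to the service next to Traefik. It binds to loopback only, so it is not a remote exposure, but if nothing on the host still needs port 42010 once the nginx vhost is gone, drop the `ports:` block (which starts outside the hunk) for consistency with the other services. If it is kept on purpose, a comment on that line saying why would save the next reader the question.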