Verwaltungsserver: Nginx durch Traefik ersetzt

1f24b067 · Christian Elberfeld · 8bd56839 · 1f24b067 · 1f24b067 · 1f24b067
Commit 1f24b067 authored 4 years ago by Christian Elberfeld
--- a/common/docker/tasks/main.yml
+++ b/common/docker/tasks/main.yml
@@ -12,3 +12,7 @@
      - python 
      - python-pip
+- name: Create internal Network 'web'
+  docker_network:
+    name: web
+    internal: yes
--- a/common/docker_ldap/templates/docker-compose.yml
+++ b/common/docker_ldap/templates/docker-compose.yml
@@ -31,19 +31,29 @@ services:
      - LDAP_TLS_VERIFY_CLIENT=never
      - LDAP_REPLICATION=true
      - LDAP_REPLICATION_HOSTS=#PYTHON2BASH:['ldap://webserver-sync','ldap://warpsrvint-sync','ldap://verwaltung-sync']
+    networks:
+      - default
  phpldapadmin:
    image: osixia/phpldapadmin:0.9.0
    restart: always
    depends_on:
      - openldap
-    ports:
-      - 127.0.0.1:42004:80
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=openldap
      - PHPLDAPADMIN_HTTPS=false
      - PHPLDAPADMIN_TRUST_PROXY_SSL=true
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 
+    networks:
+      - default
+      - web
  syncreplexporter:
    build: . 
    image: "syncreplexporter--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}"
@@ -54,3 +64,10 @@ services:
      - /srv/ldap/syncrepl_exporter.yml:/syncrepl_exporter.yml
    ports:
      - {{ int_ip4 }}:9328:9328
+    networks:
+      - default
+networks:
+  web:
+    external: true    
--- a/common/docker_traefik/tasks/main.yml
+++ b/common/docker_traefik/tasks/main.yml
+- include: ../functions/get_secret.yml
+  with_items:
+    - { path: "/srv/traefik/letsencrypt_notification_email",  length: -1 }
+- name: "create folder struct for {{ servicename }}"
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "/srv/traefik"
+    - "/srv/traefik/dynamic"
+- name: "Create CertStore if needed and set permissions /srv/traefik/acme.json"
+  file:
+    path: "/srv/traefik/acme.json"
+    owner: root
+    group: root
+    mode: '600'
+    state: touch
+- name: Docker Compose Konfig-Datei erstellen
+  template:
+    src: "{{ item }}"
+    dest: "/srv/traefik/{{ item }}"
+  with_items:
+    - docker-compose.yml
+    - traefik.yml 
+    - dynamic/tls.yml
+  register: config
+- name: "stop {{ servicename}} docker"
+  docker_service:
+    project_src: "/srv/traefik"
+    state: absent
+  when: config.changed
+- name: "start {{ servicename}} docker"
+  docker_compose:
+    project_src: "/srv/traefik"
+    state: present
\ No newline at end of file
--- a/common/docker_traefik/templates/docker-compose.yml
+++ b/common/docker_traefik/templates/docker-compose.yml
+version: '2.4'
+services:
+    app:
+        image: traefik:v2.2
+        restart: always
+        ports:
+            - "80:80"
+            - "443:443"
+            - "{{ int_ip4 }}:8080:8080"
+        volumes:
+            - "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
+            - "/srv/traefik/dynamic:/etc/traefik/dynamic:ro"
+            - "/srv/traefik/acme.json:/acme.json"
+            - /var/run/docker.sock:/var/run/docker.sock
+        networks:
+            - default
+            - web
+        healthcheck:
+            test: ['CMD', 'traefik', 'healthcheck']
+            interval: 30s
+            timeout: 10s
+            retries: 3
+# for debugging only            
+#    whoami:
+#        image: containous/whoami
+#        labels:
+#            - traefik.enable=true
+#            - traefik.http.routers.{{ servicename }}.rule=Host(`{ domain }`)
+#            - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+#            - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+#        networks:
+#            - web
+networks:
+    web:
+        external: true
--- a/common/docker_traefik/templates/dynamic/tls.yml
+++ b/common/docker_traefik/templates/dynamic/tls.yml
+# TLS Options 
+tls:
+    options:
+        default:
+            sniStrict: true
+            preferServerCipherSuites: true
+            minVersion: "VersionTLS12"
+            curvePreferences:
+                - "secp521r1"
+                - "secp384r1"
+            cipherSuites:
+                - "TLS_AES_128_GCM_SHA256"
+                - "TLS_AES_256_GCM_SHA384"
+                - "TLS_CHACHA20_POLY1305_SHA256"
+                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
\ No newline at end of file
--- a/common/docker_traefik/templates/traefik.yml
+++ b/common/docker_traefik/templates/traefik.yml
+# Global settings
+global:
+    checkNewVersion: true
+# Entrypoints 
+entryPoints:
+    # HTTP, redirect all to HTTPS
+    web:
+        address: ":80"
+        http:
+            redirections:
+                entryPoint:
+                    to: "websecure"
+                    scheme: "https"
+                    permanent: true   
+    # HTTPS, get certificates from letsencrypt
+    websecure:
+        address: ":443"
+        http:
+            tls:
+                certResolver: "letsencrypt"
+# Discover configuration via docker 
+# use network 'web' for interconnect  
+providers:
+    docker:
+        watch: true
+        endpoint: "unix:///var/run/docker.sock"
+        network: "web"
+        exposedByDefault: false
+    file:
+        directory: "/etc/traefik/dynamic"
+        watch: true
+# Traefik API and dashboard 
+api:
+    insecure: true
+    dashboard: true
+    debug: false
+# Enable Ping endpoint for docker healthcheck 
+ping: {}
+# Enable prometheus metrics
+metrics: 
+    prometheus: 
+        addEntryPointsLabels: true 
+        addServicesLabels: true 
+# Logging 
+log:
+    level: "INFO"
+    format: "common"
+# get certificates from letsEncrypt 
+certificatesResolvers:
+    letsencrypt:
+        acme:
+            email: "{{ letsencrypt_notification_email }}"
+            storage: "/acme.json"
+            tlsChallenge: true
--- a/common/nginx/includes/verwaltung-git.warpzone.ms
+++ b/common/nginx/includes/verwaltung-git.warpzone.ms
-	location /  {
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        	proxy_set_header        X-Forwarded-Proto $scheme;
-	        proxy_pass      http://127.0.0.1:42001/;
-        	proxy_redirect  off;
-    }
--- a/common/nginx/includes/verwaltung-ldap.warpzone.ms
+++ b/common/nginx/includes/verwaltung-ldap.warpzone.ms
-    location /  {
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_pass      http://127.0.0.1:42004/;
-        	proxy_redirect  off;
-    }
--- a/common/nginx/includes/verwaltung.warpzone.ms
+++ b/common/nginx/includes/verwaltung.warpzone.ms
-    client_max_body_size 10G; 
-	location /  {
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        	proxy_set_header        X-Forwarded-Proto $scheme;
-	        proxy_pass      http://127.0.0.1:42002/;
-        	proxy_redirect  off;
-    }
--- a/site.yml
+++ b/site.yml
@@ -71,16 +71,43 @@
  roles:
    - { role: common/borgbackup, tags: borgbackup }
    - { role: common/docker, tags: docker }
-    - { role: common/nginx, tags: nginx }
    - { role: common/openvpn, tags: openvpn }
-    - { role: common/docker_ldap, tags: ldap }
+    - { 
-    - { role: verwaltung/docker_gitea, tags: gitea }
+        role: common/docker_ldap, tags: ldap,
-    - { role: verwaltung/docker_jameica, tags: jameicavnc }
+        servicename: "ldap",
-    - { role: verwaltung/docker_nextcloud, tags: nextcloud }
+        domain: "verwaltung-ldap.warpzone.ms"
-    - { role: verwaltung/docker_mysql, tags: mysql }
+      }
-    - { role: verwaltung/user, tags: user }
+    - { 
-    - { role: verwaltung/jameica, tags: jameica }
+        role: common/docker_traefik, tags: traefik,
-    - { role: verwaltung/x2goserver, tags: x2goserver }
+        servicename: traefik 
+      }      
+    - { 
+        role: verwaltung/docker_gitea, tags: gitea,
+        servicename: "gitea",
+        domain: "verwaltung-git.warpzone.ms"
+      }
+    - { 
+        role: verwaltung/docker_jameica, tags: jameicavnc,
+        servicename: "jameicavnc",
+        domain: "verwaltung-jameica.warpzone.ms"
+      }
+    - { 
+        role: verwaltung/docker_nextcloud, tags: nextcloud,
+        servicename: "nextcloud",
+        domain: "verwaltung.warpzone.ms" 
+      }
+    - { 
+        role: verwaltung/docker_mysql, tags: mysql 
+      }
+    - { 
+        role: verwaltung/user, tags: user 
+      }
+    - { 
+        role: verwaltung/jameica, tags: jameica 
+      }
+    - { 
+        role: verwaltung/x2goserver, tags: x2goserver 
+      }

--- a/verwaltung/docker_gitea/templates/docker-compose.yml
+++ b/verwaltung/docker_gitea/templates/docker-compose.yml
@@ -9,7 +9,6 @@ services:
    depends_on:
      - db
    ports:
-      - 127.0.0.1:42001:42001
      - 0.0.0.0:444:444
    volumes:
      - /srv/gitea/data:/data
@@ -27,6 +26,15 @@ services:
      DB_NAME: "gitea"
      DB_USER: "gitea"
      DB_PASSWD: "{{ mysql_user_pw }}"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=42001
+    networks:
+      - default
+      - web
  db:
    image: mariadb:10.5.6
@@ -38,3 +46,10 @@ services:
      MYSQL_PASSWORD: "{{ mysql_user_pw }}"
      MYSQL_DATABASE: "gitea"
      MYSQL_USER: "gitea"
+    networks:
+      - default
+networks:
+  web:
+    external: true    
--- a/verwaltung/docker_jameica/tasks/main.yml
+++ b/verwaltung/docker_jameica/tasks/main.yml
@@ -20,6 +20,7 @@
    - "Dockerfile"
    - "jameica.conf"
    - "jameica.sh"
+    - "nginx.conf"
 - name: start jameica docker
  docker_compose:

--- a/verwaltung/docker_jameica/templates/docker-compose.yml
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
@@ -9,18 +9,17 @@ services:
      DISPLAY_WIDTH: 1440
      DISPLAY_HEIGHT: 900
      RUN_XTERM: "no"
-    ports:
-      - 127.0.0.1:42005:8080
    volumes:
      - /srv/jameica:/jameica/
      - /srv/data-jameica:/jameica-data/
      - /srv/jameica-vnc/work:/jameica-work/
+    networks:
+      - default
  ldap_auth:
    image: pinepain/ldap-auth-proxy:0.2.0
    restart: always
-    ports:
-      - 127.0.0.1:52005:8888
    environment:
      LOG_LEVEL: "info"
      LISTEN: ":8888"
@@ -32,4 +31,28 @@ services:
      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
+    networks:
+      - default
+  nginx:
+    image: nginx:1.19
+    restart: always
+    depends_on:
+      - vnc
+      - ldap_auth
+    volumes:
+      - /srv/jameica-vnc/nginx.conf:/etc/nginx/conf.d/default.conf:ro      
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+    networks:
+      - default
+      - web
+networks:
+  web:
+    external: true    
\ No newline at end of file
--- a/common/nginx/includes/verwaltung-jameica.warpzone.ms
+++ b/common/nginx/includes/verwaltung-jameica.warpzone.ms
+server {
+    listen 80;
+    listen [::]:80;
+    server_name verwaltung-jameica.warpzone.ms;
+    root /dev/null;
+    index index.html;
    location = / {
       return 301 https://$host/vnc.html;
@@ -27,7 +34,7 @@
 	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        	proxy_set_header        X-Forwarded-Proto $scheme;
-	        proxy_pass      http://127.0.0.1:42005/;
+	        proxy_pass      http://vnc:8080/;
        	proxy_redirect  off;
    }
@@ -35,7 +42,7 @@
    location = /auth-proxy {
        internal;
-        proxy_pass http://127.0.0.1:52005/auth;
+        proxy_pass http://ldap_auth:8888/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
@@ -46,3 +53,5 @@
        proxy_set_header X-Ldap-Group "*";
    }
+}
\ No newline at end of file
--- a/verwaltung/docker_nextcloud/templates/docker-compose.yml
+++ b/verwaltung/docker_nextcloud/templates/docker-compose.yml
@@ -6,6 +6,9 @@ services:
    image: redis:6.0.8
    restart: always
+    networks:
+      - default
  mysql:
@@ -18,13 +21,14 @@ services:
      MYSQL_PASSWORD: "{{ mysql_user_pass }}"
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
+    networks:
+      - default
  app:
    image: nextcloud:20.0.0-apache
    restart: always
-    ports:
-      - 127.0.0.1:42002:80
    volumes:
      - /srv/nextcloud/data/:/var/www/html/
      - /srv/nextcloud/tmp/:/tmp/nextcloudtemp/
@@ -38,8 +42,16 @@ services:
      MYSQL_HOST: mysql
      NEXTCLOUD_ADMIN_USER: "admin"
      NEXTCLOUD_ADMIN_PASSWORD: "{{nextcloud_admin_pass}}"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 
+    networks:
+      - default      
+      - web  
  # Build from Howto: https://nerdblog.steinkopf.net/2018/07/nextcloud-volltext-index-mit-docker-und-elasticsearch/
  elasticsearch:
@@ -49,4 +61,10 @@ services:
      - /srv/nextcloud/elasticsearch_data:/usr/share/elasticsearch/data
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
+    networks:
+      - default
+networks:
+  web:
+    external: true