From a15c67f92b4a44843689bbe33d6679f74fdc3b6f Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <elberfeld@web.de>
Date: Sun, 6 Nov 2022 02:30:37 +0100
Subject: [PATCH] interne Services auf https umgestellt
---
common/docker_traefik/tasks/main.yml | 16 +++---
.../templates/docker-compose.yml | 10 ++--
.../templates/dynamic/redirect-default.yml | 1 +
.../docker_traefik/templates/dynamic/tls.yml | 11 +++-
common/docker_traefik/templates/traefik.yml | 3 +-
host_vars/ogg | 7 +--
.../templates/docker-compose.yml | 14 +++++-
.../templates/docker-compose.yml | 14 +++++-
.../templates/docker-compose.yml | 13 ++++-
intern/docker_openhab/tasks/main.yml | 50 +++++++++----------
.../templates/docker-compose.yml | 37 ++++++++------
intern/docker_unifi/tasks/main.yml | 20 +++++---
.../docker_unifi/templates/docker-compose.yml | 25 +++++++++-
site.yml | 25 +++++++---
14 files changed, 168 insertions(+), 78 deletions(-)
diff --git a/common/docker_traefik/tasks/main.yml b/common/docker_traefik/tasks/main.yml
index 7eb248ae..4785cfad 100644
--- a/common/docker_traefik/tasks/main.yml
+++ b/common/docker_traefik/tasks/main.yml
@@ -1,19 +1,19 @@
- include: ../functions/get_secret.yml
with_items:
- - { path: "/srv/traefik/letsencrypt_notification_email", length: -1 }
+ - { path: "{{ basedir }}/letsencrypt_notification_email", length: -1 }
- name: "create folder struct for {{ servicename }}"
file:
path: "{{ item }}"
state: "directory"
with_items:
- - "/srv/traefik"
- - "/srv/traefik/dynamic"
+ - "{{ basedir }}"
+ - "{{ basedir }}/dynamic"
-- name: "Create CertStore if needed and set permissions /srv/traefik/acme.json"
+- name: "Create CertStore if needed and set permissions"
file:
- path: "/srv/traefik/acme.json"
+ path: "{{ basedir }}/acme.json"
owner: root
group: root
mode: '600'
@@ -22,7 +22,7 @@
- name: Docker Compose Konfig-Datei erstellen
template:
src: "{{ item }}"
- dest: "/srv/traefik/{{ item }}"
+ dest: "{{ basedir }}/{{ item }}"
with_items:
- docker-compose.yml
- traefik.yml
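Review bot: Nothing in this role places or validates the certificate pair that the compose template now bind-mounts from `{{ basedir }}/{{ certFile }}` and `{{ basedir }}/{{ keyFile }}` when `certFile` is set (as site.yml does for the internal host), so the play depends on files dropped there by hand. The acme.json task in this hunk already shows the pattern to follow: add a task that installs the two files with `mode: '600'` on the key, or at least a `stat` and `assert` on both paths before the compose start, so a missing file fails the run instead of Docker creating a directory at the mount path. The rest of the role continues in the following hunks.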
@@ -32,12 +32,12 @@
- name: "stop {{ servicename}} docker"
docker_compose:
- project_src: "/srv/traefik"
+ project_src: "{{ basedir }}"
state: absent
when: config.changed
- name: "start {{ servicename}} docker"
docker_compose:
- project_src: "/srv/traefik"
+ project_src: "{{ basedir }}"
state: present
\ No newline at end of file
diff --git a/common/docker_traefik/templates/docker-compose.yml b/common/docker_traefik/templates/docker-compose.yml
index 1282b233..abf80734 100644
--- a/common/docker_traefik/templates/docker-compose.yml
+++ b/common/docker_traefik/templates/docker-compose.yml
@@ -8,14 +8,18 @@ services:
ports:
- "80:80"
- "443:443"
-{% if inventory_hostname == 'webserver' %}
- "8448:8448"
+{% if matrix_federation is defined and matrix_federation == true %}
- "8448:8448"
{% endif %}
- - "{{ int_ip4 }}:8080:8080"
+ - "{{ int_ip4 }}:8081:8080"
volumes:
- "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
- "/srv/traefik/dynamic:/etc/traefik/dynamic:ro"
- "/srv/traefik/acme.json:/acme.json"
- - /var/run/docker.sock:/var/run/docker.sock
+ - "/var/run/docker.sock:/var/run/docker.sock"
+{% if certFile is defined %}
+ - "{{ basedir }}/{{ certFile }}:/{{ certFile }}:ro"
+ - "{{ basedir }}/{{ keyFile }}:/{{ keyFile }}:ro"
+{% endif %}
networks:
- default
- web
diff --git a/common/docker_traefik/templates/dynamic/redirect-default.yml b/common/docker_traefik/templates/dynamic/redirect-default.yml
index 4e22918b..c196f525 100644
--- a/common/docker_traefik/templates/dynamic/redirect-default.yml
+++ b/common/docker_traefik/templates/dynamic/redirect-default.yml
@@ -19,3 +19,4 @@ http:
redirectRegex:
regex: "^https://{{ domain }}/(.*)"
replacement: "https://{{ domain_default }}/$1"
+
diff --git a/common/docker_traefik/templates/dynamic/tls.yml b/common/docker_traefik/templates/dynamic/tls.yml
index ee770ba4..787dabae 100644
--- a/common/docker_traefik/templates/dynamic/tls.yml
+++ b/common/docker_traefik/templates/dynamic/tls.yml
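Review bot: The `{% if certFile is defined %}` guard in the traefik docker-compose hunk also mounts `{{ keyFile }}`, so a host that defines only `certFile` fails at template time on an undefined variable; guard on both, `{% if certFile is defined and keyFile is defined %}` (tls.yml uses the same single-variable guard and should change with it). The three `/srv/traefik/...` volume lines directly above the new block stay hard-coded while the new certificate mounts and the rest of this commit use `{{ basedir }}`, so the two styles now sit side by side in one list. As the hunk reads, one `- "8448:8448"` line sits before the `{% if matrix_federation ... %}` block and one inside it, which would publish 8448 on every host regardless of the flag; if that is not an artifact of how the patch is rendered here, drop the unconditional one.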
@@ -1,6 +1,16 @@
# TLS Options
tls:
+
+{% if certFile is defined %}
+
+ # use local certificate
+ certificates:
+ - certFile: "/{{ certFile }}"
+ keyFile: "/{{ keyFile }}"
+
+{% endif %}
+
options:
default:
sniStrict: true
@@ -17,4 +27,3 @@ tls:
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
-
\ No newline at end of file
diff --git a/common/docker_traefik/templates/traefik.yml b/common/docker_traefik/templates/traefik.yml
index e6b0e61c..9c0e2027 100644
--- a/common/docker_traefik/templates/traefik.yml
+++ b/common/docker_traefik/templates/traefik.yml
@@ -24,7 +24,8 @@ entryPoints:
tls:
certResolver: "letsencrypt"
-{% if inventory_hostname == 'webserver' %}
+
+{% if matrix_federation is defined and matrix_federation == true %}
# additional entrypoint for matrix-federation
matrix_federation:
diff --git a/host_vars/ogg b/host_vars/ogg
index b432b226..5bb1f550 100644
--- a/host_vars/ogg
+++ b/host_vars/ogg
@@ -38,10 +38,11 @@ administratorenteam:
- "void"
- "sandhome"
-# Docker konfigurationen
+# Docker konfigurationen
docker:
- # Interne Docker-Netzwerke
-
+ # Interne Docker-Netzwerke
+ internal_networks:
+ - web
# Monitoring aktivieren
alert:
diff --git a/intern/docker_esphome/templates/docker-compose.yml b/intern/docker_esphome/templates/docker-compose.yml
index 573d2c76..82e7f116 100644
--- a/intern/docker_esphome/templates/docker-compose.yml
+++ b/intern/docker_esphome/templates/docker-compose.yml
@@ -6,9 +6,19 @@ services:
image: esphome/esphome:2022.10
restart: always
- # listen on Port 6052
- network_mode: host
volumes:
- "{{ basedir }}/config/:/config"
environment:
ESPHOME_DASHBOARD_USE_PING: "true"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=6052
+ networks:
+ - default
+ - web
+
+networks:
+ web:
+ external: true
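Review bot: The `certificates:` entry goes into the default store while `sniStrict: true` stays in `options.default` just below it, so any `Host()` rule whose name is not a SAN of `/{{ certFile }}` is refused at the TLS handshake rather than served with a fallback certificate. Confirm the local certificate covers every `domain` the internal roles declare in site.yml (`esphome.`, `nodered.`, `openhab.`, `unifi.` and `services.warpzone.lan` plus `warpzone.lan`); the file name hints at a multi-name certificate but the diff cannot show it. A comment next to the block, `# the local cert must carry a SAN for every internal Host() rule; sniStrict rejects unmatched names`, would spare the next reader the search.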
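Review bot: `certResolver: "letsencrypt"` on the entrypoint in the traefik.yml hunk is kept unchanged for the internal deployment that now brings its own certificate via tls.yml, so Traefik may still start ACME orders for the `*.warpzone.lan` router hosts and log repeated failures for names Let's Encrypt cannot validate; whether the locally supplied certificate wins in practice cannot be seen from this hunk and should be checked in the Traefik log after rollout. Consider wrapping the `tls:`/`certResolver:` lines in `{% if certFile is not defined %}` … `{% endif %}` so the resolver is only configured where ACME is usable. Minor: `matrix_federation is defined and matrix_federation == true` reads simpler as `matrix_federation | default(false)`; the same expression appears in the traefik docker-compose template.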
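Review bot: The esphome service is attached to both `default` and `web`, but no `traefik.docker.network=web` label is set, so unless traefik.yml already sets `providers.docker.network` (not visible in this diff) Traefik may pick the project's `default` network address, which it cannot reach, and the router fails depending on the order Docker returns the networks. Add `- traefik.docker.network=web` to the labels; the same applies to the heimdall, nodered, openhab and unifi compose files in this commit. Dropping `network_mode: host` also removes mDNS visibility for the dashboard; `ESPHOME_DASHBOARD_USE_PING: "true"` is kept so status checks fall back to ping, but confirm device names resolve from inside the container.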
diff --git a/intern/docker_heimdall/templates/docker-compose.yml b/intern/docker_heimdall/templates/docker-compose.yml
index 0159cede..b3742bde 100644
--- a/intern/docker_heimdall/templates/docker-compose.yml
+++ b/intern/docker_heimdall/templates/docker-compose.yml
@@ -12,5 +12,15 @@ services:
- TZ=Europe/Berlin
volumes:
- "{{ basedir }}/config:/config"
- ports:
- - "{{ heimdall_port }}:80"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+ networks:
+ - default
+ - web
+
+networks:
+ web:
+ external: true
diff --git a/intern/docker_nodered/templates/docker-compose.yml b/intern/docker_nodered/templates/docker-compose.yml
index b33f4553..7f1a9109 100644
--- a/intern/docker_nodered/templates/docker-compose.yml
+++ b/intern/docker_nodered/templates/docker-compose.yml
@@ -11,10 +11,19 @@ services:
app:
image: nodered/node-red:2.2.3
restart: always
- ports:
- - "{{ nodered_port }}:1880"
volumes:
- "{{ basedir }}/data:/data"
environment:
- TZ=Europe/Berlin
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=1880
+ networks:
+ - default
+ - web
+networks:
+ web:
+ external: true
diff --git a/intern/docker_openhab/tasks/main.yml b/intern/docker_openhab/tasks/main.yml
index 2df44d2f..61b3194f 100644
--- a/intern/docker_openhab/tasks/main.yml
+++ b/intern/docker_openhab/tasks/main.yml
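Review bot: The new router for `nodered.warpzone.lan` in the nodered hunk carries no middleware, so the flow editor is reachable over Traefik with whatever authentication `settings.js` under `{{ basedir }}/data` configures, and that file is not part of this diff. If `adminAuth` is not set there, either add an auth middleware on the router (`traefik.http.routers.{{ servicename }}.middlewares=<auth-middleware>`) or enable `adminAuth`; the reachable network is the same LAN as the removed host port, so this is about making the assumption explicit rather than a regression. A comment above `labels:` naming which of the two protects the editor would settle it.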
@@ -2,9 +2,9 @@
- include: ../functions/get_secret.yml
with_items:
- - { path: /srv/openhab/openweathermap_apikey, length: -1 }
- - { path: /srv/openhab/influxdb_password, length: 12 }
- - { path: /srv/openhab/influxdb_token, length: 32 }
+ - { path: "{{ basedir }}/openweathermap_apikey", length: -1 }
+ - { path: "{{ basedir }}/influxdb_password", length: 12 }
+ - { path: "{{ basedir }}/influxdb_token", length: 32 }
- name: pakete installieren
@@ -13,43 +13,43 @@
name:
- logrotate
+
- name: openhab LogRotate config erstellen
template:
src: logrotate
dest: /etc/logrotate.d/openhab
-- name: Get a timestamp
- command: "date +%Y%m%d%H%M%S"
- register: timestamp
-- name: create folder struct for openhab
+- name: "create folder struct for {{ basedir }}"
file:
path: "{{ item }}"
state: "directory"
with_items:
- - /srv/openhab/
- - /srv/openhab/addons/
- - /srv/openhab/conf/
- - /srv/openhab/conf/items/
- - /srv/openhab/conf/services/
- - /srv/openhab/conf/persistence/
- - /srv/openhab/conf/rules/
- - /srv/openhab/conf/things/
- - /srv/openhab/userdata/
- - /srv/openhab/influxdb/
+ - "{{ basedir }}"
+ - "{{ basedir }}/addons/"
+ - "{{ basedir }}/conf/"
+ - "{{ basedir }}/conf/items/"
+ - "{{ basedir }}/conf/services/"
+ - "{{ basedir }}/conf/persistence/"
+ - "{{ basedir }}/conf/rules/"
+ - "{{ basedir }}/conf/things/"
+ - "{{ basedir }}/userdata/"
+ - "{{ basedir }}/influxdb/"
+
-- name: Docker-Konfig-Dateien erstellen
+- name: "copy config files for {{ basedir }}"
template:
src: "{{ item }}"
- dest: "/srv/openhab/{{ item }}"
+ dest: "{{ basedir }}/{{ item }}"
with_items:
- docker-compose.yml
register: docker_config_files
-- name: Openhab-Konfig-Dateien erstellen
+
+- name: "copy config files for {{ basedir }} 2"
template:
src: "{{ item }}"
- dest: "/srv/openhab/{{ item }}"
+ dest: "{{ basedir }}/{{ item }}"
with_items:
- conf/items/groups.items
- conf/items/mqtt.items
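Review bot: The task renamed to `copy config files for {{ basedir }} 2` on the last lines of the second hunk says neither what it renders nor why it is separate from the task above it; `- name: "render openHAB conf files into {{ basedir }}/conf"` would. The split does matter: only the docker-compose task is registered as `docker_config_files`, so changes to the conf templates never trigger the stop/start tasks later in the file, and a one-line comment stating that this is intentional (presumably because openHAB picks up `conf/` changes itself — confirm) would keep the next reader from "fixing" it. The `with_items:` list of this task continues past the end of the hunk.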
@@ -71,15 +71,15 @@
- conf/things/weather.things
- conf/things/wled.things
+
- name: stop openhab docker
docker_compose:
- project_src: /srv/openhab/
+ project_src: "{{ basedir }}"
state: absent
when: docker_config_files.changed
+
- name: start openhab docker
docker_compose:
- project_src: /srv/openhab/
+ project_src: "{{ basedir }}"
state: present
-
-
diff --git a/intern/docker_openhab/templates/docker-compose.yml b/intern/docker_openhab/templates/docker-compose.yml
index 9285510c..248b6fa4 100644
--- a/intern/docker_openhab/templates/docker-compose.yml
+++ b/intern/docker_openhab/templates/docker-compose.yml
@@ -1,5 +1,4 @@
-
version: "3"
services:
@@ -8,25 +8,28 @@ services:
image: openhab/openhab:3.3.0-debian
restart: always
- privileged: true
- network_mode: host
- cap_add:
- - NET_ADMIN
- - NET_RAW
# The command node is very important. It overrides
# the "gosu openhab tini -s ./start.sh" command from Dockerfile and runs as root!
command: "tini -s ./start.sh server"
volumes:
- - /boot/cmdline.txt:/boot/cmdline.txt:ro
- - /etc/localtime:/etc/localtime:ro
- - /etc/timezone:/etc/timezone:ro
- - /srv/openhab/addons:/openhab/addons
- - /srv/openhab/conf:/openhab/conf
- - /srv/openhab/userdata:/openhab/userdata
+ - "/boot/cmdline.txt:/boot/cmdline.txt:ro"
+ - "/etc/localtime:/etc/localtime:ro"
+ - "/etc/timezone:/etc/timezone:ro"
+ - "{{ basedir }}/addons:/openhab/addons"
+ - "{{ basedir }}/conf:/openhab/conf"
+ - "{{ basedir }}/userdata:/openhab/userdata"
environment:
- OPENHAB_HTTP_PORT: 8081
- OPENHAB_HTTPS_PORT: 8444
+ OPENHAB_HTTP_PORT: 8080
+ OPENHAB_HTTPS_PORT: 8443
EXTRA_JAVA_OPTS: "-Duser.timezone=Europe/Berlin"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
+ networks:
+ - default
+ - web
influxdb:
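Review bot: Removing `privileged: true`, `network_mode: host` and the `NET_ADMIN`/`NET_RAW` capabilities in the openhab compose hunk is the right direction, but the comment kept above `command:` still says the container runs as root, and that is now the only elevated setting left; if no binding needs raw sockets or host networking any more, `command: "tini -s ./start.sh server"` can go back to the image default, otherwise the comment should say what still requires root. Leaving host networking also changes what openHAB can see: discovery that relies on LAN multicast or broadcast (UPnP, mDNS) does not work from the `default` bridge network, and the hunk gives no indication which bindings are configured, so verify that before rollout. The port changes (`8081`→`8080`, `8444`→`8443`) are container-internal now that nothing is published directly, which a short comment on `OPENHAB_HTTP_PORT` could note.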
@@ -36,7 +38,7 @@ services:
ports:
- {{ int_ip4 }}:{{ influxdb_port }}:8086
volumes:
- - /srv/openhab/influxdb:/var/lib/influxdb2
+ - "{{ basedir }}/influxdb:/var/lib/influxdb2"
environment:
DOCKER_INFLUXDB_INIT_MODE: setup
DOCKER_INFLUXDB_INIT_USERNAME: openhab
@@ -44,5 +46,10 @@ services:
DOCKER_INFLUXDB_INIT_ORG: openhab
DOCKER_INFLUXDB_INIT_BUCKET: openhab
DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: {{ influxdb_token }}
+ networks:
+ - default
+networks:
+ web:
+ external: true
diff --git a/intern/docker_unifi/tasks/main.yml b/intern/docker_unifi/tasks/main.yml
index d36fae19..1f9e11ca 100644
--- a/intern/docker_unifi/tasks/main.yml
+++ b/intern/docker_unifi/tasks/main.yml
@@ -1,21 +1,25 @@
---
-- name: create folder struct for unifi
+- name: "create folder struct for {{ basedir }}"
file:
- path: "/srv/unifi"
+ path: "{{ basedir }}"
state: "directory"
-- name: create folder struct for unifi
+- name: "create folder struct for {{ basedir }}"
file:
- path: "/srv/unifi/data"
+ path: "{{ basedir }}/data"
state: "directory"
-- name: create docker-compose file
- template: src=docker-compose.yml dest=/srv/unifi/docker-compose.yml
+- name: "create config files for {{ basedir }}"
+ template:
+ src: "{{ item }}"
+ dest: "{{ basedir }}/{{ item }}"
+ with_items:
+ - docker-compose.yml
-- name: start unifi docker
+- name: "start {{ basedir }} docker"
docker_compose:
- project_src: /srv/unifi/
+ project_src: "{{ basedir }}"
state: present
diff --git a/intern/docker_unifi/templates/docker-compose.yml b/intern/docker_unifi/templates/docker-compose.yml
index 449c1506..ab25a3c5 100644
--- a/intern/docker_unifi/templates/docker-compose.yml
+++ b/intern/docker_unifi/templates/docker-compose.yml
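Review bot: With openhab off host networking and `influxdb` now on `default` only (second openhab compose hunk), the two containers share a compose network and openHAB can reach InfluxDB as `influxdb:8086`; the persistence configuration under `conf/services/` is not in this diff, so confirm whether it still points at `{{ int_ip4 }}:{{ influxdb_port }}` — that still works through the published port but keeps the traffic on the host interface, and the service name is the intended path now. The published `{{ int_ip4 }}:{{ influxdb_port }}:8086` mapping stays, so document in a comment which external consumer still needs it or drop it. Style: the top-level `networks:` follows `- default` with no separating blank line, unlike the other compose files in this commit.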
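Review bot: Both `file` tasks at the top of the unifi tasks hunk carry the identical name `create folder struct for {{ basedir }}`, which makes `--list-tasks` output and logs ambiguous; fold them into one task with `with_items:` over `"{{ basedir }}"` and `"{{ basedir }}/data"` as the openhab role does. `start {{ basedir }} docker` renders as `start /srv/unifi docker`; the traefik role's `start {{ servicename }} docker` is the better template. The role also neither registers the template result nor has a stop task, so applying a changed compose file (as this commit does) relies on `docker_compose: state: present` re-creating the container on its own.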
@@ -7,10 +7,31 @@ services:
image: linuxserver/unifi-controller:7.2.95
restart: always
- network_mode: host
+ ports:
+ - 8443:8443
+ - 3478:3478/udp
+ - 10001:10001/udp
+ - 8080:8080
+ - 1900:1900/udp
+ - 6789:6789
volumes:
- - /srv/unifi/data:/config
+ - "{{ basedir }}/data:/config"
environment:
PGID: 1001
PUID: 1001
MEM_LIMIT: 256M
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.serversTransport={{ servicename }}
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8443
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.scheme=https
+ - traefik.http.serversTransports.{{ servicename }}.insecureSkipVerify=true
+ networks:
+ - default
+ - web
+
+networks:
+ web:
+ external: true
diff --git a/site.yml b/site.yml
index a5c3e2eb..acebadc7 100644
--- a/site.yml
+++ b/site.yml
@@ -41,17 +41,26 @@
servicename: dockerstats,
basedir: /srv/dockerstats
}
+ - {
+ role: common/docker_traefik, tags: traefik,
+ servicename: traefik,
+ basedir: /srv/traefik,
+ domain: "warpzone.lan",
+ domain_default: "services.warpzone.lan",
+ certFile: "warpzone+internal+services.pem",
+ keyFile: "warpzone+internal+services.key"
+ }
- {
role: intern/docker_esphome, tags: esphome,
servicename: esphome,
basedir: /srv/esphome,
- esphome_port: 6052
+ domain: "esphome.warpzone.lan"
}
- {
role: intern/docker_heimdall, tags: heimdall,
servicename: heimdall,
basedir: /srv/heimdall,
- heimdall_port: 80
+ domain: "services.warpzone.lan"
}
- {
role: intern/docker_mqtt, tags: mqtt,
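Review bot: The new `ports:` block in the unifi compose hunk publishes 8443 on all host interfaces while the same 8443 is also routed through Traefik, so the controller UI stays reachable on both paths and the TLS options from tls.yml only cover the Traefik one; drop the direct `8443:8443` publish if the Traefik route is meant to be the UI entry, and bind the remaining device-facing ports (8080, 3478/udp, 10001/udp, 1900/udp, 6789) to `{{ int_ip4 }}` as the traefik compose does for its own dashboard. `insecureSkipVerify=true` on the serversTransport is explained by the controller's self-signed certificate on the internal bridge network, which deserves a comment beside that label, e.g. `# controller serves a self-signed cert; verification is skipped only on the internal docker network`. Quote the port mappings (`"8443:8443"`) for consistency with the other compose files, and note that without host networking the controller will, as far as I know, advertise its container address as inform host unless the override is set in the controller settings — worth confirming after the switch.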
@@ -64,18 +73,20 @@
role: intern/docker_nodered, tags: nodered,
servicename: nodered,
basedir: /srv/nodered,
- nodered_port: 1880
+ domain: "nodered.warpzone.lan"
}
- {
role: intern/docker_openhab, tags: openhab,
servicename: openhab,
+ basedir: /srv/openhab,
+ domain: "openhab.warpzone.lan",
influxdb_port: 28086
}
- {
role: intern/docker_unifi, tags: unifi,
servicename: unifi,
- unifi_port1: 8080,
- unifi_port2: 8443
+ basedir: /srv/unifi,
+ domain: "unifi.warpzone.lan"
}
@@ -101,8 +112,10 @@
- {
role: common/docker_traefik, tags: traefik,
servicename: traefik,
+ basedir: /srv/traefik,
domain: "warpzone.ms",
- domain_default: "www.warpzone.ms"
+ domain_default: "www.warpzone.ms",
+ matrix_federation: true
}
- {
role: webserver/docker_autodiscover, tags: autodiscover,
--
GitLab