From a15c67f92b4a44843689bbe33d6679f74fdc3b6f Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <elberfeld@web.de>
Date: Sun, 6 Nov 2022 02:30:37 +0100
Subject: [PATCH] interne Services auf https umgestellt

---
 common/docker_traefik/tasks/main.yml          | 16 +++---
 .../templates/docker-compose.yml              | 10 ++--
 .../templates/dynamic/redirect-default.yml    |  1 +
 .../docker_traefik/templates/dynamic/tls.yml  | 11 +++-
 common/docker_traefik/templates/traefik.yml   |  3 +-
 host_vars/ogg                                 |  7 +--
 .../templates/docker-compose.yml              | 14 +++++-
 .../templates/docker-compose.yml              | 14 +++++-
 .../templates/docker-compose.yml              | 13 ++++-
 intern/docker_openhab/tasks/main.yml          | 50 +++++++++----------
 .../templates/docker-compose.yml              | 37 ++++++++------
 intern/docker_unifi/tasks/main.yml            | 20 +++++---
 .../docker_unifi/templates/docker-compose.yml | 25 +++++++++-
 site.yml                                      | 25 +++++++---
 14 files changed, 168 insertions(+), 78 deletions(-)

diff --git a/common/docker_traefik/tasks/main.yml b/common/docker_traefik/tasks/main.yml
index 7eb248ae..4785cfad 100644
--- a/common/docker_traefik/tasks/main.yml
+++ b/common/docker_traefik/tasks/main.yml
@@ -1,19 +1,19 @@
        
 - include: ../functions/get_secret.yml
   with_items:
-    - { path: "/srv/traefik/letsencrypt_notification_email",  length: -1 }
+    - { path: "{{ basedir }}/letsencrypt_notification_email",  length: -1 }
 
 - name: "create folder struct for {{ servicename }}"
   file:
     path: "{{ item }}"
     state: "directory"
   with_items:
-    - "/srv/traefik"
-    - "/srv/traefik/dynamic"
+    - "{{ basedir }}"
+    - "{{ basedir }}/dynamic"
 
-- name: "Create CertStore if needed and set permissions /srv/traefik/acme.json"
+- name: "Create CertStore if needed and set permissions"
   file:
-    path: "/srv/traefik/acme.json"
+    path: "{{ basedir }}/acme.json"
     owner: root
     group: root
     mode: '600'
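Review bot: Nothing in this task file provisions `{{ basedir }}/{{ certFile }}` and `{{ basedir }}/{{ keyFile }}`, which the role's docker-compose template bind-mounts into the container when `certFile` is defined; if the files are missing at deploy time Docker creates empty directories at those paths and Traefik cannot load the certificate. The pair appears to be placed out of band (confirm), so this hunk is the natural place for a task that asserts the key exists and is `owner: root`, `group: root`, `mode: '0600'`, guarded with `when: keyFile is defined`, mirroring the acme.json task directly above.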
@@ -22,7 +22,7 @@
 - name: Docker Compose Konfig-Datei erstellen
   template:
     src: "{{ item }}"
-    dest: "/srv/traefik/{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
   with_items:
     - docker-compose.yml
     - traefik.yml 
@@ -32,12 +32,12 @@
 
 - name: "stop {{ servicename}} docker"
   docker_compose:
-    project_src: "/srv/traefik"
+    project_src: "{{ basedir }}"
     state: absent
   when: config.changed
 
 - name: "start {{ servicename}} docker"
   docker_compose:
-    project_src: "/srv/traefik"
+    project_src: "{{ basedir }}"
     state: present
     
\ No newline at end of file
diff --git a/common/docker_traefik/templates/docker-compose.yml b/common/docker_traefik/templates/docker-compose.yml
index 1282b233..abf80734 100644
--- a/common/docker_traefik/templates/docker-compose.yml
+++ b/common/docker_traefik/templates/docker-compose.yml
@@ -8,14 +8,18 @@ services:
         ports:
             - "80:80"
             - "443:443"
-{% if inventory_hostname == 'webserver' %}            - "8448:8448"
+{% if matrix_federation is defined and matrix_federation == true %}            - "8448:8448"
 {% endif %}
-            - "{{ int_ip4 }}:8080:8080"
+            - "{{ int_ip4 }}:8081:8080"
         volumes:
             - "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
             - "/srv/traefik/dynamic:/etc/traefik/dynamic:ro"
             - "/srv/traefik/acme.json:/acme.json"
-            - /var/run/docker.sock:/var/run/docker.sock
+            - "/var/run/docker.sock:/var/run/docker.sock"
+{% if certFile is defined %}
+            - "{{ basedir }}/{{ certFile }}:/{{ certFile }}:ro"
+            - "{{ basedir }}/{{ keyFile }}:/{{ keyFile }}:ro"
+{% endif %}
         networks:
             - default
             - web
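Review bot: The three config mounts just above the new cert lines still hardcode `/srv/traefik/` while the tasks file and the new `certFile`/`keyFile` mounts use `{{ basedir }}`; the two only agree because site.yml sets `basedir: /srv/traefik`, and any other basedir would leave the container reading a stale config tree. Change them to `"{{ basedir }}/traefik.yml:/etc/traefik/traefik.yml:ro"`, `"{{ basedir }}/dynamic:/etc/traefik/dynamic:ro"` and `"{{ basedir }}/acme.json:/acme.json"`. The guard `{% if certFile is defined %}` also covers the `keyFile` mount, so a play that sets only `certFile` fails at render time with an undefined-variable error; `{% if certFile is defined and keyFile is defined %}` (or an assert task in the role) makes the requirement explicit. The `matrix_federation is defined and matrix_federation == true` test here and in traefik.yml reads more simply as `matrix_federation | default(false)`.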
diff --git a/common/docker_traefik/templates/dynamic/redirect-default.yml b/common/docker_traefik/templates/dynamic/redirect-default.yml
index 4e22918b..c196f525 100644
--- a/common/docker_traefik/templates/dynamic/redirect-default.yml
+++ b/common/docker_traefik/templates/dynamic/redirect-default.yml
@@ -19,3 +19,4 @@ http:
             redirectRegex:
                 regex: "^https://{{ domain }}/(.*)"
                 replacement: "https://{{ domain_default }}/$1"
+
diff --git a/common/docker_traefik/templates/dynamic/tls.yml b/common/docker_traefik/templates/dynamic/tls.yml
index ee770ba4..787dabae 100644
--- a/common/docker_traefik/templates/dynamic/tls.yml
+++ b/common/docker_traefik/templates/dynamic/tls.yml
@@ -1,6 +1,16 @@
 
 # TLS Options 
 tls:
+
+{% if certFile is defined %}
+
+    # use local certificate 
+    certificates:
+        - certFile: "/{{ certFile }}"
+          keyFile: "/{{ keyFile }}"
+
+{% endif %}
+
     options:
         default:
             sniStrict: true
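Review bot: The new `certificates` entry only adds the local pair to Traefik's certificate pool; without a `stores.default.defaultCertificate` entry, a TLS handshake whose SNI matches none of that certificate's names is answered with Traefik's auto-generated self-signed certificate, which hides misconfiguration behind a browser warning. Inside the same conditional, consider adding a `stores:` / `default:` / `defaultCertificate:` block pointing at the same `/{{ certFile }}` and `/{{ keyFile }}` so the internally issued certificate is also the fallback. Whether the pair's SANs cover `warpzone.lan` and the per-service `*.warpzone.lan` names used in site.yml cannot be verified from here — confirm against the file.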
@@ -17,4 +27,3 @@ tls:
                 - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                 - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 
-                
\ No newline at end of file
diff --git a/common/docker_traefik/templates/traefik.yml b/common/docker_traefik/templates/traefik.yml
index e6b0e61c..9c0e2027 100644
--- a/common/docker_traefik/templates/traefik.yml
+++ b/common/docker_traefik/templates/traefik.yml
@@ -24,7 +24,8 @@ entryPoints:
             tls:
                 certResolver: "letsencrypt"
 
-{% if inventory_hostname == 'webserver' %}
+
+{% if matrix_federation is defined and matrix_federation == true %}
 
     # additional entrypoint for matrix-federation 
     matrix_federation:
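Review bot: The `websecure` entrypoint keeps `certResolver: "letsencrypt"` (context lines at the top of this hunk) regardless of whether `certFile` is defined, so the internal instance serving `*.warpzone.lan` will still request ACME certificates for every router host; those requests cannot succeed for non-public names and produce recurring errors in the log, and which certificate Traefik then presents for a matching SNI is version-dependent — confirm. Wrap the resolver in the same switch, e.g. `{% if certFile is not defined %}` / `certResolver: "letsencrypt"` / `{% endif %}`, so the internal deployment relies solely on the local certificate. The entrypoint definition begins before this hunk.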
diff --git a/host_vars/ogg b/host_vars/ogg
index b432b226..5bb1f550 100644
--- a/host_vars/ogg
+++ b/host_vars/ogg
@@ -38,10 +38,11 @@ administratorenteam:
   - "void"
   - "sandhome"
 
-# Docker konfigurationen
+# Docker konfigurationen 
 docker:
-  # Interne Docker-Netzwerke
-
+  # Interne Docker-Netzwerke 
+  internal_networks:
+    - web
 
 # Monitoring aktivieren
 alert:
diff --git a/intern/docker_esphome/templates/docker-compose.yml b/intern/docker_esphome/templates/docker-compose.yml
index 573d2c76..82e7f116 100644
--- a/intern/docker_esphome/templates/docker-compose.yml
+++ b/intern/docker_esphome/templates/docker-compose.yml
@@ -6,9 +6,19 @@ services:
 
     image: esphome/esphome:2022.10
     restart: always
-    # listen on Port 6052
-    network_mode: host
     volumes:
       - "{{ basedir }}/config/:/config"
     environment:
       ESPHOME_DASHBOARD_USE_PING: "true"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=6052
+    networks:
+      - default
+      - web
+
+networks:
+  web:
+    external: true
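Review bot: Joining the shared `web` network (this file, and the same lines in the heimdall, nodered, openhab and unifi templates) gives every backend container a direct route to every other backend's listening ports, not only to Traefik, so exposure of e.g. openHAB's 8080 or the UniFi controller's 8443 is no longer limited to what Traefik routes. If only Traefik needs to reach these services, a per-service network joined by Traefik and that one service keeps the backends isolated from each other. Whether any of them genuinely need to talk to one another (openHAB to a broker, for instance) is not visible here — confirm before narrowing.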
diff --git a/intern/docker_heimdall/templates/docker-compose.yml b/intern/docker_heimdall/templates/docker-compose.yml
index 0159cede..b3742bde 100644
--- a/intern/docker_heimdall/templates/docker-compose.yml
+++ b/intern/docker_heimdall/templates/docker-compose.yml
@@ -12,5 +12,15 @@ services:
       - TZ=Europe/Berlin
     volumes:
       - "{{ basedir }}/config:/config"
-    ports:
-      - "{{ heimdall_port }}:80"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+    networks:
+      - default
+      - web
+
+networks:
+  web:
+    external: true
diff --git a/intern/docker_nodered/templates/docker-compose.yml b/intern/docker_nodered/templates/docker-compose.yml
index b33f4553..7f1a9109 100644
--- a/intern/docker_nodered/templates/docker-compose.yml
+++ b/intern/docker_nodered/templates/docker-compose.yml
@@ -11,10 +11,19 @@ services:
   app:
     image: nodered/node-red:2.2.3
     restart: always
-    ports:
-      - "{{ nodered_port }}:1880"
     volumes:
       - "{{ basedir }}/data:/data"
     environment:
       - TZ=Europe/Berlin
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=1880
+    networks:
+      - default
+      - web
 
+networks:
+  web:
+    external: true
diff --git a/intern/docker_openhab/tasks/main.yml b/intern/docker_openhab/tasks/main.yml
index 2df44d2f..61b3194f 100644
--- a/intern/docker_openhab/tasks/main.yml
+++ b/intern/docker_openhab/tasks/main.yml
@@ -2,9 +2,9 @@
 
 - include: ../functions/get_secret.yml
   with_items:
-   - { path: /srv/openhab/openweathermap_apikey, length: -1 }
-   - { path: /srv/openhab/influxdb_password,     length: 12 }
-   - { path: /srv/openhab/influxdb_token,        length: 32 }
+   - { path: "{{ basedir }}/openweathermap_apikey", length: -1 }
+   - { path: "{{ basedir }}/influxdb_password",     length: 12 }
+   - { path: "{{ basedir }}/influxdb_token",        length: 32 }
 
 
 - name: pakete installieren
@@ -13,43 +13,43 @@
     name:
       - logrotate
 
+
 - name: openhab LogRotate config erstellen 
   template: 
     src: logrotate 
     dest: /etc/logrotate.d/openhab
 
-- name: Get a timestamp
-  command: "date +%Y%m%d%H%M%S"
-  register: timestamp
 
-- name: create folder struct for openhab
+- name: "create folder struct for {{ basedir }}"
   file: 
     path: "{{ item }}"
     state: "directory"
   with_items:
-    - /srv/openhab/
-    - /srv/openhab/addons/
-    - /srv/openhab/conf/
-    - /srv/openhab/conf/items/
-    - /srv/openhab/conf/services/
-    - /srv/openhab/conf/persistence/
-    - /srv/openhab/conf/rules/
-    - /srv/openhab/conf/things/
-    - /srv/openhab/userdata/
-    - /srv/openhab/influxdb/
+    - "{{ basedir }}"
+    - "{{ basedir }}/addons/"
+    - "{{ basedir }}/conf/"
+    - "{{ basedir }}/conf/items/"
+    - "{{ basedir }}/conf/services/"
+    - "{{ basedir }}/conf/persistence/"
+    - "{{ basedir }}/conf/rules/"
+    - "{{ basedir }}/conf/things/"
+    - "{{ basedir }}/userdata/"
+    - "{{ basedir }}/influxdb/"
+
 
-- name: Docker-Konfig-Dateien erstellen
+- name: "copy config files for {{ basedir }}"
   template:
     src: "{{ item }}"
-    dest: "/srv/openhab/{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
   with_items:
     - docker-compose.yml
   register: docker_config_files
 
-- name: Openhab-Konfig-Dateien erstellen
+
+- name: "copy config files for {{ basedir }} 2"
   template:
     src: "{{ item }}"
-    dest: "/srv/openhab/{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
   with_items:
     - conf/items/groups.items
     - conf/items/mqtt.items
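Review bot: The task name `"copy config files for {{ basedir }} 2"` says nothing about what distinguishes it from the task above; since this one renders the openHAB item/thing/rule files and the previous one the compose file, name them accordingly, e.g. `- name: "create docker-compose file for {{ servicename }}"` and `- name: "create openhab configuration files"`. Only the compose task is registered as `docker_config_files`, so a change to these configuration files does not trigger the stop/start at the end of the file; if that is intended, a short comment on the register line would save the next reader the question. The with_items list continues past this hunk.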
@@ -71,15 +71,15 @@
     - conf/things/weather.things
     - conf/things/wled.things
 
+
 - name: stop openhab docker
   docker_compose:
-    project_src: /srv/openhab/
+    project_src: "{{ basedir }}"
     state: absent
   when: docker_config_files.changed 
 
+
 - name: start openhab docker
   docker_compose:
-    project_src: /srv/openhab/
+    project_src: "{{ basedir }}"
     state: present
-
-
diff --git a/intern/docker_openhab/templates/docker-compose.yml b/intern/docker_openhab/templates/docker-compose.yml
index 9285510c..248b6fa4 100644
--- a/intern/docker_openhab/templates/docker-compose.yml
+++ b/intern/docker_openhab/templates/docker-compose.yml
@@ -1,5 +1,4 @@
 
-
 version: "3"
 
 services:
@@ -8,25 +7,28 @@ services:
 
     image: openhab/openhab:3.3.0-debian
     restart: always
-    privileged: true
-    network_mode: host
-    cap_add:
-      - NET_ADMIN
-      - NET_RAW
     # The command node is very important. It overrides
     # the "gosu openhab tini -s ./start.sh" command from Dockerfile and runs as root!
     command: "tini -s ./start.sh server"
     volumes:
-      - /boot/cmdline.txt:/boot/cmdline.txt:ro
-      - /etc/localtime:/etc/localtime:ro
-      - /etc/timezone:/etc/timezone:ro
-      - /srv/openhab/addons:/openhab/addons
-      - /srv/openhab/conf:/openhab/conf
-      - /srv/openhab/userdata:/openhab/userdata
+      - "/boot/cmdline.txt:/boot/cmdline.txt:ro"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/etc/timezone:/etc/timezone:ro"
+      - "{{ basedir }}/addons:/openhab/addons"
+      - "{{ basedir }}/conf:/openhab/conf"
+      - "{{ basedir }}/userdata:/openhab/userdata"
     environment:
-      OPENHAB_HTTP_PORT: 8081
-      OPENHAB_HTTPS_PORT: 8444
+      OPENHAB_HTTP_PORT: 8080
+      OPENHAB_HTTPS_PORT: 8443
       EXTRA_JAVA_OPTS: "-Duser.timezone=Europe/Berlin"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
+    networks:
+      - default
+      - web
 
   
   influxdb:
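Review bot: The port change from `8081`/`8444` to `8080`/`8443` is undocumented and, read on its own, looks like a behavior change; it only works because `network_mode: host` is gone and the values are now container-internal, matched by the `server.port=8080` label. A comment above `OPENHAB_HTTP_PORT`, `# container-internal ports (no host networking); Traefik forwards to 8080`, would make that explicit. Without host networking, bindings that rely on multicast/broadcast discovery (mDNS, UPnP) will no longer see LAN devices — confirm none of the configured things depend on that. The openhab service definition starts before this hunk.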
@@ -36,7 +38,7 @@ services:
     ports:
       - {{ int_ip4 }}:{{ influxdb_port }}:8086
     volumes:
-      - /srv/openhab/influxdb:/var/lib/influxdb2
+      - "{{ basedir }}/influxdb:/var/lib/influxdb2"
     environment:
       DOCKER_INFLUXDB_INIT_MODE: setup
       DOCKER_INFLUXDB_INIT_USERNAME: openhab
@@ -44,5 +46,10 @@ services:
       DOCKER_INFLUXDB_INIT_ORG: openhab
       DOCKER_INFLUXDB_INIT_BUCKET: openhab
       DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: {{ influxdb_token }}
+    networks:
+      - default
 
 
+networks:
+  web:
+    external: true
diff --git a/intern/docker_unifi/tasks/main.yml b/intern/docker_unifi/tasks/main.yml
index d36fae19..1f9e11ca 100644
--- a/intern/docker_unifi/tasks/main.yml
+++ b/intern/docker_unifi/tasks/main.yml
@@ -1,21 +1,25 @@
 
 ---
 
-- name: create folder struct for unifi
+- name: "create folder struct for {{ basedir }}"
   file: 
-    path: "/srv/unifi" 
+    path: "{{ basedir }}" 
     state: "directory"
 
-- name: create folder struct for unifi
+- name: "create folder struct for {{ basedir }}"
   file: 
-    path: "/srv/unifi/data" 
+    path: "{{ basedir }}/data" 
     state: "directory"
 
-- name: create docker-compose file 
-  template: src=docker-compose.yml dest=/srv/unifi/docker-compose.yml 
+- name: "create config files for {{ basedir }}"
+  template: 
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - docker-compose.yml 
 
-- name: start unifi docker
+- name: "start {{ basedir }} docker"
   docker_compose:
-    project_src: /srv/unifi/
+    project_src: "{{ basedir }}"
     state: present
 
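Review bot: The first two tasks carry the identical name `"create folder struct for {{ basedir }}"`, which makes play output and `--list-tasks` ambiguous; fold them into one task with `with_items: ["{{ basedir }}", "{{ basedir }}/data"]` as the traefik role does. The last task is named `"start {{ basedir }} docker"`, which renders as `start /srv/unifi docker`; `"start {{ servicename }} docker"` matches the wording in the other roles. Unlike the traefik and openhab roles there is no stop-on-config-change step here; as far as I recall the `docker_compose` module's default `recreate: smart` recreates changed services on `state: present`, so this is acceptable, but a comment stating that would keep it from being read as an omission.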
diff --git a/intern/docker_unifi/templates/docker-compose.yml b/intern/docker_unifi/templates/docker-compose.yml
index 449c1506..ab25a3c5 100644
--- a/intern/docker_unifi/templates/docker-compose.yml
+++ b/intern/docker_unifi/templates/docker-compose.yml
@@ -7,10 +7,31 @@ services:
 
     image: linuxserver/unifi-controller:7.2.95
     restart: always
-    network_mode: host
+    ports:
+      - 8443:8443
+      - 3478:3478/udp
+      - 10001:10001/udp
+      - 8080:8080
+      - 1900:1900/udp 
+      - 6789:6789 
     volumes:
-      - /srv/unifi/data:/config 
+      - "{{ basedir }}/data:/config"
     environment:
       PGID: 1001
       PUID: 1001
       MEM_LIMIT: 256M
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.serversTransport={{ servicename }}
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8443
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.scheme=https
+      - traefik.http.serversTransports.{{ servicename }}.insecureSkipVerify=true
+    networks:
+      - default
+      - web
+
+networks:
+  web:
+    external: true
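Review bot: `8443:8443` publishes the controller's HTTPS UI on every host interface, so it stays reachable directly, bypassing the Traefik route and TLS certificate this change introduces; if the UI should only be served via `unifi.warpzone.lan`, drop that mapping, or bind it to the management address as the traefik template does (`"{{ int_ip4 }}:8443:8443"`). The remaining mappings (8080 inform, 3478 STUN, 10001 discovery, 1900 L2 discovery, 6789 speed test) are the ports access points talk to and need to stay published. `insecureSkipVerify=true` on the serversTransport disables verification of the controller's self-signed certificate for the Traefik→controller hop; on a Docker-internal network that is a defensible trade-off, but state it in a comment next to the label, e.g. `# controller uses a self-signed cert; hop stays on the internal docker network`. Quote the port mappings (`"8443:8443"`) for consistency with the volume entries and the traefik compose file, and strip the trailing whitespace after `1900:1900/udp` and `6789:6789`.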
diff --git a/site.yml b/site.yml
index a5c3e2eb..acebadc7 100644
--- a/site.yml
+++ b/site.yml
@@ -41,17 +41,26 @@
         servicename: dockerstats, 
         basedir: /srv/dockerstats 
       }
+    - { 
+        role: common/docker_traefik, tags: traefik,
+        servicename: traefik,
+        basedir: /srv/traefik,
+        domain: "warpzone.lan",
+        domain_default: "services.warpzone.lan", 
+        certFile: "warpzone+internal+services.pem",
+        keyFile: "warpzone+internal+services.key"
+      }   
     - { 
         role: intern/docker_esphome, tags: esphome, 
         servicename: esphome, 
         basedir: /srv/esphome,
-        esphome_port: 6052 
+        domain: "esphome.warpzone.lan"
       }
     - { 
         role: intern/docker_heimdall, tags: heimdall, 
         servicename: heimdall, 
         basedir: /srv/heimdall,
-        heimdall_port: 80 
+        domain: "services.warpzone.lan"
       }
     - { 
         role: intern/docker_mqtt, tags: mqtt, 
@@ -64,18 +73,20 @@
         role: intern/docker_nodered, tags: nodered, 
         servicename: nodered,
         basedir: /srv/nodered,
-        nodered_port: 1880
+        domain: "nodered.warpzone.lan"
       }
     - { 
         role: intern/docker_openhab, tags: openhab, 
         servicename: openhab, 
+        basedir: /srv/openhab,
+        domain: "openhab.warpzone.lan",
         influxdb_port: 28086
       }
     - { 
         role: intern/docker_unifi, tags: unifi, 
         servicename: unifi,
-        unifi_port1: 8080,
-        unifi_port2: 8443  
+        basedir: /srv/unifi,
+        domain: "unifi.warpzone.lan"
       }
 
 
@@ -101,8 +112,10 @@
     - { 
         role: common/docker_traefik, tags: traefik,
         servicename: traefik,
+        basedir: /srv/traefik,
         domain: "warpzone.ms",
-        domain_default: "www.warpzone.ms" 
+        domain_default: "www.warpzone.ms", 
+        matrix_federation: true
       }   
     - { 
         role: webserver/docker_autodiscover, tags: autodiscover,
-- 
GitLab