Add tls support via lets-encrypt

inventory/m2.ini

@@ -0,0 +1,7 @@
+[main]
+m2.kadet.net
+
+[main:vars]
+ansible_user=kadet
+main_domain=kadet.net
+swarm_addr=2a01:4f8:c2c:db18::1

inventory/vagrant.ini

@@ -4,4 +4,7 @@
 [main:vars]
 ansible_user=vagrant
 ansible_ssh_private_key_file=./.vagrant/machines/default/virtualbox/private_key
-ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+main_domain=kadet.local
+swarm_addr=eth0
+lets_encrypt_url=https://acme-staging-v02.api.letsencrypt.org/directory

services/cojedzie/stack.yml

@@ -15,6 +15,8 @@ services:
         - traefik.enable=true
         - traefik.http.routers.{{ service }}-api.rule=(Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)) && PathPrefix(`/api/`)
         - traefik.http.routers.{{ service }}-api.priority=100
+        - traefik.http.routers.{{ service }}-api.tls=true
+        - traefik.http.routers.{{ service }}-api.tls.certresolver=lets-encrypt
         - traefik.http.services.{{ service }}-api.loadbalancer.server.port=8080
 
   update-job:
@@ -55,6 +57,8 @@ services:
       labels:
         - traefik.enable=true
         - traefik.http.routers.{{ service }}-front.rule=Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)
+        - traefik.http.routers.{{ service }}-front.tls=true
+        - traefik.http.routers.{{ service }}-front.tls.certresolver=lets-encrypt
         - traefik.http.services.{{ service }}-front.loadbalancer.server.port=3000
 
 volumes:

services/gitea/stack.yml

@@ -29,4 +29,6 @@ services:
       labels:
         - traefik.enable=true
         - traefik.http.routers.{{ service }}.rule=Host(`git.{{ main_domain }}`)
+        - traefik.http.routers.{{ service }}.tls=true
+        - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
         - traefik.http.services.{{ service }}.loadbalancer.server.port=3000

services/portainer/stack.yml

@@ -29,6 +29,8 @@ services:
       labels:
         - traefik.enable=true
         - traefik.http.routers.{{ service }}.rule=Host(`{{ service }}.{{ main_domain }}`)
+        - traefik.http.routers.{{ service }}.tls=true
+        - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
         - traefik.http.services.{{ service }}.loadbalancer.server.port=9000
 
 networks:

services/traefik/config/dynamic/alcoholic-calendar.yaml

@@ -4,3 +4,5 @@ http:
     alcoholic-calendar:
       rule: Host(`alcoholic.{{ main_domain }}`)
       service: legacy@docker
+      tls:
+        certresolver: lets-encrypt

services/traefik/config/dynamic/dashboard.yaml

@@ -6,6 +6,8 @@ http:
     dashboard:
       rule: Host(`traefik.{{ main_domain }}`)
       service: api@internal
+      tls:
+        certresolver: lets-encrypt
 {% if dashboard_users is defined %}
       middlewares:
         - dashboard_auth

services/traefik/config/dynamic/nginx.yaml

@@ -4,3 +4,5 @@ http:
     nginx:
       rule: Host(`{{ main_domain }}`)
       service: legacy@docker
+      tls:
+        certresolver: lets-encrypt

services/traefik/config/dynamic/paa.yaml

@@ -4,3 +4,5 @@ http:
     paa:
       rule: Host(`paa.{{ main_domain }}`)
       service: legacy@docker
+      tls:
+        certresolver: lets-encrypt

services/traefik/config/dynamic/pastebin.yaml

@@ -4,3 +4,5 @@ http:
     pastebin:
       rule: Host(`bin.{{ main_domain }}`)
       service: legacy@docker
+      tls:
+        certresolver: lets-encrypt

services/traefik/config/traefik.yaml

@@ -9,6 +9,12 @@ global:
 entryPoints:
   web:       
     address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+
   websecure: 
     address: :443
 
@@ -59,3 +65,11 @@ providers:
     swarmMode: true
     exposedByDefault: false
     network: "traefik"
+
+certificatesResolvers:
+  lets-encrypt:
+    acme:
+      caServer: "{{ lets_encrypt_url|default('https://acme-v02.api.letsencrypt.org/directory') }}"
+      email: "kacper@kadet.net"
+      storage: "/etc/traefik/acme/lets-encrypt.json"
+      tlsChallenge: {}

services/traefik/stack.yml

@@ -5,9 +5,9 @@ services:
     image: traefik:v2.4
     ports:
       - 80:80
-      - 8080:8080
       - 443:443
     volumes:
+      - ./config/acme:/etc/traefik/acme
       - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
       - ./config/dynamic:/etc/traefik/dynamic:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro

services/traefik/tasks/config.yml

@@ -1,6 +1,6 @@
 ---
 - name: 'Copy static config for "{{ service }}"'
-  copy:
+  template:
     src: "{{ service_path }}/config/traefik.yaml"
     dest: "{{ remote_service_path }}/config/traefik.yaml"
   tags:
@@ -14,6 +14,14 @@
   tags:
     - config
 
+- name: 'Ensure acme config directory exists'
+  file:
+    path: "{{ remote_service_path }}/config/acme"
+    state: directory
+    owner: "{{ ansible_user }}"
+  tags:
+    - config
+
 - name: 'Copy dynamic config'
   template:
     src: "{{ file }}"

vars/environment.yml

@@ -8,7 +8,6 @@ ansible_python_interpreter: /usr/bin/python3
 pip_package: python3-pip
 pip_executable: pip3
 
-swarm_addr: eth0
 swarm_global_networks:
  - name: traefik
 swarm_host_address: "{{ ansible_docker0.ipv4.address }}"

vars/services.yml

@@ -8,11 +8,8 @@ remote_services_root: /var/services
 remote_service_path: "{{ remote_services_root }}/{{ service }}"
 
 compose_version: "3.7"
-
 ingress_network: traefik
 
-main_domain: kadet.local
-
 database_mysql_host: "{{ swarm_host_address }}"
 
 services_to_restart: []