kadet.net/servers
1
0
Fork 0
Code Releases Activity

Add tls support via lets-encrypt

Browse Source
This commit is contained in:
Kacper Donat 2021-04-10 23:11:33 +02:00
parent 928d0fcb60
commit b22dc1c5b4
15 changed files with 53 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
inventory/m2.ini Normal file
View File

@ -0,0 +1,7 @@
[main]
m2.kadet.net
[main:vars]
ansible_user=kadet
main_domain=kadet.net
swarm_addr=2a01:4f8:c2c:db18::1

5
inventory/vagrant.ini
View File

@ -4,4 +4,7 @@
[main:vars] [main:vars]
ansible_user=vagrant ansible_user=vagrant
ansible_ssh_private_key_file=./.vagrant/machines/default/virtualbox/private_key ansible_ssh_private_key_file=./.vagrant/machines/default/virtualbox/private_key
ansible_ssh_common_args='-o StrictHostKeyChecking=no' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
main_domain=kadet.local
swarm_addr=eth0
lets_encrypt_url=https://acme-staging-v02.api.letsencrypt.org/directory

4
services/cojedzie/stack.yml
View File

@ -15,6 +15,8 @@ services:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.{{ service }}-api.rule=(Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)) && PathPrefix(`/api/`) - traefik.http.routers.{{ service }}-api.rule=(Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)) && PathPrefix(`/api/`)
- traefik.http.routers.{{ service }}-api.priority=100 - traefik.http.routers.{{ service }}-api.priority=100
- traefik.http.routers.{{ service }}-api.tls=true
- traefik.http.routers.{{ service }}-api.tls.certresolver=lets-encrypt
- traefik.http.services.{{ service }}-api.loadbalancer.server.port=8080 - traefik.http.services.{{ service }}-api.loadbalancer.server.port=8080
update-job: update-job:
@ -55,6 +57,8 @@ services:
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.{{ service }}-front.rule=Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`) - traefik.http.routers.{{ service }}-front.rule=Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)
- traefik.http.routers.{{ service }}-front.tls=true
- traefik.http.routers.{{ service }}-front.tls.certresolver=lets-encrypt
- traefik.http.services.{{ service }}-front.loadbalancer.server.port=3000 - traefik.http.services.{{ service }}-front.loadbalancer.server.port=3000
volumes: volumes:

2
services/gitea/stack.yml
View File

@ -29,4 +29,6 @@ services:
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.{{ service }}.rule=Host(`git.{{ main_domain }}`) - traefik.http.routers.{{ service }}.rule=Host(`git.{{ main_domain }}`)
- traefik.http.routers.{{ service }}.tls=true
- traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
- traefik.http.services.{{ service }}.loadbalancer.server.port=3000 - traefik.http.services.{{ service }}.loadbalancer.server.port=3000

2
services/portainer/stack.yml
View File

@ -29,6 +29,8 @@ services:
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.{{ service }}.rule=Host(`{{ service }}.{{ main_domain }}`) - traefik.http.routers.{{ service }}.rule=Host(`{{ service }}.{{ main_domain }}`)
- traefik.http.routers.{{ service }}.tls=true
- traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
- traefik.http.services.{{ service }}.loadbalancer.server.port=9000 - traefik.http.services.{{ service }}.loadbalancer.server.port=9000
networks: networks:

2
services/traefik/config/dynamic/alcoholic-calendar.yaml
View File

@ -4,3 +4,5 @@ http:
alcoholic-calendar: alcoholic-calendar:
rule: Host(`alcoholic.{{ main_domain }}`) rule: Host(`alcoholic.{{ main_domain }}`)
service: legacy@docker service: legacy@docker
tls:
certresolver: lets-encrypt

2
services/traefik/config/dynamic/dashboard.yaml
View File

@ -6,6 +6,8 @@ http:
dashboard: dashboard:
rule: Host(`traefik.{{ main_domain }}`) rule: Host(`traefik.{{ main_domain }}`)
service: api@internal service: api@internal
tls:
certresolver: lets-encrypt
{% if dashboard_users is defined %} {% if dashboard_users is defined %}
middlewares: middlewares:
- dashboard_auth - dashboard_auth

2
services/traefik/config/dynamic/nginx.yaml
View File

@ -4,3 +4,5 @@ http:
nginx: nginx:
rule: Host(`{{ main_domain }}`) rule: Host(`{{ main_domain }}`)
service: legacy@docker service: legacy@docker
tls:
certresolver: lets-encrypt

2
services/traefik/config/dynamic/paa.yaml
View File

@ -4,3 +4,5 @@ http:
paa: paa:
rule: Host(`paa.{{ main_domain }}`) rule: Host(`paa.{{ main_domain }}`)
service: legacy@docker service: legacy@docker
tls:
certresolver: lets-encrypt

2
services/traefik/config/dynamic/pastebin.yaml
View File

@ -4,3 +4,5 @@ http:
pastebin: pastebin:
rule: Host(`bin.{{ main_domain }}`) rule: Host(`bin.{{ main_domain }}`)
service: legacy@docker service: legacy@docker
tls:
certresolver: lets-encrypt

14
services/traefik/config/traefik.yaml
View File

@ -9,6 +9,12 @@ global:
entryPoints: entryPoints:
web: web:
address: :80 address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure: websecure:
address: :443 address: :443
@ -59,3 +65,11 @@ providers:
swarmMode: true swarmMode: true
exposedByDefault: false exposedByDefault: false
network: "traefik" network: "traefik"
certificatesResolvers:
lets-encrypt:
acme:
caServer: "{{ lets_encrypt_url|default('https://acme-v02.api.letsencrypt.org/directory') }}"
email: "kacper@kadet.net"
storage: "/etc/traefik/acme/lets-encrypt.json"
tlsChallenge: {}

2
services/traefik/stack.yml
View File

@ -5,9 +5,9 @@ services:
image: traefik:v2.4 image: traefik:v2.4
ports: ports:
- 80:80 - 80:80
- 8080:8080
- 443:443 - 443:443
volumes: volumes:
- ./config/acme:/etc/traefik/acme
- ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
- ./config/dynamic:/etc/traefik/dynamic:ro - ./config/dynamic:/etc/traefik/dynamic:ro
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro

10
services/traefik/tasks/config.yml
View File

@ -1,6 +1,6 @@
--- ---
- name: 'Copy static config for "{{ service }}"' - name: 'Copy static config for "{{ service }}"'
copy: template:
src: "{{ service_path }}/config/traefik.yaml" src: "{{ service_path }}/config/traefik.yaml"
dest: "{{ remote_service_path }}/config/traefik.yaml" dest: "{{ remote_service_path }}/config/traefik.yaml"
tags: tags:
@ -14,6 +14,14 @@
tags: tags:
- config - config
- name: 'Ensure acme config directory exists'
file:
path: "{{ remote_service_path }}/config/acme"
state: directory
owner: "{{ ansible_user }}"
tags:
- config
- name: 'Copy dynamic config' - name: 'Copy dynamic config'
template: template:
src: "{{ file }}" src: "{{ file }}"

1
vars/environment.yml
View File

@ -8,7 +8,6 @@ ansible_python_interpreter: /usr/bin/python3
pip_package: python3-pip pip_package: python3-pip
pip_executable: pip3 pip_executable: pip3
swarm_addr: eth0
swarm_global_networks: swarm_global_networks:
- name: traefik - name: traefik
swarm_host_address: "{{ ansible_docker0.ipv4.address }}" swarm_host_address: "{{ ansible_docker0.ipv4.address }}"

3
vars/services.yml
View File

@ -8,11 +8,8 @@ remote_services_root: /var/services
remote_service_path: "{{ remote_services_root }}/{{ service }}" remote_service_path: "{{ remote_services_root }}/{{ service }}"
compose_version: "3.7" compose_version: "3.7"
ingress_network: traefik ingress_network: traefik
main_domain: kadet.local
database_mysql_host: "{{ swarm_host_address }}" database_mysql_host: "{{ swarm_host_address }}"
services_to_restart: [] services_to_restart: []