WIP ingress configuration
- Traefik is advertising http/2 along with TLS
it then forwards the unencrypted h2 to the PHP server,
which then gives up.
(╯°□°)╯︵ ┻━┻
kaarana/database.tf | 6 ++++--
kaarana/traefik.tf | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
kaarana/traefik.toml | 45 +++++++++++++++++++++++++++++++++++++++++++++
kaarana/wordpress.tf | 19 +++++++++++++++++++
4 files changed, 121 insertions(+), 2 deletions(-)
@@ -18,8 +18,10 @@
resource "docker_container" "mysql" {
image = "${docker_image.db.latest}"
name = "kaarana-mariadb"
image = "${docker_image.db.latest}"
name = "kaarana-mariadb"
restart = "always"
must_run = true
env = [
"MYSQL_ROOT_PASSWORD=${var.root_db_password}",
@@ -9,3 +9,56 @@
internal = true
}
resource "docker_container" "traefik" {
name = "traefik"
image = "${docker_image.traefik.latest}"
env = [
"GODEBUG=http2client=0",
]
upload {
content = "${file("${path.module}/traefik.toml")}"
file = "/etc/traefik/traefik.toml"
}
volumes {
host_path = "/var/run/docker.sock"
container_path = "/var/run/docker.sock"
read_only = true
}
volumes {
host_path = "/mnt/disk/traefik"
container_path = "/acme"
}
ports {
internal = 443
external = 8443
ip = "139.59.22.234"
}
ports {
internal = 80
external = 80
ip = "139.59.22.234"
}
memory = 256
restart = "always"
destroy_grace_seconds = 10
must_run = true
networks_advanced = [
{
name = "bridge"
},
{
name = "traefik"
},
]
}
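Review bot: `read_only = true` on the `/var/run/docker.sock` bind mount in the first `volumes` block only makes the mount read-only; the Docker API reached through that socket stays fully writable, so a compromise of the Traefik container is equivalent to control of the Docker daemon on the host. That is inherent to the docker provider, but it deserves a comment so nobody reads the flag as a mitigation, e.g. `# read_only restricts the mount, not the Docker API; the provider still has full daemon access`, and if the host permits it the socket can be fronted by a filtering proxy exposing only the read endpoints the provider needs. The public address `139.59.22.234` is repeated in both `ports` blocks; hoisting it into a `local` or a `variable` keeps the two from drifting. The `GODEBUG=http2client=0` entry only affects Traefik's outbound Go HTTP client, so it is unlikely to change how the TCP router declared in wordpress.tf hands the decrypted stream to the backend.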
@@ -1,0 +1,45 @@
[providers.docker]
exposedByDefault = false
network = "traefik"
defaultRule = ""
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web-secure]
address = ":443"
[http.middlewares]
[http.middlewares.everything.redirectScheme]
scheme = "https"
[tcp.routers]
[tcp.routers.forwardtohome]
entryPoints = ["web-secure"]
rule = "HostSNI(`emby.bb8.fun`, `git.captnemo.in`)"
service = "homeserver"
[tcp.routers.forwardtohome.tls]
passthrough = true
[tcp.services]
[tcp.services.homeserver.loadBalancer]
[[tcp.services.homeserver.loadBalancer.servers]]
address = "10.8.0.14:443"
[certificatesResolvers.default.acme]
email = "certs@captnemo.in"
storage = "/acme/acme.json"
[certificatesResolvers.default.acme.httpChallenge]
entryPoint = "web"
[tls.options]
[tls.options.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
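Review bot: `TLS_RSA_WITH_AES_256_GCM_SHA384` under `[tls.options.foo]` uses static RSA key exchange and therefore gives no forward secrecy; with `minVersion = "VersionTLS12"` the ECDHE suite already listed covers the need, so drop the RSA suite or replace it with `"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`. As far as I know only a TLS option set named `default` is applied automatically, so `foo` has no effect unless a router references it by name; renaming the table to `[tls.options.default]` would make these settings actually apply. The `everything` redirectScheme middleware is likewise defined but attached to no router, and if it is wired up later note that the secure entrypoint is published externally on 8443 in traefik.tf, so the redirect would need `port = "8443"` to land anywhere. `defaultRule = ""` also deserves a comment, since an empty rule template presumably leaves any container without an explicit rule label unroutable.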
@@ -1,7 +1,23 @@
resource "docker_container" "wp" {
image = "${docker_image.wp.latest}"
name = "kaarana-wordpress"
restart = "always"
must_run = true
labels {
"traefik.enable" = "true"
"traefik.tcp.routers.kaarana.rule" = "HostSNI(`kaarana.captnemo.in`)"
"traefik.tcp.routers.kaarana.tls" = "true"
"traefik.tcp.services.wordpress.loadbalancer.server.port" = "80"
"traefik.tcp.routers.kaarana.tls.certResolver" = "default"
"traefik.tcp.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"
}
env = [
"WORDPRESS_DB_HOST=${local.db_hostname}",
"WORDPRESS_DB_USER=${local.username}",
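Review bot: The `traefik.tcp.routers.kaarana.*` labels terminate TLS and then copy the raw decrypted byte stream to port 80, so when a client negotiates h2 via ALPN the backend receives HTTP/2 frames it cannot parse — which matches the failure described in the commit message. For an HTTP backend the router and service belong in the `http` section: a `Host()` rule, `tls` plus `tls.certresolver` on the router, and the port on an `http.services` load balancer; the `tcp.*` labels and the `tls.domains[0].main` label (redundant with the Host rule) can then go. The `wp` resource's `env` list continues past the end of this hunk.
```hcl
  labels {
    "traefik.enable"                                           = "true"
    "traefik.http.routers.kaarana.rule"                        = "Host(`kaarana.captnemo.in`)"
    "traefik.http.routers.kaarana.tls"                         = "true"
    "traefik.http.routers.kaarana.tls.certresolver"            = "default"
    "traefik.http.services.wordpress.loadbalancer.server.port" = "80"
  }
  # … unchanged: env list …
```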
@@ -29,6 +45,9 @@
name = "bridge"
},
{
name = "traefik"
},
]
}