🏡 index : github.com/captn3m0/nebula.git

author Nemo <me@captnemo.in> 2019-09-21 7:55:55.0 +05:30:00
committer Nemo <me@captnemo.in> 2019-09-21 7:55:55.0 +05:30:00
commit
cce99c0b6ab6f34426e5746fbe952d12882b795e [patch]
tree
e7043bce866508ed550566d19edba232e7362153
parent
42ab949caf7c84b667f63ee6fff8ba52b64b88ca
download
cce99c0b6ab6f34426e5746fbe952d12882b795e.tar.gz

WIP ingress configuration

- Traefik is advertising http/2 along with TLS
  it then forwards the unencrypted h2 to the php server
  which is then giving up.

(╯°□°)╯︵ ┻━┻

Diff

 kaarana/database.tf  |  6 ++++--
 kaarana/traefik.tf   | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 kaarana/traefik.toml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 kaarana/wordpress.tf | 19 +++++++++++++++++++
 4 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/kaarana/database.tf b/kaarana/database.tf
index 48e7473..17756db 100644
--- a/kaarana/database.tf
+++ a/kaarana/database.tf
@@ -18,8 +18,10 @@
// Run a small mySQL container in this subnet

resource "docker_container" "mysql" {

  image = "${docker_image.db.latest}"
  name  = "kaarana-mariadb"
  image    = "${docker_image.db.latest}"
  name     = "kaarana-mariadb"
  restart  = "always"
  must_run = true

  env = [

    "MYSQL_ROOT_PASSWORD=${var.root_db_password}",
diff --git a/kaarana/traefik.tf b/kaarana/traefik.tf
index 59107a6..adf5ab0 100644
--- a/kaarana/traefik.tf
+++ a/kaarana/traefik.tf
@@ -9,3 +9,56 @@

  internal = true
}

resource "docker_container" "traefik" {

  name  = "traefik"
  image = "${docker_image.traefik.latest}"

  # Do not offer HTTP2
  # https://community.containo.us/t/traefikv2-http-2-0/1199
  env = [

    "GODEBUG=http2client=0",
  ]

  upload {

    content = "${file("${path.module}/traefik.toml")}"
    file    = "/etc/traefik/traefik.toml"
  }

  volumes {

    host_path      = "/var/run/docker.sock"
    container_path = "/var/run/docker.sock"
    read_only      = true
  }

  volumes {

    host_path      = "/mnt/disk/traefik"
    container_path = "/acme"
  }

  ports {

    internal = 443
    external = 8443
    ip       = "139.59.22.234"
  }

  ports {

    internal = 80
    external = 80
    ip       = "139.59.22.234"
  }

  memory                = 256
  restart               = "always"
  destroy_grace_seconds = 10
  must_run              = true

  networks_advanced = [

    {
      name = "bridge"
    },
    {
      name = "traefik"
    },
  ]
}
diff --git a/kaarana/traefik.toml b/kaarana/traefik.toml
new file mode 100644
index 0000000..43f3a45 100644
--- /dev/null
+++ a/kaarana/traefik.toml
@@ -1,0 +1,45 @@
# This configures docker service discovery
[providers.docker]
exposedByDefault = false
network = "traefik"
defaultRule = ""

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

[http.middlewares]
  [http.middlewares.everything.redirectScheme]
    scheme = "https"

[tcp.routers]
  [tcp.routers.forwardtohome]
    entryPoints = ["web-secure"]
    rule = "HostSNI(`emby.bb8.fun`, `git.captnemo.in`)"
    service = "homeserver"
    [tcp.routers.forwardtohome.tls]
    passthrough = true

[tcp.services]
  [tcp.services.homeserver.loadBalancer]
    [[tcp.services.homeserver.loadBalancer.servers]]
      address = "10.8.0.14:443"

[certificatesResolvers.default.acme]
  email = "certs@captnemo.in"
  storage = "/acme/acme.json"
  [certificatesResolvers.default.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"


[tls.options]
  [tls.options.foo]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
diff --git a/kaarana/wordpress.tf b/kaarana/wordpress.tf
index abb5701..d5483f3 100644
--- a/kaarana/wordpress.tf
+++ a/kaarana/wordpress.tf
@@ -1,7 +1,23 @@
resource "docker_container" "wp" {

  image = "${docker_image.wp.latest}"
  name  = "kaarana-wordpress"

  restart  = "always"
  must_run = true

  labels {

    "traefik.enable"                   = "true"

    "traefik.tcp.routers.kaarana.rule" = "HostSNI(`kaarana.captnemo.in`)"

    "traefik.tcp.routers.kaarana.tls"  = "true"


    # "traefik.tcp.routers.kaarana.tls.options"                 = "foo"
    "traefik.tcp.services.wordpress.loadbalancer.server.port" = "80"


    # "traefik.tcp.routers.kaarana.entrypoints"                 = "web-secure"
    "traefik.tcp.routers.kaarana.tls.certResolver"    = "default"

    "traefik.tcp.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"

  }

  env = [

    "WORDPRESS_DB_HOST=${local.db_hostname}",
    "WORDPRESS_DB_USER=${local.username}",
@@ -29,6 +45,9 @@
      // TODO: Once configuration/plugins have stabilized
      // remove internet access from wordpress
      name = "bridge"
    },
    {
      name = "traefik"
    },
  ]
}