From 30853ee5aa006ae6941c5f03adf12f83bc199ed1 Mon Sep 17 00:00:00 2001
From: Nemo <me@captnemo.in>
Date: Mon, 30 Jul 2018 12:12:58 +0530
Subject: [PATCH] Refactor traefik expose labels via variables

- no need to pass explicit traefik labels now
---
 miniflux.tf                 |  8 +++-----
 monicahq.tf                 |  8 +++-----
 requestbin.tf               |  8 +++-----
 modules/container/locals.tf | 17 +++++++++++++++++
 modules/container/main.tf   | 26 ++++++++++++++++++++------
 modules/container/vars.tf   | 26 ++++++++++++++++++++++++++
 6 files changed, 68 insertions(+), 25 deletions(-)

diff --git a/miniflux.tf b/miniflux.tf
index a804d92..6e44ed3 100644
--- a/miniflux.tf
+++ a/miniflux.tf
@@ -1,13 +1,11 @@
 module "miniflux-container" {
   name   = "miniflux"
   source = "modules/container"
   image  = "miniflux/miniflux:2.0.10"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 8080,
-      "traefik.frontend.rule","Host:rss.captnemo.in"
-  ))}"
+  expose-web = true
+  web-port   = 8080
+  web-domain = "rss.captnemo.in"
 
   networks = "${list(module.docker.traefik-network-id,module.db.postgres-network-id)}"
 
diff --git a/monicahq.tf b/monicahq.tf
index 1ff2eae..d3df47a 100644
--- a/monicahq.tf
+++ a/monicahq.tf
@@ -1,13 +1,11 @@
 module "monicahq-container" {
   name   = "monica"
   source = "modules/container"
   image  = "monicahq/monicahq:latest"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 80,
-      "traefik.frontend.rule","Host:monica.${var.root-domain}"
-  ))}"
+  // Default is port 80
+  expose-web = true
+  web-domain = "monica.${var.root-domain}"
 
   networks = "${list(module.docker.traefik-network-id,module.db.postgres-network-id)}"
 
diff --git a/requestbin.tf b/requestbin.tf
index 948a6ae..ebfd84a 100644
--- a/requestbin.tf
+++ a/requestbin.tf
@@ -1,13 +1,11 @@
 module "requestbin" {
   name   = "requestbin"
   source = "./modules/container"
   image  = "jankysolutions/requestbin:latest"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 8000,
-      "traefik.frontend.rule","Host:requestbin.${var.root-domain}"
-  ))}"
+  // Default is port 80
+  expose-web = true
+  web-domain = "requestbin.${var.root-domain}"
 
   networks = "${list(module.docker.traefik-network-id)}"
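Review bot: The replacement block drops the backend port for requestbin. The removed labels set `traefik.port` to 8000, but the new lines rely on the module default under the comment `// Default is port 80`, so Traefik will be pointed at port 80 on this container. That comment looks copied from monicahq.tf, where the old value really was 80. Unless the image's listening port changed in a way this diff does not show, add `web-port = 8000` and drop the comment. The module block continues past the end of the hunk.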
 
diff --git a/modules/container/locals.tf b/modules/container/locals.tf
new file mode 100644
index 0000000..1cb8155 100644
--- /dev/null
+++ a/modules/container/locals.tf
@@ -1,0 +1,17 @@
+locals {
+  traefik-common-labels {
+    "traefik.enable" = "true"
+
+    // HSTS
+    "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
+    "traefik.frontend.headers.STSSeconds"           = "2592000"
+    "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+
+    // X-Powered-By, Server headers
+    "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+    "traefik.frontend.headers.contentTypeNosniff"    = "true"
+    "traefik.frontend.headers.browserXSSFilter"      = "true"
+
+    "traefik.docker.network" = "traefik"
+  }
+}
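Review bot: The comment `// X-Powered-By, Server headers` does not match what the label below it sets. The default of `var.xpoweredby` in vars.tf is `X-Powered-By:Allomancy||X-Server:Blackbox`, which adds an `X-Server` header and leaves whatever `Server` header the backend sends untouched; if masking `Server` was the intent (an inference from the comment), this does not do it. The `contentTypeNosniff` and `browserXSSFilter` lines are unrelated to either header and deserve their own comment, e.g. `// Browser hardening headers`. Likewise `SSLTemporaryRedirect` sits under `// HSTS` but controls the redirect status rather than Strict-Transport-Security, and a note that the 30-day `STSSeconds` value is deliberate would help the next reader.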
diff --git a/modules/container/main.tf b/modules/container/main.tf
index b539842..e67b3af 100644
--- a/modules/container/main.tf
+++ a/modules/container/main.tf
@@ -8,16 +8,22 @@
 }
 
 resource "docker_container" "container" {
-  name                  = "${var.name}"
-  image                 = "${docker_image.image.latest}"
-  ports                 = "${var.ports}"
-  restart               = "${var.restart}"
-  env                   = "${var.env}"
-  command               = "${var.command}"
-  entrypoint            = "${var.entrypoint}"
-  user                  = "${var.user}"
-  networks              = ["${var.networks}"]
-  labels                = "${var.labels}"
+  name       = "${var.name}"
+  image      = "${docker_image.image.latest}"
+  ports      = "${var.ports}"
+  restart    = "${var.restart}"
+  env        = "${var.env}"
+  command    = "${var.command}"
+  entrypoint = "${var.entrypoint}"
+  user       = "${var.user}"
+  networks   = ["${var.networks}"]
+
+  labels = "${merge(var.labels, var.expose-web ?
+    merge(local.traefik-common-labels, map(
+      "traefik.port", var.web-port,
+      "traefik.frontend.rule", "Host:${var.web-domain}",
+    )) : map())}"
+
   destroy_grace_seconds = "${var.destroy_grace_seconds}"
   must_run              = "${var.must_run}"
 }
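Review bot: Nothing in the new `labels` expression guards against an empty domain: `web-domain` defaults to `""` in vars.tf, so `expose-web = true` without a domain produces the frontend rule `Host:` instead of an error. Failing closed is safer, e.g. `var.expose-web && var.web-domain != "" ? ... : map()`, or at minimum state in the `web-domain` description that it is required when `expose-web` is true. Precedence is also implicit: the Traefik map is the last argument to the outer `merge()`, so any `traefik.*` key a caller passes in `var.labels` is silently overwritten. If the hardening defaults are meant to be authoritative, a comment such as `// module defaults win over var.labels on purpose` above the expression would record that.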
diff --git a/modules/container/vars.tf b/modules/container/vars.tf
index edd44c4..d987f54 100644
--- a/modules/container/vars.tf
+++ a/modules/container/vars.tf
@@ -59,3 +59,29 @@
   description = "labels"
   default     = {}
 }
+
+variable "xpoweredby" {
+  default = "X-Powered-By:Allomancy||X-Server:Blackbox"
+}
+
+variable "expose-web" {
+  description = "Whether to expose the application on the web"
+  default     = "false"
+}
+
+variable "web-port" {
+  description = "Port to expose using traefik"
+  default     = "80"
+  type        = "string"
+}
+
+variable "web-domain" {
+  description = "Domain to use while exposing the application"
+  default     = ""
+  type        = "string"
+}
+
+variable "web-basicauth" {
+  description = "Whether to add basic auth check on the application"
+  default     = "false"
+}
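Review bot: `web-basicauth` is declared here but nothing in this patch reads it. The `labels` expression in modules/container/main.tf uses only `expose-web`, `web-port` and `web-domain`, so a caller who sets `web-basicauth = true` gets an unauthenticated frontend and no error. Either leave the variable out until it is wired to a label, or make the description honest, e.g. `description = "Reserved: not implemented yet, has no effect"`. `xpoweredby` has no description and actually carries two headers, so something like `description = "Custom response headers set by traefik, separated by ||"` would help.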
--
rgit 0.1.5