From cce99c0b6ab6f34426e5746fbe952d12882b795e Mon Sep 17 00:00:00 2001
From: Nemo <me@captnemo.in>
Date: Sat, 21 Sep 2019 07:55:55 +0530
Subject: [PATCH] WIP ingress configuration

- Traefik is advertising http/2 along with TLS;
  it then forwards the unencrypted h2 to the php server,
  which then gives up.

(╯°□°)╯︵ ┻━┻
---
 kaarana/database.tf  |  6 ++++--
 kaarana/traefik.tf   | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 kaarana/traefik.toml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 kaarana/wordpress.tf | 19 +++++++++++++++++++
 4 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/kaarana/database.tf b/kaarana/database.tf
index 48e7473..17756db 100644
--- a/kaarana/database.tf
+++ a/kaarana/database.tf
@@ -18,8 +18,10 @@
 // Run a small mySQL container in this subnet
 
 resource "docker_container" "mysql" {
-  image = "${docker_image.db.latest}"
-  name  = "kaarana-mariadb"
+  image    = "${docker_image.db.latest}"
+  name     = "kaarana-mariadb"
+  restart  = "always"
+  must_run = true
 
   env = [
     "MYSQL_ROOT_PASSWORD=${var.root_db_password}",
diff --git a/kaarana/traefik.tf b/kaarana/traefik.tf
index 59107a6..adf5ab0 100644
--- a/kaarana/traefik.tf
+++ a/kaarana/traefik.tf
@@ -9,3 +9,56 @@
 
   internal = true
 }
+
+resource "docker_container" "traefik" {
+  name  = "traefik"
+  image = "${docker_image.traefik.latest}"
+
+  # Do not offer HTTP2
+  # https://community.containo.us/t/traefikv2-http-2-0/1199
+  env = [
+    "GODEBUG=http2client=0",
+  ]
+
+  upload {
+    content = "${file("${path.module}/traefik.toml")}"
+    file    = "/etc/traefik/traefik.toml"
+  }
+
+  volumes {
+    host_path      = "/var/run/docker.sock"
+    container_path = "/var/run/docker.sock"
+    read_only      = true
+  }
+
+  volumes {
+    host_path      = "/mnt/disk/traefik"
+    container_path = "/acme"
+  }
+
+  ports {
+    internal = 443
+    external = 8443
+    ip       = "139.59.22.234"
+  }
+
+  ports {
+    internal = 80
+    external = 80
+    ip       = "139.59.22.234"
+  }
+
+  memory                = 256
+  restart               = "always"
+  destroy_grace_seconds = 10
+  must_run              = true
+
+  networks_advanced = [
+    {
+      name = "bridge"
+    },
+    {
+      name = "traefik"
+    },
+  ]
+}
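Review bot: The `read_only = true` on the `/var/run/docker.sock` mount in the first `volumes` block does not limit what Traefik can do through the socket; a read-only bind mount still allows connecting to and writing on a Unix socket, so the container keeps full Docker API access on the host. If that is acceptable, say so next to the mount, e.g. `# read_only covers the mount only; the socket still grants full Docker API access`, otherwise front the socket with a proxy that exposes only the read endpoints the docker provider needs. Separately, the first `ports` block maps internal 443 to external 8443 while `web` stays on 80; unless another service owns 443 on 139.59.22.234, an HTTPS redirect or an issued certificate will send clients to :443 rather than :8443, so a comment stating why 443 is remapped would help. Also `GODEBUG=http2client=0` only affects Go's net/http client; if the TLS-terminating TCP routers in traefik.toml forward the decrypted stream as-is, it likely does not address the h2-to-backend failure in the commit message (hedged, as the routing lives in another file).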
diff --git a/kaarana/traefik.toml b/kaarana/traefik.toml
new file mode 100644
index 0000000..43f3a45 100644
--- /dev/null
+++ a/kaarana/traefik.toml
@@ -1,0 +1,45 @@
+# This configures docker service discovery
+[providers.docker]
+exposedByDefault = false
+network = "traefik"
+defaultRule = ""
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+  [entryPoints.web-secure]
+    address = ":443"
+
+[http.middlewares]
+  [http.middlewares.everything.redirectScheme]
+    scheme = "https"
+
+[tcp.routers]
+  [tcp.routers.forwardtohome]
+    entryPoints = ["web-secure"]
+    rule = "HostSNI(`emby.bb8.fun`, `git.captnemo.in`)"
+    service = "homeserver"
+    [tcp.routers.forwardtohome.tls]
+    passthrough = true
+
+[tcp.services]
+  [tcp.services.homeserver.loadBalancer]
+    [[tcp.services.homeserver.loadBalancer.servers]]
+      address = "10.8.0.14:443"
+
+[certificatesResolvers.default.acme]
+  email = "certs@captnemo.in"
+  storage = "/acme/acme.json"
+  [certificatesResolvers.default.acme.httpChallenge]
+    # used during the challenge
+    entryPoint = "web"
+
+
+[tls.options]
+  [tls.options.foo]
+    minVersion = "VersionTLS12"
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384"
+    ]
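Review bot: The `[tls.options.foo]` table at the end of the file is not referenced by any router in this patch (the only reference, `traefik.tcp.routers.kaarana.tls.options = "foo"` in wordpress.tf, is commented out), and Traefik applies `[tls.options.default]` to routers with no explicit option, so `minVersion = "VersionTLS12"` and the `cipherSuites` restriction take effect nowhere as committed; naming the table `[tls.options.default]` makes it the baseline for every TLS router. Within that list, `TLS_RSA_WITH_AES_256_GCM_SHA384` uses static RSA key exchange and gives no forward secrecy; keeping only ECDHE suites, with a comment such as `# ECDHE suites only: forward secrecy`, is the usual hardening. `[http.middlewares.everything.redirectScheme]` is likewise attached to no router in this diff, so plain HTTP on `web` is not redirected to HTTPS as far as this hunk shows. The ACME `storage = "/acme/acme.json"` holds the account and certificate private keys on the `/mnt/disk/traefik` host path; a comment noting that the file must stay mode 600 and be treated as a secret when the disk is backed up would help the next maintainer.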
diff --git a/kaarana/wordpress.tf b/kaarana/wordpress.tf
index abb5701..d5483f3 100644
--- a/kaarana/wordpress.tf
+++ a/kaarana/wordpress.tf
@@ -1,7 +1,23 @@
 resource "docker_container" "wp" {
   image = "${docker_image.wp.latest}"
   name  = "kaarana-wordpress"
 
+  restart  = "always"
+  must_run = true
+
+  labels {
+    "traefik.enable"                   = "true"
+    "traefik.tcp.routers.kaarana.rule" = "HostSNI(`kaarana.captnemo.in`)"
+    "traefik.tcp.routers.kaarana.tls"  = "true"
+
+    # "traefik.tcp.routers.kaarana.tls.options"                 = "foo"
+    "traefik.tcp.services.wordpress.loadbalancer.server.port" = "80"
+
+    # "traefik.tcp.routers.kaarana.entrypoints"                 = "web-secure"
+    "traefik.tcp.routers.kaarana.tls.certResolver"    = "default"
+    "traefik.tcp.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"
+  }
+
   env = [
     "WORDPRESS_DB_HOST=${local.db_hostname}",
     "WORDPRESS_DB_USER=${local.username}",
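Review bot: The `labels` block routes `kaarana.captnemo.in` through a `tcp` router with TLS termination to a backend that, per the `...loadbalancer.server.port = "80"` label, speaks plain HTTP; after terminating TLS a TCP router forwards the decrypted stream unchanged, so a client that negotiated h2 via ALPN sends HTTP/2 frames straight to WordPress, which matches the failure the commit message describes. An `http` router lets Traefik terminate both TLS and HTTP/2 and speak HTTP/1.1 to the container, and it also allows the `web-secure` entrypoint and the `default` certResolver to be set explicitly instead of leaving the router bound to every entrypoint, including the plaintext `web`. `HostSNI` becomes `Host`, and the `tls.domains[0].main` label is redundant once the rule names the host. The enclosing `docker_container.wp` resource continues past the hunk.
```hcl
  labels {
    "traefik.enable"                                           = "true"
    "traefik.http.routers.kaarana.rule"                        = "Host(`kaarana.captnemo.in`)"
    "traefik.http.routers.kaarana.entrypoints"                 = "web-secure"
    "traefik.http.routers.kaarana.tls"                         = "true"
    "traefik.http.routers.kaarana.tls.certResolver"            = "default"
    "traefik.http.services.wordpress.loadbalancer.server.port" = "80"
  }
```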
@@ -29,6 +45,9 @@
       // TODO: Once configuration/plugins have stabilized
       // remove internet access from wordpress
       name = "bridge"
+    },
+    {
+      name = "traefik"
     },
   ]
 }
--
rgit 0.1.5