From 0727981d595fe24fd3f887d152a5036451456242 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 6 Jan 2018 13:10:29 +0530
Subject: [PATCH] Switches to locals for common traefik variables
commit 3fc9b585f1992e51cf10867c67501c3d6eed45cb
Author: Nemo
Date: Sat Jan 6 13:09:21 2018 +0530
minor comments
commit 57ffe866a34bd1bea45aee8b7bd12bd6058850c4
Author: Nemo
Date: Wed Jan 3 14:42:11 2018 +0530
minor changesg
commit 9e7e169ed59ebd42c6b9ec63d3a69280fb357d58
Author: Nemo
Date: Tue Jan 2 22:26:01 2018 +0530
Adds note about traefik bug
commit 7b521e20bce246b9aff541a65da420e574b5fe5c
Author: Nemo
Date: Tue Jan 2 22:22:24 2018 +0530
[refactor] Use traefik_common_labels everywhere
commit 63225a89e2c2c8147528c65208500f8d9578a34d
Author: Nemo
Date: Tue Dec 26 19:17:21 2017 +0530
More attempts
commit 69040999db55e184a1204d21c96d08fe5dad722f
Author: Nemo
Date: Tue Dec 26 19:02:50 2017 +0530
fix trailing comma
commit 99a3637308ed0491dfa81d6a32934e45e9562fc8
Author: Nemo
Date: Tue Dec 26 18:57:57 2017 +0530
Attempt at using locals for labels - See https://stackoverflow.com/questions/47973324/how-to-use-locals-in-terraform-to-repeat-and-merge-blocks and HELP
---
 docker/locals.tf | 15 ++++
 docker/main.tf | 197 +++++++++++++++++-----------------------------
 docker/traefik.tf | 1 -
 3 files changed, 89 insertions(+), 124 deletions(-)
 create mode 100644 docker/locals.tf
diff --git a/docker/locals.tf b/docker/locals.tf
new file mode 100644
index 0000000..10ffd80
--- /dev/null
+++ b/docker/locals.tf
@@ -0,0 +1,15 @@
+locals {
+ traefik_common_labels {
+ "traefik.enable" = "true"
+ // HSTS
+ "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
+ "traefik.frontend.headers.STSSeconds" = "2592000"
+ "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+ // X-Powered-By, Server headers
+ "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+ // X-Frame-Options
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ "traefik.frontend.headers.contentTypeNosniff" = "true"
+ "traefik.frontend.headers.browserXSSFilter" = "true"
+ }
+}
diff --git a/docker/main.tf b/docker/main.tf
index 2fbe344..bb51646 100644
--- a/docker/main.tf
+++ b/docker/main.tf
@@ -2,18 +2,12 @@ resource docker_container "transmission" {
 name = "transmission"
 image = "${docker_image.transmission.latest}"
- labels {
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 9091
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 9091,
+ ))}"
 ports {
 internal = 51413
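Review bot: `"traefik.enable" = "true"` sits in `traefik_common_labels` in docker/locals.tf while `traefik.frontend.auth.basic` is left to each container's `map(...)`, so every container that merges this local is routed by Traefik and is served without basic auth unless its author remembers the auth label; in this commit airsonic, headerdebug and wiki merge the local without it. If those three are meant to be open, record that above the local with a comment such as `// No auth label here on purpose: each container must set traefik.frontend.auth.basic itself or it is served without basic auth`. The `// HSTS` comment also reads as covering `SSLTemporaryRedirect`, which is a redirect setting rather than an HSTS one; `// HTTPS redirect, then HSTS (30 days, no includeSubDomains)` would match the three lines under it.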
@@ -68,20 +62,14 @@ resource "docker_container" "emby" {
 container_path = "/media"
 }
- labels {
- "traefik.frontend.rule" = "Host:emby.in.${var.domain},emby.${var.domain}"
- "traefik.frontend.passHostHeader" = "true"
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 8096
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.rule", "Host:emby.in.${var.domain},emby.${var.domain}",
+ "traefik.frontend.passHostHeader", "true",
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 8096,
+ ))}"
 memory = 2048
 restart = "unless-stopped"
@@ -117,18 +105,12 @@ resource "docker_container" "couchpotato" {
 container_path = "/movies"
 }
- labels {
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 5050
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 5050,
+ ))}"
 memory = 256
 restart = "unless-stopped"
@@ -175,17 +157,13 @@ resource "docker_container" "airsonic" {
 container_path = "/airsonic/podcasts"
 }
- labels {
- "traefik.frontend.rule" = "Host:airsonic.in.${var.domain},airsonic.${var.domain}"
- "traefik.frontend.passHostHeader" = "true"
- "traefik.port" = 4040
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.rule", "Host:airsonic.in.${var.domain},airsonic.${var.domain}",
+ "traefik.frontend.passHostHeader", "true",
+ "traefik.port", 4040,
+ ))}"
 }
 resource "docker_container" "headerdebug" {
@@ -198,17 +176,13 @@ resource "docker_container" "headerdebug" {
 memory = 16
- labels {
- "traefik.frontend.rule" = "Host:debug.in.${var.domain}"
- "traefik.frontend.passHostHeader" = "true"
- "traefik.port" = 8080
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.rule", "Host:debug.in.${var.domain},debug.${var.domain}",
+ "traefik.port", 8080,
+ "traefik.enable", "true",
+ ))}"
 }
 resource "docker_container" "sickrage" {
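Review bot: The headerdebug `map(...)` changes the frontend rule from `Host:debug.in.${var.domain}` to `Host:debug.in.${var.domain},debug.${var.domain}`, a routing change inside a commit described as a refactor, and this container carries no `traefik.frontend.auth.basic` label. If `debug.${var.domain}` resolves outside the internal network (the `.in.` naming suggests the old host was internal-only, though the diff does not show DNS), what is presumably a header-echo service becomes reachable without authentication. Either keep the original single host or add `"traefik.frontend.auth.basic", "${var.basic_auth}",` to this map. The `"traefik.enable", "true",` entry is already supplied by `local.traefik_common_labels` and can be dropped, and the removal of `passHostHeader` deserves a line in the commit message.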
@@ -236,19 +210,13 @@ resource "docker_container" "sickrage" {
 container_path = "/tv"
 }
- labels {
- "traefik.frontend.passHostHeader" = "false"
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 8081
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.passHostHeader", "false",
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 8081,
+ ))}"
 env = [
 "PUID=1004",
@@ -286,18 +254,12 @@ resource "docker_container" "headphones" {
 file = "/config/config.ini"
 }
- labels {
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 8181
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 8181,
+ ))}"
 # lounge:tatooine
 env = [
@@ -396,19 +358,18 @@ resource "docker_container" "wiki" {
 container_path = "/data"
 }
- labels {
- "traefik.frontend.rule" = "Host:wiki.${var.domain}"
- "traefik.frontend.passHostHeader" = "true"
- "traefik.port" = 9999
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}"
- }
+ // The last header is a workaround for double header traefik bug
+ // This might be actually breaking iframe till the 1.5 Final release.
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.frontend.rule", "Host:wiki.${var.domain}",
+ "traefik.frontend.passHostHeader", "true",
+ "traefik.port", 9999,
+ "traefik.frontend.headers.customResponseHeaders", "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}",
+ ))}"
 links = ["mongorocks"]
-
 env = [
 "WIKI_ADMIN_EMAIL=me@captnemo.in",
 "SESSION_SECRET=${var.wiki_session_secret}",
@@ -429,20 +390,15 @@ resource "docker_container" "muximux" {
 container_path = "/config"
 }
- labels {
- "traefik.frontend.rule" = "Host:home.in.${var.domain},home.${var.domain}"
- "traefik.frontend.passHostHeader" = "false"
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 80
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- "traefik.frontend.headers.frameDeny" = "true"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+ "traefik.port", 80,
+ "traefik.frontend.headers.frameDeny", "true",
+ "traefik.frontend.passHostHeader", "false",
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.frontend.rule", "Host:home.in.${var.domain},home.${var.domain}",
+ ))}"
 # lounge:tatooine
 env = [
@@ -490,17 +446,12 @@ resource "docker_container" "cadvisor" {
 container_path = "/var/run"
 }
- labels {
- "traefik.frontend.rule" = "Host:cadvisor.${var.domain}"
- "traefik.frontend.auth.basic" = "${var.basic_auth}"
- "traefik.port" = 8080
- "traefik.enable" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.contentTypeNosniff" = "true"
- "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
- "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- }
+ labels = "${merge(
+ local.traefik_common_labels,
+ map(
+
+ "traefik.frontend.passHostHeader", "true",
+ "traefik.frontend.auth.basic", "${var.basic_auth}",
+ "traefik.port", 8080,
+ ))}"
 }
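Review bot: muximux used to set only `traefik.frontend.headers.frameDeny`, but through `local.traefik_common_labels` it now also inherits `traefik.frontend.headers.customFrameOptionsValue` set to `${var.xfo_allow}`. Traefik 1.x documents the custom value as overriding `frameDeny`, so the X-Frame-Options header for this dashboard would likely change from DENY to whatever `xfo_allow` holds, which weakens its clickjacking protection. Later arguments to `merge()` win, so the map can pin the old behaviour by adding `"traefik.frontend.headers.customFrameOptionsValue", "DENY",` next to the `frameDeny` entry.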
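Review bot: The cadvisor `map(...)` no longer sets `traefik.frontend.rule` (the removed block had `Host:cadvisor.${var.domain}`) and gains `passHostHeader`, and the commit message mentions neither. Without an explicit rule Traefik 1.x falls back to its provider default, `Host:{containerName}.{domain}`, which matches the old host only if Traefik's own `domain` setting equals `var.domain`; that configuration is not visible in this diff. For a container with a volume at `/var/run`, keeping the host explicit is safer: `"traefik.frontend.rule", "Host:cadvisor.${var.domain}",`. The empty `+` line after `map(` can go as well.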
diff --git a/docker/traefik.tf b/docker/traefik.tf
index 3ac678a..678ad37 100644
--- a/docker/traefik.tf
+++ b/docker/traefik.tf
@@ -9,7 +9,6 @@ resource "docker_container" "traefik" {
 ip = "${var.ips["eth0"]}"
 }
- # Admin Backend
 ports {
 internal = 1111
 external = 1111