Refactor traefik expose labels via variables

- no need to pass explicit traefik labels now

miniflux.tf

@@ -3,11 +3,9 @@ module "miniflux-container" {
   source = "modules/container"
   image  = "miniflux/miniflux:2.0.10"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 8080,
-      "traefik.frontend.rule","Host:rss.captnemo.in"
-  ))}"
+  expose-web = true
+  web-port   = 8080
+  web-domain = "rss.captnemo.in"
 
   networks = "${list(module.docker.traefik-network-id,module.db.postgres-network-id)}"
 

modules/container/locals.tf

@@ -0,0 +1,17 @@
+locals {
+  traefik-common-labels {
+    "traefik.enable" = "true"
+
+    // HSTS
+    "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
+    "traefik.frontend.headers.STSSeconds"           = "2592000"
+    "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+
+    // X-Powered-By, Server headers
+    "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+    "traefik.frontend.headers.contentTypeNosniff"    = "true"
+    "traefik.frontend.headers.browserXSSFilter"      = "true"
+
+    "traefik.docker.network" = "traefik"
+  }
+}

modules/container/main.tf

@@ -8,16 +8,22 @@ resource "docker_image" "image" {
 }
 
 resource "docker_container" "container" {
-  name                  = "${var.name}"
-  image                 = "${docker_image.image.latest}"
-  ports                 = "${var.ports}"
-  restart               = "${var.restart}"
-  env                   = "${var.env}"
-  command               = "${var.command}"
-  entrypoint            = "${var.entrypoint}"
-  user                  = "${var.user}"
-  networks              = ["${var.networks}"]
-  labels                = "${var.labels}"
+  name       = "${var.name}"
+  image      = "${docker_image.image.latest}"
+  ports      = "${var.ports}"
+  restart    = "${var.restart}"
+  env        = "${var.env}"
+  command    = "${var.command}"
+  entrypoint = "${var.entrypoint}"
+  user       = "${var.user}"
+  networks   = ["${var.networks}"]
+
+  labels = "${merge(var.labels, var.expose-web ?
+    merge(local.traefik-common-labels, map(
+      "traefik.port", var.web-port,
+      "traefik.frontend.rule", "Host:${var.web-domain}",
+    )) : map())}"
+
   destroy_grace_seconds = "${var.destroy_grace_seconds}"
   must_run              = "${var.must_run}"
 }

modules/container/vars.tf

@@ -59,3 +59,29 @@ variable "labels" {
   description = "labels"
   default     = {}
 }
+
+variable "xpoweredby" {
+  default = "X-Powered-By:Allomancy||X-Server:Blackbox"
+}
+
+variable "expose-web" {
+  description = "Whether to expose the application on the web"
+  default     = "false"
+}
+
+variable "web-port" {
+  description = "Port to expose using traefik"
+  default     = "80"
+  type        = "string"
+}
+
+variable "web-domain" {
+  description = "Domain to use while exposing the application"
+  default     = ""
+  type        = "string"
+}
+
+variable "web-basicauth" {
+  description = "Whether to add basic auth check on the application"
+  default     = "false"
+}

monicahq.tf

@@ -3,11 +3,9 @@ module "monicahq-container" {
   source = "modules/container"
   image  = "monicahq/monicahq:latest"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 80,
-      "traefik.frontend.rule","Host:monica.${var.root-domain}"
-  ))}"
+  // Default is port 80
+  expose-web = true
+  web-domain = "monica.${var.root-domain}"
 
   networks = "${list(module.docker.traefik-network-id,module.db.postgres-network-id)}"
 

requestbin.tf

@@ -3,11 +3,9 @@ module "requestbin" {
   source = "./modules/container"
   image  = "jankysolutions/requestbin:latest"
 
-  labels = "${merge(
-    var.traefik-common-labels, map(
-      "traefik.port", 8000,
-      "traefik.frontend.rule","Host:requestbin.${var.root-domain}"
-  ))}"
+  // Default is port 80
+  expose-web = true
+  web-domain = "requestbin.${var.root-domain}"
 
   networks = "${list(module.docker.traefik-network-id)}"