diff --git a/kaarana/database.tf b/kaarana/database.tf
index 48e7473..17756db 100644
--- a/kaarana/database.tf
+++ b/kaarana/database.tf
@@ -18,8 +18,10 @@ resource "docker_network" "kaarana-db" {
 // Run a small mySQL container in this subnet
 resource "docker_container" "mysql" {
- image = "${docker_image.db.latest}"
- name = "kaarana-mariadb"
+ image = "${docker_image.db.latest}"
+ name = "kaarana-mariadb"
+ restart = "always"
+ must_run = true
 env = [
 "MYSQL_ROOT_PASSWORD=${var.root_db_password}",
diff --git a/kaarana/traefik.tf b/kaarana/traefik.tf
index 59107a6..adf5ab0 100644
--- a/kaarana/traefik.tf
+++ b/kaarana/traefik.tf
@@ -9,3 +9,56 @@ resource "docker_network" "traefik" {
 internal = true
 }
+
+resource "docker_container" "traefik" {
+ name = "traefik"
+ image = "${docker_image.traefik.latest}"
+
+ # Do not offer HTTP2
+ # https://community.containo.us/t/traefikv2-http-2-0/1199
+ env = [
+ "GODEBUG=http2client=0",
+ ]
+
+ upload {
+ content = "${file("${path.module}/traefik.toml")}"
+ file = "/etc/traefik/traefik.toml"
+ }
+
+ volumes {
+ host_path = "/var/run/docker.sock"
+ container_path = "/var/run/docker.sock"
+ read_only = true
+ }
+
+ volumes {
+ host_path = "/mnt/disk/traefik"
+ container_path = "/acme"
+ }
+
+ ports {
+ internal = 443
+ external = 8443
+ ip = "139.59.22.234"
+ }
+
+ ports {
+ internal = 80
+ external = 80
+ ip = "139.59.22.234"
+ }
+
+ memory = 256
+ restart = "always"
+ destroy_grace_seconds = 10
+ must_run = true
+
+ networks_advanced = [
+ {
+ name = "bridge"
+ },
+ {
+ name = "traefik"
+ },
+ ]
+}
diff --git a/kaarana/traefik.toml b/kaarana/traefik.toml
new file mode 100644
index 0000000..43f3a45
--- /dev/null
+++ b/kaarana/traefik.toml
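Review bot: `read_only = true` on the `/var/run/docker.sock` volume in the new `docker_container.traefik` resource only makes the socket file non-writable as a mount; it does not limit what the Traefik process can do through the Docker API on that socket, which is root-equivalent on the host, so a compromise of this container is effectively a compromise of the host. If the Docker provider is only needed for label discovery, consider putting a filtering proxy between Traefik and the socket, or at minimum record the trust boundary next to the mount: `# docker.sock exposes the full Docker API; read_only does not restrict it`. The `/mnt/disk/traefik` -> `/acme` volume will hold the ACME account key and certificate private keys in `acme.json`, so the host directory should be owner-only and excluded from general backups or shared mounts. The enclosing resource starts and ends within this hunk.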
@@ -0,0 +1,45 @@
+# This configures docker service discovery
+[providers.docker]
+exposedByDefault = false
+network = "traefik"
+defaultRule = ""
+
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.web-secure]
+ address = ":443"
+
+[http.middlewares]
+ [http.middlewares.everything.redirectScheme]
+ scheme = "https"
+
+[tcp.routers]
+ [tcp.routers.forwardtohome]
+ entryPoints = ["web-secure"]
+ rule = "HostSNI(`emby.bb8.fun`, `git.captnemo.in`)"
+ service = "homeserver"
+ [tcp.routers.forwardtohome.tls]
+ passthrough = true
+
+[tcp.services]
+ [tcp.services.homeserver.loadBalancer]
+ [[tcp.services.homeserver.loadBalancer.servers]]
+ address = "10.8.0.14:443"
+
+[certificatesResolvers.default.acme]
+ email = "certs@captnemo.in"
+ storage = "/acme/acme.json"
+ [certificatesResolvers.default.acme.httpChallenge]
+ # used during the challenge
+ entryPoint = "web"
+
+
+[tls.options]
+ [tls.options.foo]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ]
diff --git a/kaarana/wordpress.tf b/kaarana/wordpress.tf
index abb5701..d5483f3 100644
--- a/kaarana/wordpress.tf
+++ b/kaarana/wordpress.tf
@@ -2,6 +2,22 @@ resource "docker_container" "wp" {
 image = "${docker_image.wp.latest}"
 name = "kaarana-wordpress"
+ restart = "always"
+ must_run = true
+
+ labels {
+ "traefik.enable" = "true"
+ "traefik.tcp.routers.kaarana.rule" = "HostSNI(`kaarana.captnemo.in`)"
+ "traefik.tcp.routers.kaarana.tls" = "true"
+
+ # "traefik.tcp.routers.kaarana.tls.options" = "foo"
+ "traefik.tcp.services.wordpress.loadbalancer.server.port" = "80"
+
+ # "traefik.tcp.routers.kaarana.entrypoints" = "web-secure"
+ "traefik.tcp.routers.kaarana.tls.certResolver" = "default"
+ "traefik.tcp.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"
+ }
+
 env = [
 "WORDPRESS_DB_HOST=${local.db_hostname}",
 "WORDPRESS_DB_USER=${local.username}",
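Review bot: The `[tls.options.foo]` block is never selected by any router (the only label that would reference it, in wordpress.tf, is commented out in this same commit), so `minVersion = "VersionTLS12"` and the cipher list are inert and TLS negotiation uses Traefik's built-in defaults; in Traefik v2 the options set named `default` is the one applied to every TLS router that does not choose another, so renaming the header to `[tls.options.default]` makes these settings take effect. The same applies to `[http.middlewares.everything.redirectScheme]`: it is defined but no HTTP router attaches it, so plain HTTP arriving on the `web` entrypoint is not redirected to HTTPS. `TLS_RSA_WITH_AES_256_GCM_SHA384` is an RSA key-exchange suite without forward secrecy; unless a specific client requires it, keeping only the ECDHE suite is the safer list.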
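Review bot: With `"traefik.tcp.routers.kaarana.entrypoints"` left commented out, the `kaarana` TCP router is attached to every defined entrypoint, including `web` on :80, rather than only `web-secure`; the commented line `"traefik.tcp.routers.kaarana.entrypoints" = "web-secure"` should be re-enabled. Because this is a TCP router that terminates TLS and hands the decrypted byte stream to port 80, WordPress sees plain HTTP with no `X-Forwarded-Proto` or `Host` rewriting from Traefik and cannot tell it was reached over HTTPS, which may yield http:// links or redirect loops; an HTTP router (`traefik.http.routers.kaarana.*` with the same `certResolver`) would forward those headers. The commented-out `tls.options` label also means the `[tls.options]` block in traefik.toml does not apply to this router. The enclosing `docker_container.wp` resource starts before and continues after this hunk.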
@@ -30,5 +46,8 @@ resource "docker_container" "wp" {
 // remove internet access from wordpress
 name = "bridge"
 },
+ {
+ name = "traefik"
+ },
 ]
 }