WIP ingress configuration
- Traefik is advertising HTTP/2 along with TLS; it then forwards the unencrypted h2 to the PHP server, which then gives up. (╯°□°)╯︵ ┻━┻
This commit is contained in:
parent
42ab949caf
commit
cce99c0b6a
|
@ -18,8 +18,10 @@ resource "docker_network" "kaarana-db" {
|
||||||
// Run a small mySQL container in this subnet
|
// Run a small mySQL container in this subnet
|
||||||
|
|
||||||
resource "docker_container" "mysql" {
|
resource "docker_container" "mysql" {
|
||||||
image = "${docker_image.db.latest}"
|
image = "${docker_image.db.latest}"
|
||||||
name = "kaarana-mariadb"
|
name = "kaarana-mariadb"
|
||||||
|
restart = "always"
|
||||||
|
must_run = true
|
||||||
|
|
||||||
env = [
|
env = [
|
||||||
"MYSQL_ROOT_PASSWORD=${var.root_db_password}",
|
"MYSQL_ROOT_PASSWORD=${var.root_db_password}",
|
||||||
|
|
|
@ -9,3 +9,56 @@ resource "docker_network" "traefik" {
|
||||||
|
|
||||||
internal = true
|
internal = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "docker_container" "traefik" {
|
||||||
|
name = "traefik"
|
||||||
|
image = "${docker_image.traefik.latest}"
|
||||||
|
|
||||||
|
# Do not offer HTTP2
|
||||||
|
# https://community.containo.us/t/traefikv2-http-2-0/1199
|
||||||
|
env = [
|
||||||
|
"GODEBUG=http2client=0",
|
||||||
|
]
|
||||||
|
|
||||||
|
upload {
|
||||||
|
content = "${file("${path.module}/traefik.toml")}"
|
||||||
|
file = "/etc/traefik/traefik.toml"
|
||||||
|
}
|
||||||
|
|
||||||
|
volumes {
|
||||||
|
host_path = "/var/run/docker.sock"
|
||||||
|
container_path = "/var/run/docker.sock"
|
||||||
|
read_only = true
|
||||||
|
}
|
||||||
|
|
||||||
|
volumes {
|
||||||
|
host_path = "/mnt/disk/traefik"
|
||||||
|
container_path = "/acme"
|
||||||
|
}
|
||||||
|
|
||||||
|
ports {
|
||||||
|
internal = 443
|
||||||
|
external = 8443
|
||||||
|
ip = "139.59.22.234"
|
||||||
|
}
|
||||||
|
|
||||||
|
ports {
|
||||||
|
internal = 80
|
||||||
|
external = 80
|
||||||
|
ip = "139.59.22.234"
|
||||||
|
}
|
||||||
|
|
||||||
|
memory = 256
|
||||||
|
restart = "always"
|
||||||
|
destroy_grace_seconds = 10
|
||||||
|
must_run = true
|
||||||
|
|
||||||
|
networks_advanced = [
|
||||||
|
{
|
||||||
|
name = "bridge"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name = "traefik"
|
||||||
|
},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
|
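Review bot: `read_only = true` on the first `volumes` block (the `/var/run/docker.sock` bind mount) only makes the mount point read-only; the Docker API behind the socket stays fully usable, so a compromise of the Traefik process is equivalent to root on the host. Consider fronting the socket with a filtering proxy that exposes only the read-only endpoints the docker provider needs, and at minimum document the residual risk: `# read_only affects only the bind mount; the Docker API behind the socket remains fully accessible`. Separately, the comment `# Do not offer HTTP2` above `GODEBUG=http2client=0` is misleading: that setting disables HTTP/2 in Go's HTTP client (outbound connections), not the server-side ALPN advertisement to browsers, which is `http2server=0`; given the commit message, it is unlikely to change the observed behaviour.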
@ -0,0 +1,45 @@
|
||||||
|
# This configures docker service discovery
|
||||||
|
[providers.docker]
|
||||||
|
exposedByDefault = false
|
||||||
|
network = "traefik"
|
||||||
|
defaultRule = ""
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.web]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[entryPoints.web-secure]
|
||||||
|
address = ":443"
|
||||||
|
|
||||||
|
[http.middlewares]
|
||||||
|
[http.middlewares.everything.redirectScheme]
|
||||||
|
scheme = "https"
|
||||||
|
|
||||||
|
[tcp.routers]
|
||||||
|
[tcp.routers.forwardtohome]
|
||||||
|
entryPoints = ["web-secure"]
|
||||||
|
rule = "HostSNI(`emby.bb8.fun`, `git.captnemo.in`)"
|
||||||
|
service = "homeserver"
|
||||||
|
[tcp.routers.forwardtohome.tls]
|
||||||
|
passthrough = true
|
||||||
|
|
||||||
|
[tcp.services]
|
||||||
|
[tcp.services.homeserver.loadBalancer]
|
||||||
|
[[tcp.services.homeserver.loadBalancer.servers]]
|
||||||
|
address = "10.8.0.14:443"
|
||||||
|
|
||||||
|
[certificatesResolvers.default.acme]
|
||||||
|
email = "certs@captnemo.in"
|
||||||
|
storage = "/acme/acme.json"
|
||||||
|
[certificatesResolvers.default.acme.httpChallenge]
|
||||||
|
# used during the challenge
|
||||||
|
entryPoint = "web"
|
||||||
|
|
||||||
|
|
||||||
|
[tls.options]
|
||||||
|
[tls.options.foo]
|
||||||
|
minVersion = "VersionTLS12"
|
||||||
|
cipherSuites = [
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_RSA_WITH_AES_256_GCM_SHA384"
|
||||||
|
]
|
|
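Review bot: The `[http.middlewares]`, `[tcp.routers]`, `[tcp.services]` and `[tls.options]` tables are Traefik v2 dynamic configuration and are not accepted in the static `traefik.toml`, so as written the file will fail to load (or those sections will be rejected); they belong in a separate file loaded via `[providers.file]` with `filename = "/etc/traefik/dynamic.toml"` (name chosen here) and a matching `upload` block in traefik.tf. Once moved, `[tls.options.foo]` is still never referenced because the label that would select it is commented out, so `minVersion = "VersionTLS12"` is not enforced anywhere; renaming it to `[tls.options.default]` makes it apply to every TLS router that does not name an options set. In that same list, `TLS_RSA_WITH_AES_256_GCM_SHA384` uses static RSA key exchange with no forward secrecy and should be dropped in favour of ECDHE suites only. The `everything` redirectScheme middleware is also not attached to any router, and because it carries no `port` it redirects to https on 443 while traefik.tf publishes the TLS entrypoint on external port 8443, so the redirect would not reach Traefik as configured.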
@ -2,6 +2,22 @@ resource "docker_container" "wp" {
|
||||||
image = "${docker_image.wp.latest}"
|
image = "${docker_image.wp.latest}"
|
||||||
name = "kaarana-wordpress"
|
name = "kaarana-wordpress"
|
||||||
|
|
||||||
|
restart = "always"
|
||||||
|
must_run = true
|
||||||
|
|
||||||
|
labels {
|
||||||
|
"traefik.enable" = "true"
|
||||||
|
"traefik.tcp.routers.kaarana.rule" = "HostSNI(`kaarana.captnemo.in`)"
|
||||||
|
"traefik.tcp.routers.kaarana.tls" = "true"
|
||||||
|
|
||||||
|
# "traefik.tcp.routers.kaarana.tls.options" = "foo"
|
||||||
|
"traefik.tcp.services.wordpress.loadbalancer.server.port" = "80"
|
||||||
|
|
||||||
|
# "traefik.tcp.routers.kaarana.entrypoints" = "web-secure"
|
||||||
|
"traefik.tcp.routers.kaarana.tls.certResolver" = "default"
|
||||||
|
"traefik.tcp.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"
|
||||||
|
}
|
||||||
|
|
||||||
env = [
|
env = [
|
||||||
"WORDPRESS_DB_HOST=${local.db_hostname}",
|
"WORDPRESS_DB_HOST=${local.db_hostname}",
|
||||||
"WORDPRESS_DB_USER=${local.username}",
|
"WORDPRESS_DB_USER=${local.username}",
|
||||||
|
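Review bot: The new `labels` block routes WordPress through a TCP router with `"traefik.tcp.routers.kaarana.tls" = "true"`, which terminates TLS and then forwards the raw byte stream to port 80; when a browser negotiates h2 via ALPN, the container receives HTTP/2 frames on a plain-HTTP listener, which is consistent with the failure described in the commit message, and the `http2client=0` setting in traefik.tf will not change that since it only affects Go's outbound client. An HTTP router is the appropriate construct here: Traefik then speaks HTTP/1.1 to the container regardless of what the client negotiated, and the commented-out `entrypoints` label can be restored so the router is not attached to the plain `web` entrypoint. The certificate-related labels carry over with the same names under `traefik.http.routers`. The enclosing `docker_container` resource starts before the hunk.
```hcl
  labels {
    "traefik.enable" = "true"
    # HTTP router: Traefik terminates TLS and speaks HTTP/1.1 to the container
    "traefik.http.routers.kaarana.rule" = "Host(`kaarana.captnemo.in`)"
    "traefik.http.routers.kaarana.entrypoints" = "web-secure"
    "traefik.http.routers.kaarana.tls" = "true"
    "traefik.http.routers.kaarana.tls.certresolver" = "default"
    "traefik.http.routers.kaarana.tls.domains[0].main" = "kaarana.captnemo.in"
    "traefik.http.services.wordpress.loadbalancer.server.port" = "80"
    # … unchanged: closing brace and env block …
```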
@ -30,5 +46,8 @@ resource "docker_container" "wp" {
|
||||||
// remove internet access from wordpress
|
// remove internet access from wordpress
|
||||||
name = "bridge"
|
name = "bridge"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name = "traefik"
|
||||||
|
},
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|