diff --git a/cloudflare/main.tf b/cloudflare/main.tf
index 4e2f6e6..f7346e2 100644
--- a/cloudflare/main.tf
+++ b/cloudflare/main.tf
@@ -13,6 +13,13 @@ resource "cloudflare_record" "home" {
 type = "A"
 }
 
+resource "cloudflare_record" "docker" {
+ domain = "${var.domain}"
+ name = "docker.in"
+ value = "10.8.0.14"
+ type = "A"
+}
+
 resource "cloudflare_record" "internet" {
 domain = "${var.domain}"
 name = "@"
diff --git a/docker/db.tf b/docker/db.tf
new file mode 100644
index 0000000..ea713a3
--- /dev/null
+++ b/docker/db.tf
@@ -0,0 +1,47 @@
+resource "docker_container" "mongorocks" {
+ name = "mongorocks"
+ image = "${docker_image.mongorocks.latest}"
+
+ restart = "unless-stopped"
+ destroy_grace_seconds = 30
+ must_run = true
+ memory = 256
+
+ volumes {
+ volume_name = "${docker_volume.mongorocks_data_volume.name}"
+ container_path = "/data/db"
+ host_path = "${docker_volume.mongorocks_data_volume.mountpoint}"
+ }
+
+ env = [
+ "AUTH=no",
+ "DATABASE=wiki",
+ "OPLOG_SIZE=50",
+ ]
+}
+
+resource "docker_container" "mariadb" {
+ name = "mariadb"
+ image = "${docker_image.mariadb.latest}"
+
+ volumes {
+ volume_name = "${docker_volume.mariadb_volume.name}"
+ container_path = "/var/lib/mysql"
+ host_path = "${docker_volume.mariadb_volume.mountpoint}"
+ }
+
+ ports {
+ internal = 3306
+ external = 3306
+ ip = "192.168.1.111"
+ }
+
+ memory = 512
+ restart = "unless-stopped"
+ destroy_grace_seconds = 10
+ must_run = true
+
+ env = [
+ "MYSQL_ROOT_PASSWORD=${var.mysql_root_password}",
+ ]
+}
diff --git a/docker/main.tf b/docker/main.tf
index 5eb3766..957d797 100644
--- a/docker/main.tf
+++ b/docker/main.tf
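Review bot: The new `docker` record in the cloudflare/main.tf hunk publishes the private address 10.8.0.14 in a public zone under var.domain, so anyone who queries the zone learns part of the internal addressing while gaining a name that only resolves usefully from hosts already on that network. If the record is only needed from inside that network, an internal resolver or split-horizon zone would avoid the disclosure. If it must stay public, record the intent next to it, e.g. `# Intentionally public: points at the 10.8.0.0/24 address, unreachable from the Internet`.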
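Review bot: In the new docker/db.tf, `mariadb` publishes 3306 on 192.168.1.111, so the root account is reachable from every host on that LAN, while `mongorocks` runs with `AUTH=no` and is kept unpublished (the wiki container reaches it via `links`); both blocks are moved here from docker/main.tf, so this is pre-existing, but the move is a good moment to tighten it. If no non-container client needs MariaDB, dropping the `ports` block and relying on container links would remove the LAN exposure. The `AUTH=no` setting is only safe while the container stays unpublished; a comment such as `# AUTH=no: never add a ports block to this container, it is reachable only via links` would keep that invariant visible. Note also that `MYSQL_ROOT_PASSWORD` passed through `env` is readable with `docker inspect` by anyone with Docker socket access.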
@@ -11,7 +11,8 @@ resource docker_container "transmission" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 ports {
@@ -65,7 +66,8 @@ resource docker_container "gitea" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 ports {
@@ -92,32 +94,6 @@ resource docker_container "gitea" {
 must_run = true
 }
 
-resource "docker_container" "mariadb" {
- name = "mariadb"
- image = "${docker_image.mariadb.latest}"
-
- volumes {
- volume_name = "${docker_volume.mariadb_volume.name}"
- container_path = "/var/lib/mysql"
- host_path = "${docker_volume.mariadb_volume.mountpoint}"
- }
-
- ports {
- internal = 3306
- external = 3306
- ip = "192.168.1.111"
- }
-
- memory = 512
- restart = "unless-stopped"
- destroy_grace_seconds = 10
- must_run = true
-
- env = [
- "MYSQL_ROOT_PASSWORD=${var.mysql_root_password}",
- ]
-}
-
 resource "docker_container" "emby" {
 name = "emby"
 image = "${docker_image.emby.latest}"
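Review bot: The `customFrameOptionsValue` label added to the transmission frontend carries var.xfo_allow, whose default in the docker/variables.tf hunk is `ALLOW-FROM https://home.bb8.fun/`; `X-Frame-Options: ALLOW-FROM` is only honoured by a few legacy browsers and is ignored by current Chrome, Safari and Firefox, so in those browsers the frontend ends up with no effective framing restriction at all. Only the muximux hunk, which uses `frameDeny = "true"`, gets a value every browser enforces. If the intent is to let home.bb8.fun embed these apps, a `Content-Security-Policy: frame-ancestors https://home.bb8.fun` header (the `traefik.frontend.headers.contentSecurityPolicy` label) is the enforced equivalent; otherwise `frameDeny` is the safer choice. The same point applies to the gitea hunk below and to the emby, couchpotato, airsonic, headerdebug, sickrage, headphones, ubooquity, wiki and cadvisor hunks.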
@@ -143,7 +119,8 @@ resource "docker_container" "emby" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 memory = 2048
@@ -189,7 +166,8 @@ resource "docker_container" "couchpotato" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 memory = 256
@@ -207,79 +185,6 @@ resource "docker_container" "couchpotato" {
 links = ["transmission"]
 }
 
-resource "docker_container" "traefik" {
- name = "traefik"
- image = "${docker_image.traefik.latest}"
-
- # Admin Backend
- ports {
- internal = 1111
- external = 1111
- ip = "192.168.1.111"
- }
-
- # Local Web Server
- ports {
- internal = 80
- external = 8888
- ip = "192.168.1.111"
- }
-
- # Local Web Server
- ports {
- internal = 80
- external = 80
- ip = "192.168.1.111"
- }
-
- # Local Web Server (HTTPS)
- ports {
- internal = 443
- external = 443
- ip = "192.168.1.111"
- }
-
- # Proxied via sydney.captnemo.in
- ports {
- internal = 443
- external = 443
- ip = "10.8.0.14"
- }
-
- ports {
- internal = 80
- external = 80
- ip = "10.8.0.14"
- }
-
- upload {
- content = "${file("${path.module}/conf/traefik.toml")}"
- file = "/etc/traefik/traefik.toml"
- }
-
- volumes {
- host_path = "/var/run/docker.sock"
- container_path = "/var/run/docker.sock"
- read_only = true
- }
-
- volumes {
- host_path = "/mnt/xwing/config/acme"
- container_path = "/acme"
- }
-
- memory = 256
- restart = "unless-stopped"
- destroy_grace_seconds = 10
- must_run = true
-
- env = [
- "CLOUDFLARE_EMAIL=${var.cloudflare_email}",
- "CLOUDFLARE_API_KEY=${var.cloudflare_key}"
- ]
-}
-
-
 resource "docker_container" "airsonic" {
 name = "airsonic"
 image = "${docker_image.airsonic.latest}"
@@ -318,7 +223,8 @@ resource "docker_container" "airsonic" {
 "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
 "traefik.frontend.headers.STSSeconds" = "2592000"
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 }
 
@@ -341,7 +247,8 @@ resource "docker_container" "headerdebug" {
 "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
 "traefik.frontend.headers.STSSeconds" = "2592000"
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 }
 
@@ -380,7 +287,8 @@ resource "docker_container" "sickrage" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 env = [
@@ -428,7 +336,8 @@ resource "docker_container" "headphones" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 # lounge:tatooine
@@ -482,7 +391,8 @@ resource "docker_container" "ubooquity" {
 "traefik.read.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.read.frontend.headers.contentTypeNosniff" = "true"
 "traefik.read.frontend.headers.browserXSSFilter" = "true"
- "traefik.read.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.read.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 }
 
 upload {
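Review bot: In the ubooquity hunk the new `customFrameOptionsValue` label is written with the plain `traefik.frontend.headers.` prefix while every other header label on this container, including the sibling `customresponseheaders` line added in the same hunk, uses the `traefik.read.frontend.headers.` segment prefix, so the `read` frontend would not receive the X-Frame-Options value and the label would instead apply to a default frontend that the rest of this block does not appear to define (the other labels of the container are outside the hunk, so this is inferred). The line should read `"traefik.read.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"`. The headerdebug, sickrage and headphones hunks on this line use the plain prefix consistently and need no change.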
@@ -535,7 +445,9 @@ resource "docker_container" "wiki" {
 "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
 "traefik.frontend.headers.STSSeconds" = "2592000"
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ "traefik.frontend.headers.referrerPolicy" = "${var.refpolicy}"
 }
 
 links = ["mongorocks"]
@@ -546,28 +458,6 @@ resource "docker_container" "wiki" {
 ]
 }
 
-resource "docker_container" "mongorocks" {
- name = "mongorocks"
- image = "${docker_image.mongorocks.latest}"
-
- restart = "unless-stopped"
- destroy_grace_seconds = 30
- must_run = true
- memory = 256
-
- volumes {
- volume_name = "${docker_volume.mongorocks_data_volume.name}"
- container_path = "/data/db"
- host_path = "${docker_volume.mongorocks_data_volume.mountpoint}"
- }
-
- env = [
- "AUTH=no",
- "DATABASE=wiki",
- "OPLOG_SIZE=50",
- ]
-}
-
 resource "docker_container" "muximux" {
 name = "muximux"
 image = "${docker_image.muximux.latest}"
@@ -594,7 +484,8 @@ resource "docker_container" "muximux" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.frameDeny" = "true"
 }
 
 # lounge:tatooine
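Review bot: The wiki hunk is the only place this commit sets `referrerPolicy`; every other frontend it touches (transmission, gitea, emby, couchpotato, airsonic, headerdebug, sickrage, headphones, ubooquity, muximux, cadvisor) still sends no Referrer-Policy, so if var.refpolicy is meant as a fleet-wide default the label `"traefik.frontend.headers.referrerPolicy" = "${var.refpolicy}"` should be added next to `customFrameOptionsValue` on those as well, and if wiki is deliberately special a comment saying so would stop the next reader from assuming an oversight. The wiki and airsonic/headerdebug frontends also lack the `contentTypeNosniff`/`browserXSSFilter` labels the others carry (visible in the context lines, pre-existing), which is worth aligning in the same pass.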
@@ -654,6 +545,7 @@ resource "docker_container" "cadvisor" {
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
- "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ "traefik.frontend.headers.customresponseheaders" = "${var.xpoweredby}"
 }
 }
diff --git a/docker/traefik.tf b/docker/traefik.tf
new file mode 100644
index 0000000..2997ae3
--- /dev/null
+++ b/docker/traefik.tf
@@ -0,0 +1,71 @@
+resource "docker_container" "traefik" {
+ name = "traefik"
+ image = "${docker_image.traefik.latest}"
+
+ # Admin Backend
+ ports {
+ internal = 1111
+ external = 1111
+ ip = "192.168.1.111"
+ }
+
+ # Local Web Server
+ ports {
+ internal = 80
+ external = 8888
+ ip = "192.168.1.111"
+ }
+
+ # Local Web Server
+ ports {
+ internal = 80
+ external = 80
+ ip = "192.168.1.111"
+ }
+
+ # Local Web Server (HTTPS)
+ ports {
+ internal = 443
+ external = 443
+ ip = "192.168.1.111"
+ }
+
+ # Proxied via sydney.captnemo.in
+ ports {
+ internal = 443
+ external = 443
+ ip = "10.8.0.14"
+ }
+
+ ports {
+ internal = 80
+ external = 80
+ ip = "10.8.0.14"
+ }
+
+ upload {
+ content = "${file("${path.module}/conf/traefik.toml")}"
+ file = "/etc/traefik/traefik.toml"
+ }
+
+ volumes {
+ host_path = "/var/run/docker.sock"
+ container_path = "/var/run/docker.sock"
+ read_only = true
+ }
+
+ volumes {
+ host_path = "/mnt/xwing/config/acme"
+ container_path = "/acme"
+ }
+
+ memory = 256
+ restart = "unless-stopped"
+ destroy_grace_seconds = 10
+ must_run = true
+
+ env = [
+ "CLOUDFLARE_EMAIL=${var.cloudflare_email}",
+ "CLOUDFLARE_API_KEY=${var.cloudflare_key}"
+ ]
+}
diff --git a/docker/variables.tf b/docker/variables.tf
index 18b4782..56ebe2c 100644
--- a/docker/variables.tf
+++ b/docker/variables.tf
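Review bot: In the new docker/traefik.tf, `read_only = true` on the `/var/run/docker.sock` bind mount is not a security boundary — a read-only bind mount of a unix socket still allows connecting to it and issuing any Docker API call, so this container effectively holds root-equivalent control of the host regardless of the flag; the block is moved from docker/main.tf, so this is pre-existing, but the flag invites a false sense of containment. A comment such as `# read_only only affects the filesystem entry; the Docker API behind the socket is fully usable` would keep that honest, and a socket proxy that exposes only the read endpoints Traefik needs would actually limit it. The admin backend on 1111 is bound to 192.168.1.111 for the whole LAN; whether that dashboard requires authentication depends on conf/traefik.toml, which is not in this diff. The Cloudflare API key is passed through `env`, so it is readable with `docker inspect` by anyone with socket access, and the `# Proxied via sydney.captnemo.in` port blocks on 10.8.0.14 publish 80/443 on that network as well.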
@@ -31,11 +31,11 @@ variable "hsts_max_age" {
 }
 
 variable "xfo_allow" {
- default = "ALLOW-FROM https://muximux.bb8.fun/"
+ default = "ALLOW-FROM https://home.bb8.fun/"
 }
 
 variable "xpoweredby" {
- default = "X-Powered-By:Allomancy,X-Server:Blackbox"
+ default = "X-Powered-By:Allomancy||X-Server:Blackbox"
 }
 
 variable "refpolicy" {