diff --git a/docker/locals.tf b/docker/locals.tf new file mode 100644 index 0000000..10ffd80 --- /dev/null +++ b/docker/locals.tf @@ -0,0 +1,15 @@ +locals { + traefik_common_labels { + "traefik.enable" = "true" + // HSTS + "traefik.frontend.headers.SSLTemporaryRedirect" = "true" + "traefik.frontend.headers.STSSeconds" = "2592000" + "traefik.frontend.headers.STSIncludeSubdomains" = "false" + // X-Powered-By, Server headers + "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" + // X-Frame-Options + "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" + "traefik.frontend.headers.contentTypeNosniff" = "true" + "traefik.frontend.headers.browserXSSFilter" = "true" + } +} diff --git a/docker/main.tf b/docker/main.tf index 2fbe344..bb51646 100644 --- a/docker/main.tf +++ b/docker/main.tf @@ -2,18 +2,12 @@ resource docker_container "transmission" { name = "transmission" image = "${docker_image.transmission.latest}" - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 9091 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 9091, + ))}" ports { internal = 51413 
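Review bot: The shared label set enables `SSLTemporaryRedirect` but never `SSLRedirect`; if Traefik 1.x's headers middleware keeps the unrolled/secure semantics, the temporary flag only turns a 301 into a 302 and does nothing by itself, so plain-HTTP requests would not be redirected and the STS header would never be sent — confirm with a request against port 80, or add `"traefik.frontend.headers.SSLRedirect" = "true"` beside it (the `// HSTS` comment should then sit over the two `STS*` lines only). A 30-day `STSSeconds` with `STSIncludeSubdomains` off is the weakest useful HSTS policy; if every host under the domain is TLS-only, `31536000` and `true` are the usual values. `browserXSSFilter` emits the legacy `X-XSS-Protection` header, which current browsers ignore or have removed because the filter itself caused information leaks; a Content-Security-Policy via `customResponseHeaders` is the modern replacement. Separately, if this is still Terraform 0.11/HCL1, `traefik_common_labels { ... }` block syntax inside `locals` is most likely decoded as a list containing one map rather than a map, and `merge()` will reject it; the assignment form `traefik_common_labels = { ... }` is what the later `merge()` calls expect.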
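Review bot: `"traefik.port", 9091` passes a bare number into `map()` next to string values; the old `labels { "traefik.port" = 9091 }` block let HCL coerce it, but Terraform 0.11's `map()` most likely requires all values to share one type and will fail at plan time — quote it as `"traefik.port", "9091"`, and likewise for every other `map()` call in this commit (Docker labels are strings anyway). The `traefik.frontend.auth.basic` value, presumably an htpasswd line from `var.basic_auth`, is still stored as a container label and is therefore readable through `docker inspect` and in the Terraform state; that predates this commit but matters for which hash type goes into the variable. The `docker_container "transmission"` resource continues past the hunk.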
@@ -68,20 +62,14 @@ resource "docker_container" "emby" { container_path = "/media" } - labels { - "traefik.frontend.rule" = "Host:emby.in.${var.domain},emby.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8096 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:emby.in.${var.domain},emby.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8096, + ))}" memory = 2048 restart = "unless-stopped" @@ -117,18 +105,12 @@ resource "docker_container" "couchpotato" { container_path = "/movies" } - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 5050 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 5050, + ))}" memory = 256 restart = "unless-stopped" 
@@ -175,17 +157,13 @@ resource "docker_container" "airsonic" { container_path = "/airsonic/podcasts" } - labels { - "traefik.frontend.rule" = "Host:airsonic.in.${var.domain},airsonic.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 4040 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:airsonic.in.${var.domain},airsonic.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.port", 4040, + ))}" } resource "docker_container" "headerdebug" { @@ -198,17 +176,13 @@ resource "docker_container" "headerdebug" { memory = 16 - labels { - "traefik.frontend.rule" = "Host:debug.in.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 8080 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:debug.in.${var.domain},debug.${var.domain}", + "traefik.port", 8080, + "traefik.enable", "true", + ))}" } resource "docker_container" "sickrage" { 
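Review bot: The headerdebug frontend rule gains `debug.${var.domain}` on top of `debug.in.${var.domain}`, and this service carries no `traefik.frontend.auth.basic` label, so what appears to be a request-header echo service is now published on the external domain with no authentication; if that is not intended, drop the external host or add `"traefik.frontend.auth.basic", "${var.basic_auth}",` as the sibling services do. If the container echoes the headers it receives, anything Traefik attaches on the way in (forwarded-for addresses, any credentials the client sends) becomes readable to whoever can reach that hostname. `"traefik.enable", "true"` in this `map()` duplicates a key already supplied by `local.traefik_common_labels` and can be removed. The `headerdebug` resource starts before the hunk.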
@@ -236,19 +210,13 @@ resource "docker_container" "sickrage" { container_path = "/tv" } - labels { - "traefik.frontend.passHostHeader" = "false" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8081 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.passHostHeader", "false", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8081, + ))}" env = [ "PUID=1004", @@ -286,18 +254,12 @@ resource "docker_container" "headphones" { file = "/config/config.ini" } - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8181 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8181, + ))}" # lounge:tatooine env = [ 
@@ -396,19 +358,18 @@ resource "docker_container" "wiki" { container_path = "/data" } - labels { - "traefik.frontend.rule" = "Host:wiki.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 9999 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}" - } + // The last header is a workaround for double header traefik bug + // This might be actually breaking iframe till the 1.5 Final release. + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:wiki.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.port", 9999, + "traefik.frontend.headers.customResponseHeaders", "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}", + ))}" links = ["mongorocks"] - env = [ "WIKI_ADMIN_EMAIL=me@captnemo.in", "SESSION_SECRET=${var.wiki_session_secret}", 
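Review bot: The wiki now gets X-Frame-Options from two label paths: the merged `local.traefik_common_labels` contributes `customFrameOptionsValue = var.xfo_allow`, and the per-service `customResponseHeaders` override still appends `X-Frame-Options:${var.xfo_allow}`, whereas the removed block set only the latter — so the refactor itself reintroduces a second emitter of the header, which is the situation the `// double header` comment says the workaround exists for. Browsers that receive conflicting X-Frame-Options values treat the page as not frameable, so if the two ever diverge the wiki's iframe use breaks again. Either drop the `||X-Frame-Options:${var.xfo_allow}` segment now that the common labels set the value, or keep the workaround and neutralise the common key in this `map()`, and check what Traefik 1.5 actually emits once. `SESSION_SECRET=${var.wiki_session_secret}` is passed as an environment variable and is visible via `docker inspect`; that is unchanged here. The resource continues past the hunk.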
@@ -429,20 +390,15 @@ resource "docker_container" "muximux" { container_path = "/config" } - labels { - "traefik.frontend.rule" = "Host:home.in.${var.domain},home.${var.domain}" - "traefik.frontend.passHostHeader" = "false" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 80 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.frameDeny" = "true" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.port", 80, + "traefik.frontend.headers.frameDeny", "true", + "traefik.frontend.passHostHeader", "false", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.frontend.rule", "Host:home.in.${var.domain},home.${var.domain}", + ))}" # lounge:tatooine env = [ @@ -490,17 +446,12 @@ resource "docker_container" "cadvisor" { container_path = "/var/run" } - labels { - "traefik.frontend.rule" = "Host:cadvisor.${var.domain}" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8080 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - } + labels = "${merge( + local.traefik_common_labels, + map( + + "traefik.frontend.passHostHeader", "true", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8080, + ))}" } 
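Review bot: muximux loses its clickjacking protection in this hunk: `"traefik.frontend.headers.frameDeny", "true"` is merged on top of `local.traefik_common_labels`, which supplies `customFrameOptionsValue = var.xfo_allow`, and if Traefik 1.x's headers middleware follows unrolled/secure a custom frame-options value takes precedence over `FrameDeny`, so the response would carry `X-Frame-Options: ${var.xfo_allow}` rather than `DENY`. The removed block had `frameDeny` with no `customFrameOptionsValue`, so this is a regression introduced by the refactor rather than pre-existing behaviour. Because `merge()` lets the right-hand map win, override the common key explicitly here: `"traefik.frontend.headers.customFrameOptionsValue", "DENY",` (after which the `frameDeny` line is redundant). The resource continues past the hunk.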
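Review bot: The cadvisor rewrite drops the old `"traefik.frontend.rule" = "Host:cadvisor.${var.domain}"` label and adds a `passHostHeader` the old block did not have, so the frontend now falls back to Traefik's default host rule derived from the container name and the docker backend's default domain — cadvisor exposes host and container metrics, so confirm the hostname it actually ends up on is the intended one and is still behind `var.basic_auth`, or restore `"traefik.frontend.rule", "Host:cadvisor.${var.domain}",`. There is also a stray blank line as the first argument line of `map(`; harmless to HCL but inconsistent with the other resources. `8080` should be quoted like the other ports if `map()` rejects mixed value types. The `cadvisor` resource starts before the hunk.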
diff --git a/docker/traefik.tf b/docker/traefik.tf index 3ac678a..678ad37 100644 --- a/docker/traefik.tf +++ b/docker/traefik.tf @@ -9,7 +9,6 @@ resource "docker_container" "traefik" { ip = "${var.ips["eth0"]}" } - # Admin Backend ports { internal = 1111 external = 1111