From 99a3637308ed0491dfa81d6a32934e45e9562fc8 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Tue, 26 Dec 2017 18:57:57 +0530
Subject: [PATCH 1/7] Attempt at using locals for labels - See https://stackoverflow.com/questions/47973324/how-to-use-locals-in-terraform-to-repeat-and-merge-blocks and HELP
---
 docker/locals.tf | 10 ++++++++++
 docker/main.tf | 33 ++++++++++++++++-----------------
 2 files changed, 26 insertions(+), 17 deletions(-)
 create mode 100644 docker/locals.tf
diff --git a/docker/locals.tf b/docker/locals.tf
new file mode 100644
index 0000000..ed9ed11
--- /dev/null
+++ b/docker/locals.tf
@@ -0,0 +1,10 @@
+locals {
+ traefik_common_labels {
+ "traefik.frontend.passHostHeader" = "true"
+ "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
+ "traefik.frontend.headers.STSSeconds" = "2592000"
+ "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+ "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ }
+}
diff --git a/docker/main.tf b/docker/main.tf
index 2fbe344..33ea6e2 100644
--- a/docker/main.tf
+++ b/docker/main.tf
@@ -176,14 +176,14 @@ resource "docker_container" "airsonic" { } labels { - "traefik.frontend.rule" = "Host:airsonic.in.${var.domain},airsonic.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 4040 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" + "traefik.frontend.rule" = "Host:airsonic.in.bb8.fun,airsonic.bb8.fun" + "traefik.frontend.passHostHeader" = "false" + "traefik.port" = 4040 + "traefik.enable" = "true" + "traefik.frontend.headers.SSLTemporaryRedirect" = "true" + "traefik.frontend.headers.STSSeconds" = "2592000" + "traefik.frontend.headers.STSIncludeSubdomains" = "false" + "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" } } @@ -199,15 +199,14 @@ resource "docker_container" "headerdebug" { memory = 16 labels { - "traefik.frontend.rule" = "Host:debug.in.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 8080 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" + "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:debug.in.bb8.fun", + "traefik.port", 8080, + "traefik.enable", "true", + ) + )}" } } -- 2.40.1 From 69040999db55e184a1204d21c96d08fe5dad722f Mon Sep 17 00:00:00 2001 From: Nemo Date: Tue, 26 Dec 2017 19:02:50 +0530 Subject: [PATCH 2/7] fix trailing comma --- docker/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
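Review bot: The airsonic relabel flips `"traefik.frontend.passHostHeader"` from `"true"` to `"false"` and replaces `${var.domain}` with the literal `bb8.fun` in the frontend rule, and neither change is mentioned in the commit message; a move toward shared labels should keep each service's values byte-identical. The headerdebug hunk on the same line hardcodes `Host:debug.in.bb8.fun` the same way, so the domain variable is no longer the single source of truth for those two frontends. Keep `"traefik.frontend.rule" = "Host:airsonic.in.${var.domain},airsonic.${var.domain}"` and `"traefik.frontend.passHostHeader" = "true"` unless the behavior change is intended, in which case it belongs in its own commit.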
diff --git a/docker/main.tf b/docker/main.tf index 33ea6e2..c506706 100644 --- a/docker/main.tf +++ b/docker/main.tf @@ -204,7 +204,7 @@ resource "docker_container" "headerdebug" { map( "traefik.frontend.rule", "Host:debug.in.bb8.fun", "traefik.port", 8080, - "traefik.enable", "true", + "traefik.enable", "true" ) )}" } -- 2.40.1 From 63225a89e2c2c8147528c65208500f8d9578a34d Mon Sep 17 00:00:00 2001 From: Nemo Date: Tue, 26 Dec 2017 19:17:21 +0530 Subject: [PATCH 3/7] More attempts --- docker/locals.tf | 6 +++--- docker/traefik.tf | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docker/locals.tf b/docker/locals.tf index ed9ed11..954fbe6 100644 --- a/docker/locals.tf +++ b/docker/locals.tf @@ -1,10 +1,10 @@ locals { - traefik_common_labels { + traefik_common_labels = { "traefik.frontend.passHostHeader" = "true" "traefik.frontend.headers.SSLTemporaryRedirect" = "true" "traefik.frontend.headers.STSSeconds" = "2592000" "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" + # "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" + # "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" } } diff --git a/docker/traefik.tf b/docker/traefik.tf index 3ac678a..24987f3 100644 --- a/docker/traefik.tf +++ b/docker/traefik.tf @@ -9,11 +9,10 @@ resource "docker_container" "traefik" { ip = "${var.ips["eth0"]}" } - # Admin Backend ports { - internal = 1111 - external = 1111 - ip = "${var.ips["tun0"]}" + internal = 1111 + external = 1111 + ip = "${var.ips["tun0"]}" } # Local Web Server -- 2.40.1 From 7b521e20bce246b9aff541a65da420e574b5fe5c Mon Sep 17 00:00:00 2001 
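Review bot: Commenting out `customResponseHeaders` and `customFrameOptionsValue` in `traefik_common_labels` removes the X-Frame-Options value and the `${var.xpoweredby}` response-header override from every container that merges the common set, which at this point is headerdebug; the message ("More attempts") does not say whether the interpolations failed to parse inside `locals` or the headers were meant to go. If they were dropped only to get the block loading, record that next to them, e.g. `# TODO: re-enable once var interpolation works in locals; until then the frontend has no X-Frame-Options`, so the hardening is not silently lost when the experiment is forgotten.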
From: Nemo
Date: Tue, 2 Jan 2018 22:22:24 +0530
Subject: [PATCH 4/7] [refactor] Use traefik_common_labels everywhere
---
 docker/locals.tf | 17 ++--
 docker/main.tf | 194 +++++++++++++++++-----------------------------
 docker/traefik.tf | 6 +-
 3 files changed, 85 insertions(+), 132 deletions(-)
diff --git a/docker/locals.tf b/docker/locals.tf
index 954fbe6..ae04779 100644
--- a/docker/locals.tf
+++ b/docker/locals.tf
@@ -1,10 +1,13 @@
 locals {
- traefik_common_labels = {
- "traefik.frontend.passHostHeader" = "true"
- "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
- "traefik.frontend.headers.STSSeconds" = "2592000"
- "traefik.frontend.headers.STSIncludeSubdomains" = "false"
- # "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
- # "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ traefik_common_labels {
+ "traefik.enable" = "true"
+ "traefik.frontend.passHostHeader" = "true"
+ "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
+ "traefik.frontend.headers.STSSeconds" = "2592000"
+ "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+ "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+ "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
+ "traefik.frontend.headers.contentTypeNosniff" = "true"
+ "traefik.frontend.headers.browserXSSFilter" = "true"
 }
 }
diff --git a/docker/main.tf b/docker/main.tf
index c506706..94c10ef 100644
--- a/docker/main.tf
+++ b/docker/main.tf
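Review bot: The locals.tf hunk reverts `traefik_common_labels = {` (introduced one commit earlier) back to the block form `traefik_common_labels {` without saying why. In HCL1 a nested block written without `=` may be decoded as a list holding one map rather than as a map, in which case every `merge(local.traefik_common_labels, …)` in main.tf would be handed a list — I have not confirmed this for locals, but it is the usual reason the two spellings behave differently. If the block form is what made the merge work, a one-line comment above it saying so would stop the next reader from "fixing" it again; otherwise keep `traefik_common_labels = {`.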
@@ -2,18 +2,11 @@ resource docker_container "transmission" { name = "transmission" image = "${docker_image.transmission.latest}" - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 9091 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.port", 9091, + ))}" ports { internal = 51413 @@ -68,20 +61,14 @@ resource "docker_container" "emby" { container_path = "/media" } - labels { - "traefik.frontend.rule" = "Host:emby.in.${var.domain},emby.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8096 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:emby.in.${var.domain},emby.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8096, + ))}" memory = 2048 restart = "unless-stopped" 
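Review bot: The transmission hunk drops `"traefik.frontend.auth.basic" = "${var.basic_auth}"`: the replacement `map(` carries only `traefik.port`, and `traefik_common_labels` has no auth entry, so after this commit the transmission frontend is routed without basic auth while every other protected service in this patch (emby, couchpotato, sickrage, headphones, muximux, cadvisor) keeps its entry. Add `"traefik.frontend.auth.basic", "${var.basic_auth}",` to the transmission `map(`. A refactor that collapses twelve label lines per service into five is exactly where a dropped label is easiest to miss, so diffing the rendered labels in the plan output before and after would be worth the minute it takes.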
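Review bot: Every `map(` call in this commit ends its last pair with a trailing comma before `))}"` — here `"traefik.port", 8096,` — which is exactly what the previous commit ("fix trailing comma") removed from headerdebug; the same pattern appears in the transmission, couchpotato, airsonic, headerdebug, sickrage, headphones, wiki, muximux and cadvisor hunks. Either the interpolation parser accepts it and the earlier fix was unnecessary, or this fails at plan time; pick one form and use it consistently, e.g. `"traefik.port", 8096` with no trailing comma.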
@@ -117,18 +104,12 @@ resource "docker_container" "couchpotato" { container_path = "/movies" } - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 5050 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 5050, + ))}" memory = 256 restart = "unless-stopped" @@ -175,17 +156,13 @@ resource "docker_container" "airsonic" { container_path = "/airsonic/podcasts" } - labels { - "traefik.frontend.rule" = "Host:airsonic.in.bb8.fun,airsonic.bb8.fun" - "traefik.frontend.passHostHeader" = "false" - "traefik.port" = 4040 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:airsonic.in.${var.domain},airsonic.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.port", 4040, + ))}" } resource "docker_container" "headerdebug" { 
@@ -198,16 +175,13 @@ resource "docker_container" "headerdebug" { memory = 16 - labels { - "${merge( - local.traefik_common_labels, - map( - "traefik.frontend.rule", "Host:debug.in.bb8.fun", - "traefik.port", 8080, - "traefik.enable", "true" - ) - )}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:debug.in.${var.domain},debug.${var.domain}", + "traefik.port", 8080, + "traefik.enable", "true", + ))}" } resource "docker_container" "sickrage" { @@ -235,19 +209,13 @@ resource "docker_container" "sickrage" { container_path = "/tv" } - labels { - "traefik.frontend.passHostHeader" = "false" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8081 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.passHostHeader", "false", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8081, + ))}" env = [ "PUID=1004", 
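Review bot: The headerdebug `map(` still sets `"traefik.enable", "true",` even though `traefik.enable` is now part of `traefik_common_labels` in this same commit, so the key is written twice with the same value and headerdebug is the only service that repeats it. Drop the line so the common set is the single place that enables routing, or add a comment if the explicit entry is deliberate.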
@@ -285,18 +253,12 @@ resource "docker_container" "headphones" { file = "/config/config.ini" } - labels { - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8181 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8181, + ))}" # lounge:tatooine env = [ @@ -395,19 +357,17 @@ resource "docker_container" "wiki" { container_path = "/data" } - labels { - "traefik.frontend.rule" = "Host:wiki.${var.domain}" - "traefik.frontend.passHostHeader" = "true" - "traefik.port" = 9999 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}" - } + // The last header is a workaround for double header traefik bug + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.frontend.rule", "Host:wiki.${var.domain}", + "traefik.frontend.passHostHeader", "true", + "traefik.port", 9999, + "traefik.frontend.headers.customResponseHeaders", "${var.xpoweredby}||Referrer-Policy:${var.refpolicy}||X-Frame-Options:${var.xfo_allow}", + ))}" links = ["mongorocks"] - env = [ "WIKI_ADMIN_EMAIL=me@captnemo.in", "SESSION_SECRET=${var.wiki_session_secret}", 
@@ -428,20 +388,15 @@ resource "docker_container" "muximux" { container_path = "/config" } - labels { - "traefik.frontend.rule" = "Host:home.in.${var.domain},home.${var.domain}" - "traefik.frontend.passHostHeader" = "false" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 80 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - "traefik.frontend.headers.frameDeny" = "true" - } + labels = "${merge( + local.traefik_common_labels, + map( + "traefik.port", 80, + "traefik.frontend.headers.frameDeny", "true", + "traefik.frontend.passHostHeader", "false", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.frontend.rule", "Host:home.in.${var.domain},home.${var.domain}", + ))}" # lounge:tatooine env = [ @@ -489,17 +444,12 @@ resource "docker_container" "cadvisor" { container_path = "/var/run" } - labels { - "traefik.frontend.rule" = "Host:cadvisor.${var.domain}" - "traefik.frontend.auth.basic" = "${var.basic_auth}" - "traefik.port" = 8080 - "traefik.enable" = "true" - "traefik.frontend.headers.SSLTemporaryRedirect" = "true" - "traefik.frontend.headers.STSSeconds" = "2592000" - "traefik.frontend.headers.STSIncludeSubdomains" = "false" - "traefik.frontend.headers.contentTypeNosniff" = "true" - "traefik.frontend.headers.browserXSSFilter" = "true" - "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}" - "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}" - } + labels = "${merge( + local.traefik_common_labels, + map( + + "traefik.frontend.passHostHeader", "true", + "traefik.frontend.auth.basic", "${var.basic_auth}", + "traefik.port", 8080, + ))}" } 
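Review bot: muximux previously set `frameDeny` with no `customFrameOptionsValue`; after the merge it carries both `"traefik.frontend.headers.frameDeny", "true"` and the common `customFrameOptionsValue = "${var.xfo_allow}"`. As far as I recall, Traefik's header middleware lets a custom X-Frame-Options value win over frameDeny, so the effective header for this frontend may quietly change from DENY to whatever `var.xfo_allow` holds — confirm by inspecting the response headers. If DENY is intended, override the common key explicitly in this `map(`, e.g. `"traefik.frontend.headers.customFrameOptionsValue", "DENY",`.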
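Review bot: The cadvisor `map(` drops `"traefik.frontend.rule" = "Host:cadvisor.${var.domain}"` and adds a `"traefik.frontend.passHostHeader", "true"` that was not there before, so the service's routing host now falls back to Traefik's default rule for the container, and the commit message ("Use traefik_common_labels everywhere") announces neither change. Restore `"traefik.frontend.rule", "Host:cadvisor.${var.domain}",` as the first pair, and remove the stray blank line after `map(` while here.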
diff --git a/docker/traefik.tf b/docker/traefik.tf index 24987f3..678ad37 100644 --- a/docker/traefik.tf +++ b/docker/traefik.tf @@ -10,9 +10,9 @@ resource "docker_container" "traefik" { } ports { - internal = 1111 - external = 1111 - ip = "${var.ips["tun0"]}" + internal = 1111 + external = 1111 + ip = "${var.ips["tun0"]}" } # Local Web Server -- 2.40.1 From 9e7e169ed59ebd42c6b9ec63d3a69280fb357d58 Mon Sep 17 00:00:00 2001 From: Nemo Date: Tue, 2 Jan 2018 22:26:01 +0530 Subject: [PATCH 5/7] Adds note about traefik bug --- docker/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/main.tf b/docker/main.tf index 94c10ef..2521d1f 100644 --- a/docker/main.tf +++ b/docker/main.tf @@ -358,6 +358,7 @@ resource "docker_container" "wiki" { } // The last header is a workaround for double header traefik bug + // This might be actually breaking iframe till the 1.5 Final release. labels = "${merge( local.traefik_common_labels, -- 2.40.1 From 57ffe866a34bd1bea45aee8b7bd12bd6058850c4 Mon Sep 17 00:00:00 2001 From: Nemo Date: Wed, 3 Jan 2018 14:42:11 +0530 Subject: [PATCH 6/7] minor changesg --- docker/locals.tf | 1 - docker/main.tf | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/locals.tf b/docker/locals.tf index ae04779..ef49019 100644 --- a/docker/locals.tf +++ b/docker/locals.tf @@ -1,7 +1,6 @@ locals { traefik_common_labels { "traefik.enable" = "true" - "traefik.frontend.passHostHeader" = "true" "traefik.frontend.headers.SSLTemporaryRedirect" = "true" "traefik.frontend.headers.STSSeconds" = "2592000" "traefik.frontend.headers.STSIncludeSubdomains" = "false" diff --git a/docker/main.tf b/docker/main.tf index 2521d1f..bb51646 100644 --- a/docker/main.tf +++ b/docker/main.tf @@ -5,6 +5,7 @@ resource docker_container "transmission" { labels = "${merge( local.traefik_common_labels, map( + "traefik.frontend.auth.basic", "${var.basic_auth}", "traefik.port", 9091, ))}" -- 2.40.1 
From 3fc9b585f1992e51cf10867c67501c3d6eed45cb Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 6 Jan 2018 13:09:21 +0530
Subject: [PATCH 7/7] minor comments
---
 docker/locals.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docker/locals.tf b/docker/locals.tf
index ef49019..10ffd80 100644
--- a/docker/locals.tf
+++ b/docker/locals.tf
@@ -1,10 +1,13 @@
 locals {
 traefik_common_labels {
 "traefik.enable" = "true"
+ // HSTS
 "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
 "traefik.frontend.headers.STSSeconds" = "2592000"
 "traefik.frontend.headers.STSIncludeSubdomains" = "false"
+ // X-Powered-By, Server headers
 "traefik.frontend.headers.customResponseHeaders" = "${var.xpoweredby}"
+ // X-Frame-Options
 "traefik.frontend.headers.customFrameOptionsValue" = "${var.xfo_allow}"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
-- 2.40.1
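Review bot: The new `// HSTS` comment sits above `SSLTemporaryRedirect`, which controls the HTTP-to-HTTPS redirect rather than the Strict-Transport-Security header; the HSTS settings are the two `STS*` lines beneath it. Move the comment down one line, or widen it to `// HTTPS redirect + HSTS (30 days, subdomains excluded)` so the 2592000-second max-age and `STSIncludeSubdomains = "false"` choices are documented where they are made.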