diff --git a/contrib/compose_helpers.j2 b/contrib/compose_helpers.j2
index 90bda88..45df3df 100644
--- a/contrib/compose_helpers.j2
+++ b/contrib/compose_helpers.j2
@@ -6,23 +6,38 @@ default: - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, subnet_index) }} {% endmacro %} -{% macro traefik_labels(host, service="", port="", auth=false) %} +{% macro traefik_labels(host, port='', path_prefix='', auth=false, wildcard=false) %} +{% set name = host ~ (wildcard * '-*') ~ path_prefix -%} +{% set tls_base = domain %} +{% if wildcard -%} + {% set tls_base = host ~ '.' ~ domain %} +{%- endif -%} + traefik.enable=true -- traefik.http.routers.{{ host }}.rule=Host(`{{ host }}.{{ domain }}`) -- traefik.http.routers.{{ host }}.entrypoints=web -- traefik.http.routers.{{ host }}-tls.rule=Host(`{{ host }}.{{ domain }}`) -- traefik.http.routers.{{ host }}-tls.entrypoints=websecure -- traefik.http.routers.{{ host }}-tls.tls=true -- traefik.http.routers.{{ host }}-tls.tls.certresolver=letsencrypt -- traefik.http.routers.{{ host }}-tls.tls.domains.0.main={{ domain }} -- traefik.http.routers.{{ host }}-tls.tls.domains.0.sans=*.{{ domain }} -{% if service -%} -- traefik.http.routers.{{ host }}.service={{ service }} -{% endif %} +- traefik.http.routers.r-{{ name }}.rule={{ host_rule(host, path_prefix, wildcard) }} +- traefik.http.routers.r-{{ name }}.entrypoints=websecure +- traefik.http.routers.r-{{ name }}.tls=true +- traefik.http.routers.r-{{ name }}.tls.certresolver=letsencrypt +- traefik.http.routers.r-{{ name }}.tls.domains.0.main={{ tls_base }} +- traefik.http.routers.r-{{ name }}.tls.domains.0.sans=*.{{ tls_base }} {% if port -%} -- traefik.http.services.{{ host }}.loadbalancer.server.port={{ port }} +- traefik.http.routers.r-{{ name }}.service=svc-{{ name }} +- traefik.http.services.svc-{{ name }}.loadbalancer.server.port={{ port }} {% endif %} {% if auth -%} -- traefik.http.routers.{{ host }}-tls.middlewares=authentik@docker +- traefik.http.routers.r-{{ name }}.middlewares=authentik@docker {% endif %} {% endmacro %} + +{% macro host_rule(host, path_prefix="", wildcard=false) %} +{% if wildcard %} +{# regular a.host prevents 
warnings from 'No domain found in rule HostRegexp' #} +{# TODO: figure out this stupidity properly #} +Host(`a.{{ host }}.{{ domain }}`) || HostRegexp(`^.+\.{{ host }}\.{{ domain | replace('.', '\.') }}$`) +{%- else %} +Host(`{{ host }}.{{ domain }}`) +{%- endif %} +{% if path_prefix -%} + && PathPrefix(`{{ path_prefix }}`) +{%- endif %} +{% endmacro %} diff --git a/group_vars/alpina/vars.yml b/group_vars/alpina/vars.yml index b1856d5..e09aaa9 100644 --- a/group_vars/alpina/vars.yml +++ b/group_vars/alpina/vars.yml @@ -5,8 +5,6 @@ alpina_svc_path: ~/alpina base_volume_path: /mnt/dock media_volume_path: /mnt/media -traefik_subnet: 172.16.122.0 - # Authentik authentik_db_password: "{{ vault_authentik_db_password }}" authentik_secret_key: "{{ vault_authentik_secret_key }}" diff --git a/roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 b/roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 index c2a8570..2384982 100644 --- a/roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 +++ b/roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 @@ -2,8 +2,6 @@ networks: {{ helpers.default_network(249) | indent(2) }} - traefik_traefik: - external: true services: gluetun: @@ -16,9 +14,6 @@ services: env_file: - .env.gluetun restart: unless-stopped - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/arrstack/gluetun:/gluetun @@ -49,9 +44,6 @@ services: restart: unless-stopped depends_on: - qbittorrent - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/arrstack/config/prowlarr:/config @@ -63,9 +55,6 @@ services: restart: unless-stopped depends_on: - qbittorrent - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/arrstack/config/sonarr:/config - {{ base_volume_path }}/arrstack/downloads:/downloads 
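Review bot: The trailing `$` anchor in the wildcard `HostRegexp` of `host_rule` reaches the rendered docker-compose.yml unescaped, and Compose treats a lone `$` as variable interpolation and rejects `$` followed by a backtick, so it should be written `$$` (`\.{{ domain | replace('.', '\.') }}$$`); the removed minio rule had no anchor, so this is new breakage. `^.+\.` also matches multi-level names such as `x.y.s3.<domain>` that the `*.{{ tls_base }}` SAN requested by `traefik_labels` cannot cover, so those hosts would get a non-matching certificate; `^[^.]+\.` limits the match to the single label the wildcard certificate secures. `host` is interpolated into the regex unescaped while `domain` is escaped, so either apply the same `replace('.', '\.')` to `host` or return to the `[.]` form, which needs no backslash processing in a Jinja string literal. The router and service names built from `host ~ '-*' ~ path_prefix` (`r-s3-*` in the minio hunk, `r-nc/push` in the nextcloud hunk) carry `*` and `/`; I am not certain Traefik and the Docker label parser accept those characters in names, so normalising them, e.g. `| replace('/', '-')`, would be safer. A comment above `traefik_labels` describing the parameters (`port` is the container port and enables the service labels, `path_prefix` appends a PathPrefix matcher, `wildcard` routes `*.host.domain` and requests a certificate for it, `auth` attaches the `authentik@docker` middleware) would help callers.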
@@ -79,9 +68,6 @@ services: restart: unless-stopped depends_on: - qbittorrent - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/arrstack/config/radarr:/config - {{ base_volume_path }}/arrstack/downloads:/downloads diff --git a/roles/alpina/templates/apps/gitea/docker-compose.yml.j2 b/roles/alpina/templates/apps/gitea/docker-compose.yml.j2 index cf0fc76..ca8998f 100644 --- a/roles/alpina/templates/apps/gitea/docker-compose.yml.j2 +++ b/roles/alpina/templates/apps/gitea/docker-compose.yml.j2 @@ -2,8 +2,6 @@ networks: {{ helpers.default_network(199) | indent(2) }} - traefik_traefik: - external: true services: server: @@ -14,9 +12,6 @@ services: restart: unless-stopped env_file: - .env.gitea - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/gitea/gitea:/data depends_on: @@ -27,7 +22,5 @@ services: restart: unless-stopped env_file: - .env.db - networks: - - default volumes: - {{ base_volume_path }}/gitea/postgres:/var/lib/postgresql/data diff --git a/roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 b/roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 index 519a053..53f9d2d 100644 --- a/roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 +++ b/roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 @@ -2,8 +2,6 @@ networks: {{ helpers.default_network(197) | indent(2) }} - traefik_traefik: - external: true services: jellyfin: @@ -14,9 +12,6 @@ services: restart: unless-stopped env_file: - .env.jellyfin - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/jellyfin/config:/config - {{ base_volume_path }}/jellyfin/cache:/cache diff --git a/roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 b/roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 index 40a87e2..ec8b6e9 100644 --- a/roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 +++ b/roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 
@@ -2,9 +2,6 @@ networks: {{ helpers.default_network(198) | indent(2) }} - traefik_traefik: - external: true - services: app: @@ -18,8 +15,6 @@ services: - redis env_file: - .env.nextcloud - networks: - - default volumes: - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config @@ -32,8 +27,6 @@ services: depends_on: - app entrypoint: /cron.sh - networks: - - default volumes: - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config @@ -42,16 +35,8 @@ services: notify_push: image: nextcloud:${NEXTCLOUD_VERSION} container_name: nextcloud_notify_push - {# TODO: Refactor this and minio -#} labels: - - traefik.enable=true - - traefik.http.routers.nc-notify.rule=Host(`nc.{{ domain }}`) && PathPrefix(`/push`) - - traefik.http.routers.nc-notify.entrypoints=websecure - - traefik.http.routers.nc-notify.tls=true - - traefik.http.routers.nc-notify.tls.certresolver=letsencrypt - - traefik.http.routers.nc-notify.tls.domains.0.main={{ domain }} - - traefik.http.routers.nc-notify.tls.domains.0.sans=*.{{ domain }} - - traefik.http.services.nc-notify.loadbalancer.server.port=7867 + - {{ helpers.traefik_labels('nc', port='7867', path_prefix='/push') | indent(6) }} restart: unless-stopped user: www-data env_file: @@ -68,8 +53,6 @@ services: restart: unless-stopped env_file: - .env.db - networks: - - default volumes: - {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data @@ -79,8 +62,6 @@ services: restart: unless-stopped env_file: - .env.redis - networks: - - default command: - sh - -c diff --git a/roles/alpina/templates/services/authentik/docker-compose.yml.j2 b/roles/alpina/templates/services/authentik/docker-compose.yml.j2 index c48e64e..a642fd7 100644 --- a/roles/alpina/templates/services/authentik/docker-compose.yml.j2 +++ b/roles/alpina/templates/services/authentik/docker-compose.yml.j2 
@@ -2,8 +2,6 @@ networks: {{ helpers.default_network(253) | indent(2) }} - traefik_traefik: - external: true services: server: @@ -21,9 +19,6 @@ services: command: server env_file: - .env.authentik - networks: - - default - - traefik_traefik worker: image: ghcr.io/goauthentik/server:latest diff --git a/roles/alpina/templates/services/minio/docker-compose.yml.j2 b/roles/alpina/templates/services/minio/docker-compose.yml.j2 index 9e68148..9c89ab4 100644 --- a/roles/alpina/templates/services/minio/docker-compose.yml.j2 +++ b/roles/alpina/templates/services/minio/docker-compose.yml.j2 @@ -2,8 +2,6 @@ networks: {{ helpers.default_network(252) | indent(2) }} - traefik_traefik: - external: true services: minio: @@ -11,22 +9,11 @@ services: container_name: minio labels: - {{ helpers.traefik_labels('minio', port='9090') | indent(6) }} - - traefik.http.routers.minio.service=minio - - traefik.http.routers.minio-tls.service=minio - - traefik.http.routers.minio-s3.rule=Host(`s3.{{ domain }}`) || HostRegexp(`^.+[.]s3[.]{{ domain }}`) - - traefik.http.routers.minio-s3.entrypoints=websecure - - traefik.http.routers.minio-s3.tls=true - - traefik.http.routers.minio-s3.tls.certresolver=letsencrypt - - traefik.http.routers.minio-s3.tls.domains.0.main=s3.{{ domain }} - - traefik.http.routers.minio-s3.tls.domains.0.sans=*.s3.{{ domain }} - - traefik.http.routers.minio-s3.service=minio-s3 - - traefik.http.services.minio-s3.loadbalancer.server.port=9000 + - {{ helpers.traefik_labels('s3', port='9000') | indent(6) }} + - {{ helpers.traefik_labels('s3', port='9000', wildcard=true) | indent(6) }} restart: unless-stopped command: server --console-address ":9090" /data env_file: - .env.minio - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/minio/data:/data diff --git a/roles/alpina/templates/services/monitoring/docker-compose.yml.j2 b/roles/alpina/templates/services/monitoring/docker-compose.yml.j2 index ab7ce02..5fe3def 100644 
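Review bot: The second `traefik_labels('s3', ...)` call creates a separate `svc-s3-*` service for the same container port 9000 that `svc-s3` already targets, so Traefik now holds two identical services for this container where the removed labels had one `minio-s3` service behind a single router. This is harmless, but the old macro's `service=` parameter was the way to share a backend; if the macro grew an optional `service` override again, the wildcard call could point at `svc-s3` and the duplicate `loadbalancer.server.port` label would go away.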
--- a/roles/alpina/templates/services/monitoring/docker-compose.yml.j2 +++ b/roles/alpina/templates/services/monitoring/docker-compose.yml.j2 @@ -2,8 +2,6 @@ networks: {{ helpers.default_network(251) | indent(2) }} - traefik_traefik: - external: true services: grafana: @@ -17,9 +15,6 @@ services: restart: unless-stopped # Needed to make config files readable (not anymore, TODO: remove) user: "{{ remote_uid }}" - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/monitoring/grafana:/var/lib/grafana - ./grafana_config/grafana.ini:/etc/grafana/grafana.ini:ro @@ -103,9 +98,6 @@ services: restart: unless-stopped env_file: - .env.influxdb - networks: - - default - - traefik_traefik volumes: - {{ base_volume_path }}/monitoring/influxdb:/var/lib/influxdb2 diff --git a/roles/alpina/templates/services/traefik/docker-compose.yml.j2 b/roles/alpina/templates/services/traefik/docker-compose.yml.j2 index c243891..d25ac8e 100644 --- a/roles/alpina/templates/services/traefik/docker-compose.yml.j2 +++ b/roles/alpina/templates/services/traefik/docker-compose.yml.j2 @@ -1,14 +1,7 @@ {% import 'contrib/compose_helpers.j2' as helpers with context %} networks: - traefik: - internal: true - enable_ipv6: true - ipam: - config: - # TODO: Consider removing traefik network, it shouldn't be needed with host networking - - subnet: {{ traefik_subnet }}/24 - - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 255) }} + {{ helpers.default_network(254) | indent(2) }} services: traefik: @@ -25,11 +18,8 @@ services: - {{ base_volume_path }}/traefik/rules:/rules/extra:ro - {{ base_volume_path }}/traefik/acme:/acme - # This is mostly just so that the traefik network gets created whoami: image: containous/whoami container_name: whoami labels: - - {{ helpers.traefik_labels('whoami', port=80) | indent(6) }} - networks: - - traefik + - {{ helpers.traefik_labels('whoami', port='80') | indent(6) }} 
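Review bot: The network removed here was `internal: true`, i.e. without a route to the outside, and its replacement `helpers.default_network(254)` is defined in compose_helpers.j2 outside this diff, so whether the whoami container keeps that isolation depends on whether the macro sets `internal: true`; the visible tail of the macro does not show it. If losing the isolation is intended, a comment above the macro call such as `# shared helper network; not internal, unlike the former traefik network` would make that explicit, and the deleted TODO about host networking suggests Traefik itself no longer depends on this network at all.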
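Review bot: The comment explaining why `whoami` exists ("mostly just so that the traefik network gets created") was removed together with the network it referred to, which leaves a Traefik-exposed demo container (`whoami.<domain>` via `traefik_labels('whoami', port='80')`) with no stated purpose. Either drop the service or add a comment such as `# Kept as a smoke test for the Traefik/Let's Encrypt setup; remove if not needed` so the exposure is deliberate. The change from `port=80` to `port='80'` is not required by the macro, whose `{% if port -%}` only tests truthiness, but matching the new `''` default is reasonable.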
diff --git a/roles/alpina/templates/services/traefik/traefik.yml.j2 b/roles/alpina/templates/services/traefik/traefik.yml.j2
index edf9fef..b026723 100644
--- a/roles/alpina/templates/services/traefik/traefik.yml.j2
+++ b/roles/alpina/templates/services/traefik/traefik.yml.j2
@@ -36,7 +36,6 @@ certificatesResolvers:
 providers:
 docker:
 exposedByDefault: false
- network: traefik_traefik
 file:
 directory: /rules
 watch: true