CaZzzer/alpina
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

traefik: refactor macro, remove old traefik network remnants

Browse Source
This commit is contained in:
Yuri Tatishchev 2025-01-04 01:36:54 -08:00
parent e86533701a
commit 2d96ed9348
Signed by: CaZzzer
GPG Key ID: E0EBF441EA424369
11 changed files with 34 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
contrib/compose_helpers.j2
View File

@ -6,23 +6,38 @@ default:
- subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, subnet_index) }}
{% endmacro %}
{% macro traefik_labels(host, service="", port="", auth=false) %}
{% macro traefik_labels(host, port='', path_prefix='', auth=false, wildcard=false) %}
{% set name = host ~ (wildcard * '-*') ~ path_prefix -%}
{% set tls_base = domain %}
{% if wildcard -%}
{% set tls_base = host ~ '.' ~ domain %}
{%- endif -%}
traefik.enable=true
- traefik.http.routers.{{ host }}.rule=Host(`{{ host }}.{{ domain }}`)
- traefik.http.routers.{{ host }}.entrypoints=web
- traefik.http.routers.{{ host }}-tls.rule=Host(`{{ host }}.{{ domain }}`)
- traefik.http.routers.{{ host }}-tls.entrypoints=websecure
- traefik.http.routers.{{ host }}-tls.tls=true
- traefik.http.routers.{{ host }}-tls.tls.certresolver=letsencrypt
- traefik.http.routers.{{ host }}-tls.tls.domains.0.main={{ domain }}
- traefik.http.routers.{{ host }}-tls.tls.domains.0.sans=*.{{ domain }}
{% if service -%}
- traefik.http.routers.{{ host }}.service={{ service }}
{% endif %}
- traefik.http.routers.r-{{ name }}.rule={{ host_rule(host, path_prefix, wildcard) }}
- traefik.http.routers.r-{{ name }}.entrypoints=websecure
- traefik.http.routers.r-{{ name }}.tls=true
- traefik.http.routers.r-{{ name }}.tls.certresolver=letsencrypt
- traefik.http.routers.r-{{ name }}.tls.domains.0.main={{ tls_base }}
- traefik.http.routers.r-{{ name }}.tls.domains.0.sans=*.{{ tls_base }}
{% if port -%}
- traefik.http.services.{{ host }}.loadbalancer.server.port={{ port }}
- traefik.http.routers.r-{{ name }}.service=svc-{{ name }}
- traefik.http.services.svc-{{ name }}.loadbalancer.server.port={{ port }}
{% endif %}
{% if auth -%}
- traefik.http.routers.{{ host }}-tls.middlewares=authentik@docker
- traefik.http.routers.r-{{ name }}.middlewares=authentik@docker
{% endif %}
{% endmacro %}
{% macro host_rule(host, path_prefix="", wildcard=false) %}
{% if wildcard %}
{# regular a.host prevents warnings from 'No domain found in rule HostRegexp' #}
{# TODO: figure out this stupidity properly #}
Host(`a.{{ host }}.{{ domain }}`) || HostRegexp(`^.+\.{{ host }}\.{{ domain | replace('.', '\.') }}$`)
{%- else %}
Host(`{{ host }}.{{ domain }}`)
{%- endif %}
{% if path_prefix -%}
&& PathPrefix(`{{ path_prefix }}`)
{%- endif %}
{% endmacro %}

2
group_vars/alpina/vars.yml
View File

@ -5,8 +5,6 @@ alpina_svc_path: ~/alpina
base_volume_path: /mnt/dock
media_volume_path: /mnt/media
traefik_subnet: 172.16.122.0
# Authentik
authentik_db_password: "{{ vault_authentik_db_password }}"
authentik_secret_key: "{{ vault_authentik_secret_key }}"

14
roles/alpina/templates/apps/arrstack/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(249) | indent(2) }}
traefik_traefik:
external: true
services:
gluetun:
@ -16,9 +14,6 @@ services:
env_file:
- .env.gluetun
restart: unless-stopped
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/arrstack/gluetun:/gluetun
@ -49,9 +44,6 @@ services:
restart: unless-stopped
depends_on:
- qbittorrent
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/arrstack/config/prowlarr:/config
@ -63,9 +55,6 @@ services:
restart: unless-stopped
depends_on:
- qbittorrent
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/arrstack/config/sonarr:/config
- {{ base_volume_path }}/arrstack/downloads:/downloads
@ -79,9 +68,6 @@ services:
restart: unless-stopped
depends_on:
- qbittorrent
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/arrstack/config/radarr:/config
- {{ base_volume_path }}/arrstack/downloads:/downloads

7
roles/alpina/templates/apps/gitea/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(199) | indent(2) }}
traefik_traefik:
external: true
services:
server:
@ -14,9 +12,6 @@ services:
restart: unless-stopped
env_file:
- .env.gitea
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/gitea/gitea:/data
depends_on:
@ -27,7 +22,5 @@ services:
restart: unless-stopped
env_file:
- .env.db
networks:
- default
volumes:
- {{ base_volume_path }}/gitea/postgres:/var/lib/postgresql/data

5
roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(197) | indent(2) }}
traefik_traefik:
external: true
services:
jellyfin:
@ -14,9 +12,6 @@ services:
restart: unless-stopped
env_file:
- .env.jellyfin
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/jellyfin/config:/config
- {{ base_volume_path }}/jellyfin/cache:/cache

21
roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2
View File

@ -2,9 +2,6 @@
networks:
{{ helpers.default_network(198) | indent(2) }}
traefik_traefik:
external: true
services:
app:
@ -18,8 +15,6 @@ services:
- redis
env_file:
- .env.nextcloud
networks:
- default
volumes:
- {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
- {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
@ -32,8 +27,6 @@ services:
depends_on:
- app
entrypoint: /cron.sh
networks:
- default
volumes:
- {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
- {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
@ -42,16 +35,8 @@ services:
notify_push:
image: nextcloud:${NEXTCLOUD_VERSION}
container_name: nextcloud_notify_push
{# TODO: Refactor this and minio -#}
labels:
- traefik.enable=true
- traefik.http.routers.nc-notify.rule=Host(`nc.{{ domain }}`) && PathPrefix(`/push`)
- traefik.http.routers.nc-notify.entrypoints=websecure
- traefik.http.routers.nc-notify.tls=true
- traefik.http.routers.nc-notify.tls.certresolver=letsencrypt
- traefik.http.routers.nc-notify.tls.domains.0.main={{ domain }}
- traefik.http.routers.nc-notify.tls.domains.0.sans=*.{{ domain }}
- traefik.http.services.nc-notify.loadbalancer.server.port=7867
- {{ helpers.traefik_labels('nc', port='7867', path_prefix='/push') | indent(6) }}
restart: unless-stopped
user: www-data
env_file:
@ -68,8 +53,6 @@ services:
restart: unless-stopped
env_file:
- .env.db
networks:
- default
volumes:
- {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data
@ -79,8 +62,6 @@ services:
restart: unless-stopped
env_file:
- .env.redis
networks:
- default
command:
- sh
- -c

5
roles/alpina/templates/services/authentik/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(253) | indent(2) }}
traefik_traefik:
external: true
services:
server:
@ -21,9 +19,6 @@ services:
command: server
env_file:
- .env.authentik
networks:
- default
- traefik_traefik
worker:
image: ghcr.io/goauthentik/server:latest

17
roles/alpina/templates/services/minio/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(252) | indent(2) }}
traefik_traefik:
external: true
services:
minio:
@ -11,22 +9,11 @@ services:
container_name: minio
labels:
- {{ helpers.traefik_labels('minio', port='9090') | indent(6) }}
- traefik.http.routers.minio.service=minio
- traefik.http.routers.minio-tls.service=minio
- traefik.http.routers.minio-s3.rule=Host(`s3.{{ domain }}`) || HostRegexp(`^.+[.]s3[.]{{ domain }}`)
- traefik.http.routers.minio-s3.entrypoints=websecure
- traefik.http.routers.minio-s3.tls=true
- traefik.http.routers.minio-s3.tls.certresolver=letsencrypt
- traefik.http.routers.minio-s3.tls.domains.0.main=s3.{{ domain }}
- traefik.http.routers.minio-s3.tls.domains.0.sans=*.s3.{{ domain }}
- traefik.http.routers.minio-s3.service=minio-s3
- traefik.http.services.minio-s3.loadbalancer.server.port=9000
- {{ helpers.traefik_labels('s3', port='9000') | indent(6) }}
- {{ helpers.traefik_labels('s3', port='9000', wildcard=true) | indent(6) }}
restart: unless-stopped
command: server --console-address ":9090" /data
env_file:
- .env.minio
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/minio/data:/data

8
roles/alpina/templates/services/monitoring/docker-compose.yml.j2
View File

@ -2,8 +2,6 @@
networks:
{{ helpers.default_network(251) | indent(2) }}
traefik_traefik:
external: true
services:
grafana:
@ -17,9 +15,6 @@ services:
restart: unless-stopped
# Needed to make config files readable (not anymore, TODO: remove)
user: "{{ remote_uid }}"
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/monitoring/grafana:/var/lib/grafana
- ./grafana_config/grafana.ini:/etc/grafana/grafana.ini:ro
@ -103,9 +98,6 @@ services:
restart: unless-stopped
env_file:
- .env.influxdb
networks:
- default
- traefik_traefik
volumes:
- {{ base_volume_path }}/monitoring/influxdb:/var/lib/influxdb2

14
roles/alpina/templates/services/traefik/docker-compose.yml.j2
View File

@ -1,14 +1,7 @@
{% import 'contrib/compose_helpers.j2' as helpers with context %}
networks:
traefik:
internal: true
enable_ipv6: true
ipam:
config:
# TODO: Consider removing traefik network, it shouldn't be needed with host networking
- subnet: {{ traefik_subnet }}/24
- subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 255) }}
{{ helpers.default_network(254) | indent(2) }}
services:
traefik:
@ -25,11 +18,8 @@ services:
- {{ base_volume_path }}/traefik/rules:/rules/extra:ro
- {{ base_volume_path }}/traefik/acme:/acme
# This is mostly just so that the traefik network gets created
whoami:
image: containous/whoami
container_name: whoami
labels:
- {{ helpers.traefik_labels('whoami', port=80) | indent(6) }}
networks:
- traefik
- {{ helpers.traefik_labels('whoami', port='80') | indent(6) }}

1
roles/alpina/templates/services/traefik/traefik.yml.j2
View File

@ -36,7 +36,6 @@ certificatesResolvers:
providers:
docker:
exposedByDefault: false
network: traefik_traefik
file:
directory: /rules
watch: true