From c3f6bd2ea96015189501a08092421e546e07cd93 Mon Sep 17 00:00:00 2001
From: Iurii Tatishchev
Date: Wed, 29 Mar 2023 22:19:37 -0700
Subject: [PATCH] refactor: add https and acme to traefik

---
 contrib/compose_helpers.j2 | 17 +++++++++++++++++
 roles/arrstack/templates/docker-compose.yml.j2 | 18 ++++++------------
 roles/gitea/templates/docker-compose.yml.j2 | 6 +++---
 roles/jellyfin/templates/docker-compose.yml.j2 | 6 +++---
 .../nextcloud/templates/docker-compose.yml.j2 | 5 +++--
 roles/traefik/templates/.env.traefik.j2 | 1 +
 roles/traefik/templates/docker-compose.yml.j2 | 10 ++++++----
 roles/traefik/templates/traefik.yml.j2 | 16 ++++++++++++++++
 roles/traefik/vars/app_config.yml | 10 ++++++++++
 9 files changed, 65 insertions(+), 24 deletions(-)
 create mode 100644 contrib/compose_helpers.j2

diff --git a/contrib/compose_helpers.j2 b/contrib/compose_helpers.j2
new file mode 100644
index 0000000..b4f4010
--- /dev/null
+++ b/contrib/compose_helpers.j2
@@ -0,0 +1,17 @@
+{% macro traefik_labels(host, service="", port="") %}
+traefik.enable=true
+- traefik.http.routers.{{ host }}.rule=Host(`{{ host }}.{{ domain }}`)
+- traefik.http.routers.{{ host }}.entrypoints=web
+- traefik.http.routers.{{ host }}-tls.rule=Host(`{{ host }}.{{ domain }}`)
+- traefik.http.routers.{{ host }}-tls.entrypoints=websecure
+- traefik.http.routers.{{ host }}-tls.tls=true
+- traefik.http.routers.{{ host }}-tls.tls.certresolver=letsencrypt
+- traefik.http.routers.{{ host }}-tls.tls.domains.0.main={{ domain }}
+- traefik.http.routers.{{ host }}-tls.tls.domains.0.sans=*.{{ domain }}
+{% if service -%}
+- traefik.http.routers.{{ host }}.service={{ service }}
+{%- endif %}
+{% if port -%}
+- traefik.http.services.{{ host }}.loadbalancer.server.port={{ port }}
+{%- endif %}
+{%- endmacro %}
diff --git a/roles/arrstack/templates/docker-compose.yml.j2 b/roles/arrstack/templates/docker-compose.yml.j2
index 7776b14..ef37ea8 100644
--- a/roles/arrstack/templates/docker-compose.yml.j2
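Review bot: The `service` override is emitted only for the plain `{{ host }}` router, so the `{{ host }}-tls` router defined a few lines above gets no explicit service and presumably falls back to Traefik's automatic container service; the call in roles/traefik/templates/docker-compose.yml.j2 that passes `service="api@internal"` therefore leaves the HTTPS dashboard router pointing somewhere other than `api@internal`. Add `- traefik.http.routers.{{ host }}-tls.service={{ service }}` inside the same `{% if service -%}` block. The first emitted line `traefik.enable=true` deliberately has no `- ` prefix because every caller supplies it via `- {{ traefik_labels(...) | indent(6) }}`; a one-line `{# ... #}` comment at the top of the macro stating that contract, and that `domain` comes from the caller's context, would save the next reader a trip to the call sites.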
+++ b/roles/arrstack/templates/docker-compose.yml.j2
@@ -1,3 +1,5 @@
+{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{##}
 version: "3.7"
 
 networks:
@@ -12,9 +14,7 @@ services:
     cap_add:
       - NET_ADMIN
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.qbittorrent.rule=Host(`qbit.{{ domain }}`)
-      - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
+      - {{ traefik_labels("qbit", port="8080") | indent(6) }}
     restart: unless-stopped
     networks:
       - default
@@ -31,9 +31,7 @@ services:
     image: linuxserver/jackett:latest
     container_name: jackett
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.jackett.rule=Host(`jackett.{{ domain }}`)
-      - traefik.http.services.jackett.loadbalancer.server.port=9117
+      - {{ traefik_labels("jackett", port="9117") | indent(6) }}
     restart: unless-stopped
     networks:
       - default
@@ -47,9 +45,7 @@ services:
     image: linuxserver/sonarr:latest
     container_name: sonarr
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.sonarr.rule=Host(`sonarr.{{ domain }}`)
-      - traefik.http.services.sonarr.loadbalancer.server.port=8989
+      - {{ traefik_labels("sonarr", port="8989") | indent(6) }}
     restart: unless-stopped
     depends_on:
       - qbittorrent
@@ -66,9 +62,7 @@ services:
     image: linuxserver/radarr:latest
     container_name: radarr
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.radarr.rule=Host(`radarr.{{ domain }}`)
-      - traefik.http.services.radarr.loadbalancer.server.port=7878
+      - {{ traefik_labels("radarr", port="7878") | indent(6) }}
     restart: unless-stopped
     depends_on:
       - qbittorrent
diff --git a/roles/gitea/templates/docker-compose.yml.j2 b/roles/gitea/templates/docker-compose.yml.j2
index af632ed..8308d04 100644
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@@ -1,3 +1,5 @@
+{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{##}
 version: "3.7"
 
 networks:
@@ -10,9 +12,7 @@ services:
     image: gitea/gitea:1.18
     container_name: gitea_server
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.gitea.rule=Host(`gitea.{{ domain }}`)
-      - traefik.http.services.gitea.loadbalancer.server.port=3000
+      - {{ traefik_labels("gitea", port="3000") | indent(6) }}
     restart: unless-stopped
     env_file:
       - .env.gitea
diff --git a/roles/jellyfin/templates/docker-compose.yml.j2 b/roles/jellyfin/templates/docker-compose.yml.j2
index 9c89ef4..1d8090b 100644
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -1,3 +1,5 @@
+{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{##}
 version: "3.7"
 
 networks:
@@ -10,9 +12,7 @@ services:
     image: jellyfin/jellyfin:10.8.6
     container_name: jellyfin_jellyfin
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.{{ domain }}`)
-      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
+      - {{ traefik_labels("jellyfin", port="8096") | indent(6) }}
     restart: unless-stopped
     env_file:
       - .env.jellyfin
diff --git a/roles/nextcloud/templates/docker-compose.yml.j2 b/roles/nextcloud/templates/docker-compose.yml.j2
index e22e789..25fd592 100644
--- a/roles/nextcloud/templates/docker-compose.yml.j2
+++ b/roles/nextcloud/templates/docker-compose.yml.j2
@@ -1,3 +1,5 @@
+{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{##}
 version: "3.7"
 
 networks:
@@ -81,8 +83,7 @@ services:
     image: nginx:1.23-alpine
     container_name: nextcloud_web
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.nextcloud.rule=Host(`nc.{{ domain }}`)
+      - {{ traefik_labels("nc") | indent(6) }}
     restart: unless-stopped
     links:
       - app
diff --git a/roles/traefik/templates/.env.traefik.j2 b/roles/traefik/templates/.env.traefik.j2
index e69de29..a50b9de 100644
--- a/roles/traefik/templates/.env.traefik.j2
+++ b/roles/traefik/templates/.env.traefik.j2
@@ -0,0 +1 @@
+CF_DNS_API_TOKEN={{ cloudflare_api_token }}
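Review bot: `CF_DNS_API_TOKEN={{ cloudflare_api_token }}` renders the Cloudflare API token in plaintext into .env.traefik on the target host, so the Ansible template task that writes this file (not in this diff) should set `mode: "0600"` and the rendered file should be kept out of backups and version control. The token only needs Zone:DNS:Edit on the zone used for the DNS challenge, which limits what a leak of this file would grant; a one-line `# Cloudflare token for the ACME DNS challenge, scoped to DNS edit on the zone` above the entry would record that expectation.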
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
index 220766c..b5abd68 100644
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -1,3 +1,5 @@
+{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{##}
 version: "3.7"
 
 networks:
@@ -13,12 +15,11 @@ services:
     image: traefik:v2.9
     container_name: traefik
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.traefik.rule=Host(`traefik.{{ domain }}`)
-      - traefik.http.services.traefik.loadbalancer.server.port=8080
+      - {{ traefik_labels("traefik", service="api@internal") | indent(6) }}
     restart: unless-stopped
     ports:
       - "80:80"
+      - "443:443"
       - "8080:8080"
     env_file:
       - .env.traefik
@@ -29,5 +30,6 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - {{ base_volume_path }}/traefik/rules:/rules:ro
       - {{ base_volume_path }}/traefik/logs:/logs
-      - ./rules:/rules:ro
+      - {{ base_volume_path }}/traefik/acme:/acme
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
index 53246d4..b2c8698 100644
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -14,6 +14,22 @@ entryPoints:
     forwardedHeaders:
       trustedIPs:
         - "172.16.0.0/12"
+  websecure:
+    address: ":443"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: {{ acme_email }}
+      storage: "/acme/acme.json"
+      keyType: "EC384"
+      dnsChallenge:
+        provider: "cloudflare"
+        delayBeforeCheck: 10
+        resolvers:
+          - 1.1.1.1
+          - 8.8.8.8
+          - 9.9.9.9
 
 providers:
   docker:
diff --git a/roles/traefik/vars/app_config.yml b/roles/traefik/vars/app_config.yml
index e69de29..ed7d241 100644
--- a/roles/traefik/vars/app_config.yml
+++ b/roles/traefik/vars/app_config.yml
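Review bot: The dashboard router now targets `api@internal` on both the `web` and `websecure` entrypoints, and no authentication middleware is visible on the `traefik` labels, so `traefik.{{ domain }}` serves the dashboard to anyone who can reach the proxy unless a middleware is attached from the /rules files, which are not in this diff. Attach one explicitly, e.g. `traefik.http.routers.traefik-tls.middlewares=<auth-middleware>@file` with the middleware defined under /rules, and consider dropping the `"8080:8080"` publish now that the dashboard is reachable through the proxy, since that port bypasses the routers entirely if `api.insecure` is enabled in traefik.yml. The new `{{ base_volume_path }}/traefik/acme:/acme` mount must exist before the container starts and Traefik rejects an existing acme.json whose permissions are wider than 0600, so the role's file task should create it with `mode: "0600"`.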
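Review bot: `email: {{ acme_email }}` is rendered unquoted, so an undefined or empty variable yields a `null` email and the resolver fails registration with a less obvious error; write it as `email: "{{ acme_email }}"`. Adding `websecure` without a redirection on the existing entrypoint (presumably `web`, whose definition starts above this hunk) leaves every service reachable over plaintext HTTP through the `web` routers the macro creates, so logins to gitea, nextcloud and the arr apps can still be sent unencrypted. An entrypoint-level redirect, shown below, moves all of that traffic to 443 in one place; with it in place the per-router `entrypoints=web` labels in compose_helpers.j2 only serve the redirect.
```yaml
entryPoints:
  web:
    # … unchanged: address, forwardedHeaders / trustedIPs …
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
```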
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;alpina
+35326636356536326332383464373937366130613966663736396135306131353463353334336364
+6438346563313332313835326634383063323739643165660a353431336266353239323863363637
+34383565626131353530313531663034386530373133653463353063626466613436366235393638
+6432363033343336620a336265666362663861393762316137356635363834326566623462373531
+62313233306533336331383964346536303362383639633337386664646535313133633164316530
+62623535633062656330363931353665396431376233613936626232313264376634646237303236
+38396234323931613539393034396461383564363064356635343730633233366666313434646439
+34633739333964383865396133313936363166643464613132633031663065623664616365656164
+62643035623261623435336462643864396135323139336662363865306661356534