diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 1927fc8..0e24804 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -172,12 +172,16 @@ kuma_config: "{{ docker_dir }}/kuma/"
 # Traefik
 #
-traefik_host: "traefik"
-traefik_user_port: "80"
-traefik_admin_port: "8080"
-
-traefik_config: "{{ docker_dir }}/traefik/etc-traefik/"
-traefik_data: "{{ docker_dir }}/traefik/var-log/"
+traefik:
+ host: "traefik"
+ admin:
+ port: "8080"
+ config: "{{ docker_dir }}/traefik/etc-traefik/"
+ data: "{{ docker_dir }}/traefik/var-log/"
+ letsencrypt: "{{ docker_dir }}/traefik/letsencrypt/"
+ user:
+ web: "80"
+ websecure: "443"
 #
 # DynDns Updater
@@ -451,3 +455,17 @@ stirling:
 host: "stirling"
 dns: "pdf"
 port: 8084
+
+#
+# nginx proxy manager
+#
+
+nginx:
+ host: "nginx"
+ endpoints:
+ http: 80
+ https: 443
+ admin: 8080
+ paths:
+ letsencrypt: "{{docker_dir}}/nginx/letsencrypt"
+ data: "{{docker_dir}}/nginx/data"
diff --git a/roles/docker/tasks/nginx-proxy-manager.yml b/roles/docker/tasks/nginx-proxy-manager.yml
new file mode 100644
index 0000000..c6a7328
--- /dev/null
+++ b/roles/docker/tasks/nginx-proxy-manager.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Create nginx-data directory
+ file:
+ path: "{{ item }}"
+ owner: "{{ puid }}"
+ group: "{{ pgid }}"
+ mode: '755'
+ state: directory
+ loop:
+ - "{{ nginx.paths.letsencrypt }}"
+ - "{{ nginx.paths.data }}"
+ become: yes
diff --git a/roles/docker/tasks/pi_compose.yml b/roles/docker/tasks/pi_compose.yml
index 21f3435..a4fa09b 100644
--- a/roles/docker/tasks/pi_compose.yml
+++ b/roles/docker/tasks/pi_compose.yml
@@ -1,8 +1,8 @@
 ---
-- include_tasks: traefik.yml
+- include_tasks: nginx-proxy-manager.yml
 tags:
- - traefik
+ - nginx
 - include_tasks: pihole.yml
 tags:
diff --git a/roles/docker/tasks/pihole.yml b/roles/docker/tasks/pihole.yml
index 123193b..a98e2ba 100644
--- a/roles/docker/tasks/pihole.yml
+++ b/roles/docker/tasks/pihole.yml
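Review bot: `traefik.letsencrypt` is introduced here but nothing in this commit consumes it: the directory task in roles/docker/tasks/traefik.yml still creates only `etc-traefik/` and `var-log/`, neither compose template mounts the path, yet the new traefik.yml template stores ACME state at `/letsencrypt/acme.json`. Either add `- "{{ traefik.letsencrypt }}"` to that task's loop together with a matching container volume, or drop the key until it is used. The quoted port strings (`"8080"`, `"80"`, `"443"`) also differ from the integer ports chosen for `nginx.endpoints` in the next hunk; pick one representation for the file.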
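Review bot: `admin: 8080` publishes the nginx-proxy-manager admin UI (container port 81 in both compose templates) on every host interface, the same exposure the old `traefik_admin_port` had. If the UI is only used from the host or the LAN, bind it explicitly, e.g. `admin: "127.0.0.1:8080"`; the `'{{nginx.endpoints.admin}}:81'` mapping accepts a host-IP prefix unchanged. The `{{docker_dir}}` expansions here also lack the inner spaces used everywhere else in the file (`{{ docker_dir }}`) — harmless to Jinja, but worth aligning.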
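Review bot: `become: yes` on the last line uses a YAML 1.1 truthy value while the sibling task file pihole.yml writes `become: true`; use `become: true` so the role reads the same way everywhere and yamllint's `truthy` rule stays quiet. `mode: '755'` additionally makes `{{ nginx.paths.letsencrypt }}` world-readable; that directory is mounted at `/etc/letsencrypt` in the containers and will presumably hold certificate private keys, so a tighter `mode: '0750'` for that entry is the safer default (the image runs as root in the container by default, so it should still read it — verify). Writing modes with a leading zero (`'0750'`, `'0755'`) also matches the usual Ansible convention.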
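Review bot: After this swap nothing on the pi host includes traefik.yml any more, yet the same commit adds a "Copy traefik-config" task to that file and keeps the traefik vars and template; if traefik is retired on pi, the orphaned task and vars should go in the same change, otherwise the new include belongs alongside the old one rather than replacing it. The tag rename `traefik` → `nginx` also means existing `--tags traefik` runs silently match nothing on this host. The include list continues past the hunk.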
@@ -10,3 +10,12 @@
 - "{{ docker_dir }}/pihole/etc-pihole/"
 - "{{ docker_dir }}/pihole/etc-dnsmasq.d/"
 become: true
+
+
+- name: Copy wildcard config
+ template:
+ owner: "{{ puid }}"
+ src: "templates/common/pihole/etc-dnsmasq/02-wildcard-dns.conf"
+ dest: "{{ docker_dir }}/pihole/etc-dnsmasq.d/02-wildcard-dns.conf"
+ mode: '660'
+ become: true
diff --git a/roles/docker/tasks/traefik.yml b/roles/docker/tasks/traefik.yml
index 222955f..d69ceaa 100644
--- a/roles/docker/tasks/traefik.yml
+++ b/roles/docker/tasks/traefik.yml
@@ -9,3 +9,10 @@
 loop:
 - "{{ docker_dir }}/traefik/etc-traefik/"
 - "{{ docker_dir }}/traefik/var-log/"
+
+- name: Copy traefik-config
+ template:
+ owner: 1000
+ src: "templates/common/traefik/etc-traefik/traefik.yml"
+ dest: "{{ traefik.config }}"
+ mode: '400'
diff --git a/roles/docker/templates/aya01/compose.yaml b/roles/docker/templates/aya01/compose.yaml
index 26de969..4e6de9a 100644
--- a/roles/docker/templates/aya01/compose.yaml
+++ b/roles/docker/templates/aya01/compose.yaml
@@ -1,26 +1,26 @@
 version: '3'
 services:
- traefik:
- image: traefik:latest
- container_name: traefik
+ nginx:
+ container_name: "{{nginx.host}}"
+ image: 'jc21/nginx-proxy-manager:latest'
 restart: unless-stopped
 networks:
 net: {}
- volumes:
- - "/etc/localtime:/etc/localtime:ro"
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
- - "{{ traefik_config }}:/etc/traefik/"
- - "{{ traefik_data }}:/var/log/"
 ports:
- - "{{ traefik_user_port}}:80"
- - "{{ traefik_admin_port}}:8080"
+ - '{{nginx.endpoints.http}}:80'
+ - '{{nginx.endpoints.https}}:443'
+ - '{{nginx.endpoints.admin}}:81'
+ volumes:
+ - "{{nginx.paths.data}}:/data"
+ - "{{nginx.paths.letsencrypt}}:/etc/letsencrypt"
+ - '/var/run/docker.sock:/var/run/docker.sock'
 pihole:
- image: pihole/pihole:latest
 container_name: pihole
+ image: pihole/pihole:latest
 restart: unless-stopped
 depends_on:
- - traefik
+ - nginx
 networks:
 - net
 ports:
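Review bot: The "Copy wildcard config" task sets `owner: "{{ puid }}"` and `mode: '660'` but no `group:`, so under `become: true` the file is group-owned by whatever the privileged user defaults to while being unreadable to others; whether the dnsmasq process inside the pihole container can read it then depends on the UID it runs as (presumably not `puid`). Add `group: "{{ pgid }}"` as the directory task above does, or use `mode: '0644'` — the file holds no secrets. The task also has no `notify:`, so an edited wildcard file is only picked up the next time the container's dnsmasq restarts; a handler restarting pihole on change would close that gap.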
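Review bot: `owner: 1000` is a hard-coded UID while the directory task directly above and the rest of the role use `"{{ puid }}"`; write `owner: "{{ puid }}"`. The task also carries no `become:` although the pihole.yml tasks do, so chowning a `'400'` file to another UID inside `{{ traefik.config }}` will fail unless the play already runs privileged — state it explicitly. With mode 400 the group is irrelevant, but the traefik container must then run as that UID or as root to read the file; the default image runs as root, so this should hold, but it is worth a comment on the task.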
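Review bot: The new nginx service bind-mounts `/var/run/docker.sock` read-write (the traefik mount it replaces was `:ro`), and nginx-proxy-manager does not consume the Docker API — its proxy hosts are configured through its UI and database, not from container labels. Drop the `'/var/run/docker.sock:/var/run/docker.sock'` line: a writable Docker socket inside an internet-facing reverse proxy is root-equivalent access to the host should the proxy be compromised, and nothing in this stack needs it. The same mount is added in roles/docker/templates/pi/compose.yaml. `/etc/localtime:ro` was dropped along with the traefik volumes; if log timestamps should stay in host time, re-add it.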
@@ -46,10 +46,6 @@ services:
 - 1.1.1.1
 cap_add:
 - NET_ADMIN
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ pihole_host }}.rule=Host(`{{ pihole_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ pihole_host }}.loadbalancer.server.port=80"
 syncthing:
 image: syncthing/syncthing
@@ -71,10 +67,6 @@ services:
 - PGID={{pgid}}
 - TZ={{timezone}}
 hostname: syncthing
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ syncthing_host }}.rule=Host(`{{ syncthing_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ syncthing_host }}.loadbalancer.server.port={{ syncthing_port }}"
 cupsd:
 container_name: cupsd
@@ -93,10 +85,6 @@ services:
 volumes:
 - /var/run/dbus:/var/run/dbus
 - "{{cupsd_config}}:/etc/cups"
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ cupsd_host }}.rule=Host(`{{ cupsd_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{ cupsd_host }}.loadbalancer.server.port={{ cupsd_port }}"
 kuma:
 container_name: kuma
@@ -114,10 +102,6 @@ services:
 - "{{ kuma_port }}:3001"
 volumes:
 - "{{ kuma_config }}:/app/data"
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{kuma_host}}.rule=Host(`{{ kuma_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{kuma_host}}.loadbalancer.server.port={{ kuma_port }}"
 plex:
 image: lscr.io/linuxserver/plex:latest
@@ -148,10 +132,6 @@ services:
 - "{{ plex_tv }}:/tv"
 - "{{ plex_movies }}:/movies"
 - "{{ plex_music }}:/music"
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{plex_host}}.rule=Host(`{{ plex_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{plex_host}}.loadbalancer.server.port={{ plex_port }}"
 sonarr:
 image: lscr.io/linuxserver/sonarr:latest
@@ -171,10 +151,6 @@ services:
 - {{ sonarr_downloads }}:/downloads #optional
 ports:
 - {{ sonarr_port }}:8989
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{sonarr_host}}.rule=Host(`{{ sonarr_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{sonarr_host}}.loadbalancer.server.port={{ sonarr_port }}"
 radarr:
 image: lscr.io/linuxserver/radarr:latest
@@ -194,10 +170,6 @@ services:
 - {{ radarr_downloads }}:/downloads #optional
 ports:
 - {{ radarr_port }}:7878
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{radarr_host}}.rule=Host(`{{ radarr_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{radarr_host}}.loadbalancer.server.port={{ radarr_port }}"
 lidarr:
 image: lscr.io/linuxserver/lidarr:latest
@@ -217,10 +189,6 @@ services:
 - {{ lidarr_downloads }}:/downloads #optional
 ports:
 - {{ lidarr_port }}:8686
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{lidarr_host}}.rule=Host(`{{ lidarr_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{lidarr_host}}.loadbalancer.server.port={{ lidarr_port }}"
 prowlarr:
 image: lscr.io/linuxserver/prowlarr:latest
@@ -238,10 +206,6 @@ services:
 - {{ prowlarr_config }}:/config
 ports:
 - {{ prowlarr_port }}:9696
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{prowlarr_host}}.rule=Host(`{{ prowlarr_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.{{prowlarr_host}}.loadbalancer.server.port={{ prowlarr_port }}"
 pastebin:
 image: wantguns/bin
@@ -261,10 +225,6 @@ services:
 - HOST_URL={{ bin_host }}.{{ aya01_host }}.{{ local_domain }}
 volumes:
 - {{ bin_upload }}:/app/upload
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ bin_host }}.rule=Host(`{{ bin_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ bin_host }}.loadbalancer.server.port={{ bin_port }}"
 tautulli:
 image: lscr.io/linuxserver/tautulli:latest
@@ -282,10 +242,6 @@ services:
 - {{ tautulli_config}}:/config
 ports:
 - {{ tautulli_port }}:8181
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ tautulli_host }}.rule=Host(`{{ tautulli_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ tautulli_host }}.loadbalancer.server.port={{ tautulli_port }}"
 {{ gluetun_host }}:
 image: qmcgaw/gluetun
@@ -312,16 +268,6 @@ services:
 - SERVER_COUNTRIES={{ gluetun_country }}
 - OPENVPN_USER={{ vault_qbit_vpn_user }}+pmp
 - OPENVPN_PASSWORD={{ vault_qbit_vpn_password }}
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ gluetun_host }}.rule=Host(`{{ gluetun_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ gluetun_host }}.loadbalancer.server.port={{ gluetun_port }}"
- - "traefik.http.routers.{{ torrentleech_host }}.service={{ torrentleech_host }}"
- - "traefik.http.routers.{{ torrentleech_host }}.rule=Host(`{{ torrentleech_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ torrentleech_host }}.loadbalancer.server.port={{ torrentleech_port }}"
- - "traefik.http.routers.{{ qbit_host }}.service={{ qbit_host }}"
- - "traefik.http.routers.{{ qbit_host }}.rule=Host(`{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ qbit_host }}.loadbalancer.server.port={{ qbit_port }}"
 {{ torrentleech_host }}:
 image: qbittorrentofficial/qbittorrent-nox
@@ -380,10 +326,6 @@ services:
 - prometheus_data:/prometheus/
 ports:
 - {{ prometheus_port }}:9090
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ prometheus_host }}.rule=Host(`{{ prometheus_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ prometheus_host }}.loadbalancer.server.port={{ prometheus_port }}"
 {{ grafana_host }}:
 image: grafana/grafana-oss
@@ -403,10 +345,6 @@ services:
 - {{ grafana_config }}:/etc/grafana/
 ports:
 - {{ grafana_port }}:3000
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ grafana_host }}.rule=Host(`{{ grafana_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{ grafana_host }}.loadbalancer.server.port={{ grafana_port }}"
 ddns-updater:
 container_name: ddns-updater
@@ -420,10 +358,6 @@ services:
 - "{{ ddns_data }}:/updater/data/"
 ports:
 - "{{ ddns_port }}:8000/tcp"
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.ddns-updater.rule=Host(`{{ ddns_host }}.{{ aya01_host }}.{{local_domain}}`)"
- - "traefik.http.services.ddns-updater.loadbalancer.server.port={{ ddns_port }}"
 homeassistant:
 container_name: homeassistant
@@ -442,10 +376,6 @@ services:
 - 4357:4357
 - 5683:5683
 - 5683:5683/udp
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.homeassistant.rule=Host(`{{ ha_host }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.homeassistant.loadbalancer.server.port={{ ha_port }}"
 {{stirling.host}}:
 container_name: {{stirling.host}}
@@ -457,10 +387,6 @@ services:
 net: {}
 ports:
 - '{{stirling.port}}:8080'
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{stirling.host}}.rule=Host(`{{ stirling.dns }}.{{ aya01_host }}.{{ local_domain }}`)"
- - "traefik.http.services.{{stirling.host}}.loadbalancer.server.port={{ 8080 }}"
 networks:
 zoneminder:
diff --git a/roles/docker/templates/common/pihole/etc-dnsmasq/02-wildcard-dns.conf b/roles/docker/templates/common/pihole/etc-dnsmasq/02-wildcard-dns.conf
new file mode 100644
index 0000000..c3ad8f6
--- /dev/null
+++ b/roles/docker/templates/common/pihole/etc-dnsmasq/02-wildcard-dns.conf
@@ -0,0 +1,3 @@
+address=/pi.borg.land/192.168.20.11
+address=/aya01.borg.land/192.168.20.12
+address=/naruto.borg.land/192.168.20.13
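Review bot: The three `address=` entries hard-code the `borg.land` domain and the hosts' addresses even though the file is deployed through `template:` and the inventory already carries `local_domain` (used by the labels removed elsewhere in this diff) and per-host names; write `address=/pi.{{ local_domain }}/192.168.20.11` and likewise for the other two, or loop over a host-to-IP mapping, so a domain or address change happens in one place. Note that an `address=/pi.borg.land/…` line makes dnsmasq answer for that name and every subdomain beneath it, which is the intended wildcard but also means any public record under those names is shadowed for LAN clients.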
diff --git a/roles/docker/templates/common/traefik/etc-traefik/traefik.yml b/roles/docker/templates/common/traefik/etc-traefik/traefik.yml
index 077da0c..266e754 100644
--- a/roles/docker/templates/common/traefik/etc-traefik/traefik.yml
+++ b/roles/docker/templates/common/traefik/etc-traefik/traefik.yml
@@ -10,6 +10,7 @@ entryPoints:
 providers:
 docker:
 endpoint: "unix:///var/run/docker.sock"
+ exposedbydefault: "false"
 # API and dashboard configuration
 api:
@@ -21,3 +22,15 @@ log:
 accessLog:
 filePath: "/var/log/access.log"
+
+certificatesResolvers:
+ myresolver:
+ acme:
+ email: "me+cert@tudattr.dev"
+ storage: "/letsencrypt/acme.json"
+ dnsChallenge:
+ provider: "namecheap"
+
+metrics:
+ prometheus:
+ entrypoint: "traefik"
diff --git a/roles/docker/templates/pi/compose.yaml b/roles/docker/templates/pi/compose.yaml
index 72b4cf6..0cfd5a4 100644
--- a/roles/docker/templates/pi/compose.yaml
+++ b/roles/docker/templates/pi/compose.yaml
@@ -1,23 +1,27 @@
 version: '3'
 services:
- traefik:
- container_name: traefik
- image: traefik:latest
+ nginx:
+ container_name: "{{nginx.host}}"
+ image: 'jc21/nginx-proxy-manager:latest'
 restart: unless-stopped
 networks:
 net: {}
- volumes:
- - "/etc/localtime:/etc/localtime:ro"
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
- - "{{ traefik_config }}:/etc/traefik/"
- - "{{ traefik_data }}:/var/log/"
 ports:
- - "{{ traefik_user_port }}:80"
- - "{{ traefik_admin_port }}:8080"
+ - '{{nginx.endpoints.http}}:80'
+ - '{{nginx.endpoints.https}}:443'
+ - '{{nginx.endpoints.admin}}:81'
+ volumes:
+ - "{{nginx.paths.data}}:/data"
+ - "{{nginx.paths.letsencrypt}}:/etc/letsencrypt"
+ - '/var/run/docker.sock:/var/run/docker.sock'
+
+
 pihole:
 container_name: pihole
 image: pihole/pihole:latest
 restart: unless-stopped
+ depends_on:
+ - nginx
 networks:
 net: {}
 ports:
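Review bot: `exposedbydefault: "false"` spells the option in lower case and gives it as a quoted string; Traefik documents the key as `exposedByDefault` with a boolean value, so write `exposedByDefault: false`. Traefik's loader is, as far as I know, case-insensitive and coerces the string, so the line probably takes effect as written, but this is the setting that turns the Docker provider into default-deny, and a reader should be able to confirm it without relying on loader leniency. The `providers:` block starts above the hunk.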
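Review bot: `storage: "/letsencrypt/acme.json"` points inside the container, but no compose template in this commit mounts `{{ traefik.letsencrypt }}` (or anything else) at `/letsencrypt`, so the ACME account key and certificates would live in the container's writable layer and vanish on recreate; add that volume wherever traefik is still deployed. Traefik also rejects an acme.json whose mode is wider than 600, so either let it create the file in a directory only it writes or pre-create it with `mode: '0600'` in the role. The namecheap `dnsChallenge` provider reads its API credentials from the container environment — source those from the vault, never from this template — and the hard-coded `email:` could follow the other templated values as `email: "{{ <acme_email_var> }}"` (placeholder name).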
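Review bot: The added `depends_on: - nginx` on pihole makes the LAN DNS resolver's start-up conditional on the reverse proxy, a dependency that runs the wrong way for a DNS server and one the previous pi compose did not have. If nginx fails to come up (bad config, image pull failure), `docker compose up` will not start pihole either and name resolution for the whole network goes down with it; remove the `depends_on:` block here, and consider doing the same for the `- nginx` entry carried over from the traefik version in aya01/compose.yaml. The writable `/var/run/docker.sock` mount in this hunk is the same issue raised on the aya01 hunk.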
@@ -26,7 +30,7 @@ services:
 - "67:67/udp"
 - "{{ pihole_port }}:80/tcp"
 environment:
- - "WEBPASSWORD={{ vault_pi_pihole_password }}"
+ - "WEBPASSWORD={{ vault.pi.pihole.password }}"
 - "ServerIP=192.168.20.11"
 - "INTERFACE=eth0"
 - "DNS1=1.1.1.1"
@@ -40,10 +44,6 @@ services:
 - 1.1.1.1
 cap_add:
 - NET_ADMIN
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.pihole.rule=Host(`{{ pihole_host }}.{{ pi_host }}.{{ local_domain }}`)"
- - "traefik.http.services.pihole.loadbalancer.server.port={{ 80 }}"
 networks:
 net:
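Review bot: `{{ vault.pi.pihole.password }}` introduces a nested `vault` dictionary, but the rest of this diff still reads flat vault variables (`vault_qbit_vpn_user` and `vault_qbit_vpn_password` in aya01/compose.yaml) and no vault file is changed in the commit; unless the vault was restructured separately, rendering this template fails on an undefined `vault` variable. Either keep `vault_pi_pihole_password` or convert the vault file in the same commit and migrate the other references so both hosts use one scheme. The pihole environment list continues past the hunk.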