Use nginx as reverse proxy on walker, removing traefik

SSL coming soon

ansible/files/nginx-docker.conf

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name {{ server_name }};
+    set $upstream {{ upstream }};
+
+    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
+    ssl_certificate_key {{ ssl_cert_path }}/key.pem;
+    ssl_trusted_certificate {{ ssl_cert_path }}/cert.pem;
+    include includes/ssl.conf;
+
+    include includes/docker-resolver.conf;
+
+    location / {
+        proxy_pass http://$upstream;
+
+        {%- if location_extra is defined +%}
+        {{ location_extra }}
+        {%- endif +%}
+    }
+}

ansible/host_vars/walker/main.yml

@@ -1,2 +1,4 @@
 restic_backup_locations:
   - /opt
+
+nginx_https_redirect: true

ansible/main.yml

@@ -52,7 +52,6 @@
 
 - hosts:
     - pve-docker
-    - walker
   roles:
     - traefik
 
@@ -101,12 +100,13 @@
 - hosts: walker
   roles:
     - nebula
+    - coredns
+    - nginx
     - plausible
     - restic
     - commento
     - website
     - remark42
-    - coredns
 
 - hosts: jellyfin
   roles:

ansible/roles/commento/files/docker-compose.yml

@@ -8,10 +8,7 @@ services:
       - db
     networks:
       - default
-      - traefik
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.commento.rule=Host(`commento.theorangeone.net`)
+      - coredns
     environment:
       - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
       - COMMENTO_ORIGIN=https://commento.theorangeone.net
@@ -37,5 +34,5 @@ services:
       - POSTGRES_USER=commento
 
 networks:
-  traefik:
+  coredns:
     external: true

ansible/roles/commento/tasks/main.yml

@@ -18,3 +18,15 @@
     validate: docker-compose -f %s config
   notify: restart commento
   become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/commento.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: commento.theorangeone.net
+    upstream: commento-commento-1.docker:8080
+    ssl_cert_path: /etc/nginx/ssl/theorangeone.net

ansible/roles/coredns/files/docker-compose.yml

@@ -9,8 +9,8 @@ services:
       - "{{ private_ip }}:5353:53/udp"
     networks:
       - default
-      - traefik
+      - coredns
 
 networks:
-  traefik:
+  coredns:
     external: true

ansible/roles/coredns/tasks/main.yml

@@ -1,3 +1,9 @@
+- name: Create network
+  docker_network:
+    name: coredns
+    internal: true
+  become: true
+
 - name: Create install directory
   file:
     path: /opt/coredns

ansible/roles/nginx/defaults/main.yml

@@ -1 +1,2 @@
 nginx_https_redirect: false
+docker_resolver_address: "{{ private_ip }}:5353"

ansible/roles/nginx/files/includes/docker-resolver.conf

@@ -0,0 +1,2 @@
+resolver {{ docker_resolver_address }} valid=2s;
+resolver_timeout 5s;

ansible/roles/nginx/tasks/main.yml

@@ -46,9 +46,9 @@
 - name: Copy config files
   template:
     src: "{{ item }}"
-    dest: "/etc/nginx/includes/{{ item | basename }}"
+    dest: /etc/nginx/includes/{{ item | basename }}
     mode: "0644"
-  with_fileglob: 'files/includes/*.conf'
+  with_fileglob: files/includes/*.conf
   become: true
   notify: reload nginx
 

ansible/roles/plausible/files/docker-compose.yml

@@ -10,20 +10,7 @@ services:
       - clickhouse
     networks:
       - default
-      - traefik
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`)
-      - traefik.http.services.plausible-plausible.loadbalancer.server.port=8000  # https://github.com/plausible/analytics/pull/237
-
-      - traefik.http.routers.plausible-embed.rule=Host(`elbisualp.theorangeone.net`)
-      - traefik.http.routers.plausible-embed.service=plausible-plausible
-
-      # https://github.com/plausible/analytics/pull/340
-      - traefik.http.middlewares.plausible-index.replacepathregex.regex=/js/index.js
-      - traefik.http.middlewares.plausible-index.replacepathregex.replacement=/js/plausible.js
-      - traefik.http.routers.plausible-embed.middlewares=plausible-index
-
+      - coredns
     environment:
       - SECRET_KEY_BASE={{ vault_plausible_secret_key }}
       - SIGNING_SALT={{ vault_plausible_signing_salt }}
@@ -66,5 +53,5 @@ services:
       - POSTGRES_USER=plausible
 
 networks:
-  traefik:
+  coredns:
     external: true

ansible/roles/plausible/tasks/main.yml

@@ -34,3 +34,17 @@
     validate: docker-compose -f %s config
   notify: restart plausible
   become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/plausible.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: plausible.theorangeone.net elbisualp.theorangeone.net
+    upstream: plausible-plausible-1.docker:8000
+    ssl_cert_path: /etc/nginx/ssl/theorangeone.net
+    location_extra: |
+      rewrite ^/js/index.js$ /js/plausible.js last;

ansible/roles/website/files/docker-compose.yml

@@ -30,12 +30,9 @@ services:
     <<: *website
     user: root
     command: /app/etc/entrypoints/nginx
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.website.rule=Host(`theorangeone.net`) || Host(`jakehoward.tech`)
     networks:
       - default
-      - traefik
+      - coredns
     depends_on:
       - django
 
@@ -85,5 +82,5 @@ services:
       - SENTRY_DSN={{ vault_spotify_sentry_dsn }}
 
 networks:
-  traefik:
+  coredns:
     external: true

ansible/roles/website/tasks/main.yml

@@ -18,3 +18,17 @@
     validate: docker-compose -f %s config
   notify: restart website
   become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/website.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: theorangeone.net
+    upstream: website-nginx-1.docker:8000
+    ssl_cert_path: /etc/nginx/ssl/theorangeone.net
+    location_extra: |
+      more_set_headers "Server: $upstream_http_server";