From d5c7d94ac8251b60d34005a044365efb1dc6cc0d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 15 Jan 2022 23:44:06 +0000 Subject: [PATCH] Run traefik as dockeruser, and without host networking This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure! --- ansible/roles/pages/files/docker-compose.yml | 9 ++++-- .../roles/plausible/files/docker-compose.yml | 7 +++++ .../roles/privatebin/files/docker-compose.yml | 7 +++++ .../files/calibre/docker-compose.yml | 7 +++++ .../files/librespeed/docker-compose.yml | 7 +++++ .../files/nextcloud/docker-compose.yml | 7 +++++ .../files/synapse/docker-compose.yml | 10 +++++++ .../files/tt-rss/docker-compose.yml | 7 +++++ .../files/wallabag/docker-compose.yml | 7 +++++ .../files/whoami/docker-compose.yml | 7 +++++ .../roles/traefik/files/docker-compose.yml | 29 ++++++++++++++++++- ansible/roles/traefik/files/traefik.yml | 7 +++-- ansible/roles/traefik/tasks/main.yml | 8 +++++ ansible/roles/upload/files/docker-compose.yml | 16 ++++++++++ .../uptime_kuma/files/docker-compose.yml | 7 +++++ .../vaultwarden/files/docker-compose.yml | 7 +++++ ansible/roles/yourls/files/docker-compose.yml | 7 +++++ 17 files changed, 150 insertions(+), 6 deletions(-) diff --git a/ansible/roles/pages/files/docker-compose.yml b/ansible/roles/pages/files/docker-compose.yml index b020d97..9673de3 100644 --- a/ansible/roles/pages/files/docker-compose.yml +++ b/ansible/roles/pages/files/docker-compose.yml @@ -19,12 +19,17 @@ services: - ./sites:/sites:ro restart: unless-stopped user: "{{ docker_user.id }}" - ports: - - 127.0.0.1:5000:5000 environment: - SITES_ROOT=/sites - TRAEFIK_SERVICE=traefik-pages-pages@docker - AUTH_PASSWORD={{ traefik_pages_password }} - TRAEFIK_CERT_RESOLVER=le + networks: + - default + - traefik labels: - traefik.enable=true + +networks: + traefik: + external: true 
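Review bot: Dropping the `127.0.0.1:5000` publish means the traefik-pages provider endpoint, which is authenticated only by the `AUTH_PASSWORD` shown above it and spoken over plain HTTP, is now reachable from every container that joins the shared `traefik` network rather than just from Traefik on the host loopback. Only Traefik needs this port, so attaching the service to a dedicated internal network shared with Traefik alone (the same pattern as `proxy_private` in the traefik compose file) would preserve the per-service isolation the old loopback binding gave. Whatever hostname the Traefik provider URL uses must also resolve on that network; if the compose service name differs, add `container_name:` or an `aliases:` list under `networks: traefik:`. The service definition starts above this hunk.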
diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index bc735cf..e992103 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -8,6 +8,9 @@ services: depends_on: - db - clickhouse + networks: + - default + - traefik labels: - traefik.enable=true - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`) @@ -52,3 +55,7 @@ services: environment: - POSTGRES_PASSWORD=plausible - POSTGRES_USER=plausible + +networks: + traefik: + external: true diff --git a/ansible/roles/privatebin/files/docker-compose.yml b/ansible/roles/privatebin/files/docker-compose.yml index 04e856f..2f719e3 100644 --- a/ansible/roles/privatebin/files/docker-compose.yml +++ b/ansible/roles/privatebin/files/docker-compose.yml @@ -12,3 +12,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.privatebin.rule=Host(`bin.theorangeone.net`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/calibre/docker-compose.yml b/ansible/roles/pve_docker/files/calibre/docker-compose.yml index 3e9c824..0ada5e6 100644 --- a/ansible/roles/pve_docker/files/calibre/docker-compose.yml +++ b/ansible/roles/pve_docker/files/calibre/docker-compose.yml @@ -13,3 +13,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.calibre.rule=Host(`calibre.jakehoward.tech`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml index d075255..82bce75 100644 --- a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml +++ b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml 
@@ -14,3 +14,10 @@ services: - traefik.http.routers.librespeed.rule=Host(`speed.jakehoward.tech`) - traefik.http.routers.librespeed.middlewares=librespeed-auth@docker - traefik.http.middlewares.librespeed-auth.basicauth.users={{ librespeed_basicauth }} + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 9f3656b..32ea086 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -26,6 +26,9 @@ services: - traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https - traefik.http.middlewares.nextcloud-hsts.headers.stsseconds=15552000 - traefik.http.routers.nextcloud.middlewares=nextcloud-hsts@docker + networks: + - default + - traefik mariadb: image: mariadb:10.5 @@ -43,3 +46,7 @@ services: restart: unless-stopped volumes: - /mnt/tank/dbs/redis/nextcloud:/data + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 521ef72..362fc60 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -18,6 +18,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) + networks: + - default + - traefik db: image: postgres:14-alpine @@ -43,3 +46,10 @@ services: - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`) - traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin - traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker + networks: + - default + - traefik + +networks: + traefik: + external: true 
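Review bot: The `librespeed-auth` basicauth middleware is enforced only on the Traefik router, so once this container joins the shared `traefik` network its listening port is directly reachable by every other container on that network, with no authentication and no Traefik middleware in the path. Under the old `network_mode: host` layout each compose project's default network kept these frontends apart, so this is a new lateral-movement path introduced by the commit rather than a pre-existing one. If per-app isolation matters, give each app its own external network that Traefik joins, or treat the shared network as untrusted in the app's own configuration. The service definition starts above this hunk.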
diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml index 3c9e385..71a850f 100644 --- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml +++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml @@ -27,6 +27,9 @@ services: - db tmpfs: - /config/log + networks: + - default + - traefik db: image: postgres:14-alpine @@ -36,3 +39,7 @@ services: environment: - POSTGRES_PASSWORD=tt-rss - POSTGRES_USER=tt-rss + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml index a88c42e..64df922 100644 --- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml +++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml @@ -15,9 +15,16 @@ services: - traefik.http.routers.wallabag.rule=Host(`wallabag.jakehoward.tech`) depends_on: - redis + networks: + - default + - traefik redis: image: redis:6-alpine restart: unless-stopped volumes: - /mnt/tank/dbs/redis/wallabag:/data + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/whoami/docker-compose.yml b/ansible/roles/pve_docker/files/whoami/docker-compose.yml index 2bf9a7b..0c1cd24 100644 --- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml +++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml @@ -7,3 +7,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`who.0rng.one`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index fc73942..bb7cade 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml 
@@ -3,7 +3,7 @@ version: "2.3" services: traefik: image: traefik:v2.5 - network_mode: host + user: "{{ docker_user.id }}" environment: - CF_DNS_API_TOKEN={{ cloudflare_api_token }} volumes: @@ -11,3 +11,30 @@ services: - /tmp/traefik-logs:/var/log/traefik - ./traefik:/etc/traefik restart: unless-stopped + ports: + - 80:80 + - 443:443 + - "{{ private_ip }}:8080:8080" + depends_on: + - docker_proxy + networks: + - default + - traefik + - proxy_private + + docker_proxy: + image: tecnativa/docker-socket-proxy:latest + restart: unless-stopped + environment: + - CONTAINERS=1 + - INFO=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - proxy_private + +networks: + traefik: + external: true + proxy_private: + internal: true diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index 48481f4..e0d0069 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -32,21 +32,22 @@ entryPoints: - "{{ pve_hosts.internal_cidr }}" - "{{ nebula.cidr }}" traefik: - address: "{{ private_ip }}:8080" + address: :8080 ping: {} providers: docker: - endpoint: unix:///var/run/docker.sock + endpoint: tcp://docker_proxy:2375 watch: true exposedByDefault: false + network: traefik file: directory: /etc/traefik/conf {% if with_traefik_pages %} http: endpoint: - - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider" + - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider" {% endif %} api: diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml index 5246076..df0e3ae 100644 --- a/ansible/roles/traefik/tasks/main.yml +++ b/ansible/roles/traefik/tasks/main.yml @@ -1,3 +1,9 @@ +- name: Create network + docker_network: + name: traefik + internal: true + become: true + - name: Create install directory file: path: /opt/traefik 
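Review bot: Replacing `network_mode: host` with published ports changes the source address Traefik sees for some connections: IPv4 from outside is DNATed with the client IP intact, but anything the engine routes through its userland `docker-proxy` (loopback traffic, and IPv6 if the bridge is not IPv6-enabled) arrives from the bridge gateway address. Any `trustedIPs` or allowlist CIDRs and access-log consumers that assumed real client IPs should be re-checked after this change. Separately, the non-root `user:` can only bind the container's ports 80/443 because Docker 20.10+ sets `net.ipv4.ip_unprivileged_port_start=0` inside containers; on older engines Traefik will fail to bind unless its entrypoints move to unprivileged ports with mappings like `80:8000`. The rest of the `traefik` service is in the next hunk.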
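Review bot: `tecnativa/docker-socket-proxy:latest` is unpinned even though it is the component holding the Docker socket; pin it to a release tag and a digest, `image: tecnativa/docker-socket-proxy:<release>@sha256:<digest>`, so a mutable tag cannot swap the code that mediates API access. Note that `:ro` on the socket bind mount does not restrict the Docker API (reads and writes travel over the same socket); the real boundary is the proxy's allowlist, so keep `POST` at its default of disabled. `CONTAINERS=1` still lets Traefik read every container's inspect output, including environment variables such as the database passwords and `CF_DNS_API_TOKEN`, and as far as I can tell the container archive endpoint as well, so a Traefik compromise reads secrets fleet-wide even with this proxy. `INFO=1` may not be needed for the plain docker provider; try removing it and keep it only if Traefik fails to start. For consistency with the third mapping, quote `"80:80"` and `"443:443"`.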
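Review bot: Changing the `traefik` entrypoint from `{{ private_ip }}:8080` to `:8080` makes the API/dashboard listener accept connections on the container's address on every attached network, so all containers on the shared `traefik` network can reach it directly, bypassing the host-side `{{ private_ip }}:8080` publish and whatever filtering that implied. The `api:` section is outside this hunk; confirm the dashboard is not `insecure: true` and that its router carries authentication or an `ipWhiteList` that excludes the Docker subnets. The pages provider endpoint now points at `traefik-pages:5000` over plain HTTP with the password in the URL; that name must resolve on the `traefik` network (the pages compose project appears to name the service `pages`, so a `container_name` or network alias is needed). `providers.docker.network: traefik` is a good addition, as it stops Traefik choosing an arbitrary network IP for multi-homed backends.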
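Review bot: The single `traefik` network becomes a flat segment shared by every fronted app in this commit, so one compromised frontend can reach the others' container ports directly with Traefik's per-router middlewares (basic auth, path restrictions, IP allowlists) out of the path; `internal: true` only blocks egress from the network, it does not isolate members from each other. A stricter layout is one external network per app, created here in a loop, that Traefik joins, keeping the blast radius of a web-app compromise to its own compose project. If the shared network is kept, document that trade-off above this task, e.g. `# Shared by all Traefik-fronted apps; members can reach each other directly, bypassing Traefik middlewares.`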
@@ -11,6 +17,7 @@ path: /opt/traefik/traefik/ state: directory mode: "{{ docker_compose_directory_mask }}" + owner: "{{ docker_user.name }}" become: true - name: Create file provider directory @@ -18,6 +25,7 @@ path: /opt/traefik/traefik/conf state: directory mode: "{{ docker_compose_directory_mask }}" + owner: "{{ docker_user.name }}" become: true - name: Install compose file diff --git a/ansible/roles/upload/files/docker-compose.yml b/ansible/roles/upload/files/docker-compose.yml index 2b72265..a952958 100644 --- a/ansible/roles/upload/files/docker-compose.yml +++ b/ansible/roles/upload/files/docker-compose.yml @@ -12,6 +12,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.upload.rule=Host(`upload.theorangeone.net`) + networks: + - default + - traefik img: image: ghcr.io/realorangeone/static-server:latest @@ -23,6 +26,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.img.rule=Host(`img.theorangeone.net`) || Host(`img.0rng.one`) + networks: + - default + - traefik bg: image: ghcr.io/realorangeone/static-server:latest @@ -35,6 +41,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.bg.rule=Host(`bg.theorangeone.net`) + networks: + - default + - traefik dl: image: ghcr.io/realorangeone/static-server:latest @@ -46,3 +55,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.dl.rule=Host(`dl.theorangeone.net`) || Host(`dl.0rng.one`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index cc9cc0c..198c6d4 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml 
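Review bot: Setting `owner` on `/opt/traefik/traefik/` and `/opt/traefik/traefik/conf` is not recursive, so files the previously root-running Traefik already created there — the ACME storage file in particular, if it lives under this directory — stay root-owned and the now unprivileged process cannot update them, which surfaces later as certificate renewal failures rather than as a startup error. Add `recurse: true` to these tasks, or a dedicated `file:` task for the storage file with `owner: "{{ docker_user.name }}"` and `mode: "0600"`. The ACME storage path is configured outside this diff, so confirm where it actually resides.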
@@ -8,8 +8,15 @@ services: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - TZ={{ timezone }} + networks: + - default + - traefik volumes: - ./data:/app/data labels: - traefik.enable=true - traefik.http.routers.uptime-kuma.rule=Host(`status.theorangeone.net`) + +networks: + traefik: + external: true diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index 4c77e9f..3ac27e2 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml @@ -35,6 +35,9 @@ services: - INVITATIONS_ALLOWED=false - ROCKET_WORKERS={{ ansible_processor_nproc // 2 }} - WEBSOCKET_ENABLED=true + networks: + - default + - traefik db: image: postgres:14-alpine @@ -44,3 +47,7 @@ services: environment: - POSTGRES_PASSWORD={{ vaultwarden_database_password }} - POSTGRES_USER=vaultwarden + +networks: + traefik: + external: true diff --git a/ansible/roles/yourls/files/docker-compose.yml b/ansible/roles/yourls/files/docker-compose.yml index 8af36a8..be589ac 100644 --- a/ansible/roles/yourls/files/docker-compose.yml +++ b/ansible/roles/yourls/files/docker-compose.yml @@ -18,6 +18,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.yourls.rule=Host(`0rng.one`) + networks: + - default + - traefik mariadb: image: mariadb:10.7 @@ -29,3 +32,7 @@ services: volumes: - /mnt/tank/dbs/mariadb/yourls:/var/lib/mysql restart: unless-stopped + +networks: + traefik: + external: true