Run traefik as dockeruser, and without host networking

This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure!

ansible/roles/pages/files/docker-compose.yml

@@ -19,12 +19,17 @@ services:
       - ./sites:/sites:ro
     restart: unless-stopped
     user: "{{ docker_user.id }}"
-    ports:
-      - 127.0.0.1:5000:5000
     environment:
       - SITES_ROOT=/sites
       - TRAEFIK_SERVICE=traefik-pages-pages@docker
       - AUTH_PASSWORD={{ traefik_pages_password }}
       - TRAEFIK_CERT_RESOLVER=le
+    networks:
+      - default
+      - traefik
     labels:
       - traefik.enable=true
+
+networks:
+  traefik:
+    external: true

ansible/roles/plausible/files/docker-compose.yml

@@ -8,6 +8,9 @@ services:
     depends_on:
       - db
       - clickhouse
+    networks:
+      - default
+      - traefik
     labels:
       - traefik.enable=true
       - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`)
@@ -52,3 +55,7 @@ services:
     environment:
       - POSTGRES_PASSWORD=plausible
       - POSTGRES_USER=plausible
+
+networks:
+  traefik:
+    external: true

ansible/roles/privatebin/files/docker-compose.yml

@@ -12,3 +12,10 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.privatebin.rule=Host(`bin.theorangeone.net`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/calibre/docker-compose.yml

@@ -13,3 +13,10 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.calibre.rule=Host(`calibre.jakehoward.tech`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/librespeed/docker-compose.yml

@@ -14,3 +14,10 @@ services:
       - traefik.http.routers.librespeed.rule=Host(`speed.jakehoward.tech`)
       - traefik.http.routers.librespeed.middlewares=librespeed-auth@docker
       - traefik.http.middlewares.librespeed-auth.basicauth.users={{ librespeed_basicauth }}
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/nextcloud/docker-compose.yml

@@ -26,6 +26,9 @@ services:
       - traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https
       - traefik.http.middlewares.nextcloud-hsts.headers.stsseconds=15552000
       - traefik.http.routers.nextcloud.middlewares=nextcloud-hsts@docker
+    networks:
+      - default
+      - traefik
 
   mariadb:
     image: mariadb:10.5
@@ -43,3 +46,7 @@ services:
     restart: unless-stopped
     volumes:
       - /mnt/tank/dbs/redis/nextcloud:/data
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/synapse/docker-compose.yml

@@ -18,6 +18,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
+    networks:
+      - default
+      - traefik
 
   db:
     image: postgres:14-alpine
@@ -43,3 +46,10 @@ services:
       - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`)
       - traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin
       - traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/tt-rss/docker-compose.yml

@@ -27,6 +27,9 @@ services:
       - db
     tmpfs:
       - /config/log
+    networks:
+      - default
+      - traefik
 
   db:
     image: postgres:14-alpine
@@ -36,3 +39,7 @@ services:
     environment:
       - POSTGRES_PASSWORD=tt-rss
       - POSTGRES_USER=tt-rss
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/wallabag/docker-compose.yml

@@ -15,9 +15,16 @@ services:
       - traefik.http.routers.wallabag.rule=Host(`wallabag.jakehoward.tech`)
     depends_on:
       - redis
+    networks:
+      - default
+      - traefik
 
   redis:
     image: redis:6-alpine
     restart: unless-stopped
     volumes:
       - /mnt/tank/dbs/redis/wallabag:/data
+
+networks:
+  traefik:
+    external: true

ansible/roles/pve_docker/files/whoami/docker-compose.yml

@@ -7,3 +7,10 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`who.0rng.one`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/traefik/files/docker-compose.yml

@@ -3,7 +3,7 @@ version: "2.3"
 services:
   traefik:
     image: traefik:v2.5
-    network_mode: host
+    user: "{{ docker_user.id }}"
     environment:
       - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
     volumes:
@@ -11,3 +11,30 @@ services:
       - /tmp/traefik-logs:/var/log/traefik
       - ./traefik:/etc/traefik
     restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+      - "{{ private_ip }}:8080:8080"
+    depends_on:
+      - docker_proxy
+    networks:
+      - default
+      - traefik
+      - proxy_private
+
+  docker_proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - INFO=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - proxy_private
+
+networks:
+  traefik:
+    external: true
+  proxy_private:
+    internal: true

ansible/roles/traefik/files/traefik.yml

@@ -32,21 +32,22 @@ entryPoints:
         - "{{ pve_hosts.internal_cidr }}"
         - "{{ nebula.cidr }}"
   traefik:
-    address: "{{ private_ip }}:8080"
+    address: :8080
 
 ping: {}
 
 providers:
   docker:
-    endpoint: unix:///var/run/docker.sock
+    endpoint: tcp://docker_proxy:2375
     watch: true
     exposedByDefault: false
+    network: traefik
   file:
     directory: /etc/traefik/conf
 {% if with_traefik_pages %}
   http:
     endpoint:
-      - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider"
+      - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider"
 {% endif %}
 
 api:

ansible/roles/traefik/tasks/main.yml

@@ -1,3 +1,9 @@
+- name: Create network
+  docker_network:
+    name: traefik
+    internal: true
+  become: true
+
 - name: Create install directory
   file:
     path: /opt/traefik
@@ -11,6 +17,7 @@
     path: /opt/traefik/traefik/
     state: directory
     mode: "{{ docker_compose_directory_mask }}"
+    owner: "{{ docker_user.name }}"
   become: true
 
 - name: Create file provider directory
@@ -18,6 +25,7 @@
     path: /opt/traefik/traefik/conf
     state: directory
     mode: "{{ docker_compose_directory_mask }}"
+    owner: "{{ docker_user.name }}"
   become: true
 
 - name: Install compose file

ansible/roles/upload/files/docker-compose.yml

@@ -12,6 +12,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.upload.rule=Host(`upload.theorangeone.net`)
+    networks:
+      - default
+      - traefik
 
   img:
     image: ghcr.io/realorangeone/static-server:latest
@@ -23,6 +26,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.img.rule=Host(`img.theorangeone.net`) || Host(`img.0rng.one`)
+    networks:
+      - default
+      - traefik
 
   bg:
     image: ghcr.io/realorangeone/static-server:latest
@@ -35,6 +41,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.bg.rule=Host(`bg.theorangeone.net`)
+    networks:
+      - default
+      - traefik
 
   dl:
     image: ghcr.io/realorangeone/static-server:latest
@@ -46,3 +55,10 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.dl.rule=Host(`dl.theorangeone.net`) || Host(`dl.0rng.one`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/uptime_kuma/files/docker-compose.yml

@@ -8,8 +8,15 @@ services:
       - PUID={{ docker_user.id }}
       - PGID={{ docker_user.id }}
       - TZ={{ timezone }}
+    networks:
+      - default
+      - traefik
     volumes:
       - ./data:/app/data
     labels:
       - traefik.enable=true
       - traefik.http.routers.uptime-kuma.rule=Host(`status.theorangeone.net`)
+
+networks:
+  traefik:
+    external: true

ansible/roles/vaultwarden/files/docker-compose.yml

@@ -35,6 +35,9 @@ services:
       - INVITATIONS_ALLOWED=false
       - ROCKET_WORKERS={{ ansible_processor_nproc // 2 }}
       - WEBSOCKET_ENABLED=true
+    networks:
+      - default
+      - traefik
 
   db:
     image: postgres:14-alpine
@@ -44,3 +47,7 @@ services:
     environment:
       - POSTGRES_PASSWORD={{ vaultwarden_database_password }}
       - POSTGRES_USER=vaultwarden
+
+networks:
+  traefik:
+    external: true

ansible/roles/yourls/files/docker-compose.yml

@@ -18,6 +18,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.yourls.rule=Host(`0rng.one`)
+    networks:
+      - default
+      - traefik
 
   mariadb:
     image: mariadb:10.7
@@ -29,3 +32,7 @@ services:
     volumes:
       - /mnt/tank/dbs/mariadb/yourls:/var/lib/mysql
     restart: unless-stopped
+
+networks:
+  traefik:
+    external: true