Replace nginx with traefik on walker

2026-01-22 18:07:05 +00:00 · 2025-07-23 14:32:12 +01:00 · 2025-07-23 14:32:12 +01:00 · 675ea17041
commit 675ea17041
parent 53b6ac195f
18 changed files with 36 additions and 171 deletions
--- a/ansible/files/nginx-docker.conf
+++ b/ansible/files/nginx-docker.conf
@ -1,26 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name {{ server_name }};
-    set $upstream {{ upstream }};
-
-    access_log /var/log/nginx/{{ server_name|split|first }}.log main;
-
-    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
-    ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
-    ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
-    include includes/ssl.conf;
-
-    include includes/docker-resolver.conf;
-
-    location / {
-        proxy_pass http://$upstream;
-
-        {%- if location_extra is defined +%}
-        {{ location_extra }}
-        {%- endif +%}
-    }
-}
--- a/ansible/host_vars/walker/main.yml
+++ b/ansible/host_vars/walker/main.yml
@ -3,16 +3,4 @@ private_ip: "{{ ansible_tailscale0.ipv4.address }}"
 restic_backup_locations:
  - /opt

-nginx_https_redirect: true
-
-certbot_certs:
-  - domains:
-      - theorangeone.net
-      - jakehoward.tech
-  - domains:
-      - plausible.theorangeone.net
-      - elbisualp.theorangeone.net
-  - domains:
-      - slides.jakehoward.tech
-  - domains:
-      - comentario.theorangeone.net
+traefik_http3: true
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -50,6 +50,7 @@
 - hosts:
    - pve-docker
    - grimes
+    - walker
  roles:
    - traefik

@ -105,9 +106,6 @@

 - hosts: walker
  roles:
-    - nginx
-    - geerlingguy.certbot
-    - coredns_docker_proxy
    - plausible
    - restic
    - website
--- a/ansible/roles/comentario/files/docker-compose.yml
+++ b/ansible/roles/comentario/files/docker-compose.yml
@ -7,7 +7,11 @@ services:
      - db
    networks:
      - default
-      - coredns
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.comentario.rule=Host(`comentario.theorangeone.net`)
+      - traefik.http.services.comentario-comentario.loadbalancer.server.port=80
    volumes:
      - ./secrets.yml:/comentario/secrets.yaml
    environment:
@ -25,5 +29,5 @@ services:
      - POSTGRES_USER=comentario

 networks:
-  coredns:
+  traefik:
    external: true
--- a/ansible/roles/comentario/tasks/main.yml
+++ b/ansible/roles/comentario/tasks/main.yml
@ -24,14 +24,3 @@
    mode: "600"
    owner: "{{ docker_user.name }}"
  notify: restart comentario
-
- name: Install nginx config
-  template:
-    src: files/nginx-docker.conf
-    dest: /etc/nginx/http.d/comentario.conf
-    mode: "0644"
-  notify: reload nginx
-  vars:
-    server_name: comentario.theorangeone.net
-    upstream: comentario-comentario-1.docker:80
-    ssl_cert_path: /etc/letsencrypt/live/comentario.theorangeone.net
--- a/ansible/roles/coredns_docker_proxy/files/Corefile
+++ b/ansible/roles/coredns_docker_proxy/files/Corefile
@ -1,21 +0,0 @@
-. {
-    errors
-    cancel
-
-    # Only allow requests to `.docker` records
-    view docker {
-        expr name() endsWith '.docker.'
-    }
-
-    # Strip the `.docker` suffix
-    rewrite name suffix .docker . answer auto
-
-    # Forward requests to Docker's DNS server
-    forward . 127.0.0.11
-}
-
-. {
-    acl {
-        block
-    }
-}
--- a/ansible/roles/coredns_docker_proxy/files/docker-compose.yml
+++ b/ansible/roles/coredns_docker_proxy/files/docker-compose.yml
@ -1,15 +0,0 @@
-services:
-  coredns:
-    image: coredns/coredns:latest
-    restart: unless-stopped
-    volumes:
-      - ./Corefile:/Corefile:ro
-    ports:
-      - "{{ private_ip }}:53053:53/udp"
-    networks:
-      - default
-      - coredns
-
-networks:
-  coredns:
-    external: true
--- a/ansible/roles/coredns_docker_proxy/handlers/main.yml
+++ b/ansible/roles/coredns_docker_proxy/handlers/main.yml
@ -1,4 +0,0 @@
- name: restart coredns
-  shell:
-    chdir: /opt/coredns
-    cmd: "{{ docker_update_command }}"
--- a/ansible/roles/coredns_docker_proxy/tasks/main.yml
+++ b/ansible/roles/coredns_docker_proxy/tasks/main.yml
@ -1,27 +0,0 @@
- name: Create network
-  docker_network:
-    name: coredns
-
- name: Create install directory
-  file:
-    path: /opt/coredns
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-
- name: Install compose file
-  template:
-    src: files/docker-compose.yml
-    dest: /opt/coredns/docker-compose.yml
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-    validate: docker-compose -f %s config
-  notify: restart coredns
-
- name: Install Corefile
-  template:
-    src: files/Corefile
-    dest: /opt/coredns/Corefile
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-  notify: restart coredns
--- a/ansible/roles/nginx/defaults/main.yml
+++ b/ansible/roles/nginx/defaults/main.yml
@ -1,2 +1 @@
 nginx_https_redirect: false
-docker_resolver_address: "{{ private_ip }}:53053"
--- a/ansible/roles/nginx/files/includes/docker-resolver.conf
+++ b/ansible/roles/nginx/files/includes/docker-resolver.conf
@ -1,2 +0,0 @@
-resolver {{ docker_resolver_address }} valid=2s;
-resolver_timeout 5s;
--- a/ansible/roles/plausible/files/docker-compose.yml
+++ b/ansible/roles/plausible/files/docker-compose.yml
@ -8,7 +8,7 @@ services:
      - clickhouse
    networks:
      - default
-      - coredns
+      - traefik
    environment:
      - SECRET_KEY_BASE={{ vault_plausible_secret_key }}
      - SIGNING_SALT={{ vault_plausible_signing_salt }}
@ -27,6 +27,18 @@ services:
      - SMTP_USER_NAME={{ vault_plausible_smtp_user }}
      - SMTP_USER_PWD={{ vault_plausible_smtp_password }}
      - SMTP_HOST_SSL_ENABLED=true
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`)
+      - traefik.http.services.plausible-plausible.loadbalancer.server.port=8000  # https://github.com/plausible/analytics/pull/237
+
+      - traefik.http.routers.plausible-embed.rule=Host(`elbisualp.theorangeone.net`)
+      - traefik.http.routers.plausible-embed.service=plausible-plausible
+
+      # https://github.com/plausible/analytics/pull/340
+      - traefik.http.middlewares.plausible-index.replacepathregex.regex=/js/index.js
+      - traefik.http.middlewares.plausible-index.replacepathregex.replacement=/js/plausible.js
+      - traefik.http.routers.plausible-embed.middlewares=plausible-index

  clickhouse:
    image: clickhouse/clickhouse-server:24.12-alpine
@ -54,5 +66,5 @@ services:
      - POSTGRES_USER=plausible

 networks:
-  coredns:
+  traefik:
    external: true
--- a/ansible/roles/plausible/tasks/main.yml
+++ b/ansible/roles/plausible/tasks/main.yml
@ -30,16 +30,3 @@
    owner: "{{ docker_user.name }}"
    validate: docker-compose -f %s config
  notify: restart plausible
-
- name: Install nginx config
-  template:
-    src: files/nginx-docker.conf
-    dest: /etc/nginx/http.d/plausible.conf
-    mode: "0644"
-  notify: reload nginx
-  vars:
-    server_name: plausible.theorangeone.net elbisualp.theorangeone.net
-    upstream: plausible-plausible-1.docker:8000
-    ssl_cert_path: /etc/letsencrypt/live/plausible.theorangeone.net
-    location_extra: |
-      rewrite ^/js/index.js$ /js/plausible.js last;
--- a/ansible/roles/slides/files/docker-compose.yml
+++ b/ansible/roles/slides/files/docker-compose.yml
@ -10,8 +10,11 @@ services:
      - ./slides:/srv
    networks:
      - default
-      - coredns
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.slides.rule=Host(`slides.jakehoward.tech`)

 networks:
-  coredns:
+  traefik:
    external: true
--- a/ansible/roles/slides/tasks/main.yml
+++ b/ansible/roles/slides/tasks/main.yml
@ -28,16 +28,3 @@
  loop_control:
    label: "{{ item.user }}"
  notify: restart slides
-
- name: Install nginx config
-  template:
-    src: files/nginx-docker.conf
-    dest: /etc/nginx/http.d/slides.conf
-    mode: "0644"
-  notify: reload nginx
-  vars:
-    server_name: slides.jakehoward.tech
-    upstream: slides-slides-1.docker:80
-    ssl_cert_path: /etc/letsencrypt/live/slides.jakehoward.tech
-    location_extra: |
-      client_max_body_size 0;
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -42,7 +42,7 @@ entryPoints:
        readTimeout: 180s
    {% if traefik_http3 %}
    http3: {}
-    {% end %}
+    {% endif %}
  traefik:
    address: :8080

@ -95,3 +95,6 @@ tls:

 pilot:
  dashboard: false
+
+log:
+  level: INFO
--- a/ansible/roles/website/files/docker-compose.yml
+++ b/ansible/roles/website/files/docker-compose.yml
@ -24,10 +24,13 @@ services:
      - ./cache:/tmp/nginx_cache
    networks:
      - default
-      - coredns
+      - traefik
    depends_on:
      - db
      - redis
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.website.rule=Host(`theorangeone.net`) || Host(`jakehoward.tech`)

  db:
    image: postgres:14-alpine
@ -54,5 +57,5 @@ services:
      - SENTRY_DSN={{ vault_spotify_sentry_dsn }}

 networks:
-  coredns:
+  traefik:
    external: true
--- a/ansible/roles/website/tasks/main.yml
+++ b/ansible/roles/website/tasks/main.yml
@ -16,16 +16,3 @@
    owner: "{{ docker_user.name }}"
    validate: docker-compose -f %s config
  notify: restart website
-
- name: Install nginx config
-  template:
-    src: files/nginx-docker.conf
-    dest: /etc/nginx/http.d/website.conf
-    mode: "0644"
-  notify: reload nginx
-  vars:
-    server_name: theorangeone.net jakehoward.tech
-    upstream: website-website-1.docker:8000
-    ssl_cert_path: /etc/letsencrypt/live/theorangeone.net
-    location_extra: |
-      more_set_headers "Server: $upstream_http_server";