From 675ea17041143228614c0cbee464e5d64c263c43 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 23 Jul 2025 14:32:12 +0100
Subject: [PATCH] Replace `nginx` with `traefik` on `walker`

---
ansible/files/nginx-docker.conf | 26 ------------------
ansible/host_vars/walker/main.yml | 14 +--------
ansible/main.yml | 4 +-
.../roles/comentario/files/docker-compose.yml | 8 ++++--
ansible/roles/comentario/tasks/main.yml | 11 --------
.../roles/coredns_docker_proxy/files/Corefile | 21 ---------------
.../files/docker-compose.yml | 15 ----------
.../coredns_docker_proxy/handlers/main.yml | 4 ---
.../roles/coredns_docker_proxy/tasks/main.yml | 27 ------------------
ansible/roles/nginx/defaults/main.yml | 1 -
.../nginx/files/includes/docker-resolver.conf | 2 --
.../roles/plausible/files/docker-compose.yml | 16 +++++++++--
ansible/roles/plausible/tasks/main.yml | 13 ---------
ansible/roles/slides/files/docker-compose.yml | 7 +++--
ansible/roles/slides/tasks/main.yml | 13 ---------
ansible/roles/traefik/files/traefik.yml | 5 +++-
.../roles/website/files/docker-compose.yml | 7 +++--
ansible/roles/website/tasks/main.yml | 13 ---------
18 files changed, 36 insertions(+), 171 deletions(-)
delete mode 100644 ansible/files/nginx-docker.conf
delete mode 100644 ansible/roles/coredns_docker_proxy/files/Corefile
delete mode 100644 ansible/roles/coredns_docker_proxy/files/docker-compose.yml
delete mode 100644 ansible/roles/coredns_docker_proxy/handlers/main.yml
delete mode 100644 ansible/roles/coredns_docker_proxy/tasks/main.yml
delete mode 100644 ansible/roles/nginx/files/includes/docker-resolver.conf

diff --git a/ansible/files/nginx-docker.conf b/ansible/files/nginx-docker.conf
deleted file mode 100644
index 4eb2f3d..0000000
--- a/ansible/files/nginx-docker.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# {{ ansible_managed }}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name {{ server_name }};
- set $upstream {{ upstream }};
-
- access_log /var/log/nginx/{{ server_name|split|first }}.log main;
-
- ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
- ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
- ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
- include includes/ssl.conf;
-
- include includes/docker-resolver.conf;
-
- location / {
- proxy_pass http://$upstream;
-
- {%- if location_extra is defined +%}
- {{ location_extra }}
- {%- endif +%}
- }
-}
diff --git a/ansible/host_vars/walker/main.yml b/ansible/host_vars/walker/main.yml
index db55826..76fa751 100644
--- a/ansible/host_vars/walker/main.yml
+++ b/ansible/host_vars/walker/main.yml
@@ -3,16 +3,4 @@ private_ip: "{{ ansible_tailscale0.ipv4.address }}"
 restic_backup_locations:
 - /opt
-nginx_https_redirect: true
-
-certbot_certs:
- - domains:
- - theorangeone.net
- - jakehoward.tech
- - domains:
- - plausible.theorangeone.net
- - elbisualp.theorangeone.net
- - domains:
- - slides.jakehoward.tech
- - domains:
- - comentario.theorangeone.net
+traefik_http3: true
diff --git a/ansible/main.yml b/ansible/main.yml
index 38da2ce..6a7035b 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -50,6 +50,7 @@
 - hosts:
 - pve-docker
 - grimes
+ - walker
 roles:
 - traefik
@@ -105,9 +106,6 @@
 - hosts: walker
 roles:
- - nginx
- - geerlingguy.certbot
- - coredns_docker_proxy
 - plausible
 - restic
 - website
diff --git a/ansible/roles/comentario/files/docker-compose.yml b/ansible/roles/comentario/files/docker-compose.yml
index 992b1e5..6d3302e 100644
--- a/ansible/roles/comentario/files/docker-compose.yml
+++ b/ansible/roles/comentario/files/docker-compose.yml
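Review bot: Dropping `nginx_https_redirect: true` and the `certbot_certs` list moves TLS termination and the HTTP-to-HTTPS redirect for all four walker vhosts to the traefik role, but the only walker-side Traefik setting added is `traefik_http3: true` and none of the new compose labels names an entrypoint, `tls=true` or a certificate resolver. Whether these hosts stay HTTPS-only now rests entirely on the entrypoint redirect and `certificatesResolvers` in `ansible/roles/traefik/files/traefik.yml`, which this patch shows only in part, so it is worth verifying after deploy with `curl -sI http://comentario.theorangeone.net` (expect a redirect to https) and confirming the ACME store holds all four names. The deleted nginx vhost also included `includes/ssl.conf` and stapled OCSP via `ssl_trusted_certificate`; that hardening now has to come from Traefik's `tls.options`. A one-line comment by the new variable, e.g. `# TLS, redirect and certificates for walker's sites are handled by the traefik role`, would record the hand-off.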
@@ -7,7 +7,11 @@ services:
 - db
 networks:
 - default
- - coredns
+ - traefik
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.comentario.rule=Host(`comentario.theorangeone.net`)
+ - traefik.http.services.comentario-comentario.loadbalancer.server.port=80
 volumes:
 - ./secrets.yml:/comentario/secrets.yaml
 environment:
@@ -25,5 +29,5 @@ services:
 - POSTGRES_USER=comentario
 networks:
- coredns:
+ traefik:
 external: true
diff --git a/ansible/roles/comentario/tasks/main.yml b/ansible/roles/comentario/tasks/main.yml
index cdd7725..90debef 100644
--- a/ansible/roles/comentario/tasks/main.yml
+++ b/ansible/roles/comentario/tasks/main.yml
@@ -24,14 +24,3 @@
 mode: "600"
 owner: "{{ docker_user.name }}"
 notify: restart comentario
-
-- name: Install nginx config
- template:
- src: files/nginx-docker.conf
- dest: /etc/nginx/http.d/comentario.conf
- mode: "0644"
- notify: reload nginx
- vars:
- server_name: comentario.theorangeone.net
- upstream: comentario-comentario-1.docker:80
- ssl_cert_path: /etc/letsencrypt/live/comentario.theorangeone.net
diff --git a/ansible/roles/coredns_docker_proxy/files/Corefile b/ansible/roles/coredns_docker_proxy/files/Corefile
deleted file mode 100644
index 17e14f2..0000000
--- a/ansible/roles/coredns_docker_proxy/files/Corefile
+++ /dev/null
@@ -1,21 +0,0 @@
-. {
- errors
- cancel
-
- # Only allow requests to `.docker` records
- view docker {
- expr name() endsWith '.docker.'
- }
-
- # Strip the `.docker` suffix
- rewrite name suffix .docker . answer auto
-
- # Forward requests to Docker's DNS server
- forward . 127.0.0.11
-}
-
-. {
- acl {
- block
- }
-}
diff --git a/ansible/roles/coredns_docker_proxy/files/docker-compose.yml b/ansible/roles/coredns_docker_proxy/files/docker-compose.yml
deleted file mode 100644
index 46c73e3..0000000
--- a/ansible/roles/coredns_docker_proxy/files/docker-compose.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-services:
- coredns:
- image: coredns/coredns:latest
- restart: unless-stopped
- volumes:
- - ./Corefile:/Corefile:ro
- ports:
- - "{{ private_ip }}:53053:53/udp"
- networks:
- - default
- - coredns
-
-networks:
- coredns:
- external: true
diff --git a/ansible/roles/coredns_docker_proxy/handlers/main.yml b/ansible/roles/coredns_docker_proxy/handlers/main.yml
deleted file mode 100644
index 9277b60..0000000
--- a/ansible/roles/coredns_docker_proxy/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart coredns
- shell:
- chdir: /opt/coredns
- cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/coredns_docker_proxy/tasks/main.yml b/ansible/roles/coredns_docker_proxy/tasks/main.yml
deleted file mode 100644
index f781039..0000000
--- a/ansible/roles/coredns_docker_proxy/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: Create network
- docker_network:
- name: coredns
-
-- name: Create install directory
- file:
- path: /opt/coredns
- state: directory
- owner: "{{ docker_user.name }}"
- mode: "{{ docker_compose_directory_mask }}"
-
-- name: Install compose file
- template:
- src: files/docker-compose.yml
- dest: /opt/coredns/docker-compose.yml
- mode: "{{ docker_compose_file_mask }}"
- owner: "{{ docker_user.name }}"
- validate: docker-compose -f %s config
- notify: restart coredns
-
-- name: Install Corefile
- template:
- src: files/Corefile
- dest: /opt/coredns/Corefile
- mode: "{{ docker_compose_file_mask }}"
- owner: "{{ docker_user.name }}"
- notify: restart coredns
diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
index bc8db4a..39e84ef 100644
--- a/ansible/roles/nginx/defaults/main.yml
+++ b/ansible/roles/nginx/defaults/main.yml
@@ -1,2 +1 @@
 nginx_https_redirect: false
-docker_resolver_address: "{{ private_ip }}:53053"
diff --git a/ansible/roles/nginx/files/includes/docker-resolver.conf b/ansible/roles/nginx/files/includes/docker-resolver.conf
deleted file mode 100644
index 1378798..0000000
--- a/ansible/roles/nginx/files/includes/docker-resolver.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-resolver {{ docker_resolver_address }} valid=2s;
-resolver_timeout 5s;
diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml
index e679ce4..37b1a25 100644
--- a/ansible/roles/plausible/files/docker-compose.yml
+++ b/ansible/roles/plausible/files/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 - clickhouse
 networks:
 - default
- - coredns
+ - traefik
 environment:
 - SECRET_KEY_BASE={{ vault_plausible_secret_key }}
 - SIGNING_SALT={{ vault_plausible_signing_salt }}
@@ -27,6 +27,18 @@ services:
 - SMTP_USER_NAME={{ vault_plausible_smtp_user }}
 - SMTP_USER_PWD={{ vault_plausible_smtp_password }}
 - SMTP_HOST_SSL_ENABLED=true
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`)
+ - traefik.http.services.plausible-plausible.loadbalancer.server.port=8000 # https://github.com/plausible/analytics/pull/237
+
+ - traefik.http.routers.plausible-embed.rule=Host(`elbisualp.theorangeone.net`)
+ - traefik.http.routers.plausible-embed.service=plausible-plausible
+
+ # https://github.com/plausible/analytics/pull/340
+ - traefik.http.middlewares.plausible-index.replacepathregex.regex=/js/index.js
+ - traefik.http.middlewares.plausible-index.replacepathregex.replacement=/js/plausible.js
+ - traefik.http.routers.plausible-embed.middlewares=plausible-index
 clickhouse:
 image: clickhouse/clickhouse-server:24.12-alpine
@@ -54,5 +66,5 @@ services:
 - POSTGRES_USER=plausible
 networks:
- coredns:
+ traefik:
 external: true
diff --git a/ansible/roles/plausible/tasks/main.yml b/ansible/roles/plausible/tasks/main.yml
index 87e16d0..dfce771 100644
--- a/ansible/roles/plausible/tasks/main.yml
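Review bot: The `replacepathregex.regex=/js/index.js` on the `plausible-index` middleware is unanchored with an unescaped dot, whereas the nginx rule it replaces (`rewrite ^/js/index.js$ /js/plausible.js last;` in the deleted plausible task) was anchored; Traefik's ReplacePathRegex applies Go's `ReplaceAllString`, so a path such as `/anything/js/indexXjs/more` is rewritten too, not just the exact script path. Anchor and escape it, remembering that compose interpolates `$` so it must be doubled inside a label: `- traefik.http.middlewares.plausible-index.replacepathregex.regex=^/js/index\.js$$`. Note also that the middleware is attached only to `plausible-embed`, so `plausible.theorangeone.net/js/index.js` no longer gets the rewrite the shared nginx `location` applied to both server names; if that narrowing is intentional, a comment saying so would save the next reader a check.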
+++ b/ansible/roles/plausible/tasks/main.yml
@@ -30,16 +30,3 @@
 owner: "{{ docker_user.name }}"
 validate: docker-compose -f %s config
 notify: restart plausible
-
-- name: Install nginx config
- template:
- src: files/nginx-docker.conf
- dest: /etc/nginx/http.d/plausible.conf
- mode: "0644"
- notify: reload nginx
- vars:
- server_name: plausible.theorangeone.net elbisualp.theorangeone.net
- upstream: plausible-plausible-1.docker:8000
- ssl_cert_path: /etc/letsencrypt/live/plausible.theorangeone.net
- location_extra: |
- rewrite ^/js/index.js$ /js/plausible.js last;
diff --git a/ansible/roles/slides/files/docker-compose.yml b/ansible/roles/slides/files/docker-compose.yml
index e305a34..26a8f74 100644
--- a/ansible/roles/slides/files/docker-compose.yml
+++ b/ansible/roles/slides/files/docker-compose.yml
@@ -10,8 +10,11 @@ services:
 - ./slides:/srv
 networks:
 - default
- - coredns
+ - traefik
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.slides.rule=Host(`slides.jakehoward.tech`)
 networks:
- coredns:
+ traefik:
 external: true
diff --git a/ansible/roles/slides/tasks/main.yml b/ansible/roles/slides/tasks/main.yml
index 0dd08d9..ab1452a 100644
--- a/ansible/roles/slides/tasks/main.yml
+++ b/ansible/roles/slides/tasks/main.yml
@@ -28,16 +28,3 @@
 loop_control:
 label: "{{ item.user }}"
 notify: restart slides
-
-- name: Install nginx config
- template:
- src: files/nginx-docker.conf
- dest: /etc/nginx/http.d/slides.conf
- mode: "0644"
- notify: reload nginx
- vars:
- server_name: slides.jakehoward.tech
- upstream: slides-slides-1.docker:80
- ssl_cert_path: /etc/letsencrypt/live/slides.jakehoward.tech
- location_extra: |
- client_max_body_size 0;
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index 12e43b5..929003a 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
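Review bot: The `slides` router has no `traefik.http.services.slides-slides.loadbalancer.server.port` label, so Traefik routes to whatever port the image exposes (the lowest if it exposes several), while the nginx upstream this replaces was pinned to `slides-slides-1.docker:80`; `comentario` in this same patch sets the port explicitly, so do the same here with `- traefik.http.services.slides-slides.loadbalancer.server.port=80`. The dropped `client_max_body_size 0;` has no counterpart in the new labels; as far as I can tell Traefik imposes no request-body limit unless a `buffering` middleware is configured, so unlimited uploads are preserved, but a comment on the labels recording that would make the intent explicit. The `image:` line that would confirm the exposed port sits outside this hunk.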
@@ -42,7 +42,7 @@ entryPoints:
 readTimeout: 180s
 {% if traefik_http3 %}
 http3: {}
- {% end %}
+ {% endif %}
 traefik:
 address: :8080
@@ -95,3 +95,6 @@ tls:
 pilot:
 dashboard: false
+
+log:
+ level: INFO
diff --git a/ansible/roles/website/files/docker-compose.yml b/ansible/roles/website/files/docker-compose.yml
index 94eeabf..5d8638a 100644
--- a/ansible/roles/website/files/docker-compose.yml
+++ b/ansible/roles/website/files/docker-compose.yml
@@ -24,10 +24,13 @@ services:
 - ./cache:/tmp/nginx_cache
 networks:
 - default
- - coredns
+ - traefik
 depends_on:
 - db
 - redis
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.website.rule=Host(`theorangeone.net`) || Host(`jakehoward.tech`)
 db:
 image: postgres:14-alpine
@@ -54,5 +57,5 @@ services:
 - SENTRY_DSN={{ vault_spotify_sentry_dsn }}
 networks:
- coredns:
+ traefik:
 external: true
diff --git a/ansible/roles/website/tasks/main.yml b/ansible/roles/website/tasks/main.yml
index 3b6aadd..63e7e22 100644
--- a/ansible/roles/website/tasks/main.yml
+++ b/ansible/roles/website/tasks/main.yml
@@ -16,16 +16,3 @@
 owner: "{{ docker_user.name }}"
 validate: docker-compose -f %s config
 notify: restart website
-
-- name: Install nginx config
- template:
- src: files/nginx-docker.conf
- dest: /etc/nginx/http.d/website.conf
- mode: "0644"
- notify: reload nginx
- vars:
- server_name: theorangeone.net jakehoward.tech
- upstream: website-website-1.docker:8000
- ssl_cert_path: /etc/letsencrypt/live/theorangeone.net
- location_extra: |
- more_set_headers "Server: $upstream_http_server";
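Review bot: `log.level: INFO` configures Traefik's own process log, not request logging, and with `nginx-docker.conf` deleted the per-vhost `access_log /var/log/nginx/<name>.log main` entries for walker's sites are gone. Unless an `accessLog:` stanza already exists in the part of `traefik.yml` this hunk does not show, there is no longer any record of requests to these four hosts, which is a gap for incident response and abuse investigation. Add next to the new block, e.g. `accessLog:` / `  filePath: /var/log/traefik/access.log` / `  format: json`, with a comment noting it replaces the nginx access logs. The `entryPoints` mapping that the `{% endif %}` fix sits in begins before this hunk.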
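Review bot: The `website` router gets no `traefik.http.services.website-website.loadbalancer.server.port` label, so Traefik picks the port from the image's `EXPOSE` (the lowest if several are exposed), whereas the nginx upstream it replaces was explicitly `website-website-1.docker:8000`; `comentario` and `plausible` in this patch pin their ports with a label, so add `- traefik.http.services.website-website.loadbalancer.server.port=8000` for the same reason. The `image:` line that would show the exposed port is outside the hunk, so treat this as something to verify rather than assume. The nginx-only `more_set_headers "Server: $upstream_http_server";` is also dropped without a note; if forwarding the upstream `Server` header was deliberate, a short comment on the labels recording that it is no longer done would help.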