Changes by cal: Migrate to traefik, update matrix

3 weeks ago · 89f15064e2
parent 97b77b5d5f
commit 89f15064e2
4 changed files with 73 additions and 24 deletions
--- a/docker-containers/keycloak/docker-compose.yml
+++ b/docker-containers/keycloak/docker-compose.yml
@ -29,19 +29,24 @@ services:
      - KC_HOSTNAME=auth.cttue.de
      - KC_HOSTNAME_STRICT_HTTPS=false
      - KC_PROXY=edge
-      - KC_HTTP_ENABLED=true
-      - KC_HOSTNAME_STRICT=false
      - KC_FEATURES=account2,account-api
-      - VIRTUAL_HOST=auth.cttue.de
      - VIRTUAL_PORT=8080
-      - LETSENCRYPT_HOST=auth.cttue.de
    restart: always
    networks:
      - local-keycloak
-      - cttue_web_services
-
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik
+      - traefik.http.routers.keycloak.entrypoints=web-secure
+      - traefik.http.routers.keycloak.service=keycloak
+      - traefik.http.routers.keycloak.rule=Host(`auth.cttue.de`)
+      - traefik.http.routers.keycloak.tls=true
+      - traefik.http.routers.keycloak.tls.certResolver=default
+      - traefik.http.routers.keycloak.tls.domains[0]=cttue.de
+      - traefik.http.routers.keycloak.tls.domains[0].sans=auth.cttue.de
+      - traefik.http.services.keycloak.loadbalancer.server.port=8080
 networks:
-  cttue_web_services:
-    external: true
  local-keycloak:
-
+  traefik:
+   external: true
--- a/docker-containers/nextcloud/docker-compose.yml
+++ b/docker-containers/nextcloud/docker-compose.yml
@ -30,9 +30,21 @@ services:
      - LETSENCRYPT_HOST=cloud.cttue.de
    volumes:
      - ./nextcloud-data:/var/www/html:z
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik
+      - traefik.http.routers.cloud.entrypoints=web-secure
+      - traefik.http.routers.cloud.service=cloud
+      - traefik.http.routers.cloud.rule=Host(`cloud.cttue.de`)
+      - traefik.http.routers.cloud.tls=true
+      - traefik.http.routers.cloud.tls.certResolver=default
+      - traefik.http.routers.cloud.tls.domains[0]=cttue.de
+      - traefik.http.routers.cloud.tls.domains[0].sans=cloud.cttue.de
+      - traefik.http.services.cloud.loadbalancer.server.port=80
    networks:
      cttue_web_services:
      backend:
+      traefik:
    depends_on:
      - nc_db

@ -41,4 +53,6 @@ networks:
    external: true
  # Internal network for communication with MySQL
  backend:
+  traefik:
+    external: true

--- a/docker-containers/pad/docker-compose.yml
+++ b/docker-containers/pad/docker-compose.yml
@ -39,6 +39,30 @@ services:
      - VIRTUAL_HOST=pad.cttue.de
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=pad.cttue.de
+    labels:
+      - "traefik.enable=true"
+
+      # Router for HTTP (redirects to HTTPS)
+      - "traefik.http.routers.pad.rule=Host(`pad.cttue.de`)"
+      - "traefik.http.routers.pad.entrypoints=web"
+      - "traefik.http.routers.pad.middlewares=redirect-to-https"
+
+      # Router for HTTPS
+      - "traefik.http.routers.pad-secure.rule=Host(`pad.cttue.de`)"
+      - "traefik.http.routers.pad-secure.entrypoints=websecure"
+      - "traefik.http.routers.pad-secure.tls.certresolver=http"
+
+      # Define service and backend port (matching old upstream: port 3000)
+      - "traefik.http.services.pad.loadbalancer.server.port=3000"
+
+      # Redirect middleware (HTTP -> HTTPS)
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # Security Headers (Optional, mimics your Nginx security settings)
+      - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
+      - "traefik.docker.network=cttue_web_services"
    volumes:
      - ./uploads:/hedgedoc/public/uploads
    networks:
--- a/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml
+++ b/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml
@ -15,8 +15,8 @@ matrix_server_fqn_element: "element.cttue.de"
 matrix_homeserver_implementation: synapse

 # docker already installed
-matrix_docker_installation_enabled: true
-
+#matrix_docker_installation_enabled: true # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_playbook_docker_installation_enabled: true
 # A secret used as a base, for generating various other secrets.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iUET5UXgG3ku8IPbVsDvxKICQ"
@ -25,25 +25,25 @@ matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iU
 #
 # The playbook creates additional Postgres users and databases (one for each enabled service)
 # using this superuser account.
-matrix_postgres_connection_password: "SIHm7TtFF1ntGxKu"
+postgres_connection_password: "SIHm7TtFF1ntGxKu"

 #################### jwilder/nginx-proxy related ###################

 # Disable generation and retrieval of SSL certs
-matrix_ssl_retrieval_method: none
+# matrix_ssl_retrieval_method: none # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Configure Nginx to only use plain HTTP
-matrix_nginx_proxy_https_enabled: false
+# matrix_nginx_proxy_https_enabled: false # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Don't bind any HTTP or federation port to the host
-matrix_nginx_proxy_container_http_host_bind_port: ""
-matrix_nginx_proxy_container_federation_host_bind_port: ""
+# matrix_nginx_proxy_container_http_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+# matrix_nginx_proxy_container_federation_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
-matrix_nginx_proxy_trust_forwarded_proto: true
+# matrix_nginx_proxy_trust_forwarded_proto: true # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Trust and use the other reverse proxy's `X-Forwarded-For` header.
-matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for"
+# matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for" # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Disable Coturn because it needs SSL certs
 # (Clients can, though exposing IP address, use Matrix.org TURN)
@ -68,13 +68,16 @@ matrix_coturn_tls_cert_path: "/certs/fullchain.pem"
 matrix_coturn_tls_key_path: "/certs/key.pem"

 # All containers need to be on the same Docker network as nginx-proxy
-matrix_docker_network: "cttue_web_services"
-matrix_coturn_docker_network: "cttue_web_services"
+#matrix_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_homeserver_container_network: "cttue_web_services"
+# matrix_coturn_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_coturn_container_network: "cttue_web_services"

-matrix_nginx_proxy_container_extra_arguments:
-  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
-  - '-e "VIRTUAL_PORT=8080"'
-  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+# this one was changed during the upgrade - 30. Jan 2025 - Cal
+# matrix_nginx_proxy_container_extra_arguments:
+#  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+#  - '-e "VIRTUAL_PORT=8080"'
+#  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'

 # change federation to 443
 matrix_synapse_http_listener_resource_names: ["client", "federation"]
@ -115,3 +118,6 @@ matrix_synapse_configuration_extension_yaml: |
          email_template: "{% raw %}{{ user.email }}{% endraw %}"


+# config for traefik
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+traefik_config_certificatesResolvers_acme_email: pascal@cttue.de