From 3f7ea3db7e535f9ef20ea6421c08093d0b162b71 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 31 Jan 2023 09:51:50 +0100 Subject: [PATCH] only expose treafik dashboard on private networks --- README.md | 6 +++--- roles/blog/meta/main.yml | 4 ++++ roles/traefik/files/basic_auth_users | 9 --------- roles/traefik/tasks/main.yml | 4 ---- roles/traefik/templates/docker-compose.yml.j2 | 5 ++--- 5 files changed, 9 insertions(+), 19 deletions(-) create mode 100644 roles/blog/meta/main.yml delete mode 100644 roles/traefik/files/basic_auth_users diff --git a/README.md b/README.md index b1a3693..27eb081 100644 --- a/README.md +++ b/README.md @@ -31,10 +31,10 @@ All services below are running under Docker, except NSD and Borg. ## TODO -- Forward to https not working correctly yet. I think it works now? Should check it. -- Expose treafik dashboard only on local network - Clear view of what services + which versions we are running. This way, we can track security updates better. -- Mastodon links verifications +- Delegate pim.kunis.nl to my server +- Host tobb website? +- Move from Ubuntu to Debian ### NSD diff --git a/roles/blog/meta/main.yml b/roles/blog/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/blog/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/roles/traefik/files/basic_auth_users b/roles/traefik/files/basic_auth_users deleted file mode 100644 index e26bc55..0000000 --- a/roles/traefik/files/basic_auth_users +++ /dev/null 
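Review bot: The new `roles/blog/meta/main.yml` has no `---` document-start marker; Ansible role files conventionally begin with one and yamllint's `document-start` rule flags its absence, so `---` as the first line would match that convention (assuming the other role files in this repository use it — none is visible here). The added dependency on the `traefik` role is also unrelated to what the subject line describes; a one-line mention of it in the commit message would help anyone bisecting later.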
@@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -33333836626532396564616664353836636164386437323234333464336432663266663038313138 -3563663134333236366433636134653965393932343362360a306236343538663836633761353262 -65353961376230333530616465353735626232373132613635653162353634353865386638633365 -3762636464663532360a633162646365653764666563383632393738343931656366343336653437 -36656535346432313036323433396432303563663836303964643731326364306530636332346163 -36353034366562386664376565316339616466323133303464326637366432623164666332313762 -38663138613534363361376161376363666134336466303436643035356438303832333639373266 -62313730633763633066 diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index e589108..d190b3f 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml @@ -20,10 +20,6 @@ copy: src: "{{ role_path }}/files/services.toml" dest: "{{ service_dir }}/services.toml" -- name: Copy basic_auth_users file - copy: - src: "{{ role_path }}/files/basic_auth_users" - dest: "{{ service_dir }}/basic_auth_users" - name: Create traefik network docker_network: name: "traefik" diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index cfc1843..7db26ed 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -18,7 +18,6 @@ services: - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml - {{ service_dir }}/services.toml:/etc/traefik/services.toml - {{ service_dir }}/acme.json:/acme.json - - {{ service_dir }}/basic_auth_users:/basic_auth_users networks: - traefik labels: 
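Review bot: Dropping the `Copy basic_auth_users file` task in `roles/traefik/tasks/main.yml` stops deploying the file but does not remove the copy already present on hosts that ran the earlier version, so the hashed-credential file stays at `{{ service_dir }}/basic_auth_users` even though nothing mounts it any more (the bind mount is removed in the `docker-compose.yml.j2` hunk that follows). A `file` task with `state: absent` at the same spot would clean it up on the next run and can be dropped again once every host has converged. The task list continues both before and after this hunk.

```yaml
# … unchanged: copy services.toml task …
- name: Remove stale basic_auth_users file
  file:
    path: "{{ service_dir }}/basic_auth_users"
    state: absent
# … unchanged: Create traefik network task …
```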
@@ -35,5 +34,5 @@ services: - traefik.http.routers.traefik.tls=true - traefik.http.routers.traefik.tls.certresolver=pizzapim - traefik.http.routers.traefik.service=api@internal - - traefik.http.routers.traefik.middlewares=basic-auth - - traefik.http.middlewares.basic-auth.basicauth.usersfile=/basic_auth_users + - traefik.http.routers.traefik.middlewares=whitelist-local + - "traefik.http.middlewares.whitelist-local.ipwhitelist.sourcerange=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1,fc00::/7"
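Review bot: The `ipwhitelist.sourcerange` on the last line is only as strong as the source address Traefik actually sees: if the entrypoints are published through Docker port mapping rather than host networking (not visible in this hunk), external connections can arrive with a Docker bridge address as their source, which falls inside the `172.16.0.0/12` entry and would make the allow-list effectively open to the Internet. Before relying on it, confirm from the Traefik access log which address an Internet-side request shows, and narrow the list to the actual LAN prefix (plus the Docker subnet only if that is intended) rather than all of RFC 1918 and `fc00::/7`. Note also that replacing `basic-auth` with the allow-list leaves `api@internal` with no authentication at all — any device on an allowed range, presumably including other containers on the `traefik` network, reaches the dashboard; chaining both middlewares, `traefik.http.routers.traefik.middlewares=whitelist-local,basic-auth`, would keep defence in depth. The `services:` block this hunk belongs to starts outside the hunk.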