fix(traefik): set up certitifcate resolver

2022-04-23 16:11:38 +01:00 · 2022-04-23 16:11:38 +01:00 · 3669606b44
commit 3669606b44
parent 0f8c243682
5 changed files with 36 additions and 6 deletions
--- a/files/compose/docker-compose.yaml
+++ b/files/compose/docker-compose.yaml
@ -50,10 +50,10 @@ services:
      source: "/etc/localtime"
      target: "/etc/localtime"
      read_only: true
-    # For TLS certificate
-    #- type: "bind"
-    #  source: ""
-    #  target: ""
+    # Traefik TLS volume
+    - type: "bind"
+      source: "${TRAEFIK_TLS_HOST_DIR}"
+      target: "${TRAEFIK_TLS_CONTAINER_DIR}"
  # -- Code flow --
  gitea:
    container_name: "code-flow"
--- a/files/gitea/dynamic_git.yaml
+++ b/files/gitea/dynamic_git.yaml
@ -6,7 +6,8 @@ http:
      - "https"
      rule: "Host(`${GITEA_DOMAIN}`)"
      service: "git"
-      tls: {}
+      tls:
+        certResolver: resolver
  services:
    git:
      loadBalancer:
--- a/files/scripts/bootstrap.sh
+++ b/files/scripts/bootstrap.sh
@ -98,6 +98,16 @@ while [[ $# -gt 0 ]]; do
            shift
            shift
            ;;
+        --traefik-acme-ca-server)
+            TRAEFIK_ACME_CA_SERVER=$2
+            shift
+            shift
+            ;;
+        --traefik-acme-email)
+            TRAEFIK_ACME_EMAIL=$2
+            shift
+            shift
+            ;;
        *)
            # unknown argument
            shift
@ -138,12 +148,22 @@ export TRAEFIK_LOG_LEVEL="${TRAEFIK_LOG_LEVEL:-info}"
 export TRAEFIK_SEND_ANONYMOUS_USAGE="${TRAEFIK_SEND_ANONYMOUS_USAGE:-false}"
 export TRAEFIK_VERSION="${TRAEFIK_VERSION:-v2.6.3}"
 export TRAEFIK_CONTAINER_IPV4_ADDRESS="${TRAEFIK_CONTAINER_IPV4_ADDRESS:-172.20.0.2}"
+export TRAEFIK_ACME_CA_SERVER="${TRAEFIK_ACME_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+export TRAEFIK_ACME_EMAIL="${TRAEFIK_ACME_EMAIL:-admin@localhost}"
 export TRAEFIK_SHARED_MOUNT_POINT="/flow/shared/traefik"
+export TRAEFIK_TLS_HOST_DIR="/mnt/flow/traefik/tls"
+export TRAEFIK_TLS_CONTAINER_DIR="/flow/traefik/tls"

 mkdir -p "${DOCKER_ROOT}"
 envsubst < "${ROOT_SETUP_DIRECTORY}/template/compose/docker-compose.yaml" > "${DOCKER_ROOT}/docker-compose.yaml"

 ## -- Traefik setup section --
+if ! [ -d ${TRAEFIK_TLS_HOST_DIR} ]; then
+    mkdir -p ${TRAEFIK_TLS_HOST_DIR}
+    chown root:root ${TRAEFIK_TLS_HOST_DIR}
+    chmod a-rwx,u+rwx ${TRAEFIK_TLS_HOST_DIR}
+fi
+
 mkdir -p "${TRAEFIK_DOCKER_DIR}"
 cp "${ROOT_SETUP_DIRECTORY}/template/traefik/Dockerfile" "${TRAEFIK_DOCKER_DIR}/Dockerfile"

--- a/files/traefik/dynamic_dashboard.yaml
+++ b/files/traefik/dynamic_dashboard.yaml
@ -6,4 +6,5 @@ http:
      - "https"
      rule: "Host(`${ROOT_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: "api@internal"
-      tls: {}
+      tls:
+        certResolver: resolver
--- a/files/traefik/traefik.yaml
+++ b/files/traefik/traefik.yaml
@ -23,5 +23,13 @@ providers:
  file:
    watch: true
    directory: "${TRAEFIK_SHARED_MOUNT_POINT}/dynamic"
+certificatesResolvers:
+  resolver:
+    acme:
+      caServer: "${TRAEFIK_ACME_CA_SERVER}"
+      email: "${TRAEFIK_ACME_EMAIL}"
+      storage: "${TRAEFIK_TLS_CONTAINER_DIR}/acme.json"
+      keyType: "RSA4096"
+      tlsChallenge: {}
 log:
  level: "${TRAEFIK_LOG_LEVEL}"