dogeystamp
864c1bdfd3
Docker is now listening on localhost, with a haproxy on the services server to forward the ports outwards. This is because Docker tends to disregard UFW's rules, but haproxy should be better in that regard. Meanwhile, the firewall rules have been configured properly to only allow the bastion IP in over the WireGuard connection, for proper authentication.
49 lines
1.0 KiB
YAML

```yaml
---

- name: Install haproxy package
  community.general.pacman:
    name:
      - haproxy

# service_ip is the address haproxy binds on; over WireGuard that is the VPN
# address, otherwise the host's local address
- name: Figure out local IP address
  set_fact:
    service_ip: "{{ vpn_ip if wireguard_services else local_ip }}"

# for info about this, see top of roles/containers/templates/docker-compose.yml.j2
# haproxy_services is consumed by the haproxy.cfg templates deployed below
- name: Enumerate services to forward
  set_fact:
    haproxy_services:
      - name: gitea
        ports:
          - 2498
          - 3000
      - name: navidrome
        ports:
          - 4533
      - name: synapse
        ports:
          - 8008
      - name: paperless
        ports:
          - 8000

- name: Deploy haproxy config (bastion)
  template:
    src: haproxy.cfg.bastion.j2
    dest: /etc/haproxy/haproxy.cfg
    lstrip_blocks: true
  when: '"bastion" in group_names'

- name: Deploy haproxy config (fleet)
  template:
    src: haproxy.cfg.fleet.j2
    dest: /etc/haproxy/haproxy.cfg
    lstrip_blocks: true
  when: '"fleet" in group_names'

- name: Enable haproxy service
  systemd:
    name: haproxy
    enabled: yes
    state: started
```
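The tasks above set `service_ip` and `haproxy_services` and then render `haproxy.cfg.fleet.j2`, but that template itself is not on this page. The following is an added example of what such a template could look like; it is not the repository's own file. It assumes only the two variables the tasks define and the layout the commit message describes: Docker publishes each container port on 127.0.0.1 only, and haproxy is the single process that listens on the externally reachable address. The frontend and backend names are made up for the example.

```jinja
{# Added example template, not the repository's haproxy.cfg.fleet.j2.
   Assumes the variables set by the tasks: service_ip (address to bind on)
   and haproxy_services (list of {name, ports}). Rendered with
   lstrip_blocks: true, so the indented block tags leave no stray spaces. #}
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

{% for svc in haproxy_services %}
{% for port in svc.ports %}
# {{ svc.name }} on port {{ port }}: accept connections only on the
# service address and hand them to the container, which Docker publishes
# on the loopback interface and which is therefore not reachable directly
frontend {{ svc.name }}_{{ port }}_in
    bind {{ service_ip }}:{{ port }}
    default_backend {{ svc.name }}_{{ port }}_out

backend {{ svc.name }}_{{ port }}_out
    server local 127.0.0.1:{{ port }} check
{% endfor %}
{% endfor %}
```

Two points worth checking after a deploy. First, the protection only holds if every container port really is published on loopback, i.e. a `127.0.0.1:3000:3000`-style mapping rather than `3000:3000`; a plain mapping makes Docker add its own iptables rules in front of UFW, which is the behaviour the commit message is working around. Second, `ss -tlnp` on the host should show the container ports bound to `127.0.0.1` and haproxy bound to `service_ip` only, with nothing from the list on `0.0.0.0` or `[::]`. `mode tcp` is used so the same template serves every listed port regardless of the application protocol behind it, and binding on `service_ip` rather than `*` keeps haproxy off any interface the firewall was not written for.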