Run traefik as dockeruser, and without host networking

This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure!
2022-01-15 23:44:06 +00:00
parent 1348eb8b1c
commit d5c7d94ac8
17 changed files with 150 additions and 6 deletions
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@ -3,7 +3,7 @@ version: "2.3"
 services:
  traefik:
    image: traefik:v2.5
-    network_mode: host
+    user: "{{ docker_user.id }}"
    environment:
      - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
    volumes:
@ -11,3 +11,30 @@ services:
      - /tmp/traefik-logs:/var/log/traefik
      - ./traefik:/etc/traefik
    restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+      - "{{ private_ip }}:8080:8080"
+    depends_on:
+      - docker_proxy
+    networks:
+      - default
+      - traefik
+      - proxy_private
+
+  docker_proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - INFO=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - proxy_private
+
+networks:
+  traefik:
+    external: true
+  proxy_private:
+    internal: true
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -32,21 +32,22 @@ entryPoints:
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
  traefik:
-    address: "{{ private_ip }}:8080"
+    address: :8080

 ping: {}

 providers:
  docker:
-    endpoint: unix:///var/run/docker.sock
+    endpoint: tcp://docker_proxy:2375
    watch: true
    exposedByDefault: false
+    network: traefik
  file:
    directory: /etc/traefik/conf
 {% if with_traefik_pages %}
  http:
    endpoint:
-      - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider"
+      - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider"
 {% endif %}

 api:
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@ -1,3 +1,9 @@
+- name: Create network
+  docker_network:
+    name: traefik
+    internal: true
+  become: true
+
 - name: Create install directory
  file:
    path: /opt/traefik
@ -11,6 +17,7 @@
    path: /opt/traefik/traefik/
    state: directory
    mode: "{{ docker_compose_directory_mask }}"
+    owner: "{{ docker_user.name }}"
  become: true

 - name: Create file provider directory
@ -18,6 +25,7 @@
    path: /opt/traefik/traefik/conf
    state: directory
    mode: "{{ docker_compose_directory_mask }}"
+    owner: "{{ docker_user.name }}"
  become: true

 - name: Install compose file