ssl / tsl and storage of document

2024-12-30 11:37:55 +01:00 · 2024-12-30 11:37:55 +01:00 · c6b32d6005
commit c6b32d6005
parent bf2e38ad51
7 changed files with 74 additions and 7 deletions
--- a/tasks/chill/main.yml
+++ b/tasks/chill/main.yml
@ -54,5 +54,15 @@
    - lexik_jwt_authentication.yaml
    - messenger.yaml
    - monolog.yaml
+    - chill_doc_store.yaml
+    - framework.yaml
  loop_control:
    loop_var: file
+
+- name: Create directory for storing data
+  ansible.builtin.file:
+    path: "{{ doc_storage_dir }}/{{ item['chill_environment'] }}"
+    owner: "82"
+    group: "82"
+    mode: '0766'
+    state: directory
--- a/tasks/chill/self_signed.yml
+++ b/tasks/chill/self_signed.yml
@ -0,0 +1,18 @@
+
+- name: Create directory for storing certificates
+  ansible.builtin.file:
+    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}"
+    state: directory
+    owner: "{{ as_user }}"
+    mode: '0400'
+
+- name: Create private key
+  community.crypto.openssl_privatekey:
+    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
+
+- name: Create self signed certificate
+  community.crypto.x509_certificate:
+    privatekey_path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
+    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/cert.pem"
+    provider: selfsigned
+
--- a/tasks/traefik.yml
+++ b/tasks/traefik.yml
@ -13,3 +13,10 @@
    owner: "{{ as_user }}"
  notify:
    - Restart traefik
+
+- name: Create directory for storing certificates
+  ansible.builtin.file:
+    path: "/var/traefik/certs"
+    state: directory
+    owner: "{{ as_user }}"
+    mode: '0400'
--- a/templates/compose.yaml
+++ b/templates/compose.yaml
@ -6,13 +6,19 @@ services:
            - app:php
        labels:
            - "traefik.enable=true"
-            - "traefik.http.routers.frontend-{{ item.chill_environment }}.rule=Host(`{{ item.host }}`)"
-            - "traefik.http.routers.frontend-{{ item.chill_environment }}.entrypoints=web"
            - "traefik.docker.network=traefik"
-        {% if item.expose_port is not false -%}
-        ports:
-            - "{{ item.expose_port }}:80"
-        {% endif -%}
+            - "traefik.http.routers.frontend-{{ item.chill_environment }}.rule=Host(`{{ item.host }}`)"
+            - "traefik.http.routers.frontend-{{ item.chill_environment }}.entrypoints=websecure"
+            {%+ if item.tls_config == 'self_signed' +%}
+            - "traefik.http.routers.frontend-{{ item.chill_environment }}.tls=true"
+            {%+ endif +%}
+            {%+ if item.expose_port is not false +%}
+            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.rule=PathPrefix(`/`)"
+            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.entrypoints=chill{{ item.chill_environment }}"
+            {%+ if item.tls_config == 'self_signed' +%}
+            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.tls=true"
+            {%+ endif +%}
+            {%+ endif +%}
        networks:
            - traefik
            - default
@ -25,6 +31,7 @@ services:
            - './config/prod:/var/www/app/config/packages/prod:ro'
            - './var:/var/www/app/var:rw'
            - '/var/logs/chill:/var/www/app/logs'
+            - '{{ doc_storage_dir }}/{{ item['chill_environment'] }}:/var/storage'
        links:
            - redis
            - relatorio
--- a/templates/config/prod/chill_doc_store.yaml
+++ b/templates/config/prod/chill_doc_store.yaml
@ -0,0 +1,3 @@
+chill_doc_store:
+    local_storage:
+        storage_path: '/var/storage'
--- a/templates/config/prod/framework.yaml
+++ b/templates/config/prod/framework.yaml
@ -0,0 +1,3 @@
+framework:
+    trusted_proxies: '172.150.0.0/24'
+    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
--- a/templates/traefik-compose.yaml
+++ b/templates/traefik-compose.yaml
@ -13,17 +13,36 @@ services:
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
+      {%+ for c in chills +%}
+      {%+ if c.expose_port is not false +%}
+      - "--entryPoints.chill{{ c.chill_environment }}.address=:{{ c.expose_port }}"
+      {% endif +%}
+      {% endfor +%}
+
    ports:
      # The HTTP port
      - "80:80"
+      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
+      {% for c in chills +%}
+      {% if c.expose_port is not false +%}
+      - "{{ c.expose_port }}:{{ c.expose_port }}"
+      {% endif +%}
+      {%+ endfor +%}
+
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/traefik/certs:/var/traefik/certs
    networks:
      - traefik

 networks:
  traefik:
    name: traefik
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.150.0.0/24