From c20d74af7904d2a867ee2749b39de2cbe2df332a Mon Sep 17 00:00:00 2001
From: Aine
Date: Fri, 21 Apr 2023 12:45:32 +0300
Subject: [PATCH 1/2] buscarron and honoroit - add basic auth for metrics

---
 .../matrix-bot-buscarron/defaults/main.yml | 15 ++++++++++++
 .../tasks/setup_install.yml | 22 ++++++++++++++++++
 .../matrix-bot-buscarron/templates/labels.j2 | 23 ++++++++++++++++++-
 .../matrix-bot-honoroit/defaults/main.yml | 15 ++++++++++++
 .../tasks/setup_install.yml | 22 ++++++++++++++++++
 .../matrix-bot-honoroit/templates/labels.j2 | 23 ++++++++++++++++++-
 6 files changed, 118 insertions(+), 2 deletions(-)

diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml
index 0596c440f..7a31514b9 100644
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@@ -14,6 +14,10 @@ matrix_bot_buscarron_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_path_prefix: /
 
+# The path at which Buscarron will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_buscarron_metrics_path: /metrics
+
 matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
 matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
 matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
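Review bot: The comment above `matrix_bot_buscarron_metrics_path` was carried over from the path-prefix setting, but this value feeds an exact `Path()` match in the new `matrix_bot_buscarron_container_labels_traefik_metrics_rule`, so `/` is not a sensible option here: it would send the site root to the metrics router. Suggest `# The path at which Buscarron exposes metrics. Matched exactly by the Traefik metrics router, so it must start with a slash and must not be `/`.` The value is also not combined with `matrix_bot_buscarron_path_prefix`; if the bot serves metrics beneath its prefix rather than at the host root, the rule as written would not match — worth confirming against the application. The honoroit hunk `@@ -11,6 +11,10 @@` carries the same comment.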
@@ -36,6 +40,15 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_buscarron_container_additional_networks: []
 
+# enable basic auth for metrics
+matrix_bot_buscarron_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd"
+# username
+matrix_bot_buscarron_basicauth_user: ''
+# password
+matrix_bot_buscarron_basicauth_password: ''
+
 # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@@ -46,6 +59,8 @@ matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron
 # The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}"
 matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}"
+matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)"
 matrix_bot_buscarron_container_labels_traefik_priority: 0
 matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure
 matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}"
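Review bot: `matrix_bot_buscarron_basicauth_enabled: false` needs a comment that states the consequence of the default: the dedicated metrics router in `labels.j2` is only emitted when this flag is on, so otherwise the metrics path is served by the ordinary router — and when `matrix_bot_buscarron_path_prefix` is `/` that router's rule is just `Host(...)`, i.e. metrics stay reachable without authentication. Suggest `# Enable HTTP basic auth for the metrics endpoint. When disabled, no dedicated metrics router is created and the metrics path is served by the main router without authentication.` Nothing in this series asserts that `matrix_bot_buscarron_basicauth_user` and `matrix_bot_buscarron_basicauth_password` are non-empty when the flag is enabled; a validation task should fail early instead of letting the htpasswd task run with an empty username. The honoroit hunk `@@ -34,6 +38,15 @@` has the same gap.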
diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
index 1c2c62e14..2c478e459 100644
--- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
@@ -40,6 +40,20 @@
     - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
   when: "item.when | bool"
 
+- name: Determine basicauth filename
+  set_fact:
+    matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    name: "{{ matrix_bot_buscarron_basicauth_user }}"
+    password: "{{ matrix_bot_buscarron_basicauth_password }}"
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
@@ -51,6 +65,14 @@
     - env
     - labels
 
+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron image is pulled
   community.docker.docker_image:
     name: "{{ matrix_bot_buscarron_docker_image }}"
diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2
index 5a53805a5..6a1ead33d 100644
--- a/roles/custom/matrix-bot-buscarron/templates/labels.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2
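Review bot: `Generate basic auth file` passes the plaintext password as a module argument without `no_log: true`, so it is printed in verbose runs and kept in any recorded task result; add `no_log: true` to that task. The `matrix_bot_buscarron_basicauth_file_tmp` fact set just above it is never consumed — the htpasswd task, the `lookup('ansible.builtin.file', ...)` in `labels.j2` and the removal task all read `matrix_bot_buscarron_basicauth_file` — so hosts deployed in the same run share one `/tmp/matrix_bot_buscarron_htpasswd` on the controller and can overwrite each other's entry; either use `_file_tmp` in all three places or drop the fact. Because the file holds a credential hash in a shared temp directory, also pass `mode: "0600"` to `community.general.htpasswd`. The honoroit hunk `@@ -40,6 +40,20 @@` in its `setup_install.yml` has the same three issues.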
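Review bot: `Ensure temporary basic auth file is removed` only runs if every task between `Generate basic auth file` and itself succeeds, so a failed template render leaves the htpasswd file behind on the controller until the next run. Wrapping the generate/template/remove sequence in a `block` with the removal under `always` would bound that exposure. The honoroit hunk `@@ -51,6 +65,14 @@` has the same shape.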
@@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_n
 {% endif %}
 
 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}
 
 {% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
@@ -18,6 +19,11 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes=
 {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
 {% endif %}
 
+{% if matrix_bot_buscarron_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}
+{% endif %}
+
 {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
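Review bot: `{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}` snapshots `middlewares` before the `additional_response_headers` block that follows appends `matrix-bot-buscarron-add-headers`, so the buscarron metrics router never gets the custom response headers, whereas the honoroit template inserts the identical block after its `add-headers` block (hunk `@@ -25,6 +26,11 @@` in that `labels.j2`). Moving the basicauth block below the `additional_response_headers` block makes the two roles behave alike. It is also worth a one-line template comment that the rendered `basicauth.users` label embeds the htpasswd hash in the container's labels, readable by anyone who can inspect containers on the host; that is how the Traefik docker provider works, but operators should know the hash is not confined to the controller's temporary file.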
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_
 {% if matrix_bot_buscarron_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
 {% endif %}
-
 traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron
+traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_buscarron_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080
+{% endif %}
+
 {% endif %}
 
 {{ matrix_bot_buscarron_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml
index 5e90ef51f..ea93d55f2 100644
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
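Review bot: `traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080` declares a second service that nothing references — the metrics router is pointed at `service=matrix-bot-buscarron` a few lines above — so either drop that line or point the router at `matrix-bot-buscarron-metrics`. When `matrix_bot_buscarron_container_labels_traefik_priority` is non-zero both routers receive the same explicit priority; with a path prefix of `/` the main rule `Host(...)` also matches the metrics path, and as far as I can tell Traefik uses rule length only as the default priority, so the longer metrics rule no longer guarantees that the basicauth-protected router wins. Emitting `traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority | int + 1 }}` removes that ambiguity. The honoroit hunk `@@ -38,8 +44,23 @@` mirrors both points.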
@@ -11,6 +11,10 @@ matrix_bot_honoroit_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_path_prefix: /
 
+# The path at which honoroit will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_honoroit_metrics_path: /metrics
+
 matrix_bot_honoroit_container_image_self_build: false
 matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
@@ -34,6 +38,15 @@ matrix_bot_honoroit_container_network: matrix-bot-honoroit
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_honoroit_container_additional_networks: []
 
+# enable basic auth for metrics
+matrix_bot_honoroit_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd"
+# username
+matrix_bot_honoroit_basicauth_user: ''
+# password
+matrix_bot_honoroit_basicauth_password: ''
+
 # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@@ -44,6 +57,8 @@ matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_h
 # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
 matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}"
+matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
 matrix_bot_honoroit_container_labels_traefik_priority: 0
 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
 matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}"
diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
index 14b5a0e47..dc490e4c1 100644
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
@@ -40,6 +40,20 @@
     - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
   when: "item.when | bool"
 
+- name: Determine basicauth filename
+  set_fact:
+    matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    name: "{{ matrix_bot_honoroit_basicauth_user }}"
+    password: "{{ matrix_bot_honoroit_basicauth_password }}"
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
@@ -51,6 +65,14 @@
     - env
     - labels
 
+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit image is pulled
   community.docker.docker_image:
     name: "{{ matrix_bot_honoroit_docker_image }}"
diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2
index f03af34a2..7943e00f1 100644
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2
@@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_ne
 {% endif %}
 
 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}
 
 {% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$
@@ -25,6 +26,11 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh
 {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
 {% endif %}
 
+{% if matrix_bot_honoroit_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
+{% endif %}
+
 traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_la
 {% if matrix_bot_honoroit_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
 {% endif %}
-
 traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit
+traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_honoroit_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
+{% endif %}
+
 {% endif %}
 
 {{ matrix_bot_honoroit_container_labels_additional_labels }}

From f0be907971aeafd07b072e566628229e7bacf0e8 Mon Sep 17 00:00:00 2001
From: Aine
Date: Fri, 21 Apr 2023 12:48:50 +0300
Subject: [PATCH 2/2] create honoroit docker network

---
 roles/custom/matrix-bot-honoroit/tasks/setup_install.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
index dc490e4c1..5336e85dc 100644
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
@@ -108,6 +108,11 @@
       pull: true
   when: "matrix_bot_honoroit_container_image_self_build | bool"
 
+- name: Ensure honoroit container network is created
+  community.general.docker_network:
+    name: "{{ matrix_bot_honoroit_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-bot-honoroit.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2"
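Review bot: `community.general.docker_network` is the legacy redirect name; this file already uses the `community.docker` collection (`community.docker.docker_image` in the `Ensure honoroit image is pulled` task of the first patch), so write `community.docker.docker_network:` here for consistency and to stay off the deprecated path. The buscarron role receives no equivalent network-creation task in this series even though its labels also reference a Traefik docker network; worth confirming that its existing tasks already create `matrix_bot_buscarron_container_network`.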