Merge branch 'secure-traefik-portainer' into 'main'

Secure traefik portainer See merge request !1

Merge branch 'secure-traefik-portainer' into 'main'
a40eca59 · Patrick MADELA · 85cc0374 · 97af7305 · a40eca59 · a40eca59
Commit a40eca59 authored 3 weeks ago by Patrick MADELA
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -8,45 +8,49 @@
    path: "/etc/ssl/certs"
    state: directory
    mode: "0644"
-  when: domain is defined
+  when: certificates is defined

 - name: Create ssl private keys directory
  ansible.builtin.file:
    path: "/etc/ssl/private"
    state: directory
    mode: "0600"
-  when: domain is defined
+  when: certificates is defined

 - name: Generate private key
  community.crypto.openssl_privatekey:
-    path: "/etc/ssl/private/{{ domain }}.key"
+    path: "/etc/ssl/private/{{ item.domain }}.key"
    size: 2048
-  when: domain is defined
+  loop: "{{ certificates }}"
+  when: certificates is defined

- name: Generate certificate signing request
+- name: Generate certificates signing request
  community.crypto.openssl_csr:
-    path: "/etc/ssl/certs/{{ domain }}.csr"
-    privatekey_path: "/etc/ssl/private/{{ domain }}.key"
-    common_name: "{{ domain }}"
+    path: "/etc/ssl/certs/{{ item.domain }}.csr"
+    privatekey_path: "/etc/ssl/private/{{ item.domain }}.key"
+    common_name: "{{ item.domain }}"
    country_name: FR
    state_or_province_name: ESSONNE
    locality_name: SAINT AUBIN
    organization_name: SYNCHROTRON-SOLEIL
    organizational_unit_name: ISAC
-    subject_alt_name: "{{ certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list }}"
-  when: domain is defined
+    subject_alt_name: "{{ item.certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list if item.certificate_aliases is defined else omit }}"
+  loop: "{{ certificates }}"
+  when: certificates is defined

 - name: Generate self-signed certificate
  community.crypto.x509_certificate:
-    path: "/etc/ssl/certs/{{ domain }}.crt"
-    privatekey_path: "/etc/ssl/private/{{ domain }}.key"
-    csr_path: "/etc/ssl/certs/{{ domain }}.csr"
+    path: "/etc/ssl/certs/{{ item.domain }}.crt"
+    privatekey_path: "/etc/ssl/private/{{ item.domain }}.key"
+    csr_path: "/etc/ssl/certs/{{ item.domain }}.csr"
    provider: selfsigned
-  when: domain is defined and selfsigned is defined and selfsigned
+  loop: "{{ certificates }}"
+  when: certificates is defined and item.selfsigned is defined and item.selfsigned

- name: Copy certificate
+- name: Copy certificates
  ansible.builtin.copy:
-    src: "{{ certificate_file }}"
-    dest: "/etc/ssl/certs/{{ domain }}.crt"
+    src: "{{ item.certificate_file }}"
+    dest: "/etc/ssl/certs/{{ item.domain }}.crt"
    mode: "0644"
-  when: domain is defined and (selfsigned is not defined or not selfsigned)
+  loop: "{{ certificates }}"
+  when: certificates is defined and (item.selfsigned is not defined or not item.selfsigned)
--- a/roles/portainer/templates/docker-compose.yml
+++ b/roles/portainer/templates/docker-compose.yml
@@ -17,7 +17,7 @@ services:
      - traefik.docker.network=proxy
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.tls=true
-      - traefik.http.routers.portainer.rule=Host(`{{ domain }}`) && PathPrefix(`/portainer`)
+      - traefik.http.routers.portainer.rule=Host(`{{ portainer_domain }}`) && PathPrefix(`/portainer`)
      # See https://community.containo.us/t/middleware-to-add-the-if-needed/1895/13
      - traefik.http.middlewares.strip-prefix.chain.middlewares=strip-prefix-1,strip-prefix-2
      - traefik.http.middlewares.strip-prefix-1.redirectregex.regex=^(https?://[^/]+/[a-z0-9_]+)$$

--- a/roles/traefik/templates/conf.yml
+++ b/roles/traefik/templates/conf.yml
@@ -18,8 +18,10 @@ default-security-headers:
    stsSeconds: 63072000
 tls:
  certificates:
-    - certFile: /ssl/{{ domain }}.crt
-      keyFile: /ssl/{{ domain }}.key
+{% for cert in certificates %}
+    - certFile: /ssl/{{ cert.domain }}.crt
+      keyFile: /ssl/{{ cert.domain }}.key
+{% endfor %}
  options:
    default:
      minVersion: VersionTLS12

--- a/roles/traefik/templates/docker-compose.yml
+++ b/roles/traefik/templates/docker-compose.yml
@@ -24,8 +24,10 @@ services:
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "{{ traefik_path }}/config/conf.yml:/config/conf.yml:ro"
-      - "/etc/ssl/private/{{ domain }}.key:/ssl/{{ domain }}.key:ro"
-      - "/etc/ssl/certs/{{ domain }}.crt:/ssl/{{ domain }}.crt:ro"
+{% for cert in certificates %}
+      - "/etc/ssl/private/{{ cert.domain }}.key:/ssl/{{ cert.domain }}.key:ro"
+      - "/etc/ssl/certs/{{ cert.domain }}.crt:/ssl/{{ cert.domain }}.crt:ro"
+{% endfor %}
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "{{ traefik_path }}/log:/var/log/traefik"
    labels:
@@ -33,7 +35,7 @@ services:
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true
-      - traefik.http.routers.traefik.rule=Host(`{{ domain }}`) && PathPrefix(`/traefik`)
+      - traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`) && PathPrefix(`/traefik`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080