From 720267bb87721003c41580f9a9a1fb8df5726d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Krop=C3=A1=C4=8Dek?= Date: Wed, 4 Oct 2023 21:42:20 +0200 Subject: [PATCH] Fixed a lot of traefik issues for docker swarm deployment --- deploy.py | 7 ++-- inventory.py | 13 ++++++-- pubkeys/desktop_win.pub | 1 + pubkeys/desktop_wsl.pub | 1 + pubkeys/laptop_olc.pub | 1 + pubkeys/laptop_personal.pub | 1 + tasks/ssh.py | 41 +++++++++++++++++++++++ templates/joplin/.env.example | 1 - templates/joplin/docker-compose.yml | 49 +++++++++++----------------- templates/traefik/.env.example | 1 + templates/traefik/docker-compose.yml | 48 +++++++++++++++++++++++++++ 11 files changed, 128 insertions(+), 36 deletions(-) create mode 100644 pubkeys/desktop_win.pub create mode 100644 pubkeys/desktop_wsl.pub create mode 100644 pubkeys/laptop_olc.pub create mode 100644 pubkeys/laptop_personal.pub create mode 100644 tasks/ssh.py create mode 100644 templates/traefik/.env.example create mode 100644 templates/traefik/docker-compose.yml diff --git a/deploy.py b/deploy.py index 3331280..d79a332 100644 --- a/deploy.py +++ b/deploy.py @@ -1,4 +1,5 @@ -from pyinfra import host +from tasks.ssh import setup_ssh + from pyinfra.operations import apt from pyinfra_docker import deploy_docker @@ -9,7 +10,7 @@ apt.packages( ) apt.packages( - name="Install usefull packages", + name="Install useful packages", packages=["htop", "curl", "ufw"], ) @@ -24,4 +25,6 @@ apt.packages( ], ) +setup_ssh() + deploy_docker() diff --git a/inventory.py b/inventory.py index 63f8642..bb5c2be 100644 --- a/inventory.py +++ b/inventory.py @@ -1,6 +1,4 @@ -# nextcloud = [("172.104.145.146", {"ssh_user": "root"})] - -joplin = [ +joplin_old = [ ( "joplin.togetherdays.cz", { "ssh_user": "root", @@ -8,3 +6,12 @@ joplin = [ } ) ] + +joplin_new = [ + ( + "test.joplin.togetherdays.cz", { + "ssh_user": "root", + "web_server": True + } + ) +] \ No newline at end of file 
diff --git a/pubkeys/desktop_win.pub b/pubkeys/desktop_win.pub new file mode 100644 index 0000000..1c0e6a2 --- /dev/null +++ b/pubkeys/desktop_win.pub @@ -0,0 +1 @@ +ssh-rsa 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 kropi@KropiMasinka diff --git a/pubkeys/desktop_wsl.pub b/pubkeys/desktop_wsl.pub new file mode 100644 index 0000000..111f503 --- /dev/null +++ b/pubkeys/desktop_wsl.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPexUMyL1yGJx0x3lE4QwTLVAsI/0VobbHO9EcP4BsfJ krop@KropiMasinka \ No newline at end of file diff --git a/pubkeys/laptop_olc.pub b/pubkeys/laptop_olc.pub new file mode 100644 index 0000000..3d6fb3f --- /dev/null +++ b/pubkeys/laptop_olc.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcnX9CcpqCdfC4apgd6ccyTSyhPt3mIiSAXD00czPtt jakub.kropacek@olc.cz diff --git a/pubkeys/laptop_personal.pub b/pubkeys/laptop_personal.pub new file mode 100644 index 0000000..c702a02 --- /dev/null +++ b/pubkeys/laptop_personal.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUnlAjPnMwJYgZb7YuholdTxifOEFnAyXVqI+xFlHw6 krop@lenar diff --git a/tasks/ssh.py b/tasks/ssh.py new file mode 100644 index 0000000..b83d71a --- /dev/null +++ b/tasks/ssh.py 
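Review bot: `desktop_win.pub` is the only `ssh-rsa` key of the four being baked into root's `authorized_keys`; its modulus length is not visible on this page, and OpenSSH 8.8+ rejects `ssh-rsa` signatures made with SHA-1 by default, so an older Windows client presenting it may be refused once the accompanying task turns `PasswordAuthentication` off. Consider regenerating that key as ed25519 like the other three, or at least confirm it is ≥3072 bits and that the client negotiates `rsa-sha2-*`, and test a key-only login from every listed machine before the password fallback disappears. The missing trailing newline on `desktop_wsl.pub` appears harmless because the deploy task strips each key before writing it, but adding one avoids surprises if the files are ever concatenated by other tooling.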
@@ -0,0 +1,41 @@ +from pathlib import Path + +from pyinfra.api import deploy +from pyinfra.operations import files, systemd + +BASE_DIR = Path(__file__).parent.parent + +def deploy_ssh_keys(): + files.file( + name="Create authorized_keys file", + path="/root/.ssh/authorized_keys" + ) + + + for key_path in BASE_DIR.glob("pubkeys/*.pub"): + with open(key_path, "r") as f: + key = f.read().strip() + files.line( + name=f"Adding key {key_path.name} to /root/.ssh/authorized_keys", + path="/root/.ssh/authorized_keys", + line=key + ) + +def reconfigure_ssh(): + config_changed = files.line( + name="Disable password login", + path="/etc/ssh/sshd_config", + line="PasswordAuthentication .+", + replace="PasswordAuthentication no" + ).changed + + systemd.service( + name="Restart SSHD service", + service="ssh", + restarted=config_changed + ) + +@deploy +def setup_ssh(): + deploy_ssh_keys() + reconfigure_ssh() diff --git a/templates/joplin/.env.example b/templates/joplin/.env.example index 5487aa9..0103021 100644 --- a/templates/joplin/.env.example +++ b/templates/joplin/.env.example @@ -1,4 +1,3 @@ -EMAIL= HOST= POSTGRES_PASSWORD= POSTGRES_DATABASE= diff --git a/templates/joplin/docker-compose.yml b/templates/joplin/docker-compose.yml index f67fe4e..90c258b 100644 --- a/templates/joplin/docker-compose.yml +++ b/templates/joplin/docker-compose.yml 
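Review bot: In `deploy_ssh_keys`, `files.line(..., line=key)` hands pyinfra the key as a regular expression (pyinfra matches `line` as a regex unless `escape_regex_characters=True`), and base64 key material contains `+`, a regex quantifier — `I+xFlHw6` in `laptop_personal.pub`, for example, will never match its own literal line, so that key is re-appended on every run; pass `escape_regex_characters=True`. `files.file` also creates `authorized_keys` with whatever the default umask yields and nothing sets `/root/.ssh` to 0700, so set `mode="600"` / `mode="700"` explicitly rather than relying on the image's defaults to satisfy sshd's `StrictModes`. In `reconfigure_ssh`, the `ssh` unit is restarted without validating the config, and on Debian 12 / Ubuntu 22.04 `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, where a cloud-init drop-in commonly sets `PasswordAuthentication yes` and wins (sshd keeps the first value it sees), so the edit here can be silently ineffective — run `sshd -t` before the restart (via `server.shell` from `pyinfra.operations`) and either ship a drop-in in `sshd_config.d` or remove the conflicting one. Because key deployment and the lockdown happen in the same run against a root login, it would also be prudent to gate the password-auth change on the authorized_keys write having succeeded.
```python
def deploy_ssh_keys():
    files.directory(
        name="Ensure /root/.ssh exists with strict permissions",
        path="/root/.ssh",
        mode="700",
    )
    files.file(
        name="Create authorized_keys file",
        path="/root/.ssh/authorized_keys",
        mode="600",
    )

    for key_path in BASE_DIR.glob("pubkeys/*.pub"):
        key = key_path.read_text().strip()
        files.line(
            name=f"Adding key {key_path.name} to /root/.ssh/authorized_keys",
            path="/root/.ssh/authorized_keys",
            line=key,
            # Public keys contain '+' and '/', which are regex metacharacters;
            # without escaping the match fails and the key is re-added every run.
            escape_regex_characters=True,
        )

def reconfigure_ssh():
    # … unchanged: files.line on PasswordAuthentication …
    server.shell(
        name="Validate sshd configuration before restarting",
        commands=["sshd -t"],
    )
    # … unchanged: systemd.service restart …
```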
@@ -1,55 +1,33 @@ networks: traefik-net: name: traefik-net + external: true volumes: - traefik-certs: - name: traefik-certs + joplin-pg-data: + name: joplin-pg-data services: - traefik: - image: traefik:v2.10 - command: - - --providers.docker - - --providers.docker.network=traefik-net - - --providers.docker.exposedbydefault=false - - --entrypoints.web.address=:80 - - --entrypoints.web.http.redirections.entryPoint.to=websecure - - --entrypoints.web.http.redirections.entryPoint.scheme=https - - --entrypoints.web.http.redirections.entrypoint.permanent=true - - --entrypoints.websecure.address=:443 - - --certificatesresolvers.le.acme.tlschallenge=true - - --certificatesresolvers.le.acme.email=${EMAIL} - - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json - ports: - - 80:80 - - 443:443 - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - traefik-certs:/letsencrypt db: image: postgres:15 volumes: - - ./data/postgres:/var/lib/postgresql/data + - joplin-pg-data:/var/lib/postgresql/data restart: unless-stopped + networks: + - default environment: - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_USER=${POSTGRES_USER} - POSTGRES_DB=${POSTGRES_DATABASE} + joplin: image: joplin/server:latest depends_on: - db restart: unless-stopped - labels: - - traefik.enable=true - - traefik.http.routers.joplin.rule=Host(`${HOST}`) - - traefik.http.routers.joplin.entrypoints=websecure - - traefik.http.routers.joplin.tls.certresolver=le - - traefik.http.services.joplin.loadbalancer.server.port=22300 environment: - APP_PORT=22300 - - APP_BASE_URL=${HOST} + - APP_BASE_URL=https://${HOST} - DB_CLIENT=pg - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_DATABASE=${POSTGRES_DATABASE} 
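Review bot: The `db` service's data moves from a bind mount to the named volume `joplin-pg-data`, which with no driver specified is a `local` volume and therefore node-local; since this stack now targets swarm (`traefik-net` is `external: true` and routing lives under `deploy.labels`), a `db` task rescheduled onto another node would start with an empty database while the real data stays on the old node. Until a shared volume driver or backup/restore path exists, pin it, e.g. `deploy: placement: constraints: [node.hostname == <db-node>]`, and decide deliberately whether `joplin` is pinned alongside it. `docker stack deploy` also ignores `depends_on`, so `joplin` may come up before Postgres accepts connections; Joplin Server presumably retries its DB connection on startup, but that is worth confirming rather than assuming. `POSTGRES_PASSWORD` is passed as plain environment on both services, which exposes it in `docker service inspect`; the Postgres image accepts `POSTGRES_PASSWORD_FILE`, so a swarm secret would work on the `db` side, and the Joplin side should be checked for an equivalent before switching.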
@@ -64,3 +42,14 @@ services: - MAILER_AUTH_PASSWORD=${MAILER_AUTH_PASSWORD} - MAILER_NOREPLY_NAME=${MAILER_NOREPLY_NAME} - MAILER_NOREPLY_EMAIL=${MAILER_NOREPLY_EMAIL} + networks: + - traefik-net + - default + deploy: + labels: + - traefik.enable=true + - traefik.docker.network=traefik-net + - traefik.http.routers.joplin.rule=Host(`${HOST}`) + - traefik.http.routers.joplin.entrypoints=websecure + - traefik.http.routers.joplin.tls.certresolver=le + - traefik.http.services.joplin.loadbalancer.server.port=22300 diff --git a/templates/traefik/.env.example b/templates/traefik/.env.example new file mode 100644 index 0000000..4bac020 --- /dev/null +++ b/templates/traefik/.env.example @@ -0,0 +1 @@ +EMAIL= \ No newline at end of file diff --git a/templates/traefik/docker-compose.yml b/templates/traefik/docker-compose.yml new file mode 100644 index 0000000..5e5bdd0 --- /dev/null +++ b/templates/traefik/docker-compose.yml 
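Review bot: The router rule `Host(\`${HOST}\`)` and the `${EMAIL}` used by the Traefik stack depend on shell-style variable substitution, but `docker stack deploy -c` does not read a `.env` file the way `docker compose` does, so unless the variables are exported or the file is pre-rendered (e.g. `docker compose config | docker stack deploy -c - joplin`) the rule becomes `Host(\`\`)` and the router silently matches nothing — worth a one-line comment in `.env.example` or a wrapper script stating how the template is rendered. While the labels are being moved under `deploy`, this is a good place to add a headers middleware, e.g. `traefik.http.routers.joplin.middlewares=joplin-hdr` with `traefik.http.middlewares.joplin-hdr.headers.stsSeconds=31536000`, since the service is now only reachable over `websecure`. The service definition for `joplin` begins in the previous hunk.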
@@ -0,0 +1,48 @@ +networks: + traefik-net: + name: traefik-net + +volumes: + traefik-certs: + name: traefik-certs + +services: + traefik: + image: traefik:v2.10 + command: + - --api.dashboard=true + - --providers.docker + - --providers.docker.network=traefik-net + - --providers.docker.exposedbydefault=false + - --providers.docker.swarmMode=true + - --entrypoints.web.address=:80 + - --entrypoints.web.http.redirections.entryPoint.to=websecure + - --entrypoints.web.http.redirections.entryPoint.scheme=https + - --entrypoints.web.http.redirections.entrypoint.permanent=true + - --entrypoints.websecure.address=:443 + - --certificatesresolvers.le.acme.tlschallenge=true + - --certificatesresolvers.le.acme.email=${EMAIL} + - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json + ports: + - target: 80 + published: 80 + mode: host + - target: 443 + published: 443 + mode: host + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - traefik-certs:/letsencrypt + networks: + traefik-net: + deploy: + placement: + constraints: + - node.role == manager +# labels: +# - traefik.enable=true +# - traefik.http.routers.dashboard.rule = PathPrefix(`/traefik`) +# - traefik.http.routers.dashboard.service=api@internal +# - traefik.http.routers.dashboard.middlewares=auth +# - traefik.http.services.dashboard.loadbalancer.server.port=8080 +# - traefik.http.middlewares.auth.basicauth.users=krop:$$apr1$$YAMELker$$W7BRLr8GbsqVdaVjp9qOI/
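Review bot: Mounting `/var/run/docker.sock` into the `traefik` service pinned to a manager node hands the internet-facing proxy full Docker API access — the `:ro` flag only prevents replacing the socket file, it does not restrict API calls — so any code-execution bug in Traefik is effectively root on the swarm. Put a filtering proxy such as `tecnativa/docker-socket-proxy` between the socket and Traefik, point the provider at it with `--providers.docker.endpoint=tcp://socket-proxy:2375`, and drop the socket mount from `traefik` (sketch below; verify the allowed endpoint set against Traefik's startup logs). The commented dashboard labels embed an htpasswd APR1-MD5 hash for user `krop`; a hash committed to version control should be treated as leaked and rotated, kept in a swarm secret or `usersfile` rather than a compose label, and generated with bcrypt (`htpasswd -B`), which Traefik's basicauth accepts. Two smaller points on the same lines: `traefik.http.routers.dashboard.rule = PathPrefix(...)` has spaces around `=` and would not be a valid label if uncommented, and `traefik-certs` is a `local` volume, so on a swarm with more than one manager a rescheduled task would lose `acme.json` and re-issue certificates against Let's Encrypt rate limits.
```yaml
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      # Read-only subset the swarm provider needs; POST stays disabled by default.
      - SERVICES=1
      - TASKS=1
      - NETWORKS=1
      - NODES=1
      - INFO=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy   # internal network, add it under top-level `networks:`
    deploy:
      placement:
        constraints:
          - node.role == manager

  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # … unchanged: remaining --api/--providers/--entrypoints/--certificatesresolvers flags …
    volumes:
      - traefik-certs:/letsencrypt   # docker.sock mount removed
    networks:
      - traefik-net
      - socket-proxy
    # … unchanged: ports and deploy.placement …
```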