From 588eeca370bc2f0969236faddbfe3d773467ba69 Mon Sep 17 00:00:00 2001
From: Aidan Hembree <8049680+ahembree@users.noreply.github.com>
Date: Mon, 23 May 2022 17:50:06 -0400
Subject: [PATCH] implement per-container public exposure
---
 roles/hmsdocker/defaults/main.yml | 12 +++++++++++
 .../hmsdocker/templates/docker-compose.yml.j2 | 20 +++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/roles/hmsdocker/defaults/main.yml b/roles/hmsdocker/defaults/main.yml
index 619f64e..b1c0e4d 100644
--- a/roles/hmsdocker/defaults/main.yml
+++ b/roles/hmsdocker/defaults/main.yml
@@ -341,6 +341,7 @@ hms_docker_compose_container_state: present
 # `enabled`: Enables or disables the container
 # `directory`: Creates the container directory within the apps folder
 # `traefik`: Enables or disables accessing the container via Traefik
+# `expose_to_public`: Enables or disables exposing the container to the public internet via Traefik (removes allowlist restrictions)
 hms_docker_container_map:
 traefik:
 enabled: yes
@@ -350,46 +351,57 @@ hms_docker_container_map:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 radarr:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 bazarr:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 transmission:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 portainer:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 overseerr:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 prowlarr:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 requestrr:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 plex:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 tautulli:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 nzbget:
 enabled: yes
 directory: yes
 traefik: yes
+ expose_to_public: no
 plex_transcode_folder: "{{ hms_docker_apps_path }}/plex/transcode_temp" # default: "{{ hms_docker_apps_path }}/plex/transcode_temp"
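Review bot: The new `expose_to_public` comment in the first hunk says the allowlist is removed but not what remains, which is the fact an operator needs before switching it on: once the `internal-ipwhitelist` middleware is dropped from a container's router, that application's own login is the only access control on the public route. Suggest a second comment line directly under it, e.g. `# When yes, the internal-ipwhitelist middleware is not attached to that container's Traefik router, so only the application's own authentication protects it; leave it at no unless an authentication middleware sits in front`. The eleven `expose_to_public: no` entries added in the second hunk are the right secure default and follow the file's existing `yes`/`no` style. The added comment line is also well over 120 characters, so breaking it across two `#` lines would keep it readable.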
diff --git a/roles/hmsdocker/templates/docker-compose.yml.j2 b/roles/hmsdocker/templates/docker-compose.yml.j2
index e78bf95..3d795f8 100644
--- a/roles/hmsdocker/templates/docker-compose.yml.j2
+++ b/roles/hmsdocker/templates/docker-compose.yml.j2
@@ -24,9 +24,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.portainer-{{ project_name }}.loadbalancer.server.port=9000
+{% if not hms_docker_container_map['portainer']['expose_to_public'] %}
 - "traefik.http.routers.portainer-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if container_enable_auto_updates %}
 # Watchtower container, automatic updates
@@ -114,9 +116,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.nzbget-{{ project_name }}.loadbalancer.server.port=6789
+{% if not hms_docker_container_map['nzbget']['expose_to_public'] %}
 - "traefik.http.routers.nzbget-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['transmission']['enabled'] and transmission_vpn_provider is defined and transmission_vpn_user is defined and transmission_vpn_pass is defined %}
 # Transmission container, torrent client/VPN
@@ -199,9 +203,11 @@ services:
 # for the transmission container web UI, so we have traefik point to this one instead when trying to access the transmission web UI
 - traefik.http.routers.proxy-{{ project_name }}.rule=Host(`transmission.{{ hms_docker_domain }}`)
 - traefik.http.services.proxy-{{ project_name }}.loadbalancer.server.port=8080
+{% if not hms_docker_container_map['transmission']['expose_to_public'] %}
 - "traefik.http.routers.proxy-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['requestrr']['enabled'] %}
 # Requestrr container, chat client for requests
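Review bot: The added `{% if not hms_docker_container_map['portainer']['expose_to_public'] %}` fails to render for any user whose inventory already overrides `hms_docker_container_map` without the new key, because Ansible's default variable precedence replaces the whole dict rather than merging it with the role defaults, and an undefined key raises at template time; the same lookup is repeated in the nzbget and transmission hunks below and in the requestrr, prowlarr, sonarr, radarr, bazarr, plex and tautulli hunks of this file. A missing key should fall back to keeping the allowlist on, which `{% if not hms_docker_container_map['portainer']['expose_to_public'] | default(false) %}` gives in each place, since the filter binds before `not`. The placement of the added `{% endif %}` after the two pre-existing `{% endif %}` lines is also worth changing: it renders the same because nothing sits between the closers, but it silently re-pairs the existing closers with different `{% if %}` blocks, whereas the sonarr and radarr hunks close the new block directly after the middleware label, which is the clearer form to use throughout. The enclosing `{% if %}` blocks for each service open before the hunk, so their conditions cannot be checked here.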
@@ -230,9 +236,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.requestrr-{{ project_name }}.loadbalancer.server.port=4545
+{% if not hms_docker_container_map['requestrr']['expose_to_public'] %}
 - "traefik.http.routers.requestrr-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['prowlarr']['enabled'] %}
 # Prowlarr container, torrent indexer
@@ -261,9 +269,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.prowlarr-{{ project_name }}.loadbalancer.server.port=9696
+{% if not hms_docker_container_map['prowlarr']['expose_to_public'] %}
 - "traefik.http.routers.prowlarr-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['sonarr']['enabled'] %}
 # Sonarr container, tv show indexer
@@ -286,7 +296,9 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.sonarr-{{ project_name }}.loadbalancer.server.port=8989
+{% if not hms_docker_container_map['sonarr']['expose_to_public'] %}
 - "traefik.http.routers.sonarr-{{ project_name }}.middlewares=internal-ipwhitelist"
+{% endif %}
 {% endif %}
 volumes:
 - {{ hms_docker_apps_path }}/sonarr/config:/config
@@ -330,7 +342,9 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.radarr-{{ project_name }}.loadbalancer.server.port=7878
+{% if not hms_docker_container_map['radarr']['expose_to_public'] %}
 - "traefik.http.routers.radarr-{{ project_name }}.middlewares=internal-ipwhitelist"
+{% endif %}
 {% endif %}
 volumes:
 - {{ hms_docker_apps_path }}/radarr/config:/config
@@ -385,9 +399,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.bazarr-{{ project_name }}.loadbalancer.server.port=6767
+{% if not hms_docker_container_map['bazarr']['expose_to_public'] %}
 - "traefik.http.routers.bazarr-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['overseerr']['enabled'] %}
 # Overseer container, request platform
@@ -475,9 +491,11 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.plex-{{ project_name }}.loadbalancer.server.port=32400
+{% if not hms_docker_container_map['plex']['expose_to_public'] %}
 - "traefik.http.routers.plex-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
 {% endif %}
+{% endif %}
 {% if hms_docker_container_map['tautulli']['enabled'] %}
 # Tautulli container, analytics
@@ -500,8 +518,10 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.services.tautulli-{{ project_name }}.loadbalancer.server.port=8181
+{% if not hms_docker_container_map['tautulli']['expose_to_public'] %}
 - "traefik.http.routers.tautulli-{{ project_name }}.middlewares=internal-ipwhitelist"
 {% endif %}
+{% endif %}
 {% if container_expose_ports or not hms_docker_container_map['traefik']['enabled'] %}
 ports:
 - 8181:8181