ufw rules
This commit is contained in:
Yann Autissier
parent
4206ffb5b7
commit
96567c54dc
|
|
@ -70,7 +70,7 @@ deploy: $(if $(filter $(ENV),$(ENV_DEPLOY)),deploy-localhost,deploy@$(ENV)) ## D
|
|||
# target down: Remove application dockers
|
||||
# on local host
|
||||
.PHONY: down
|
||||
down: docker-compose-down ## Remove application dockers
|
||||
down: docker-compose-down ufw-delete ## Remove application dockers
|
||||
|
||||
# target exec: Exec ARGS in docker SERVICE
|
||||
# on local host
|
||||
|
|
@ -213,7 +213,7 @@ tests: app-tests ## Test application
|
|||
# target up: Create and start application dockers
|
||||
# on local host
|
||||
.PHONY: up
|
||||
up: docker-compose-up app-start ## Create application dockers
|
||||
up: docker-compose-up ufw-update app-start ## Create application dockers
|
||||
|
||||
# target update app-update: Update application files
|
||||
# on local host
|
||||
|
|
|
|||
|
|
@ -82,13 +82,15 @@ endef
|
|||
define docker-compose
|
||||
$(call INFO,docker-compose,$(1))
|
||||
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))) $(1)))
|
||||
$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
|
||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1)))
|
||||
endef
|
||||
# function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1
|
||||
define docker-compose-exec-sh
|
||||
$(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2))
|
||||
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))) exec -T $(1) sh -c '$(2)'))
|
||||
$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
|
||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)'))
|
||||
endef
|
||||
# function docker-push: Push docker image
|
||||
define docker-push
|
||||
|
|
|
|||
|
|
@ -1,14 +1,20 @@
|
|||
CMDARGS += ufw ufw-docker
|
||||
UFW_UPDATE ?= $(or $(SERVICE),$(DOCKER_SERVICES))
|
||||
|
||||
ifeq ($(SETUP_UFW),true)
|
||||
|
||||
# function ufw: Exec command ufw with args 1
|
||||
define ufw
|
||||
$(call INFO,ufw,$(1)$(comma))
|
||||
$(call app-bootstrap,ufw-docker)
|
||||
$(call app-exec,,ufw $(1))
|
||||
endef
|
||||
|
||||
# function ufw-docker: Exec command ufw-docker with args 1
|
||||
define ufw-docker
|
||||
$(call INFO,ufw-docker,$(1)$(comma))
|
||||
$(call app-bootstrap,ufw-docker)
|
||||
$(call app-exec,,ufw-docker $(1))
|
||||
endef
|
||||
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -1,5 +1,37 @@
|
|||
# target ufw: Call ufw ARGS
|
||||
.PHONY: ufw
|
||||
ufw:
|
||||
$(call ufw,$(ARGS))
|
||||
|
||||
# target ufw-delete: Fire ufw-update UFW_DELETE=true
|
||||
.PHONY: ufw-delete
|
||||
ufw-delete: UFW_DELETE := true
|
||||
ufw-delete: ufw-update
|
||||
|
||||
# target ufw-docker: Call ufw-docker ARGS
|
||||
.PHONY: ufw-docker
|
||||
ufw-docker:
|
||||
$(call ufw-docker,$(ARGS))
|
||||
|
||||
# target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
|
||||
.PHONY: ufw-update
|
||||
ufw-update:
|
||||
$(foreach update,$(UFW_UPDATE), \
|
||||
$(foreach port,$(UFW_DOCKER_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
|
||||
$(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(DOCKER_COMPOSE_PROJECT_NAME)-$(update) $(port)) \
|
||||
) \
|
||||
$(foreach port,$(UFW_UPDATE_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
|
||||
$(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
|
||||
) \
|
||||
)
|
||||
|
||||
## ex: ufw-node-up will update ufw rules for stack node
|
||||
.PHONY: stack-%
|
||||
ufw-%:
|
||||
$(eval stack := $(subst -$(lastword $(subst -, ,$*)),,$*))
|
||||
$(eval command := $(lastword $(subst -, ,$*)))
|
||||
$(if $(findstring -,$*), \
|
||||
$(if $(filter ufw-$(command),$(MAKE_TARGETS)), \
|
||||
$(call make,ufw-$(command) STACK="$(stack)") \
|
||||
) \
|
||||
)
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ define app-docker
|
|||
$(eval dir := $(or $(APP_DIR)))
|
||||
$(eval dockerfile := $(or $(1)))
|
||||
$(if $(wildcard $(dockerfile)),
|
||||
$(eval service := $(or $(SERVICE),$(subst .,,$(call LOWERCASE,$(lastword $(subst /, ,$(patsubst %/Dockerfile,%,$(dockerfile)))))),undefined))
|
||||
$(eval service := $(or $(DOCKER_SERVICE),$(subst .,,$(call LOWERCASE,$(lastword $(subst /, ,$(patsubst %/Dockerfile,%,$(dockerfile)))))),undefined))
|
||||
$(eval docker := ${COMPOSE_SERVICE_NAME}-$(service))
|
||||
$(eval DOCKER_IMAGE := $(DOCKER_REPOSITORY)/$(service):$(DOCKER_IMAGE_TAG))
|
||||
$(eval DOCKER_LABELS := SERVICE_NAME=$(docker) SERVICE_TAGS=urlprefix-$(service).$(APP_DOMAIN)/$(APP_PATH))
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ DRYRUN_RECURSIVE ?= false
|
|||
ELAPSED_TIME = $(shell $(call TIME))
|
||||
ENV ?= master
|
||||
ENV_ARGS ?= $(env_args)
|
||||
ENV_FILE ?= $(wildcard $(CONFIG)/$(ENV)/$(APP)/.env .env)
|
||||
ENV_FILE ?= $(wildcard $(if $(filter-out myos,$(MYOS)),$(MONOREPO_DIR)/.env) $(CONFIG)/$(ENV)/$(APP)/.env .env)
|
||||
ENV_LIST ?= $(shell ls .git/refs/heads/ 2>/dev/null)
|
||||
ENV_RESET ?= false
|
||||
ENV_VARS ?= APP BRANCH DOMAIN ENV HOME HOSTNAME GID GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME GROUP MONOREPO MONOREPO_DIR TAG UID USER VERSION
|
||||
|
|
@ -251,7 +251,7 @@ define env-run
|
|||
endef
|
||||
|
||||
# function make: Call make with predefined options and variables
|
||||
# 1st arg: make command line (targets and arguments)
|
||||
# 1st arg: make command line (targets and arguments)
|
||||
# 2nd arg: directory to call make from
|
||||
# 3rd arg: list of variables to pass to make (ENV by default)
|
||||
# 4th arg: path to .env file with additional arguments to call make with (file must exist when calling make)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
CMDARGS += node-exec stack-node-exec node-exec:% node-exec@% node-run node-run:% node-run@%
|
||||
node ?= node/autoheal node/certbot node/consul node/fabio node/registrator
|
||||
node ?= $(patsubst stack/%,%,$(patsubst %.yml,%,$(wildcard stack/node/*.yml)))
|
||||
ENV_VARS += DOCKER_HOST_IFACE DOCKER_HOST_INET4 DOCKER_INTERNAL_DOCKER_HOST
|
||||
SETUP_LETSENCRYPT ?=
|
||||
|
||||
|
|
|
|||
|
|
@ -2,3 +2,6 @@ NODE_CONSUL_ACL_TOKENS_MASTER=01234567-89AB-CDEF-0123-456789ABCDEF
|
|||
NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
|
||||
NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
|
||||
NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
|
||||
UFW_UPDATE_node-certbot=53/udp
|
||||
UFW_UPDATE_node-consul=8500
|
||||
UFW_DOCKER_node-fabio=80 443
|
||||
|
|
|
|||
|
|
@ -7,3 +7,4 @@ NODE_IPFS_PUBSUB_ROUTER=gossipsub
|
|||
NODE_IPFS_ROUTING_TYPE=dht
|
||||
NODE_IPFS_SERVICE_8080_CHECK_HTTP=/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme
|
||||
NODE_IPFS_SERVICE_8080_TAGS=urlprefix-ipfs.${DOMAIN}/
|
||||
UFW_DOCKER_node-ipfs=4001/tcp 4001/udp 8080
|
||||
|
|
|
|||
|
|
@ -2,3 +2,4 @@ NODE_MAILSERVER_ENABLE_MANAGESIEVE=1
|
|||
NODE_MAILSERVER_SPOOF_PROTECTION=1
|
||||
NODE_MAILSERVER_SSL_TYPE=letsencrypt
|
||||
NODE_MAILSERVER_UPDATE_CHECK=0
|
||||
UFW_DOCKER_node-mailserver=25 465 587 993
|
||||
|
|
|
|||
Loading…
Reference in New Issue