Switch to traefik
This PR is for a major milestone improvement in infrastructure! I'm not all the way to cutting the NAS out of the service loop, but here's what has been done, in summary:
- Establish a multi-node docker swarm
- Define docker stack service definitions for all user-facing services and put them in this repository
- Establish a local, end-to-end secure, authenticated Docker registry with auth server and registry server running as services (defined in /auth and /registry in this repository!)
- Establish a two-stage reverse proxy system entirely in docker:
  - A customized HAProxy serving as an L4 reverse proxy, using SNI to route requests to customized, static endpoints which will terminate TLS, with a default route to the NAS, which will terminate all other TLS requests. This proxy is defined in /flowproxy.
  - After the NAS terminates TLS, requests are routed back to the docker swarm to a Traefik reverse proxy, which currently supports dynamically routing to Docker Swarm services as they come up and disappear. Currently Traefik only handles decrypted HTTP coming off the NAS, routing to the docker services that come up. In the future it can manage dynamic certificates with LetsEncrypt as well. Traefik is defined as a docker swarm service in /traefik.
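To make the first stage of that proxy chain concrete, here is an added example of an HAProxy configuration doing SNI-based L4 routing with a default route. It is written for this review and is not the PR's /flowproxy configuration; the hostnames, container names, ports and the NAS address are placeholders. The point it shows is that HAProxy reads the server name from the unencrypted TLS ClientHello before any TLS termination happens, so it holds no private keys and never sees plaintext, and that anything it cannot match by SNI (or that does not present a ClientHello within the inspect delay) falls through to the NAS backend.

```haproxy
# Added example config (not the PR's /flowproxy): TCP-mode HAProxy that
# routes still-encrypted TLS streams by SNI and defaults to the NAS.
global
    log stdout format raw local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tls_in
    bind *:443
    # Hold the connection (at most 5s) until the ClientHello has arrived,
    # so req.ssl_sni is populated before a routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Static SNI -> backend pins; hostnames below are placeholders.
    use_backend registry_tls if { req.ssl_sni -i registry.example.internal }
    use_backend auth_tls     if { req.ssl_sni -i auth.example.internal }
    # Everything else, including unknown or absent SNI, goes to the NAS.
    default_backend nas_tls

backend registry_tls
    # Swarm service name and port are placeholders; the service terminates TLS itself.
    server registry registry:5000 check

backend auth_tls
    server auth auth:5001 check

backend nas_tls
    # Catch-all route; the NAS terminates TLS for everything not pinned above.
    server nas 192.0.2.10:443 check
```

Because routing happens on the SNI field, a client that sends an unexpected or spoofed server name still only reaches the backend pinned for that name, and that backend's own certificate validation on the client side fails if the name does not match; the default route is what needs the most care, since every unmatched request lands there.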
In the future I want to set up Traefik to get certificates for any services that come up as they come up, and store them in Consul. I want the NAS to be cut completely out of reverse proxying, so that Traefik becomes the default route for services that HAProxy can't identify using SNI. Eventually I want better visibility into proxying and my swarm, probably with Prometheus+Grafana. And of course, I want to dockerize GitLab and Taiga, eventually, as always.