Yeah. That's neat start.
Currently my weapon of choice are:
- Ansible - Not great, not terrible solution for spawning services
- Docker - Containers everywhere
- Taefik - routing with docker labels should be only option right?
- Cloudflared - when proxy DNS is not enough lest hide behind zero-trust tunnel
- Pihole - local DNS for my lazy self to provide easy name and also internal certs
So my paranoid stack contains all of above and in addition I found https://github.com/justmiles/traefik-cloudflare-tunnel and use as my best shot for automate publishing services online.
With those I can (almost) easily spawn most of my needed stuff, specify internal/external access, hide my local IP from world and also have two type of free certs (Cloudflare for external and LE for internal use) cause I'm lazy but also cheap.
From spaghetti code I currently own to something universal and useful there is still a long path (weird since I stole most ideas from [Ansible-NAS](https://github.com/davestephens/ansible-nas) project and butchered it a lot), but that is nothing that stops me from proposing idea.
Lets organize previous info as in timeline:
- Ansible is capable of spawning docker containers on my docker-mule (*cough* homeserver)
- Taefik via docker-labels is generating reverse-proxy routing + provides LE certs for internal services (acme + cloudflare DNS challenge )
- Traefik-cloudflare-tunnel reads traefik api and gather all services for specific entry point and handles zero-trust tunnels entries + DNS entries
- Cloudflared receives traffic form web and routes it to traefik accordingly
- Pihole creates local DNS entries in regards to current config and keep my internal services reachable (additional ad blocking is win-win scenario)
Everything else is configuration written in ansible to keep correct docker labels and provide secrets to keep these done automagically.
For those parts I will post service-specific posts to avoid lengthy entries.