feat: Fail2ban, auto configure reverse proxies

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -19,6 +19,7 @@ services:
       - ./data/traefik.yml:/traefik.yml:ro
       - ./data/dynamic:/etc/traefik/dynamic:ro
       - ./data/acme.json:/acme.json
+      - /var/log/traefik:/var/log/traefik
     labels:
       - "traefik.enable=true"
 

ansible/roles/traefik/templates/remote-services.yml.j2

@@ -20,6 +20,7 @@ http:
         permanent: true
 
   routers:
+    # Static services - HTTPS
     traefik-secure:
       rule: "Host(`traefik.{{ domain }}`)"
       entryPoints:
@@ -30,16 +31,6 @@ http:
       tls:
         certResolver: cloudflare
 
-    sonarr:
-      rule: "Host(`sonarr.{{ domain }}`)"
-      entryPoints:
-        - https
-      middlewares:
-        - pocketid-auth
-      service: sonarr
-      tls:
-        certResolver: cloudflare
-
     pocketid:
       rule: "Host(`auth.{{ domain }}`)"
       entryPoints:
@@ -55,22 +46,117 @@ http:
       service: tinyauth
       tls:
         certResolver: cloudflare
+
+    # Static services - HTTP to HTTPS redirect
+    traefik-redirect:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - http
+      middlewares:
+        - traefik-https-redirect
+      service: api@internal
+
+    pocketid-redirect:
+      rule: "Host(`auth.{{ domain }}`)"
+      entryPoints:
+        - http
+      middlewares:
+        - traefik-https-redirect
+      service: pocketid
+    
+    tinyauth-redirect:
+      rule: "Host(`auth-proxy.{{ domain }}`)"
+      entryPoints:
+        - http
+      middlewares:
+        - traefik-https-redirect
+      service: tinyauth
+
+    # Auto-configured services - HTTPS
+{% for service_name, config in auto_configure_traefik.items() %}
+{% if config.auth_bypass_paths is defined %}
+    # {{ service_name }} - bypass paths (no auth)
+{% for path in config.auth_bypass_paths %}
+    {{ service_name }}-bypass-{{ loop.index }}:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
+      entryPoints:
+        - https
+      priority: 100
+      service: {{ service_name }}
+      tls:
+        certResolver: cloudflare
+{% endfor %}
+    # {{ service_name }} - default path (with auth if required)
+    {{ service_name }}:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
+      entryPoints:
+        - https
+      priority: 1
+{% if config.auth_required | default(true) %}
+      middlewares:
+        - pocketid-auth
+{% endif %}
+      service: {{ service_name }}
+      tls:
+        certResolver: cloudflare
+{% else %}
+    {{ service_name }}:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
+      entryPoints:
+        - https
+{% if config.auth_required | default(true) %}
+      middlewares:
+        - pocketid-auth
+{% endif %}
+      service: {{ service_name }}
+      tls:
+        certResolver: cloudflare
+{% endif %}
+{% endfor %}
+
+    # Auto-configured services - HTTP to HTTPS redirect
+{% for service_name, config in auto_configure_traefik.items() %}
+{% if config.auth_bypass_paths is defined %}
+    # {{ service_name }} - bypass paths redirects
+{% for path in config.auth_bypass_paths %}
+    {{ service_name }}-bypass-{{ loop.index }}-redirect:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
+      entryPoints:
+        - http
+      priority: 100
+      middlewares:
+        - traefik-https-redirect
+      service: {{ service_name }}
+{% endfor %}
+{% endif %}
+    # {{ service_name }} - default redirect
+    {{ service_name }}-redirect:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
+      entryPoints:
+        - http
+      middlewares:
+        - traefik-https-redirect
+      service: {{ service_name }}
+{% endfor %}
   
   services:
-    sonarr:
-      loadBalancer:
-        passHostHeader: true
-        servers:
-          - url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
-
     pocketid:
       loadBalancer:
         passHostHeader: true
         servers:
-          - url: "http://{{ pocketid_host }}:{{ pocketid_port  }}"
+          - url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
     
     tinyauth:
       loadBalancer:
         passHostHeader: true
         servers:
           - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
+
+    # Auto-configured services
+{% for service_name, config in auto_configure_traefik.items() %}
+    {{ service_name }}:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://{{ config.host }}:{{ config.port }}"
+{% endfor %}

ansible/roles/traefik/templates/traefik.yml.j2

@@ -3,6 +3,13 @@ api:
   debug: true
   insecure: true
 
+log:
+  level: INFO
+
+accessLog:
+  filePath: /var/log/traefik/access.log
+  format: json
+
 entryPoints:
   http:
     address: ":80"