lino/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Fail2ban, auto configure reverse proxies

Browse Source
This commit is contained in:
Lino Silva
2026-04-01 22:45:10 +01:00
parent f17526afc3
commit 3f28ed0c14
11 changed files with 451 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ansible/roles/traefik/templates/remote-services.yml.j2
+103 -17
View File
@@ -20,6 +20,7 @@ http:
permanent: true
routers:
# Static services - HTTPS
traefik-secure:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
@@ -30,16 +31,6 @@ http:
tls:
certResolver: cloudflare
sonarr:
rule: "Host(`sonarr.{{ domain }}`)"
entryPoints:
- https
middlewares:
- pocketid-auth
service: sonarr
tls:
certResolver: cloudflare
pocketid:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
@@ -55,22 +46,117 @@ http:
service: tinyauth
tls:
certResolver: cloudflare
# Static services - HTTP to HTTPS redirect
traefik-redirect:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: api@internal
pocketid-redirect:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: pocketid
tinyauth-redirect:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: tinyauth
# Auto-configured services - HTTPS
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths (no auth)
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- https
priority: 100
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endfor %}
# {{ service_name }} - default path (with auth if required)
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
priority: 1
{% if config.auth_required | default(true) %}
middlewares:
- pocketid-auth
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% else %}
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
{% if config.auth_required | default(true) %}
middlewares:
- pocketid-auth
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endif %}
{% endfor %}
# Auto-configured services - HTTP to HTTPS redirect
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths redirects
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- http
priority: 100
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
{% endif %}
# {{ service_name }} - default redirect
{{ service_name }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
services:
sonarr:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ sonarr_host }}:{{ sonarr_port }}"
pocketid:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
tinyauth:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
# Auto-configured services
{% for service_name, config in auto_configure_traefik.items() %}
{{ service_name }}:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ config.host }}:{{ config.port }}"
{% endfor %}