feat: Let's encrypt, pocketid

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   traefik:
     image: traefik:v3.0
@@ -13,23 +11,32 @@ services:
       - "80:80"
       - "443:443"
       - "8080:8080"  # Dashboard
+    environment:
+      - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./data/traefik.yml:/traefik.yml:ro
+      - ./data/dynamic:/etc/traefik/dynamic:ro
       - ./data/acme.json:/acme.json
     labels:
       - "traefik.enable=true"
+      # HTTP to HTTPS redirect
       - "traefik.http.routers.traefik.entrypoints=http"
       - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
       - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
       - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      # HTTPS with auth
       - "traefik.http.routers.traefik-secure.entrypoints=https"
       - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
       - "traefik.http.routers.traefik-secure.tls=true"
       - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
       - "traefik.http.routers.traefik-secure.service=api@internal"
+      # ForwardAuth middleware pointing to Pocket ID
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
 
 networks:
   proxy:

ansible/roles/traefik/templates/remote-services.yml.j2

@@ -0,0 +1,16 @@
+http:
+  routers:
+    pocketid:
+      rule: "Host(`auth.{{ domain }}`)"
+      entryPoints:
+        - https
+      service: pocketid
+      tls:
+        certResolver: cloudflare
+  
+  services:
+    pocketid:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://10.0.4.10:8001"

ansible/roles/traefik/templates/traefik.yml.j2

@@ -13,6 +13,8 @@ entryPoints:
           scheme: https
   https:
     address: ":443"
+    forwardedHeaders:
+      insecure: true
   traefik:
     address: ":8080"
 
@@ -23,6 +25,9 @@ providers:
   docker:
     endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
 
 certificatesResolvers:
   cloudflare: