feat: Let's encrypt, pocketid

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   traefik:
     image: traefik:v3.0
@@ -13,23 +11,32 @@ services:
       - "80:80"
       - "443:443"
       - "8080:8080"  # Dashboard
+    environment:
+      - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./data/traefik.yml:/traefik.yml:ro
+      - ./data/dynamic:/etc/traefik/dynamic:ro
       - ./data/acme.json:/acme.json
     labels:
       - "traefik.enable=true"
+      # HTTP to HTTPS redirect
       - "traefik.http.routers.traefik.entrypoints=http"
       - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
       - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
       - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      # HTTPS with auth
       - "traefik.http.routers.traefik-secure.entrypoints=https"
       - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
       - "traefik.http.routers.traefik-secure.tls=true"
       - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
       - "traefik.http.routers.traefik-secure.service=api@internal"
+      # ForwardAuth middleware pointing to Pocket ID
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"
 
 networks:
   proxy: