From faaa61f257e9ee155421f601b4cee3ed0ad732b7 Mon Sep 17 00:00:00 2001
From: Lino Silva
Date: Thu, 2 Apr 2026 00:27:25 +0100
Subject: [PATCH] fix: Mastodon https headers

---
 ansible/ansible.cfg                          |  2 ++
 ansible/inventories/group_vars/all/main.yml  |  1 +
 .../traefik/templates/remote-services.yml.j2 | 30 +++++++++++++++++--
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 2c5fedf..e1f90a0 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -2,3 +2,5 @@ roles_path = ./roles
 inventory = ./inventories/production.yml
 host_key_checking = False
+deprecation_warnings = False
+interpreter_python = auto_silent
\ No newline at end of file
diff --git a/ansible/inventories/group_vars/all/main.yml b/ansible/inventories/group_vars/all/main.yml
index 4e6ef9f..18763a6 100644
--- a/ansible/inventories/group_vars/all/main.yml
+++ b/ansible/inventories/group_vars/all/main.yml
@@ -141,6 +141,7 @@ auto_configure_traefik:
     host: "10.0.2.20"
     port: 80
     auth_required: false
+    forward_https: true
   matrix:
     subdomain: "chat"
     host: "10.0.2.20"
diff --git a/ansible/roles/traefik/templates/remote-services.yml.j2 b/ansible/roles/traefik/templates/remote-services.yml.j2
index fb0c498..ebcc0f5 100644
--- a/ansible/roles/traefik/templates/remote-services.yml.j2
+++ b/ansible/roles/traefik/templates/remote-services.yml.j2
@@ -19,6 +19,18 @@ http:
         scheme: https
         permanent: true
 
+{% for service_name, config in auto_configure_traefik.items() %}
+{% if config.forward_https | default(false) %}
+    {{ service_name }}-https-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Ssl: "on"
+          X-Forwarded-Host: "{{ config.subdomain }}.{{ domain }}"
+          X-Forwarded-Port: "443"
+{% endif %}
+{% endfor %}
+
   serversTransports:
     ignore-tls:
       insecureSkipVerify: true
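Review bot: `interpreter_python = auto_silent` is added without a trailing newline, as the `\ No newline at end of file` marker shows, so the next key appended to this file risks being glued onto the same line; add the newline. `deprecation_warnings = False` also silences the notices Ansible uses to announce behaviour that changes or disappears in upcoming releases, which are the usual early warning before an upgrade breaks a play; if it must stay off, say why in place: `# deprecation_warnings off: <reason> — re-enable before the next ansible-core upgrade`. The section header these keys belong to is outside the hunk.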
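Review bot: The new `forward_https: true` key is set on a service that is reached over plain HTTP on port 80 with `auth_required: false`, but nothing at the key says what it switches on; the service's name is outside the hunk (the commit subject suggests Mastodon). A short comment saves the next reader a trip to the Traefik template: `forward_https: true  # backend is plain HTTP; Traefik injects X-Forwarded-Proto/Ssl/Host/Port so it treats the client connection as TLS`. Since the template defaults this key to false, every other service keeps its current request headers.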
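Review bot: The `{{ service_name }}-https-headers` middleware hard-codes `X-Forwarded-Proto: "https"`, `X-Forwarded-Ssl: "on"` and `X-Forwarded-Port: "443"` via `customRequestHeaders`, so any router that attaches it tells the backend the client connection was TLS regardless of which entryPoint was actually hit; this is accurate today only because the routers that reference it in the later hunks are all bound to the `https` entryPoint. That invariant belongs next to the definition, e.g. `{# static values: attach only to routers on the https entryPoint, otherwise the backend is told a plain-HTTP request was TLS #}`. Traefik sets X-Forwarded-Proto/Host/Port from the real connection on its own (worth verifying for the deployed version), so of the four headers only `X-Forwarded-Ssl` appears to add information; confirm which ones the backend actually reads before keeping all four. The enclosing `middlewares:` map starts outside the hunk.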
@@ -102,6 +114,10 @@ http:
       entryPoints:
         - https
       priority: 100
+{% if config.forward_https | default(false) %}
+      middlewares:
+        - {{ service_name }}-https-headers
+{% endif %}
       service: {{ service_name }}
       tls:
         certResolver: cloudflare
@@ -112,9 +128,14 @@ http:
       entryPoints:
         - https
       priority: 1
-{% if config.auth_required | default(true) %}
+{% if config.auth_required | default(true) or config.forward_https | default(false) %}
       middlewares:
+{% if config.auth_required | default(true) %}
         - pocketid-auth
+{% endif %}
+{% if config.forward_https | default(false) %}
+        - {{ service_name }}-https-headers
+{% endif %}
 {% endif %}
       service: {{ service_name }}
       tls:
@@ -124,9 +145,14 @@ http:
       rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
       entryPoints:
         - https
-{% if config.auth_required | default(true) %}
+{% if config.auth_required | default(true) or config.forward_https | default(false) %}
       middlewares:
+{% if config.auth_required | default(true) %}
         - pocketid-auth
+{% endif %}
+{% if config.forward_https | default(false) %}
+        - {{ service_name }}-https-headers
+{% endif %}
 {% endif %}
       service: {{ service_name }}
       tls:
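Review bot: `config.forward_https | default(false)` is evaluated once in this hunk, twice more in each of the `@@ -112` and `@@ -124` hunks, and again in the middleware loop of the first hunk, so the default value lives in five places. One `{% set forward_https = config.forward_https | default(false) %}` at the top of the router loop iteration (the loop starts outside the hunk) would let every condition read `{% if forward_https %}` and keep the default in a single spot. The added `middlewares:` key is emitted only when the flag is set, so routers without it render as before.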
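Review bot: The outer `{% if auth_required or forward_https %}` followed by two inner `{% if %}` blocks tests each flag twice, and the same nine lines are repeated verbatim in the `@@ -124` hunk; building the middleware list once and emitting it with a loop keeps the order the hunk establishes (auth before the header middleware) and drops the nested conditionals. The two routers sit in a loop whose head is outside the hunk, and the indentation below assumes the router keys are at the same level as `service:`.
```jinja
{% set middlewares = (['pocketid-auth'] if config.auth_required | default(true) else [])
   + ([service_name ~ '-https-headers'] if config.forward_https | default(false) else []) %}
{% if middlewares %}
      middlewares:
{% for middleware in middlewares %}
        - {{ middleware }}
{% endfor %}
{% endif %}
      service: {{ service_name }}
{# … unchanged: tls block … #}
```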