# Traefik dynamic configuration (Jinja template).
# Rendered values come from: domain, auto_configure_traefik, pocketid_*, tinyauth_*, website_*.
http:
  middlewares:
    # Forward-auth middleware: every request on a router that lists it is first
    # sent to the auth-proxy endpoint; the backend only sees the request if the
    # auth server answers 2xx.
    pocketid-auth:
      forwardAuth:
        address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
        # Passes the client's X-Forwarded-* headers to the auth server unchanged.
        # NOTE(review): that is only safe if Traefik is the edge proxy (or sits
        # behind one that overwrites those headers) — confirm the deployment.
        trustForwardHeader: true
        # Headers copied from the auth server's response onto the request sent to
        # the backend (Traefik documents this as replacing any client-supplied
        # header of the same name). Routers WITHOUT this middleware get no such
        # replacement — see the bypass routers below.
        authResponseHeaders:
          - "X-Auth-User"
          - "X-Auth-Email"
          - "X-Auth-Name"
          - Authorization
          - Remote-Email
          - Remote-Name
          - Remote-User
          - Remote-Groups
    # Plain-HTTP requests are answered with a permanent (301) redirect to HTTPS.
    traefik-https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

  routers:
    # Static services - HTTPS
    # Dashboard/API: protected by forward-auth.
    traefik-secure:
      rule: "Host(`traefik.{{ domain }}`)"
      entryPoints:
        - https
      middlewares:
        - pocketid-auth
      service: api@internal
      tls:
        certResolver: cloudflare
    # Identity provider front-end; intentionally no forwardAuth (presumably so the
    # login UI itself stays reachable — verify).
    pocketid:
      rule: "Host(`auth.{{ domain }}`)"
      entryPoints:
        - https
      service: pocketid
      tls:
        certResolver: cloudflare
    # The forward-auth endpoint that pocketid-auth calls; also unauthenticated.
    tinyauth:
      rule: "Host(`auth-proxy.{{ domain }}`)"
      entryPoints:
        - https
      service: tinyauth
      tls:
        certResolver: cloudflare
    # Public site on the bare domain; no auth middleware.
    website:
      rule: "Host(`{{ domain }}`)"
      entryPoints:
        - https
      service: website
      tls:
        certResolver: cloudflare

    # Static services - HTTP to HTTPS redirect
    # These routers never reach the backend: traefik-https-redirect responds
    # before the service is called, so no auth middleware is needed here.
    traefik-redirect:
      rule: "Host(`traefik.{{ domain }}`)"
      entryPoints:
        - http
      middlewares:
        - traefik-https-redirect
      service: api@internal
    pocketid-redirect:
      rule: "Host(`auth.{{ domain }}`)"
      entryPoints:
        - http
      middlewares:
        - traefik-https-redirect
      service: pocketid
    tinyauth-redirect:
      rule: "Host(`auth-proxy.{{ domain }}`)"
      entryPoints:
        - http
      middlewares:
        - traefik-https-redirect
      service: tinyauth
    website-redirect:
      rule: "Host(`{{ domain }}`)"
      entryPoints:
        - http
      middlewares:
        - traefik-https-redirect
      service: website

    # Auto-configured services - HTTPS
    # Per entry in auto_configure_traefik: config.subdomain, config.host,
    # config.port are required; config.auth_required (default true) and
    # config.auth_bypass_paths (list of path prefixes) are optional.
    {% for service_name, config in auto_configure_traefik.items() %}
    {% if config.auth_bypass_paths is defined %}
    # {{ service_name }} - bypass paths (no auth)
    # One router per bypass prefix. It carries NO middleware, so whatever the
    # client sends — including Remote-User / X-Auth-* headers — reaches the
    # backend untouched. The backend must not treat identity headers as trusted
    # on these paths (or a headers middleware that drops them should be added).
    # {{ path }} is spliced into a backtick-delimited rule: a path containing a
    # backtick or double quote would break the rule. PathPrefix match semantics
    # (raw prefix vs. segment-aware) differ between Traefik major versions —
    # NOTE(review): confirm which one applies before relying on e.g. `/api`
    # not matching `/api-admin`.
    {% for path in config.auth_bypass_paths %}
    {{ service_name }}-bypass-{{ loop.index }}:
      rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
      entryPoints:
        - https
      # Higher than the default router's priority (1) so the bypass wins.
      priority: 100
      # NOTE(review): unquoted — a service name that looks like a number or
      # boolean would be retyped by the YAML parser; quoting would be safer.
      service: {{ service_name }}
      tls:
        certResolver: cloudflare
    {% endfor %}
    # {{ service_name }} - default path (with auth if required)
    # Catch-all for the host; ranked below the bypass routers.
    {{ service_name }}:
      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
      entryPoints:
        - https
      priority: 1
      # Auth is opt-out: only auth_required: false makes the service public.
      {% if config.auth_required | default(true) %}
      middlewares:
        - pocketid-auth
      {% endif %}
      service: {{ service_name }}
      tls:
        certResolver: cloudflare
    {% else %}
    # Same as the default router above, minus the explicit priority (no bypass
    # routers exist for this host, so Traefik's default priority is sufficient).
    {{ service_name }}:
      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
      entryPoints:
        - https
      {% if config.auth_required | default(true) %}
      middlewares:
        - pocketid-auth
      {% endif %}
      service: {{ service_name }}
      tls:
        certResolver: cloudflare
    {% endif %}
    {% endfor %}

    # Auto-configured services - HTTP to HTTPS redirect
    # Mirrors the HTTPS routers on the http entry point; every router here only
    # redirects, so the backend and the auth middleware are never involved.
    {% for service_name, config in auto_configure_traefik.items() %}
    {% if config.auth_bypass_paths is defined %}
    # {{ service_name }} - bypass paths redirects
    {% for path in config.auth_bypass_paths %}
    {{ service_name }}-bypass-{{ loop.index }}-redirect:
      rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
      entryPoints:
        - http
      priority: 100
      middlewares:
        - traefik-https-redirect
      service: {{ service_name }}
    {% endfor %}
    {% endif %}
    # {{ service_name }} - default redirect
    {{ service_name }}-redirect:
      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
      entryPoints:
        - http
      middlewares:
        - traefik-https-redirect
      service: {{ service_name }}
    {% endfor %}

  services:
    # All upstreams are plain http:// with the original Host header passed
    # through (passHostHeader). TLS terminates at Traefik; the hop to the
    # backend is unencrypted — presumably an internal network, verify.
    pocketid:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
    tinyauth:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
    website:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ website_host }}:{{ website_port }}"

    # Auto-configured services
    # One service per auto_configure_traefik entry, keyed by service_name so the
    # routers above can reference it by the same name.
    {% for service_name, config in auto_configure_traefik.items() %}
    {{ service_name }}:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://{{ config.host }}:{{ config.port }}"
    {% endfor %}