Lino Silva
218 lines
5.8 KiB
Django/Jinja
218 lines
5.8 KiB
Django/Jinja
http:
|
|
middlewares:
|
|
pocketid-auth:
|
|
forwardAuth:
|
|
address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- "X-Auth-User"
|
|
- "X-Auth-Email"
|
|
- "X-Auth-Name"
|
|
- Authorization
|
|
- Remote-Email
|
|
- Remote-Name
|
|
- Remote-User
|
|
- Remote-Groups
|
|
|
|
traefik-https-redirect:
|
|
redirectScheme:
|
|
scheme: https
|
|
permanent: true
|
|
|
|
{% for service_name, config in auto_configure_traefik.items() %}
|
|
{% if config.forward_https | default(false) %}
|
|
{{ service_name }}-https-headers:
|
|
headers:
|
|
customRequestHeaders:
|
|
X-Forwarded-Proto: "https"
|
|
X-Forwarded-Ssl: "on"
|
|
X-Forwarded-Host: "{{ config.subdomain }}.{{ domain }}"
|
|
X-Forwarded-Port: "443"
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
serversTransports:
|
|
ignore-tls:
|
|
insecureSkipVerify: true
|
|
|
|
routers:
|
|
# Static services - HTTPS
|
|
traefik-secure:
|
|
rule: "Host(`traefik.{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
middlewares:
|
|
- pocketid-auth
|
|
service: api@internal
|
|
tls:
|
|
certResolver: cloudflare
|
|
|
|
pocketid:
|
|
rule: "Host(`auth.{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
service: pocketid
|
|
tls:
|
|
certResolver: cloudflare
|
|
|
|
tinyauth:
|
|
rule: "Host(`auth-proxy.{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
service: tinyauth
|
|
tls:
|
|
certResolver: cloudflare
|
|
|
|
website:
|
|
rule: "Host(`{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
service: website
|
|
tls:
|
|
certResolver: cloudflare
|
|
|
|
# Static services - HTTP to HTTPS redirect
|
|
traefik-redirect:
|
|
rule: "Host(`traefik.{{ domain }}`)"
|
|
entryPoints:
|
|
- http
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: api@internal
|
|
|
|
pocketid-redirect:
|
|
rule: "Host(`auth.{{ domain }}`)"
|
|
entryPoints:
|
|
- http
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: pocketid
|
|
|
|
tinyauth-redirect:
|
|
rule: "Host(`auth-proxy.{{ domain }}`)"
|
|
entryPoints:
|
|
- http
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: tinyauth
|
|
|
|
website-redirect:
|
|
rule: "Host(`{{ domain }}`)"
|
|
entryPoints:
|
|
- http
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: website
|
|
|
|
# Auto-configured services - HTTPS
|
|
{% for service_name, config in auto_configure_traefik.items() %}
|
|
{% if config.auth_bypass_paths is defined %}
|
|
# {{ service_name }} - bypass paths (no auth)
|
|
{% for path in config.auth_bypass_paths %}
|
|
{{ service_name }}-bypass-{{ loop.index }}:
|
|
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
|
|
entryPoints:
|
|
- https
|
|
priority: 100
|
|
{% if config.forward_https | default(false) %}
|
|
middlewares:
|
|
- {{ service_name }}-https-headers
|
|
{% endif %}
|
|
service: {{ service_name }}
|
|
tls:
|
|
certResolver: cloudflare
|
|
{% endfor %}
|
|
# {{ service_name }} - default path (with auth if required)
|
|
{{ service_name }}:
|
|
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
priority: 1
|
|
{% if config.auth_required | default(true) or config.forward_https | default(false) %}
|
|
middlewares:
|
|
{% if config.auth_required | default(true) %}
|
|
- pocketid-auth
|
|
{% endif %}
|
|
{% if config.forward_https | default(false) %}
|
|
- {{ service_name }}-https-headers
|
|
{% endif %}
|
|
{% endif %}
|
|
service: {{ service_name }}
|
|
tls:
|
|
certResolver: cloudflare
|
|
{% else %}
|
|
{{ service_name }}:
|
|
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
|
|
entryPoints:
|
|
- https
|
|
{% if config.auth_required | default(true) or config.forward_https | default(false) %}
|
|
middlewares:
|
|
{% if config.auth_required | default(true) %}
|
|
- pocketid-auth
|
|
{% endif %}
|
|
{% if config.forward_https | default(false) %}
|
|
- {{ service_name }}-https-headers
|
|
{% endif %}
|
|
{% endif %}
|
|
service: {{ service_name }}
|
|
tls:
|
|
certResolver: cloudflare
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
# Auto-configured services - HTTP to HTTPS redirect
|
|
{% for service_name, config in auto_configure_traefik.items() %}
|
|
{% if config.auth_bypass_paths is defined %}
|
|
# {{ service_name }} - bypass paths redirects
|
|
{% for path in config.auth_bypass_paths %}
|
|
{{ service_name }}-bypass-{{ loop.index }}-redirect:
|
|
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
|
|
entryPoints:
|
|
- http
|
|
priority: 100
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: {{ service_name }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
# {{ service_name }} - default redirect
|
|
{{ service_name }}-redirect:
|
|
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
|
|
entryPoints:
|
|
- http
|
|
middlewares:
|
|
- traefik-https-redirect
|
|
service: {{ service_name }}
|
|
{% endfor %}
|
|
|
|
services:
|
|
pocketid:
|
|
loadBalancer:
|
|
passHostHeader: true
|
|
servers:
|
|
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
|
|
|
|
tinyauth:
|
|
loadBalancer:
|
|
passHostHeader: true
|
|
servers:
|
|
- url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
|
|
|
|
website:
|
|
loadBalancer:
|
|
passHostHeader: true
|
|
servers:
|
|
- url: "http://{{ website_host }}:{{ website_port }}"
|
|
|
|
# Auto-configured services
|
|
{% for service_name, config in auto_configure_traefik.items() %}
|
|
{{ service_name }}:
|
|
loadBalancer:
|
|
passHostHeader: true
|
|
{% if config.https | default(false) %}
|
|
serversTransport: ignore-tls@file
|
|
{% endif %}
|
|
servers:
|
|
- url: "{{ 'https' if config.https | default(false) else 'http' }}://{{ config.host }}:{{ config.port }}"
|
|
{% endfor %}
|