lino/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3f28ed0c14fea3b98ea8368348265c2a623cca6d
homelab/ansible/roles/traefik/templates/remote-services.yml.j2
T
Lino Silva 3f28ed0c14 feat: Fail2ban, auto configure reverse proxies
2026-04-01 22:45:10 +01:00

163 lines
4.2 KiB
Django/Jinja
Raw Blame History

http:
middlewares:
pocketid-auth:
forwardAuth:
address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- "X-Auth-User"
- "X-Auth-Email"
- "X-Auth-Name"
- Authorization
- Remote-Email
- Remote-Name
- Remote-User
- Remote-Groups
traefik-https-redirect:
redirectScheme:
scheme: https
permanent: true
routers:
# Static services - HTTPS
traefik-secure:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- https
middlewares:
- pocketid-auth
service: api@internal
tls:
certResolver: cloudflare
pocketid:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
- https
service: pocketid
tls:
certResolver: cloudflare
tinyauth:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- https
service: tinyauth
tls:
certResolver: cloudflare
# Static services - HTTP to HTTPS redirect
traefik-redirect:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: api@internal
pocketid-redirect:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: pocketid
tinyauth-redirect:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: tinyauth
# Auto-configured services - HTTPS
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths (no auth)
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- https
priority: 100
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endfor %}
# {{ service_name }} - default path (with auth if required)
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
priority: 1
{% if config.auth_required | default(true) %}
middlewares:
- pocketid-auth
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% else %}
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
{% if config.auth_required | default(true) %}
middlewares:
- pocketid-auth
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endif %}
{% endfor %}
# Auto-configured services - HTTP to HTTPS redirect
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths redirects
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- http
priority: 100
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
{% endif %}
# {{ service_name }} - default redirect
{{ service_name }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
services:
pocketid:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
tinyauth:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
# Auto-configured services
{% for service_name, config in auto_configure_traefik.items() %}
{{ service_name }}:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ config.host }}:{{ config.port }}"
{% endfor %}
Reference in New Issue View Git Blame Copy Permalink