lino/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bab98a020c642dab7408ba75ea1db66f3ac12af0
homelab/ansible/roles/traefik/templates/remote-services.yml.j2
T
Lino Silva a05b2ea9ea chore: Renaming
2026-05-12 22:28:16 +01:00

243 lines
6.6 KiB
Django/Jinja
Raw Blame History

http:
middlewares:
pocketid-auth:
forwardAuth:
address: "https://auth-proxy.{{ domain }}/api/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- "X-Auth-User"
- "X-Auth-Email"
- "X-Auth-Name"
- Authorization
- Remote-Email
- Remote-Name
- Remote-User
- Remote-Groups
traefik-https-redirect:
redirectScheme:
scheme: https
permanent: true
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.forward_https | default(false) %}
{{ service_name }}-https-headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Ssl: "on"
X-Forwarded-Host: "{{ config.subdomain }}.{{ domain }}"
X-Forwarded-Port: "443"
{% endif %}
{% endfor %}
serversTransports:
ignore-tls:
insecureSkipVerify: true
routers:
# Local IP bypass - HTTPS (higher priority, no auth)
traefik-secure-local:
rule: "Host(`traefik.{{ domain }}`) && (ClientIP(`192.168.0.0/16`) || ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`))"
entryPoints:
- https
priority: 200
service: api@internal
tls:
certResolver: cloudflare
# Static services - HTTPS
traefik-secure:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- https
middlewares:
- pocketid-auth
service: api@internal
tls:
certResolver: cloudflare
pocketid:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
- https
service: pocketid
tls:
certResolver: cloudflare
tinyauth:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- https
service: tinyauth
tls:
certResolver: cloudflare
website:
rule: "Host(`{{ domain }}`)"
entryPoints:
- https
service: website
tls:
certResolver: cloudflare
# Static services - HTTP to HTTPS redirect
traefik-redirect:
rule: "Host(`traefik.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: api@internal
pocketid-redirect:
rule: "Host(`auth.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: pocketid
tinyauth-redirect:
rule: "Host(`auth-proxy.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: tinyauth
website-redirect:
rule: "Host(`{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: website
# Auto-configured services - HTTPS
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.internal | default(true) %}
# {{ service_name }} - local IP bypass (no auth)
{{ service_name }}-local:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && (ClientIP(`192.168.0.0/16`) || ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`))"
entryPoints:
- https
priority: 200
{% if config.forward_https | default(false) %}
middlewares:
- {{ service_name }}-https-headers
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endif %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths (no auth)
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- https
priority: 100
{% if config.forward_https | default(false) %}
middlewares:
- {{ service_name }}-https-headers
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endfor %}
# {{ service_name }} - default path (with auth if required)
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
priority: 1
{% if config.internal | default(true) or config.forward_https | default(false) %}
middlewares:
{% if config.internal | default(true) %}
- pocketid-auth
{% endif %}
{% if config.forward_https | default(false) %}
- {{ service_name }}-https-headers
{% endif %}
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% else %}
{{ service_name }}:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- https
{% if config.internal | default(true) or config.forward_https | default(false) %}
middlewares:
{% if config.internal | default(true) %}
- pocketid-auth
{% endif %}
{% if config.forward_https | default(false) %}
- {{ service_name }}-https-headers
{% endif %}
{% endif %}
service: {{ service_name }}
tls:
certResolver: cloudflare
{% endif %}
{% endfor %}
# Auto-configured services - HTTP to HTTPS redirect
{% for service_name, config in auto_configure_traefik.items() %}
{% if config.auth_bypass_paths is defined %}
# {{ service_name }} - bypass paths redirects
{% for path in config.auth_bypass_paths %}
{{ service_name }}-bypass-{{ loop.index }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && PathPrefix(`{{ path }}`)"
entryPoints:
- http
priority: 100
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
{% endif %}
# {{ service_name }} - default redirect
{{ service_name }}-redirect:
rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
entryPoints:
- http
middlewares:
- traefik-https-redirect
service: {{ service_name }}
{% endfor %}
services:
pocketid:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ pocketid_host }}:{{ pocketid_port }}"
tinyauth:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ tinyauth_host }}:{{ tinyauth_port }}"
website:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ website_host }}:{{ website_port }}"
# Auto-configured services
{% for service_name, config in auto_configure_traefik.items() %}
{{ service_name }}:
loadBalancer:
passHostHeader: true
{% if config.https | default(false) %}
serversTransport: ignore-tls@file
{% endif %}
servers:
- url: "{{ 'https' if config.https | default(false) else 'http' }}://{{ config.host }}:{{ config.port }}"
{% endfor %}
Reference in New Issue View Git Blame Copy Permalink