Update Traefik reverse proxy configuration

- Enhance home-docker-compose.yml template with improved networking
- Update deployment tasks for better label handling
- Improve TLS certificate verification flow
Jeremie Fraeys 2026-02-21 18:31:25 -05:00
parent 4842c71cae
commit 2ce1af3b1e
2 changed files with 54 additions and 5 deletions


@ -14,13 +14,11 @@
{{
CF_DNS_API_TOKEN
| default(lookup('env', 'CF_DNS_API_TOKEN'))
| default(TF_VAR_cloudflare_api_token)
| default(lookup('env', 'TF_VAR_cloudflare_api_token'))
}}
- name: Fail if Cloudflare DNS API token is missing
fail:
msg: "CF_DNS_API_TOKEN (recommended) or TF_VAR_cloudflare_api_token is required for Traefik DNS-01"
msg: "CF_DNS_API_TOKEN is required for Traefik DNS-01"
when: traefik_cloudflare_dns_api_token | length == 0
- name: Create permanent directory for Traefik Docker Compose
@ -52,7 +50,7 @@
- name: Ensure ACME storage file exists
file:
path: "{{ traefik_dir }}/letsencrypt/acme.json"
state: touch
state: file
mode: "0600"
- name: Copy base dynamic configuration
@ -72,6 +70,17 @@
- security-headers
- compress
app:
rule: "Host(`{{ app_hostname }}`)"
entryPoints:
- websecure
tls:
certResolver: "{{ traefik_certresolver }}"
service: webapps
middlewares:
- security-headers
- compress
grafana:
rule: "Host(`{{ grafana_hostname }}`)"
entryPoints:
@ -93,12 +102,29 @@
middlewares:
- security-headers
- compress
- rate-limit
prometheus:
rule: "Host(`{{ prometheus_hostname }}`)"
entryPoints:
- websecure
tls:
certResolver: "{{ traefik_certresolver }}"
service: prometheus
middlewares:
- security-headers
- compress
- authelia
services:
authelia:
loadBalancer:
servers:
- url: "http://authelia:9091"
webapps:
loadBalancer:
servers:
- url: "{{ web_apps_scheme }}://{{ hostvars['web'].public_ipv4 }}:{{ web_apps_port }}"
grafana:
loadBalancer:
servers:
@ -107,6 +133,10 @@
loadBalancer:
servers:
- url: "http://forgejo:3000"
prometheus:
loadBalancer:
servers:
- url: "http://prometheus:9090"
middlewares:
security-headers:
@ -118,6 +148,22 @@
compress:
compress: {}
rate-limit:
rateLimit:
average: 100
burst: 50
period: 1m
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://{{ auth_hostname }}/"
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Email
- Remote-Name
- name: Ensure proxy network exists
command: docker network inspect proxy
register: proxy_network
@ -129,6 +175,6 @@
when: proxy_network.rc != 0
- name: Deploy Traefik container
command: docker compose up -d --force-recreate
command: docker compose up -d
args:
chdir: "{{ traefik_dir }}"
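Review bot: `state: file` in the "Ensure ACME storage file exists" task (second hunk, `@ -52,7 +50,7 @@`) does not create the file — ansible.builtin.file with `state: file` fails when the path is absent, so a fresh host never gets acme.json and the task name no longer matches what the task does. If the aim was to stop the old `state: touch` from reporting changed on every run, keep touch and preserve the timestamps instead: `state: touch`, `access_time: preserve`, `modification_time: preserve` (the `mode: "0600"` line stays; it is the permission Traefik expects on its ACME store). Separately, in the services hunk the `webapps` backend URL is built from `{{ web_apps_scheme }}` and `hostvars['web'].public_ipv4`; if that scheme resolves to http, proxied traffic to the web host crosses the network in cleartext, and if it is https Traefik verifies the upstream certificate by default, so that host needs a certificate that matches or an explicit serversTransport. Worth a comment next to `web_apps_scheme` stating which of the two is intended.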


@ -6,6 +6,9 @@ services:
- --providers.file.directory=/etc/traefik/dynamic
- --providers.file.watch=true
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --entrypoints.websecure.address=:443
- --certificatesresolvers.{{ traefik_certresolver }}.acme.email={{ traefik_acme_email }}
- --certificatesresolvers.{{ traefik_certresolver }}.acme.storage=/letsencrypt/acme.json