diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index e7313a5..2b72883 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml @@ -14,13 +14,11 @@ {{ CF_DNS_API_TOKEN | default(lookup('env', 'CF_DNS_API_TOKEN')) - | default(TF_VAR_cloudflare_api_token) - | default(lookup('env', 'TF_VAR_cloudflare_api_token')) }} - name: Fail if Cloudflare DNS API token is missing fail: - msg: "CF_DNS_API_TOKEN (recommended) or TF_VAR_cloudflare_api_token is required for Traefik DNS-01" + msg: "CF_DNS_API_TOKEN is required for Traefik DNS-01" when: traefik_cloudflare_dns_api_token | length == 0 - name: Create permanent directory for Traefik Docker Compose @@ -52,7 +50,7 @@ - name: Ensure ACME storage file exists file: path: "{{ traefik_dir }}/letsencrypt/acme.json" - state: touch + state: file mode: "0600" - name: Copy base dynamic configuration @@ -72,6 +70,17 @@ - security-headers - compress + app: + rule: "Host(`{{ app_hostname }}`)" + entryPoints: + - websecure + tls: + certResolver: "{{ traefik_certresolver }}" + service: webapps + middlewares: + - security-headers + - compress + grafana: rule: "Host(`{{ grafana_hostname }}`)" entryPoints: @@ -93,12 +102,29 @@ middlewares: - security-headers - compress + - rate-limit + + prometheus: + rule: "Host(`{{ prometheus_hostname }}`)" + entryPoints: + - websecure + tls: + certResolver: "{{ traefik_certresolver }}" + service: prometheus + middlewares: + - security-headers + - compress + - authelia services: authelia: loadBalancer: servers: - url: "http://authelia:9091" + webapps: + loadBalancer: + servers: + - url: "{{ web_apps_scheme }}://{{ hostvars['web'].public_ipv4 }}:{{ web_apps_port }}" grafana: loadBalancer: servers: @@ -107,6 +133,10 @@ loadBalancer: servers: - url: "http://forgejo:3000" + prometheus: + loadBalancer: + servers: + - url: "http://prometheus:9090" middlewares: security-headers: 
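Review bot: The token expression that survives this hunk is stored in an Ansible fact, and that value can appear in verbose output and play diffs unless the task carries `no_log: true`; the task header sits above line 14, outside the hunk, so I cannot see whether the flag is already there, and if it is not I would add `no_log: true` next to `set_fact:`. The shortened `fail` message on the `+` line is consistent with the removed fallbacks, and the `when: traefik_cloudflare_dns_api_token | length == 0` guard still catches the empty string that `lookup('env', 'CF_DNS_API_TOKEN')` returns when the variable is unset. Please also confirm the closing `}}` of the expression remains as a context line after the two removed `| default(...)` lines; in the collapsed diff it is not clear whether it was part of the last removed line.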
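Review bot: `state: file` on the acme.json task does not create the file, so on a fresh host where `{{ traefik_dir }}/letsencrypt/acme.json` does not yet exist the `file` module fails instead of creating it with mode 0600, which is exactly what the removed `state: touch` did. If the motivation was to stop the task reporting changed on every run, keep touch and preserve the timestamps instead: `state: touch`, `access_time: preserve`, `modification_time: preserve`. Otherwise the first run on a new host aborts before Traefik is ever deployed.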
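Review bot: The new `app` router omits the `authelia` forwardAuth middleware that the `prometheus` router in the next hunk attaches, while proxying to an off-host backend through `webapps`; if that is deliberate because the application authenticates users itself, a comment above `app:` such as `# public router: the app handles its own authentication, no forwardAuth here` would stop a later reviewer from "fixing" it. If it is not deliberate, `- authelia` belongs in this router's `middlewares` list as well. The router block otherwise mirrors the existing ones, which is fine.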
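Review bot: The `webapps` service URL on the added `- url:` line sends proxied traffic to `hostvars['web'].public_ipv4`, i.e. out over the host's public address; with `web_apps_scheme` set to `http` that is plaintext across the network, and with `https` Traefik validates the backend certificate against a bare IP, which only succeeds if the certificate carries an IP SAN or a `serversTransport` with relaxed verification is attached to the service. A private or VPN address for the `web` host would be preferable if the inventory exposes one; otherwise record the accepted trade-off in a comment next to the URL. The expression also assumes `public_ipv4` is defined for `web` at the time this role runs; if it comes from gathered facts, facts for `web` must be gathered earlier in the play or the template fails on an undefined attribute.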
@@ -118,6 +148,22 @@ compress: compress: {} + rate-limit: + rateLimit: + average: 100 + burst: 50 + period: 1m + + authelia: + forwardAuth: + address: "http://authelia:9091/api/verify?rd=https://{{ auth_hostname }}/" + trustForwardHeader: true + authResponseHeaders: + - Remote-User + - Remote-Groups + - Remote-Email + - Remote-Name + - name: Ensure proxy network exists command: docker network inspect proxy register: proxy_network @@ -129,6 +175,6 @@ when: proxy_network.rc != 0 - name: Deploy Traefik container - command: docker compose up -d --force-recreate + command: docker compose up -d args: chdir: "{{ traefik_dir }}" diff --git a/roles/traefik/templates/home-docker-compose.yml.j2 b/roles/traefik/templates/home-docker-compose.yml.j2 index 6aab54d..15be2a3 100644 --- a/roles/traefik/templates/home-docker-compose.yml.j2 +++ b/roles/traefik/templates/home-docker-compose.yml.j2 @@ -6,6 +6,9 @@ services: - --providers.file.directory=/etc/traefik/dynamic - --providers.file.watch=true - --entrypoints.web.address=:80 + - --entrypoints.web.http.redirections.entrypoint.to=websecure + - --entrypoints.web.http.redirections.entrypoint.scheme=https + - --entrypoints.web.http.redirections.entrypoint.permanent=true - --entrypoints.websecure.address=:443 - --certificatesresolvers.{{ traefik_certresolver }}.acme.email={{ traefik_acme_email }} - --certificatesresolvers.{{ traefik_certresolver }}.acme.storage=/letsencrypt/acme.json
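Review bot: The new `rate-limit` middleware buckets requests by the default source criterion, the client remote address, so if traffic reaches Traefik through Cloudflare's proxy or any other forwarder every user behind the same edge IP shares one bucket and gets throttled together; nothing in this diff sets `forwardedHeaders.trustedIPs` on the `websecure` entrypoint, which is what a `sourceCriterion.ipStrategy.depth` setting would rely on to pick the real client address. For the `authelia` middleware, `trustForwardHeader: true` is acceptable only because the hop to `http://authelia:9091` stays on the internal proxy network; a comment above it, e.g. `# internal hop: Traefik sets X-Forwarded-*, Authelia must trust them`, would make that assumption explicit.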
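Review bot: Dropping `--force-recreate` is reasonable, since Compose recreates the container when the rendered compose file changes, but `command: docker compose up -d` still reports `changed` on every run of the play. If the `community.docker` collection is available, `community.docker.docker_compose_v2` with `project_src: "{{ traefik_dir }}"` yields a real changed/ok status; otherwise register the command result and derive `changed_when` from its output.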
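Review bot: The three redirection flags make the `web` entrypoint redirect-only, which also bounces any HTTP-01 ACME challenge arriving on port 80; that is safe here only because the resolver uses DNS-01 (the tasks file fails without `CF_DNS_API_TOKEN`), and a comment above the new lines should say so, e.g. `# port 80 only redirects; ACME is DNS-01, so no HTTP-01 path is needed here`. Note that `permanent=true` sends a 301 that browsers cache, so this choice should be treated as final rather than toggled later.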