Initial Commit

2025-09-08 18:29:40 +10:00
commit 12444311a4
59 changed files with 2931 additions and 0 deletions
--- a/roles/traefik/templates/config.yml.j2
+++ b/roles/traefik/templates/config.yml.j2
@ -0,0 +1,51 @@
+---
+http:
+  routers:
+    oc-router:
+      entryPoints:
+        - "https"
+      service: oc-service
+      rule: "Host(`omada.comprofix.xyz`)" # change it to actual address
+      tls: {}
+      middlewares:
+        - default-headers
+        - https-redirect
+
+  services:
+    oc-service:
+      loadBalancer:
+        servers:
+          - url: https://omada-lxc.comprofix.xyz:8043 # change it to actual ip of the controller
+
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      IPAllowList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "100.64.0.0/10"
+
+    secured:
+      chain:
+        middlewares:
+        - default-headers
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  debug: true
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+
+serversTransport:
+  insecureSkipVerify: true
+
+log:
+  level: DEBUG
+  filePath: /var/log/traefik/traefik.json.log
+  format: json
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: {{ CF_API_EMAIL }}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+