chore: remove nfs and traefik roles. Move them to tasks

2025-10-11 22:02:00 +10:00
parent 09c67abe58
commit bc61753794
15 changed files with 421 additions and 575 deletions
--- a/templates/config.yml.j2
+++ b/templates/config.yml.j2
@@ -0,0 +1,51 @@
+---
+http:
+  routers:
+    oc-router:
+      entryPoints:
+        - "https"
+      service: oc-service
+      rule: "Host(`omada.comprofix.xyz`)" # change it to actual address
+      tls: {}
+      middlewares:
+        - default-headers
+        - https-redirect
+
+  services:
+    oc-service:
+      loadBalancer:
+        servers:
+          - url: https://omada-lxc.comprofix.xyz:8043 # change it to actual ip of the controller
+
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      IPAllowList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "100.64.0.0/10"
+
+    secured:
+      chain:
+        middlewares:
+        - default-headers
--- a/templates/traefik.yml.j2
+++ b/templates/traefik.yml.j2
@@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  debug: true
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+
+serversTransport:
+  insecureSkipVerify: true
+
+log:
+  level: DEBUG
+  filePath: /var/log/traefik/traefik.json.log
+  format: json
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: {{ CF_API_EMAIL }}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+