fix: update traefik for omada

2024-11-16 19:56:02 +10:00 · 2024-11-16 19:56:02 +10:00 · bceef910d2
commit bceef910d2
parent c8f7d0ab5d
3 changed files with 64 additions and 6 deletions
--- a/2
+++ b/2
@ -8,5 +8,5 @@ vps02.comprofix.com
 docker.comprofix.xyz

 [omada]
-omada.comprofix.xyz ansible_user=root
+omada-lxc.comprofix.xyz ansible_user=root

--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -16,7 +16,14 @@
  template:
    src: templates/traefik.yml.j2
    dest: "{{ data_folder }}/traefik/data/traefik.yml"
-    mode: '0600'
+    mode: "0600"
+
+- name: Copy Traefik config
+  template:
+    src: templates/config.yml.j2
+    dest: "{{ data_folder }}/traefik/data/config.yml"
+    mode: "0600"
+  when: traefik_host == "traefik02.comprofix.xyz"

 - name: Check if {{ data_folder }}/traefik/data/acme.json exists
  ansible.builtin.stat:
@ -29,7 +36,7 @@
    state: touch
    owner: root
    group: root
-    mode: '0600'
+    mode: "0600"
  when: not file_status.stat.exists

 - name: Check if {{ data_folder }}/traefik/data/traefik.json.log exists
@ -43,7 +50,7 @@
    state: touch
    owner: root
    group: root
-    mode: '0600'
+    mode: "0600"
  when: not file_status.stat.exists

 - name: Create traefik Container
@ -65,7 +72,7 @@
      - "{{ data_folder }}/traefik/data/traefik.yml:/traefik.yml:ro"
      - "{{ data_folder }}/traefik/data/acme.json:/acme.json"
      - "{{ data_folder }}/traefik/data/traefik.json.log:/traefik.json.log"
-      # - ./data/config.yml:/config.yml:ro
+      - "{{ data_folder }}/traefik/data/config.yml:/config.yml:ro"
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.entrypoints: "http"
@ -83,4 +90,4 @@
      traefik.http.routers.traefik-secure.tls.domains[0].sans: "*.comprofix.com"
      traefik.http.routers.traefik-secure.tls.domains[1].main: "comprofix.xyz"
      traefik.http.routers.traefik-secure.tls.domains[1].sans: "*.comprofix.xyz"
-      traefik.http.routers.traefik-secure.service: "api@internal"
+      traefik.http.routers.traefik-secure.service: "api@internal"
--- a/roles/traefik/templates/config.yml.j2
+++ b/roles/traefik/templates/config.yml.j2
@ -0,0 +1,51 @@
+---
+http:
+  routers:
+    oc-router:
+      entryPoints:
+        - "https"
+      service: oc-service
+      rule: "Host(`omada.comprofix.xyz`)" # change it to actual address
+      tls: {}
+      middlewares:
+        - default-headers
+        - https-redirect
+
+  services:
+    oc-service:
+      loadBalancer:
+        servers:
+          - url: https://omada-lxc.comprofix.xyz:8043 # change it to actual ip of the controller
+
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      IPAllowList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "100.64.0.0/10"
+
+    secured:
+      chain:
+        middlewares:
+        - default-headers