fix: update traefik for omada

hosts

@@ -8,5 +8,5 @@ vps02.comprofix.com
 docker.comprofix.xyz
 
 [omada]
-omada.comprofix.xyz ansible_user=root
+omada-lxc.comprofix.xyz ansible_user=root
 

roles/traefik/tasks/main.yml

@@ -16,7 +16,14 @@
   template:
     src: templates/traefik.yml.j2
     dest: "{{ data_folder }}/traefik/data/traefik.yml"
-    mode: '0600'
+    mode: "0600"
+
+- name: Copy Traefik config
+  template:
+    src: templates/config.yml.j2
+    dest: "{{ data_folder }}/traefik/data/config.yml"
+    mode: "0600"
+  when: traefik_host == "traefik02.comprofix.xyz"
 
 - name: Check if {{ data_folder }}/traefik/data/acme.json exists
   ansible.builtin.stat:
@@ -29,7 +36,7 @@
     state: touch
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
   when: not file_status.stat.exists
 
 - name: Check if {{ data_folder }}/traefik/data/traefik.json.log exists
@@ -43,7 +50,7 @@
     state: touch
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
   when: not file_status.stat.exists
 
 - name: Create traefik Container
@@ -65,7 +72,7 @@
       - "{{ data_folder }}/traefik/data/traefik.yml:/traefik.yml:ro"
       - "{{ data_folder }}/traefik/data/acme.json:/acme.json"
       - "{{ data_folder }}/traefik/data/traefik.json.log:/traefik.json.log"
-      # - ./data/config.yml:/config.yml:ro
+      - "{{ data_folder }}/traefik/data/config.yml:/config.yml:ro"
     labels:
       traefik.enable: "true"
       traefik.http.routers.traefik.entrypoints: "http"

roles/traefik/templates/config.yml.j2

@@ -0,0 +1,51 @@
+---
+http:
+  routers:
+    oc-router:
+      entryPoints:
+        - "https"
+      service: oc-service
+      rule: "Host(`omada.comprofix.xyz`)" # change it to actual address
+      tls: {}
+      middlewares:
+        - default-headers
+        - https-redirect
+
+  services:
+    oc-service:
+      loadBalancer:
+        servers:
+          - url: https://omada-lxc.comprofix.xyz:8043 # change it to actual ip of the controller
+
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      IPAllowList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "100.64.0.0/10"
+
+    secured:
+      chain:
+        middlewares:
+        - default-headers