From e2073fbd30e38efb37ea1a17314778edd8109963 Mon Sep 17 00:00:00 2001
From: Correl Roush
Date: Sun, 24 Nov 2024 20:34:37 -0500
Subject: [PATCH] Add traefik configuration
---
roles/traefik/files/conf.d/atma.yaml | 16 ++
roles/traefik/files/conf.d/calibre.yaml | 16 ++
roles/traefik/files/conf.d/fedi.yaml | 16 ++
roles/traefik/files/conf.d/git.yaml | 35 +++
roles/traefik/files/conf.d/homeassistant.yaml | 25 ++
roles/traefik/files/conf.d/misc.yaml | 16 ++
roles/traefik/files/conf.d/nextcloud.yaml | 16 ++
roles/traefik/files/conf.d/playcrafters.yaml | 23 ++
roles/traefik/files/conf.d/sailmaker.yaml | 213 ++++++++++++++++++
roles/traefik/files/conf.d/syncthing.yaml | 14 ++
roles/traefik/files/conf.d/tutor.yaml | 16 ++
roles/traefik/files/conf.d/wallabag.yaml | 16 ++
roles/traefik/files/traefik.yaml | 75 ++++++
roles/traefik/handlers/main.yml | 4 +
roles/traefik/tasks/main.yml | 9 +
promtail.yml => traefik.yml | 5 +
16 files changed, 515 insertions(+)
create mode 100644 roles/traefik/files/conf.d/atma.yaml
create mode 100644 roles/traefik/files/conf.d/calibre.yaml
create mode 100644 roles/traefik/files/conf.d/fedi.yaml
create mode 100644 roles/traefik/files/conf.d/git.yaml
create mode 100644 roles/traefik/files/conf.d/homeassistant.yaml
create mode 100644 roles/traefik/files/conf.d/misc.yaml
create mode 100644 roles/traefik/files/conf.d/nextcloud.yaml
create mode 100644 roles/traefik/files/conf.d/playcrafters.yaml
create mode 100644 roles/traefik/files/conf.d/sailmaker.yaml
create mode 100644 roles/traefik/files/conf.d/syncthing.yaml
create mode 100644 roles/traefik/files/conf.d/tutor.yaml
create mode 100644 roles/traefik/files/conf.d/wallabag.yaml
create mode 100644 roles/traefik/files/traefik.yaml
create mode 100644 roles/traefik/handlers/main.yml
create mode 100644 roles/traefik/tasks/main.yml
rename promtail.yml => traefik.yml (84%)
diff --git a/roles/traefik/files/conf.d/atma.yaml b/roles/traefik/files/conf.d/atma.yaml
new file mode 100644
index 0000000..ee45583
--- /dev/null
+++ b/roles/traefik/files/conf.d/atma.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ atma-public:
+ rule: "Host(`atma.phoenixinquis.net`) || Host(`atma.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: dyndns
+ service: atma
+
+ services:
+ atma:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/calibre.yaml b/roles/traefik/files/conf.d/calibre.yaml
new file mode 100644
index 0000000..08051d9
--- /dev/null
+++ b/roles/traefik/files/conf.d/calibre.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ calibre-public:
+ rule: "Host(`calibre.phoenixinquis.is-a-geek.org`) || Host(`calibrep.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: calibre
+
+ services:
+ calibre:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/fedi.yaml b/roles/traefik/files/conf.d/fedi.yaml
new file mode 100644
index 0000000..2a66b43
--- /dev/null
+++ b/roles/traefik/files/conf.d/fedi.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ fedi-public:
+ rule: "Host(`fedi.fenix.lgbt`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: fenix.lgbt
+ service: fedi
+
+ services:
+ fedi:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:3030"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/git.yaml b/roles/traefik/files/conf.d/git.yaml
new file mode 100644
index 0000000..3bf2758
--- /dev/null
+++ b/roles/traefik/files/conf.d/git.yaml
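Review bot: atma-public terminates TLS for two public hostnames but attaches no middleware, so nothing sets HSTS or other hardening headers and the `web`→`websecure` redirect in traefik.yaml is the only thing steering browsers to HTTPS. Since the backend is plaintext `http://reason.sailmaker:80` and the same shape repeats in calibre.yaml, fedi.yaml and the other `*-public` files, define one `headers` middleware (e.g. `stsSeconds: 31536000`, `stsIncludeSubdomains: true`, `contentTypeNosniff: true`) and reference it from every public router as `middlewares: [public-headers]`. Minor: this file spells the key `certResolver` while calibre.yaml and fedi.yaml on the same page use `certresolver`; Traefik's file provider appears to accept either casing, but settling on one spelling keeps a grep for the key complete.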
@@ -0,0 +1,35 @@
+http:
+ routers:
+ git-public:
+ rule: "Host(`git.phoenixinquis.net`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: git
+ middlewares:
+ # - git-ratelimit
+ - git-block-uas
+
+ services:
+ git:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker.fenix.lgbt:80"
+ passHostHeader: true
+
+ middlewares:
+ git-ratelimit:
+ rateLimit:
+ average: 10
+ burst: 30
+ period: 1m
+ git-block-uas:
+ plugin:
+ traefik-plugin-blockuseragent:
+ Regex :
+ - "facebookexternalhit"
+ - "meta-externalagent"
+ - "Amazonbot"
+ - "SemrushBot"
+ - "DotBot"
diff --git a/roles/traefik/files/conf.d/homeassistant.yaml b/roles/traefik/files/conf.d/homeassistant.yaml
new file mode 100644
index 0000000..14d081f
--- /dev/null
+++ b/roles/traefik/files/conf.d/homeassistant.yaml
@@ -0,0 +1,25 @@
+http:
+ routers:
+ homeassistant-public:
+ rule: "Host(`hass.karai.is-a-geek.org`) || Host(`hass.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: dyndns
+ service: homeassistant
+ homeassistant-internal:
+ rule: "Host(`homeassistant.sailmaker.fenix.lgbt`)"
+ entryPoints:
+ - websecure
+ tls:
+ domains:
+ - main: "*.sailmaker.fenix.lgbt"
+ certResolver: fenix.lgbt
+ service: homeassistant
+
+ services:
+ homeassistant:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.1.13:8123"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/misc.yaml b/roles/traefik/files/conf.d/misc.yaml
new file mode 100644
index 0000000..3686f5b
--- /dev/null
+++ b/roles/traefik/files/conf.d/misc.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ misc-public:
+ rule: "Host(`misc.phoenixinquis.net`) || Host(`misc.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: dyndns
+ service: misc
+
+ services:
+ misc:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
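Review bot: With `# - git-ratelimit` commented out, git-block-uas is the only middleware left on git-public, and a User-Agent blocklist is defeated by any client that changes its UA string, so the git frontend is effectively unthrottled on the public internet. If the limit was disabled because 10 requests per minute per client (as `average: 10` with `period: 1m` reads) broke normal page loads, relax it rather than drop it — e.g. `average: 60`, `burst: 120`, `period: 1m` — and re-enable the reference on the router. The plugin is third-party code fetched from GitHub and executed inside Traefik; pinning `v0.1.7` in traefik.yaml is right, so treat future bumps of that version as a code review, not a dependency refresh.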
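Review bot: homeassistant-public exposes Home Assistant on two internet hostnames with no middleware, forwarding to `http://192.168.1.13:8123`; Home Assistant only accepts proxied requests, and only sees the real client address for its failed-login IP ban, when its own `http:` block lists Traefik under `trusted_proxies` with `use_x_forwarded_for: true` — that setting is outside this commit, so confirm it exists or every failed login will be attributed to the proxy. An `ipAllowList`/`ipWhiteList` or at minimum a `rateLimit` middleware on the public router would blunt credential stuffing against a device that controls the house. homeassistant-internal already covers LAN access via the `*.sailmaker.fenix.lgbt` wildcard, so the public router only needs to exist if remote access is not going through the WireGuard tunnel that sailmaker.yaml routes a dashboard for.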
diff --git a/roles/traefik/files/conf.d/nextcloud.yaml b/roles/traefik/files/conf.d/nextcloud.yaml
new file mode 100644
index 0000000..6525923
--- /dev/null
+++ b/roles/traefik/files/conf.d/nextcloud.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ cloud-public:
+ rule: "Host(`cloud.phoenixinquis.net`) || Host(`cloud.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: dyndns
+ service: cloud
+
+ services:
+ cloud:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/playcrafters.yaml b/roles/traefik/files/conf.d/playcrafters.yaml
new file mode 100644
index 0000000..5ec3092
--- /dev/null
+++ b/roles/traefik/files/conf.d/playcrafters.yaml
@@ -0,0 +1,23 @@
+http:
+ routers:
+ playcrafters-public:
+ rule: "Host(`playcrafters.phoenixinquis.net`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: playcrafters
+ playcrafters-public-dyndns:
+ rule: "Host(`playcrafters.karai.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: playcrafters
+
+ services:
+ playcrafters:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/sailmaker.yaml b/roles/traefik/files/conf.d/sailmaker.yaml
new file mode 100644
index 0000000..462a547
--- /dev/null
+++ b/roles/traefik/files/conf.d/sailmaker.yaml
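Review bot: cloud-public forwards to Nextcloud over plain HTTP with `passHostHeader: true` and no middleware, so Nextcloud's brute-force protection will key on Traefik's address and its generated links will use `http://` unless config.php sets `trusted_proxies` for the Traefik host and `overwriteprotocol => 'https'`; neither is in this change, so please confirm they are managed elsewhere. Nextcloud's own security check also flags a missing `Strict-Transport-Security` header, which a `headers` middleware with `stsSeconds: 15552000` on this router would supply. Without `forwarded_for_headers` configured on the Nextcloud side, the access log in Traefik is the only place the real client IP survives, so keep that log retained.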
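Review bot: playcrafters-public and playcrafters-public-dyndns are identical except for the hostname, which every other file on this page expresses as one router with an `||` rule (atma.yaml, misc.yaml, nextcloud.yaml); a single `rule: "Host(`playcrafters.phoenixinquis.net`) || Host(`playcrafters.karai.is-a-geek.org`)"` halves the file and leaves one place to attach middleware later instead of two that can drift apart.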
@@ -0,0 +1,213 @@
+_templates:
+ internal-tls-router: &sailmaker-tls
+ entryPoints:
+ - websecure
+ tls:
+ domains:
+ - main: "*.sailmaker.fenix.lgbt"
+ certresolver: fenix.lgbt
+ public-tls-router: &public-tls
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+http:
+ routers:
+ freepbx-internal:
+ rule: "Host(`freepbx.sailmaker.fenix.lgbt`)"
+ service: freepbx
+ <<: *sailmaker-tls
+ grafana-internal:
+ rule: "Host(`grafana.sailmaker.fenix.lgbt`)"
+ service: grafana
+ <<: *sailmaker-tls
+ homepage-internal:
+ rule: "Host(`sailmaker.fenix.lgbt`)"
+ service: heimdall
+ <<: *sailmaker-tls
+ jellyfin-internal:
+ rule: "Host(`jellyfin.sailmaker.fenix.lgbt`)"
+ service: jellyfin
+ <<: *sailmaker-tls
+ lldap-internal:
+ rule: "Host(`ldap.sailmaker.fenix.lgbt`)"
+ service: lldap
+ <<: *sailmaker-tls
+ loki-internal:
+ rule: "Host(`loki.sailmaker.fenix.lgbt`)"
+ service: loki
+ <<: *sailmaker-tls
+ plex-internal:
+ rule: "Host(`plex.sailmaker.fenix.lgbt`)"
+ service: plex
+ <<: *sailmaker-tls
+ proxmox-internal:
+ rule: "Host(`proxmox.sailmaker.fenix.lgbt`)"
+ service: proxmox
+ <<: *sailmaker-tls
+ prowlarr-internal:
+ rule: "Host(`prowlarr.sailmaker.fenix.lgbt`)"
+ service: prowlarr
+ <<: *sailmaker-tls
+ radarr-internal:
+ rule: "Host(`radarr.sailmaker.fenix.lgbt`)"
+ service: radarr
+ <<: *sailmaker-tls
+ correl-internal:
+ rule: "Host(`correl.sailmaker.fenix.lgbt`)"
+ service: roam
+ <<: *sailmaker-tls
+ hugo-internal:
+ rule: "Host(`hugo.sailmaker.fenix.lgbt`)"
+ service: hugo
+ <<: *sailmaker-tls
+ omada-internal:
+ rule: "Host(`omada.sailmaker.fenix.lgbt`)"
+ service: omada
+ <<: *sailmaker-tls
+ sabnzbd-internal:
+ rule: "Host(`sabnzbd.sailmaker.fenix.lgbt`)"
+ service: sabnzbd
+ <<: *sailmaker-tls
+ sonarr-internal:
+ rule: "Host(`sonarr.sailmaker.fenix.lgbt`)"
+ service: sonarr
+ <<: *sailmaker-tls
+ tautulli-internal:
+ rule: "Host(`tautulli.sailmaker.fenix.lgbt`)"
+ service: tautulli
+ <<: *sailmaker-tls
+ traefik-internal:
+ rule: 
"Host(`traefik.sailmaker.fenix.lgbt`)" + service: traefik + <<: *sailmaker-tls + transmission-internal: + rule: "Host(`transmission.sailmaker.fenix.lgbt`)" + service: transmission + <<: *sailmaker-tls + webhook-internal: + rule: "Host(`webhook.sailmaker.fenix.lgbt`)" + service: webhook + <<: *sailmaker-tls + webhook-public: + rule: "Host(`webhook.phoenixinquis.net`)" + service: requestbin + <<: *public-tls + whisparr-internal: + rule: "Host(`whisparr.sailmaker.fenix.lgbt`)" + service: whisparr + <<: *sailmaker-tls + whoogle-internal: + rule: "Host(`whoogle.sailmaker.fenix.lgbt`)" + service: whoogle + <<: *sailmaker-tls + wireguard-dashboard-internal: + rule: "Host(`wireguard.sailmaker.fenix.lgbt`)" + service: wireguard-dashboard + <<: *sailmaker-tls + services: + freepbx: + loadBalancer: + servers: + - url: "http://192.168.1.20" + grafana: + loadBalancer: + servers: + - url: "http://reason.sailmaker:3001" + heimdall: + loadBalancer: + servers: + - url: "http://heimdall-dashboard.sailmaker.fenix.lgbt:7990" + homepage: + loadBalancer: + servers: + - url: "http://reason.sailmaker:3000" + hugo: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:1215" + jellyfin: + loadBalancer: + servers: + - url: "http://reason.sailmaker:8096" + lldap: + loadBalancer: + servers: + - url: "http://lldap.sailmaker.fenix.lgbt:17170" + loki: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:3100" + omada: + loadBalancer: + servers: + - url: "http://oc200_d12a99.sailmaker.fenix.lgbt" + plex: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:32400" + proxmox: + loadBalancer: + passHostHeader: true + serversTransport: pve + servers: + - url: "https://nomadix.sailmaker.fenix.lgbt:8006" + prowlarr: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:9696" + radarr: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:7878" + requestbin: + loadBalancer: + servers: + - url: 
"http://reason.sailmaker.fenix.lgbt:8009" + roam: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:1214" + sabnzbd: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:8080" + sonarr: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:8989" + tautulli: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:80" + passHostHeader: true + traefik: + loadBalancer: + servers: + - url: "http://192.168.1.8:8080" + transmission: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:9091" + webhook: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:9000" + whisparr: + loadBalancer: + servers: + - url: "http://reason.sailmaker.fenix.lgbt:6969" + whoogle: + loadBalancer: + servers: + - url: "http://192.168.1.15:5000" + wireguard-dashboard: + loadBalancer: + servers: + # Reason (old) + - url: "http://192.168.1.183:51821" + # Nomadix (new) + # - url: "http://192.168.1.6:10086" + serversTransports: + pve: + insecureSkipVerify: true diff --git a/roles/traefik/files/conf.d/syncthing.yaml b/roles/traefik/files/conf.d/syncthing.yaml new file mode 100644 index 0000000..c478552 --- /dev/null +++ b/roles/traefik/files/conf.d/syncthing.yaml @@ -0,0 +1,14 @@ +http: + routers: + syncthing-local: + rule: "Host(`syncthing.sailmaker`)" + entryPoints: + - web + service: syncthing + + services: + syncthing: + loadBalancer: + servers: + - url: "http://reason.sailmaker:8384" + passHostHeader: true diff --git a/roles/traefik/files/conf.d/tutor.yaml b/roles/traefik/files/conf.d/tutor.yaml new file mode 100644 index 0000000..f49de9e --- /dev/null +++ b/roles/traefik/files/conf.d/tutor.yaml 
@@ -0,0 +1,16 @@
+http:
+ routers:
+ tutor-public:
+ rule: "Host(`tutor.phoenixinquis.net`) || Host(`tutor.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: tutor
+
+ services:
+ tutor:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/conf.d/wallabag.yaml b/roles/traefik/files/conf.d/wallabag.yaml
new file mode 100644
index 0000000..9e26468
--- /dev/null
+++ b/roles/traefik/files/conf.d/wallabag.yaml
@@ -0,0 +1,16 @@
+http:
+ routers:
+ wallabag-public:
+ rule: "Host(`wallabag.phoenixinquis.is-a-geek.org`)"
+ entryPoints:
+ - websecure
+ tls:
+ certresolver: dyndns
+ service: wallabag
+
+ services:
+ wallabag:
+ loadBalancer:
+ servers:
+ - url: "http://reason.sailmaker:80"
+ passHostHeader: true
diff --git a/roles/traefik/files/traefik.yaml b/roles/traefik/files/traefik.yaml
new file mode 100644
index 0000000..7b3dbaf
--- /dev/null
+++ b/roles/traefik/files/traefik.yaml
@@ -0,0 +1,75 @@
+providers:
+ file:
+ directory: /etc/traefik/conf.d/
+ watch: true
+
+entryPoints:
+ web:
+ address: ':80'
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ':443'
+ http:
+ tls:
+ certResolver: letsencrypt
+ traefik:
+ address: ':8080'
+
+certificatesResolvers:
+ # letsencrypt:
+ # acme:
+ # email: "correl@gmail.com"
+ # storage: /etc/traefik/ssl/acme.json
+ # dnsChallenge:
+ # provider: route53
+ # delayBeforeCheck: 0
+ fenix.lgbt:
+ acme:
+ email: "correl@gmail.com"
+ storage: /etc/traefik/ssl/acme-fenix.lgbt.json
+ dnsChallenge:
+ provider: route53
+ delayBeforeCheck: 0
+ dyndns:
+ acme:
+ email: "correl@gmail.com"
+ storage: /etc/traefik/ssl/acme-dyndns.json
+ tlsChallenge: {}
+
+api:
+ dashboard: true
+ insecure: true
+
+log:
+ filePath: /var/log/traefik/traefik.log
+ format: json
+ level: INFO
+
+accessLog:
+ filePath: /var/log/traefik/traefik-access.log
+ format: json
+ filters:
+ statusCodes:
+ - "200"
+ - "400-599"
+ retryAttempts: true
+ minDuration: "10ms"
+ bufferingSize: 0
+ fields:
+ headers:
+ defaultMode: drop
+ names:
+ User-Agent: keep
+
+metrics:
+ prometheus: {}
+
+experimental:
+ plugins:
+ traefik-plugin-blockuseragent:
+ moduleName: "github.com/agence-gaya/traefik-plugin-blockuseragent"
+ version: "v0.1.7"
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
new file mode 100644
index 0000000..c27ad06
--- /dev/null
+++ b/roles/traefik/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart traefik
+ service:
+ name: traefik
+ status: restarted
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
new file mode 100644
index 0000000..447da7d
--- /dev/null
+++ b/roles/traefik/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Copy main configuration
+ copy:
+ src: traefik.yaml
+ dest: /etc/traefik/traefik.yaml
+ notify: restart traefik
+- name: Copy additional configuration
+ copy:
+ src: conf.d
+ dest: /etc/traefik
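Review bot: `api.insecure: true` serves the dashboard and the full `/api` — every router, middleware and backend URL, including the LAN addresses above — on the `traefik` entrypoint `:8080`, bound on all interfaces with no authentication, and sailmaker.yaml in this commit additionally proxies that port out as `traefik.sailmaker.fenix.lgbt`. Set `insecure: false` (or drop the key), remove the `traefik` entrypoint, and publish the dashboard as an ordinary router with `service: api@internal` behind an allow-list or `basicAuth` middleware. Separately, `websecure.http.tls.certResolver: letsencrypt` names a resolver that is commented out below, so any router that relies on the entrypoint default (none in this commit, but the next one will) fails issuance and serves Traefik's self-signed default certificate; either uncomment the resolver or point the default at `dyndns`. The accessLog `statusCodes` filter keeps only `200` and `400-599`, and `minDuration: "10ms"` only rescues slow requests, so fast 3xx responses such as post-login redirects never reach the log — worth widening to `"200-399"` if that traffic matters during an incident review.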
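Review bot: `status: restarted` is not a parameter of the Ansible `service` module — the key is `state` — so the handler fails the first time traefik.yaml changes and the running Traefik keeps its old static configuration (entrypoints, `api.insecure`, resolvers) until someone restarts it by hand, while the play reports the change as applied. Change the last line to `state: restarted`.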
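Review bot: `copy` of the `conf.d` directory only adds and updates files, so a router file deleted from the role stays in `/etc/traefik/conf.d/` on the host and `watch: true` keeps serving it — a hostname you believe decommissioned remains routed to its backend. Either manage the directory with `ansible.posix.synchronize` plus `delete: true`, or add a task that removes files under `/etc/traefik/conf.d/` that are not present in the role before copying. Neither task sets ownership or permissions; an explicit `mode: "0644"` (and `owner`/`group` matching the Traefik service account) makes the intent reviewable, and the second task not notifying the restart handler is fine only because the file provider reloads dynamic config itself — a comment saying so, e.g. `# no notify: providers.file.watch reloads conf.d live`, would stop the next reader from "fixing" it.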
diff --git a/promtail.yml b/traefik.yml
similarity index 84%
rename from promtail.yml
rename to traefik.yml
index 76ce8c5..fc2abde 100644
--- a/promtail.yml
+++ b/traefik.yml
@@ -1,3 +1,8 @@
+- name: Manage traefik server
+ hosts: traefik
+ become: true
+ roles:
+ - traefik
 - name: Manage promtail service
 hosts: traefik
 become: true