Add traefik config

2020-02-02 21:10:29 +00:00
parent a42c1a4182
commit 035ff0ac24
5 changed files with 154 additions and 0 deletions
--- a/ansible/roles/docker/files/traefik/docker-compose.yml
+++ b/ansible/roles/docker/files/traefik/docker-compose.yml
@ -0,0 +1,12 @@
+version: "3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:v2.1.2
+    #command: "--log.level=DEBUG"
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik:/etc/traefik
+    restart: unless-stopped
--- a/ansible/roles/docker/files/traefik/file-provider.yml
+++ b/ansible/roles/docker/files/traefik/file-provider.yml
@ -0,0 +1,42 @@
+http:
+  middlewares:
+    internal-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ wireguard.cidr }}"
+          - "192.168.1.0/24"
+    hsts:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    hsts:
+      service: "ping@internal"
+      rule: "PathPrefix(`/`)"
+      entryPoints:
+        - web
+      middlewares:
+        - hsts
+    ping:
+      service: "ping@internal"
+      rule: "Host(`traefik.jakehoward.tech`) && Path(`/ping/`)"
+      middlewares:
+        - hsts
+      tls:
+        certResolver: le
+    dashboard:
+      service: "dashboard@internal"
+      rule: "Host(`traefik.jakehoward.tech`)"
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
+    api:
+      service: "api@internal"
+      rule: "Host(`traefik.jakehoward.tech`) && PathPrefix(`/api`)"
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
--- a/ansible/roles/docker/files/traefik/traefik.yml
+++ b/ansible/roles/docker/files/traefik/traefik.yml
@ -0,0 +1,38 @@
+entryPoints:
+  web:
+    address: ":80"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  web-secure:
+    address: ":443"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  matrix:
+    address: ":8448"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+
+ping:
+  manualRouting: true
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/file-provider.yml
+
+api:
+  dashboard: true
+
+certificatesResolvers:
+  le:
+    acme:
+      email: "hosting@theorangeone.net"
+      storage: "/etc/traefik/acme.json"
+      httpChallenge:
+        entryPoint: web