Final changes to traefik and up and running

2023-02-15 15:15:33 -05:00
parent 901199d2b7
commit 76b2dccc5e
15 changed files with 101 additions and 36 deletions
--- a/ansible/roles/traefik/templates/conf/middlewares.yml
+++ b/ansible/roles/traefik/templates/conf/middlewares.yml
@@ -0,0 +1,17 @@
+http:
+  middlewares:
+    lan-whitelist:
+      ipWhitelist:
+        sourceRange:
+          - 10.0.0.0/24
+          - 10.67.115.0/24
+
+    secure-headers:
+      headers:
+        customFrameOptionsValue: SAMEORIGIN
+        forceSTSHeader: true
+        stsSeconds: 15552000
+        stsPreload: true
+        customResponseHeaders:
+          Permissions-Policy: interest-cohort() # Opts out of Google's FLoC network. See https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+          X-Robots-Tag: none
--- a/ansible/roles/traefik/templates/docker-compose.yml
+++ b/ansible/roles/traefik/templates/docker-compose.yml
@@ -3,11 +3,15 @@ version: "{{ docker_compose_version }}"
 networks:
  traefik:
    external: true
+  docker-socket-proxy:
+    external: false

 services:
  traefik:
    container_name: traefik
-    image: traefik:latest
+    image: traefik:v2.9
+    depends_on:
+      - docker_socket_proxy
    networks:
      - traefik
      - docker-socket-proxy
@@ -24,3 +28,15 @@ services:
      traefik.http.routers.traefik-dashboard.rule: "Host(`traefik.local.{{ personal_domain }}`)"
      traefik.http.routers.traefik-dashboard.service: api@internal
      traefik.http.routers.traefik-dashboard.middlewares: lan-whitelist@file
+
+  docker_socket_proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    restart: unless-stopped
+    networks:
+      - docker-socket-proxy
+    environment:
+      - CONTAINERS=1
+      - SERVICES=1
+      - INFO=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
--- a/ansible/roles/traefik/templates/traefik.yml
+++ b/ansible/roles/traefik/templates/traefik.yml
@@ -23,19 +23,25 @@ entryPoints:
  traefik:
    address: :8080

+api:
+  dashboard: true
+  debug: false
+
 certificatesResolvers:
  letsencrypt:
    acme:
      # Staging server
-      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory

      # Production server
-      # caServer: https://acme-v02.api.letsencrypt.org/directory
-    email: "{{ letsencrypt_email }}"
-    storage: /etc/traefik.acme.json
-    dnsChallenge:
-      provider: porkbun
-      delayBeforeCheck: 0
+      caServer: https://acme-v02.api.letsencrypt.org/directory
+      email: "{{ letsencrypt_email }}"
+      storage: /etc/traefik/acme.json
+      dnsChallenge:
+        provider: porkbun
+        delayBeforeCheck: 0
+        resolvers:
+          - "1.1.1.1:53"

 serversTransport:
  insecureSkipVerify: true