infrastructure/ansible/roles/traefik/files/traefik.yml
Jake Howard 393a947cb7
Remove f2b gateway bouncer
To be replaced by something more sensible
2024-07-14 22:27:58 +01:00


# Traefik static configuration, rendered by Ansible (the `{{ ... }}` values are
# Jinja variables; `vault_*` ones come from Ansible Vault). Dynamic routing
# lives in the Docker labels and in the file-provider directory below.
entryPoints:
  # Plain HTTP: only used to redirect everything to `web-secure`.
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
    # PROXY-protocol headers are honoured only from these overlay/internal
    # ranges; anything else keeps its real source address.
    proxyProtocol:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
        - "{{ tailscale_cidr }}"
  web-secure:
    address: :443
    http:
      middlewares:
        - floc-block@file
        - compress@file
      tls:
        certresolver: le
        # Wildcard certs via DNS-01 (see the `le` resolver below). `sans` is
        # documented as a list; a single string works because Traefik's loader
        # splits it on commas, but a list would be the unambiguous form.
        domains:
          - main: theorangeone.net
            sans: "*.theorangeone.net"
          - main: jakehoward.tech
            sans: "*.jakehoward.tech"
    # Narrower than `web`: PROXY protocol is trusted only from the ingress host.
    proxyProtocol:
      trustedIPs:
        - "{{ pve_hosts.ingress.ip }}/32"
    # X-Forwarded-* headers are trusted only from this address; requests from
    # any other source have those headers discarded, so clients cannot spoof
    # their origin IP to backends.
    forwardedHeaders:
      trustedIPs:
        - "{{ wireguard.server.ip }}/32" # Source IP as seen after PROXY-protocol unwrapping from the ingress host
  # Management entrypoint. It is bound on all interfaces, and with
  # `api.insecure: true` below it serves the API/dashboard, `ping`, and the
  # Prometheus metrics without authentication. NOTE(review): confirm :8080 is
  # not reachable beyond the trusted networks above (host firewall / Docker
  # port mapping), or move the dashboard behind a router with auth.
  traefik:
    address: :8080
# Health endpoint (`/ping`); with no `entryPoint` set it defaults to `traefik`.
ping: {}
providers:
  docker:
    # Reached through a socket proxy rather than the raw Docker socket.
    # NOTE(review): presumably `docker_proxy` restricts the API to read-only
    # container/network endpoints — verify, since full Docker API access is
    # root-equivalent on the host.
    endpoint: tcp://docker_proxy:2375
    watch: true
    # Containers are routed only when they opt in with labels.
    exposedByDefault: false
    network: traefik
  # Middlewares referenced as `*@file` (floc-block, compress) are defined here.
  file:
    directory: /etc/traefik/conf
api:
  dashboard: true
  # NOTE(review): `insecure: true` exposes the API and dashboard unauthenticated
  # on the `traefik` entrypoint. The supported alternative is `insecure: false`
  # plus a router for `api@internal` with an auth middleware in the file
  # provider; left as-is here because that router is not part of this file.
  insecure: true
certificatesResolvers:
  # Both resolvers share one acme.json; Traefik keys its contents by resolver
  # name. The file must be mode 0600 or Traefik refuses to use it.
  le:
    acme:
      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      # DNS-01 is required for the wildcard SANs above. Public resolvers are
      # pinned so propagation checks are not answered from a local cache.
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
  gandi:
    acme:
      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: gandiv5
        delayBeforeCheck: 0
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
# NOTE(review): this disables certificate verification for every HTTPS backend
# globally, so a MITM between Traefik and a backend goes unnoticed. Prefer a
# per-service `serversTransport` (with `rootCAs` for self-signed backends) and
# leave the default verifying.
serversTransport:
  insecureSkipVerify: true
# Scraped from :8080 alongside the API — see the note on the `traefik` entrypoint.
metrics:
  prometheus:
    entryPoint: traefik
# Applies to every TLS router unless it names its own options. TLS 1.2 is the
# floor; cipher suites are left at Traefik's defaults.
tls:
  options:
    default:
      minVersion: VersionTLS12
# Traefik Pilot has been discontinued; NOTE(review): this key was removed in
# Traefik v3 and can be dropped once the running version is confirmed.
pilot:
  dashboard: false