Refactor

coreos-config/plays/services/traefik/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=traefik

coreos-config/plays/services/traefik/docker-compose.yaml

@@ -0,0 +1,86 @@
+{% set deploy_traefik_fa = with_fa|default(false) %}
+---
+version: '3.9'
+services:
+  traefik:
+    image: traefik:v2.7
+    container_name: traefik
+    ulimits:
+      nofile:
+        soft: 4000
+        hard: 15000
+    restart: always
+    ports:
+      - "443:443"
+      - "80:80"
+    privileged: true
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "./traefik.yaml:/etc/traefik/traefik.yaml:Z,ro"
+      - "./dynamic.yaml:/etc/traefik/dynamic.yaml:Z,ro"
+      - "acme:/acme"
+    labels:
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=9091"
+    networks:
+      - gateway
+      - default
+
+{% if deploy_traefik_fa %}
+  traefik-fa:
+    image: quay.io/oauth2-proxy/oauth2-proxy:latest
+    restart: unless-stopped
+    networks:
+      - gateway
+    depends_on:
+      - traefik
+    labels:
+      traefik.enable: 'true'
+      traefik.http.routers.oauth.entrypoints: websecure
+      traefik.http.routers.oauth.rule: Host(`traefik-fa.tobiasmanske.de`) || PathPrefix(`/oauth2`)
+      traefik.http.services.oauth.loadbalancer.server.port: '4180'
+      prometheus-scrape.enabled: "true"
+      prometheus-scrape.port: "9091"
+    environment:
+      OAUTH2_PROXY_PROVIDER: 'keycloak-oidc'
+      OAUTH2_PROXY_CLIENT_ID: '{{ traefik.oidc.client_id }}'
+      OAUTH2_PROXY_CLIENT_SECRET: '{{ traefik.oidc.client_secret }}'
+      OAUTH2_PROXY_OIDC_ISSUER_URL: '{{ traefik.oidc.issuer_url }}'
+      OAUTH2_PROXY_COOKIE_DOMAIN: '.tobiasmanske.de'
+      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
+      OAUTH2_PROXY_COOKIE_SECURE: 'true'
+      OAUTH2_PROXY_COOKIE_SECRET: '{{ traefik.oidc.cookie_secret }}'
+      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
+      OAUTH2_PROXY_FOOTER: '-'
+      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
+      OAUTH2_PROXY_METRICS_ADDRESS: "0.0.0.0:9091"
+      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
+      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
+      OAUTH2_PROXY_REVERSE_PROXY: 'true'
+      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
+      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
+      OAUTH2_PROXY_WHITELIST_DOMAIN: '.tobiasmanske.de'
+
+  whoami:
+    image: containous/whoami
+    networks:
+      - gateway
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+      - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
+      - "traefik.http.routers.whoami.entryPoints=websecure"
+      - "traefik.http.routers.whoami.middlewares=oauth@file"
+
+{% endif %}
+
+volumes:
+  acme:
+
+networks:
+  gateway:
+    name: gateway
+    internal: false
+  default:
+    driver: bridge
+...

coreos-config/plays/services/traefik/dynamic.yaml

@@ -0,0 +1,32 @@
+http:
+  middlewares:
+    auth-headers:
+      headers:
+        sslRedirect: true
+        stsSeconds: 315360000
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        sslHost: tobiasmanske.de
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+    oauth-auth:
+      forwardAuth:
+        address: https://traefik-fa.tobiasmanske.de/oauth2/auth
+        trustForwardHeader: true
+    oauth-errors:
+      errors:
+        status:
+          - "401-403"
+        service: oauth@docker
+        query: "/oauth2/sign_in"
+    oauth:
+      chain:
+        middlewares:
+          - oauth-errors
+          - oauth-auth
+    deny-metrics:
+      replacePathRegex:
+        regex: "^/metrics$"
+        replacement: "/"

coreos-config/plays/services/traefik/traefik.yaml

@@ -0,0 +1,38 @@
+log:
+  level: ERROR
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    addRoutersLabels: true
+    entryPoint: metrics
+providers:
+  docker:
+    network: gateway
+    exposedbydefault: false
+  file:
+    filename: /etc/traefik/dynamic.yaml
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  metrics:
+    address: ":9091"
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: webmaster@tobiasmanske.de
+      storage: /acme/acme.json
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      tlsChallenge: true