Refactoring

coreos-config/roles/compose_project/templates/traefik/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=traefik

coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml

@@ -0,0 +1,61 @@
+---
+version: '3.9'
+services:
+  traefik:
+    image: traefik:v2.7
+    container_name: traefik
+    restart: always
+    ports:
+      - "443:443"
+      - "80:80"
+    privileged: true
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "./traefik.yaml:/etc/traefik/traefik.yaml:Z,ro"
+      - "./dynamic.yaml:/etc/traefik/dynamic.yaml:Z,ro"
+      - "acme:/acme"
+    networks:
+      - gateway
+      - default
+    environment:
+      CLOUDFLARE_DNS_API_TOKEN: "{{ traefik.CLOUDFLARE_DNS_API_TOKEN }}"
+
+  traefik-fa:
+    image: thomseddon/traefik-forward-auth:latest
+    restart: always
+    volumes:
+      - ./traefik-fa.ini:/forward.ini:ro,Z
+    environment:
+      - CONFIG=/forward.ini
+    networks:
+      - gateway
+    depends_on:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-fa.rule=Host(`traefik-fa.tobiasmanske.de`)"
+      - "traefik.http.routers.traefik-fa.entryPoints=websecure"
+      - "traefik.http.services.traefik-fa.loadbalancer.server.port=4181"
+      - "traefik.http.routers.traefik-fa.middlewares=sso@file"
+
+  # whoami:
+  #   image: containous/whoami
+  #   networks:
+  #     - gateway
+  #   labels:
+  #     - "traefik.enable=true"
+  #     - "traefik.http.services.whoami.loadbalancer.server.port=80"
+  #     - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
+  #     - "traefik.http.routers.whoami.entryPoints=websecure"
+  #     - "traefik.http.routers.whoami.middlewares=sso@file"
+
+volumes:
+  acme:
+
+networks:
+  gateway:
+    name: gateway
+    internal: false
+  default:
+    driver: bridge
+...

coreos-config/roles/compose_project/templates/traefik/dynamic.yaml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    sso:
+      forwardAuth:
+        address: http://traefik-fa:4181
+        authResponseHeaders:
+          - X-Forwarded-User

coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini

@@ -0,0 +1,20 @@
+default-provider = oidc
+
+# Cookie signing nonce, replace this with something random
+secret = {{ traefik.oidc.cookie_secret }}
+
+# This client id / secret is defined in keycloak-realm-config/master-realm.json
+providers.oidc.client-id = {{ traefik.oidc.client_id }}
+providers.oidc.client-secret = {{ traefik.oidc.client_secret }}
+providers.oidc.issuer-url = {{ traefik.oidc.issuer_url }}
+
+log-level = error
+
+cookie-domain = tobiasmanske.de
+auth-host = traefik-fa.tobiasmanske.de
+
+# Add authorized users here
+{% for user in traefik.oidc.whitelist %}
+whitelist = {{ user }}
+{% endfor %}
+

coreos-config/roles/compose_project/templates/traefik/traefik.yaml

@@ -0,0 +1,31 @@
+log:
+  level: ERROR
+providers:
+  docker:
+    network: gateway
+    exposedbydefault: false
+  file:
+    filename: /etc/traefik/dynamic.yaml
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: webmaster@tobiasmanske.de
+      storage: /acme/acme.json
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      dnsChallenge:
+        provider: cloudflare