chore: upgrade reverseproxy role for use with vagrant and ssl

2025-11-07 11:52:41 +01:00 · 2025-11-07 11:52:41 +01:00 · 9e7b2b3b84
commit 9e7b2b3b84
parent a4aa64777e
7 changed files with 177 additions and 104 deletions
--- a/roles/reverseproxy/templates/docker-compose.yml.j2
+++ b/roles/reverseproxy/templates/docker-compose.yml.j2
@ -1,21 +1,39 @@
 services:
  traefik:
-    image: traefik:v3.5
-    container_name: traefik
+    image: traefik:latest
+    container_name: reverseproxy
    restart: always
+{% if cert_mode == 'acme' %}
+    environment:
+      RFC2136_NAMESERVER: "{{ acme_dns_nameserver }}"
+      RFC2136_TSIG_ALGORITHM: "{{ acme_tsig_algorithm }}"
+      RFC2136_TSIG_KEY: "{{ acme_tsig_key }}"
+      RFC2136_TSIG_SECRET: "{{ acme_tsig_secret }}"
+      RFC2136_PROPAGATION_TIMEOUT: "{{ acme_propagation_timeout }}"
+      RFC2136_POLLING_INTERVAL: "{{ acme_polling_interval }}"
+      RFC2136_TTL: "{{ acme_ttl }}"
+{% endif %}
    ports:
      - "80:80"
      - "443:443"
 {% if enable_dashboard %}
-      - "8080:8080"  # Dashboard
+      - "8080:8080"
 {% endif %}
    volumes:
-      - {{ docker_volume_dir }}/traefik/etc/traefik:/etc/traefik:ro
-      - {{ docker_volume_dir }}/traefik/letsencrypt:/letsencrypt
+      - {{ docker_volume_dir }}/traefik.yml:/traefik.yml:ro
+{% if cert_mode == 'acme' %}
+      - {{ docker_volume_dir }}/letsencrypt:/letsencrypt
+{% endif %}
+{% if reverseproxy_mode == 'dmz' %}
+      - {{ docker_volume_dir }}/config:/config:ro
+{% endif %}
+{% if reverseproxy_mode == 'backend' %}
      - /var/run/docker.sock:/var/run/docker.sock:ro
+{% endif %}
    networks:
-      - traefik
+      - {{ traefik_network }}

 networks:
-  traefik:
+  {{ traefik_network }}:
+    name: {{ traefik_network }}
    external: true
--- a/roles/reverseproxy/templates/middlewares.yml.j2
+++ b/roles/reverseproxy/templates/middlewares.yml.j2
@ -1,47 +1,11 @@
-{% if enable_dashboard %}
-api:
-  dashboard: true
-  insecure: true
-{% endif %}
-
-{% if enable_access_logs %}
-accessLog:
-  format: {{ access_log_format }}
-{% endif %}
-
-entryPoints:
-  web:
-    address: ":80"
-{% if use_ssl %}
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-{% endif %}
-  websecure:
-    address: ":443"
-
-providers:
-{% if use_static_services | default(false) %}
-  file:
-    filename: /etc/traefik/services.yml
-    watch: true
-{% endif %}
-{% if use_docker_provider | default(true) %}
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-{% endif %}
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      email: admin@digitalboard.ch
-      storage: /letsencrypt/acme.json
-      httpChallenge:
-        entryPoint: web
-
-global:
-  checkNewVersion: false
-  sendAnonymousUsage: false
+http:
+  middlewares:
+    secure-headers:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
--- a/roles/reverseproxy/templates/services.yml.j2
+++ b/roles/reverseproxy/templates/services.yml.j2
@ -1,30 +1,35 @@
-{% if use_static_services | default(false) %}
 http:
  routers:
-{% for service in all_services %}
+{% for service in proxied_services %}
    {{ service.name }}:
      rule: "Host(`{{ service.domain }}`)"
      service: {{ service.name }}-service
      entryPoints:
-{% if use_ssl | default(false) %}
-        - websecure
+        - {{ 'websecure' if use_ssl else 'web' }}
+{% if use_ssl %}
      tls:
-        certResolver: letsencrypt
+{% if cert_mode == 'acme' %}
+        certResolver: {{ ssl_cert_resolver }}
 {% else %}
-        - web
+        {}
+{% endif %}
 {% endif %}
 {% endfor %}

  services:
-{% for service in all_services %}
+{% for service in proxied_services %}
    {{ service.name }}-service:
      loadBalancer:
+        passHostHeader: true
        servers:
-          - url: "{{ service.upstream_protocol }}://{{ service.backend_host }}:{{ service.port }}"
-{% if service.health_check is defined %}
-        healthCheck:
-          path: "{{ service.health_check }}"
-          interval: "30s"
+          - url: "{{ service.protocol }}://{{ service.backend_host }}:{{ service.port }}"
+{% if service.protocol == 'https' and cert_mode == 'selfsigned' %}
+        serversTransport: insecure-transport
 {% endif %}
 {% endfor %}
+
+{% if cert_mode == 'selfsigned' %}
+  serversTransports:
+    insecure-transport:
+      insecureSkipVerify: true
 {% endif %}
--- a/roles/reverseproxy/templates/traefik.yml.j2
+++ b/roles/reverseproxy/templates/traefik.yml.j2
@ -1,9 +1,17 @@
+log:
+  level: {{ log_level }}
+
 {% if enable_dashboard %}
 api:
  dashboard: true
  insecure: true
 {% endif %}

+{% if enable_access_logs %}
+accessLog:
+  format: {{ access_log_format }}
+{% endif %}
+
 entryPoints:
  web:
    address: ":80"
@ -18,24 +26,36 @@ entryPoints:
    address: ":443"

 providers:
-{% if use_static_services | default(false) %}
+{% if reverseproxy_mode == 'dmz' %}
  file:
-    filename: /etc/traefik/services.yml
+    directory: /config
    watch: true
 {% endif %}
-{% if use_docker_provider | default(true) %}
+{% if reverseproxy_mode == 'backend' %}
  docker:
    endpoint: "unix:///var/run/docker.sock"
+    network: {{ traefik_network }}
    exposedByDefault: false
 {% endif %}

+{% if use_ssl and cert_mode == 'acme' %}
 certificatesResolvers:
-  letsencrypt:
+  {{ ssl_cert_resolver }}:
    acme:
-      email: admin@digitalboard.ch
+      email: {{ ssl_email }}
      storage: /letsencrypt/acme.json
-      httpChallenge:
-        entryPoint: web
+      dnsChallenge:
+        provider: rfc2136
+        resolvers:
+          - "{{ acme_dns_nameserver }}"
+{% endif %}
+
+{% if use_ssl %}
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+{% endif %}

 global:
  checkNewVersion: false