feat(traefik): configurable extra_hosts for container DNS overrides

Add `traefik_extra_hosts` (list of `host:ip`) that maps straight into the traefik container's compose `extra_hosts`. Needed when a downstream middleware (e.g. ForwardAuth to authentik on a sibling LAN) has to resolve a public FQDN to an internal IP because the DMZ doesn't hairpin the public address back inside. Empty by default; behaviour unchanged for existing inventories.
2026-05-26 14:02:43 +02:00 · 2026-05-26 14:02:43 +02:00 · afe5950d77
commit afe5950d77
parent 02d45026a5
2 changed files with 13 additions and 0 deletions
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -11,6 +11,13 @@ service_name: traefik
 docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}"
 docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}"

+# Optional /etc/hosts entries injected into the traefik container. Useful
+# when downstream middlewares (e.g. ForwardAuth to an authentik instance
+# running on a sibling LAN) need a public FQDN to resolve to an internal
+# IP because the DMZ doesn't hairpin the public address back inside.
+# Example: ["auth.example.com:172.16.19.101"]
+traefik_extra_hosts: []
+
 # Deployment mode: 'dmz' or 'backend'
 # - dmz: Public-facing reverse proxy that routes to backend servers using file provider
 # - backend: Application server with docker provider for local container discovery
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@ -33,6 +33,12 @@ services:
 {% endif %}
    networks:
      - {{ traefik_network }}
+{% if traefik_extra_hosts | default([]) | length > 0 %}
+    extra_hosts:
+{%   for h in traefik_extra_hosts %}
+      - "{{ h }}"
+{%   endfor %}
+{% endif %}

 networks:
  {{ traefik_network }}: