c67e9aac43
- ACME via DNS-01 against internal NS (172.16.9.169) with TCP-only + disableANSChecks so the DMZ traefik can issue LE certs without reaching public NS IPs. - Migrate single-domain vars to `*_domains` lists (authentik, nextcloud, collabora, garage_s3) so public + *.int.* SANs share one cert and server-to-server traffic stays in the LAN. - Wire `traefik_dmz_exposed_services` per backend host (application, storage) with explicit `backend_host` overrides pointing at internal FQDNs — DMZ traefik now validates upstream certs against SAN names. - Nextcloud notify_push setup on internal FQDN to avoid DMZ hairpin; collabora WOPI / authentik LDAP outpost wired to *.int.* equivalents.
29 lines
1 KiB
YAML
29 lines
1 KiB
YAML
---
|
|
# Services hosted on `application` that the DMZ reverseproxy should
|
|
# forward public traffic to. The DMZ traefik picks this up via
|
|
# hostvars[backend].traefik_dmz_exposed_services and renders a router +
|
|
# service for each entry into /config/services.yml.
|
|
traefik_dmz_exposed_services:
|
|
- name: authentik
|
|
domain: auth.gymb.souveredu.ch
|
|
backend_host: auth.int.gymb.souveredu.ch
|
|
port: 443
|
|
protocol: https
|
|
- name: nextcloud
|
|
domain: cloud.gymb.souveredu.ch
|
|
backend_host: cloud.int.gymb.souveredu.ch
|
|
port: 443
|
|
protocol: https
|
|
- name: collabora
|
|
domain: office.gymb.souveredu.ch
|
|
backend_host: office.int.gymb.souveredu.ch
|
|
port: 443
|
|
protocol: https
|
|
- name: drawio
|
|
domain: draw.gymb.souveredu.ch
|
|
# No internal FQDN/cert for drawio yet — proxy by IP. Combined
|
|
# with serversTransport `insecureSkipVerify` (handled by the
|
|
# selfsigned-mode branch in the template), or accept the route's
|
|
# 500 until the cert is wired up.
|
|
port: 443
|
|
protocol: https
|