c67e9aac43
- ACME via DNS-01 against internal NS (172.16.9.169) with TCP-only + disableANSChecks so the DMZ traefik can issue LE certs without reaching public NS IPs. - Migrate single-domain vars to `*_domains` lists (authentik, nextcloud, collabora, garage_s3) so public + *.int.* SANs share one cert and server-to-server traffic stays in the LAN. - Wire `traefik_dmz_exposed_services` per backend host (application, storage) with explicit `backend_host` overrides pointing at internal FQDNs — DMZ traefik now validates upstream certs against SAN names. - Nextcloud notify_push setup on internal FQDN to avoid DMZ hairpin; collabora WOPI / authentik LDAP outpost wired to *.int.* equivalents.
22 lines
997 B
YAML
22 lines
997 B
YAML
---
|
|
traefik_mode: dmz
|
|
|
|
# The DMZ traefik discovers which services to expose by reading
|
|
# traefik_dmz_exposed_services from each backend host's host_vars
|
|
# (application/traefik.yml, storage/traefik.yml). See the role's
|
|
# tasks/main.yml — set_fact "Build service registry from backend
|
|
# servers (DMZ mode)".
|
|
|
|
# From the DMZ network the public ns1 IP (193.43.183.169) is not
|
|
# reachable on port 53, but the internal address (172.16.9.169) is.
|
|
# Override the group-level traefik_acme_dns_nameserver from bao so
|
|
# lego's RFC2136 updates land at the internal interface. The TSIG
|
|
# key/secret are the same; only the transport target changes.
|
|
traefik_acme_dns_nameserver: "172.16.9.169"
|
|
|
|
# Lego's propagation check normally polls the NS hostnames listed in
|
|
# the zone's SOA (ns1.digitalboard.ch.) — which resolves to the
|
|
# public IP that's unreachable from this DMZ host. Skip that check;
|
|
# lego still polls via the resolver above before asking LE to
|
|
# validate.
|
|
traefik_acme_disable_ans_checks: true
|