c67e9aac43
- ACME via DNS-01 against internal NS (172.16.9.169) with TCP-only + disableANSChecks so the DMZ traefik can issue LE certs without reaching public NS IPs. - Migrate single-domain vars to `*_domains` lists (authentik, nextcloud, collabora, garage_s3) so public + *.int.* SANs share one cert and server-to-server traffic stays in the LAN. - Wire `traefik_dmz_exposed_services` per backend host (application, storage) with explicit `backend_host` overrides pointing at internal FQDNs — DMZ traefik now validates upstream certs against SAN names. - Nextcloud notify_push setup on internal FQDN to avoid DMZ hairpin; collabora WOPI / authentik LDAP outpost wired to *.int.* equivalents.
16 lines
599 B
YAML
16 lines
599 B
YAML
---
|
|
# Services hosted on `storage` that the DMZ reverseproxy should forward
|
|
# public traffic to. See application/traefik.yml for the mechanism.
|
|
traefik_dmz_exposed_services:
|
|
- name: garage-s3
|
|
domain: s3.gymb.souveredu.ch
|
|
backend_host: s3.int.gymb.souveredu.ch
|
|
port: 443
|
|
protocol: https
|
|
- name: garage-webui
|
|
domain: console.s3.gymb.souveredu.ch
|
|
# No internal FQDN/cert SAN for console.s3 yet — would need an
|
|
# extra_domain on garage-webui. Until then this route will 500
|
|
# against the storage backend (cert mismatch on raw IP).
|
|
port: 443
|
|
protocol: https
|