From 00d1cd522f430ed34dea858fecc3a303673ed6b3 Mon Sep 17 00:00:00 2001 From: Nathan Date: Sun, 31 May 2026 11:21:09 -0400 Subject: [PATCH] feat: add Traefik dynamic configs to GitOps management --- .../core/traefik/dynamic/middleware.yml | 53 ++++++++++++ .../core/traefik/dynamic/static-backends.yml | 82 +++++++++++++++++++ 2 files changed, 135 insertions(+) create mode 100644 nodes/heimdall/core/traefik/dynamic/middleware.yml create mode 100644 nodes/heimdall/core/traefik/dynamic/static-backends.yml diff --git a/nodes/heimdall/core/traefik/dynamic/middleware.yml b/nodes/heimdall/core/traefik/dynamic/middleware.yml new file mode 100644 index 0000000..366eed5 --- /dev/null +++ b/nodes/heimdall/core/traefik/dynamic/middleware.yml @@ -0,0 +1,53 @@ +--- +# Traefik dynamic middleware configuration +# Managed by homelab-registry-mcp write path +# Source of truth: nodes/heimdall/core/traefik/dynamic/ +# Do not edit /mnt/appdata/traefik/dynamic/ directly + +http: + middlewares: + + security-headers: + headers: + stsSeconds: 63072000 + stsIncludeSubdomains: true + stsPreload: true + frameDeny: true + contentTypeNosniff: true + browserXssFilter: true + referrerPolicy: "same-origin" + + ratelimit-basic: + rateLimit: + average: 50 + burst: 100 + + dashboard-auth: + basicAuth: + users: + - "chester:$2y$05$li5tJ0g9IN.QCfX1Q/QJu.ygbpuVQQmnEe1.jFdfFg9R8OvZiMNEi" + + https-redirect: + redirectScheme: + scheme: https + permanent: true + + dashboard-slash: + redirectregex: + regex: ^/dashboard$ + replacement: /dashboard/ + permanent: true + + authentik-auth: + forwardAuth: + # If your Authentik container is on the same network as Traefik, + # use the container name. Otherwise, use the internal IP. + address: "http://10.0.0.151:9000/outpost.goauthentik.io/auth/traefik" + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt 
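Review bot: The `dashboard-auth` middleware commits a bcrypt password hash to the repository, and its cost factor (`$2y$05$`) is the low `htpasswd` default, so the hash is both readable by anyone with access to the repo and cheap to attack offline. Prefer Traefik's `usersFile` option so the credential stays on the host rather than in Git, e.g. replace the `users` list with `usersFile: "<PATH_OUTSIDE_REPO>/dashboard.htpasswd"`, and regenerate the entry with a higher cost (`htpasswd -B -C 12`). Separately, `authentik-auth` sets `trustForwardHeader: true`, which is only safe if the entrypoint limits `forwardedHeaders.trustedIPs` to the upstream proxy; that entrypoint configuration is outside this patch, so it is worth confirming. Finally, `redirectregex` in `dashboard-slash` breaks the camelCase used by every other middleware key in the file (`redirectScheme`, `forwardAuth`); Traefik's file provider appears to match keys case-insensitively, but writing `redirectRegex` keeps the file consistent.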
diff --git a/nodes/heimdall/core/traefik/dynamic/static-backends.yml b/nodes/heimdall/core/traefik/dynamic/static-backends.yml new file mode 100644 index 0000000..ed1f815 --- /dev/null +++ b/nodes/heimdall/core/traefik/dynamic/static-backends.yml 
@@ -0,0 +1,82 @@ +--- +# Traefik static backend routes for non-containerised lab services +# Managed by homelab-registry-mcp write path +# Source of truth: nodes/heimdall/core/traefik/dynamic/ +# Do not edit /mnt/appdata/traefik/dynamic/ directly + +http: + + serversTransports: + insecure-transport: + insecureSkipVerify: true + + routers: + tnas-router: + rule: "Host(`tnas.castaldifamily.com`)" + entryPoints: + - websecure + tls: + certResolver: cloudflare + service: tnas-service + middlewares: + - security-headers@file + dsm-router: + rule: "Host(`dsm.castaldifamily.com`)" + entryPoints: + - websecure + tls: + certResolver: cloudflare + service: dsm-service + middlewares: + - security-headers@file + watchtower-router: + rule: "Host(`watchtower.castaldifamily.com`)" + entryPoints: + - websecure + tls: + certResolver: cloudflare + service: watchtower-service + middlewares: + - security-headers@file + gitvana-router: + rule: "Host(`gitvana.castaldifamily.com`)" + entryPoints: + - websecure + tls: + certResolver: cloudflare + service: gitvana-service + middlewares: + - security-headers@file + immich-router: + rule: "Host(`photos.castaldifamily.com`)" + entryPoints: + - websecure + tls: + certResolver: cloudflare + service: immich-service + + services: + tnas-service: + loadBalancer: + servers: + - url: "https://10.0.0.250:5443/tos/#/" + serversTransport: insecure-transport + dsm-service: + loadBalancer: + servers: + - url: "https://10.0.0.249:5001" + serversTransport: insecure-transport + watchtower-service: + loadBalancer: + servers: + - url: "https://10.0.0.200:9090" + serversTransport: insecure-transport + gitvana-service: + loadBalancer: + servers: + - url: "http://10.0.0.201:3000" + immich-service: + loadBalancer: + servers: + - url: "http://10.0.0.251:2283" +
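Review bot: `insecure-transport` sets `insecureSkipVerify: true` and is shared by `tnas-service`, `dsm-service` and `watchtower-service`, so Traefik accepts any certificate presented at those three addresses and a host on the same segment impersonating one of them would not be detected. If those backends use self-signed or private-CA certificates, pin them instead: `rootCAs: ["<PATH_TO_BACKEND_CA_PEM>"]` (plus `serverName` where the certificate name differs from the IP), with one transport per backend if the CAs differ. `tnas-service` also points at `https://10.0.0.250:5443/tos/#/`: the `#/` fragment is never sent to the upstream, and as far as I recall Traefik joins a server-URL path in front of every proxied request path, so assets outside `/tos` would likely fail to load; a `redirectRegex` middleware on the router is the usual way to land users on `/tos/#/`. `immich-router` is the only router without `security-headers@file`; if that is deliberate, a one-line comment such as `# security-headers omitted: <reason>` would save the next reader the question.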