Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/edge-traefik/templates/traefik.yml.j2
Pieter 13685eb454 feat: Add infrastructure roles for multi-tenant architecture 
Add new Ansible roles and configuration for the edge proxy and
private network architecture:

## New Roles:
- **edge-traefik**: Edge reverse proxy that routes to private clients
  - Dynamic routing configuration for multiple clients
  - SSL termination at the edge
  - Routes traffic to private IPs (10.0.0.x)

- **nat-gateway**: NAT/gateway configuration for edge server
  - IP forwarding and masquerading
  - Allows private network clients to access internet
  - iptables rules for Docker integration

- **diun**: Docker Image Update Notifier
  - Monitors containers for available updates
  - Email notifications via Mailgun
  - Per-client configuration

- **kuma**: Uptime monitoring integration
  - Registers HTTP monitors for client services
  - Automated monitor creation via API
  - Checks Authentik, Nextcloud, Collabora endpoints

## New Playbooks:
- **setup-edge.yml**: Configure edge server with proxy and NAT

## Configuration:
- **host_vars**: Per-client Ansible configuration (valk, white)
  - SSH bastion configuration for private IPs
  - Client-specific secrets file references

This enables the scalable multi-tenant architecture where:
- Edge server has public IP and routes traffic
- Client servers use private IPs only (cost savings)
- All traffic flows through edge proxy with SSL termination

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00

47 lines
980 B
Django/Jinja
Raw Blame History

# Edge Traefik Static Configuration
# Managed by Ansible - do not edit manually
# This configuration proxies to backend servers on private network
api:
dashboard: {{ traefik_dashboard_enabled | lower }}
{% if traefik_dashboard_enabled %}
insecure: false
{% endif %}
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
providers:
# File provider for static backend configurations
file:
filename: /etc/traefik/dynamic.yml
watch: true
certificatesResolvers:
letsencrypt:
acme:
email: {{ traefik_acme_email }}
storage: /letsencrypt/acme.json
{% if traefik_acme_staging %}
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
{% endif %}
httpChallenge:
entryPoint: web
log:
level: INFO
accessLog:
filePath: /var/log/traefik/access.log
Reference in a new issue View git blame Copy permalink