Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/edge-traefik/templates/dynamic.yml.j2
Pieter 13685eb454 feat: Add infrastructure roles for multi-tenant architecture 
Add new Ansible roles and configuration for the edge proxy and
private network architecture:

## New Roles:
- **edge-traefik**: Edge reverse proxy that routes to private clients
  - Dynamic routing configuration for multiple clients
  - SSL termination at the edge
  - Routes traffic to private IPs (10.0.0.x)

- **nat-gateway**: NAT/gateway configuration for edge server
  - IP forwarding and masquerading
  - Allows private network clients to access internet
  - iptables rules for Docker integration

- **diun**: Docker Image Update Notifier
  - Monitors containers for available updates
  - Email notifications via Mailgun
  - Per-client configuration

- **kuma**: Uptime monitoring integration
  - Registers HTTP monitors for client services
  - Automated monitor creation via API
  - Checks Authentik, Nextcloud, Collabora endpoints

## New Playbooks:
- **setup-edge.yml**: Configure edge server with proxy and NAT

## Configuration:
- **host_vars**: Per-client Ansible configuration (valk, white)
  - SSH bastion configuration for private IPs
  - Client-specific secrets file references

This enables the scalable multi-tenant architecture where:
- Edge server has public IP and routes traffic
- Client servers use private IPs only (cost savings)
- All traffic flows through edge proxy with SSL termination

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00

97 lines
2.2 KiB
Django/Jinja
Raw Blame History

# Edge Traefik Dynamic Configuration
# Managed by Ansible - do not edit manually
# Routes traffic to backend servers on private network
http:
# Routers for white client
routers:
white-auth:
rule: "Host(`auth.white.vrije.cloud`)"
service: white-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-nextcloud:
rule: "Host(`nextcloud.white.vrije.cloud`)"
service: white-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-collabora:
rule: "Host(`office.white.vrije.cloud`)"
service: white-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-auth:
rule: "Host(`auth.valk.vrije.cloud`)"
service: valk-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-nextcloud:
rule: "Host(`nextcloud.valk.vrije.cloud`)"
service: valk-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-collabora:
rule: "Host(`office.valk.vrije.cloud`)"
service: valk-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
# Services (backend servers)
services:
white-auth:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
valk-auth:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
# Server transport (allow self-signed certs from backends)
serversTransports:
insecureTransport:
insecureSkipVerify: true
Reference in a new issue View git blame Copy permalink