traefik: lan a & b bindings

padhi-homelab · Jan 6, 2025 · a954540 · a954540
1 parent 23f071c
commit a954540
Show file tree

Hide file tree

Showing 20 changed files with 52 additions and 30 deletions.
diff --git a/docker_sock/docker-compose.labels.yml b/docker_sock/docker-compose.labels.yml
@@ -6,4 +6,4 @@ services:
       traefik.http.services.docker_sock.loadBalancer.server.port: 9000
       #
       traefik.http.routers.docker_sock.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/docker_sock`)
-      traefik.http.routers.docker_sock.entryPoints: lan-https
+      traefik.http.routers.docker_sock.entryPoints: lan-https-b
diff --git a/gitea/docker-compose.labels.yml b/gitea/docker-compose.labels.yml
@@ -8,5 +8,5 @@ services:
       traefik.http.middlewares.strip-gitea-prefix.stripPrefix.prefixes: "/${GITEA_BASE_PATH:?}"
       #
       traefik.http.routers.gitea.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${GITEA_BASE_PATH:?}`)
-      traefik.http.routers.gitea.entryPoints: lan-https
+      traefik.http.routers.gitea.entryPoints: lan-https-b
       traefik.http.routers.gitea.middlewares: only-https-forwarded-proto, strip-gitea-prefix
diff --git a/gitea/extra/gitea/etc/gitea/app.template.ini b/gitea/extra/gitea/etc/gitea/app.template.ini
@@ -34,7 +34,7 @@ DOMAIN       = ${SERVER_LAN_FQDN}
 ENABLE_GZIP  = true
 HTTP_PORT    = 3000
 OFFLINE_MODE = true
-ROOT_URL     = https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT}/${GITEA_BASE_PATH}/
+ROOT_URL     = https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT_B}/${GITEA_BASE_PATH}/
 
 [service]
 DISABLE_REGISTRATION = true
diff --git a/gitea/meta.yml b/gitea/meta.yml
@@ -3,7 +3,7 @@ messages:
     post:
     - >-
       ${_THIS_COMPOSITION_} may now be accessed on
-      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT}/${GITEA_BASE_PATH}/${_RESET_FONT_}
+      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT_B}/${GITEA_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:
 - traefik
diff --git a/indexarr/meta.yml b/indexarr/meta.yml
@@ -2,7 +2,7 @@ messages:
   up:
     post:
     - >-
-      ${_THIS_COMPOSITION_} may now be accessed on
+      ${_THIS_COMPOSITION_}:jackett may now be accessed on
       ${_LINK_FONT_}https://${SERVER_WAN_FQDN}:${SERVER_WAN_HTTPS_PORT}/${JACKETT_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:

diff --git a/monitarr/meta.yml b/monitarr/meta.yml
@@ -2,13 +2,13 @@ messages:
   up:
     post:
     - >-
-      ${_bold_}${_CUR_COMP_}-lidarr${_RESET_FONT_} may now be accessed on
+      ${_THIS_COMPOSITION_}:lidarr may now be accessed on
       ${_LINK_FONT_}https://${SERVER_WAN_FQDN}:${SERVER_WAN_HTTPS_PORT}/${LIDARR_BASE_PATH}/${_RESET_FONT_}
     - >-
-      ${_bold_}${_CUR_COMP_}-radarr${_RESET_FONT_} may now be accessed on
+      ${_THIS_COMPOSITION_}:radarr may now be accessed on
       ${_LINK_FONT_}https://${SERVER_WAN_FQDN}:${SERVER_WAN_HTTPS_PORT}/${RADARR_BASE_PATH}/${_RESET_FONT_}
     - >-
-      ${_bold_}${_CUR_COMP_}-sonarr${_RESET_FONT_} may now be accessed on
+      ${_THIS_COMPOSITION_}:sonarr may now be accessed on
       ${_LINK_FONT_}https://${SERVER_WAN_FQDN}:${SERVER_WAN_HTTPS_PORT}/${SONARR_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:

diff --git a/netbox/docker-compose.labels.yml b/netbox/docker-compose.labels.yml
@@ -4,4 +4,4 @@ services:
       traefik.enable: true
       #
       traefik.http.routers.netbox.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${NETBOX_BASE_PATH:?}`)
-      traefik.http.routers.netbox.entryPoints: lan-https
+      traefik.http.routers.netbox.entryPoints: lan-https-b
diff --git a/netbox/env/netbox b/netbox/env/netbox
@@ -4,5 +4,5 @@ SECRET_KEY: 'a988a1a6d5b1c49753bf185a7ef3b40fec60ff05b88c2dec237382b71e53e919'
 NETBOX_BASE_PATH: ${NETBOX_BASE_PATH:?}
 HOUSEKEEPING_INTERVAL_SECONDS: 7200
 ALLOWED_HOSTS: '*'
-CSRF_TRUSTED_ORIGINS: "https://${SERVER_LAN_FQDN:?}:${SERVER_LAN_HTTPS_PORT:?}"
+CSRF_TRUSTED_ORIGINS: "https://${SERVER_LAN_FQDN:?}:${SERVER_LAN_HTTPS_PORT_B:?}"
 CORS_ORIGIN_ALLOW_ALL: True      
diff --git a/netbox/meta.yml b/netbox/meta.yml
@@ -3,7 +3,7 @@ messages:
     post:
     - >-
       ${_THIS_COMPOSITION_} may now be accessed on
-      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT}/${NETBOX_BASE_PATH}/${_RESET_FONT_}
+      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT_B}/${NETBOX_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:
 - traefik
diff --git a/pihole/docker-compose.labels.yml b/pihole/docker-compose.labels.yml
@@ -8,14 +8,14 @@ services:
       traefik.http.middlewares.add-admin-prefix.addPrefix.prefix: "/admin"
       #
       traefik.http.routers.pihole.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${PIHOLE_BASE_PATH:?}`)
-      traefik.http.routers.pihole.entryPoints: lan-https
+      traefik.http.routers.pihole.entryPoints: lan-https-b
       traefik.http.routers.pihole.middlewares: strip-pihole-prefix, add-admin-prefix
       #
       # FIXME: The rule below is necessary to correctly redirect after login.
       # The `/admin` redirect seems to be hard coded (unlike the rest of the application, thankfully!).
       #
       traefik.http.routers.pihole-admin.rule: Host(`${SERVER_LAN_FQDN:?}`) && Path(`/admin/`)
-      traefik.http.routers.pihole-admin.entryPoints: lan-https
+      traefik.http.routers.pihole-admin.entryPoints: lan-https-b
       traefik.http.routers.pihole-admin.service: pihole@docker
       traefik.http.middlewares.pihole-postlogin-redirect.redirectRegex.permanent: true
       traefik.http.middlewares.pihole-postlogin-redirect.redirectRegex.regex: "^https://(.+)/admin/(.*)$"

diff --git a/pihole/meta.yml b/pihole/meta.yml
@@ -3,7 +3,7 @@ messages:
     post:
     - >-
       ${_THIS_COMPOSITION_} may now be accessed on
-      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT}/${PIHOLE_BASE_PATH}/${_RESET_FONT_}
+      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT_B}/${PIHOLE_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:
 - traefik
diff --git a/static.global.env b/static.global.env
@@ -1,11 +1,16 @@
 SERVER_LAN_BINDING_IP=127.0.0.1
 SERVER_LAN_FQDN=localhost
-SERVER_LAN_HTTP_PORT=9080
-SERVER_LAN_HTTPS_PORT=9443
+
+SERVER_LAN_HTTP_PORT_A=8080
+SERVER_LAN_HTTPS_PORT_A=8443
+
+SERVER_LAN_HTTP_PORT_B=9080
+SERVER_LAN_HTTPS_PORT_B=9443
 
 SERVER_LETS_ENCRYPT_ACME_EMAIL=someone@some.domain.net
 SERVER_LETS_ENCRYPT_ACME_CA_SERVER_USE_STAGING=YES
 
 SERVER_WAN_BINDING_IP=127.0.0.1
 SERVER_WAN_FQDN=localhost
+
 SERVER_WAN_HTTPS_PORT=443
diff --git a/tang/docker-compose.labels.yml b/tang/docker-compose.labels.yml
@@ -6,5 +6,5 @@ services:
       traefik.http.middlewares.strip-tang-prefix.stripPrefix.prefixes: "/${TANG_BASE_PATH:?}"
       #
       traefik.http.routers.tang.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${TANG_BASE_PATH:?}`)
-      traefik.http.routers.tang.entryPoints: lan-http
+      traefik.http.routers.tang.entryPoints: lan-http-b
       traefik.http.routers.tang.middlewares: strip-tang-prefix
diff --git a/tang/meta.yml b/tang/meta.yml
@@ -3,7 +3,7 @@ messages:
     post:
     - >-
       ${_THIS_COMPOSITION_} is now listening on
-      ${_LINK_FONT_}http://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTP_PORT}/${_RESET_FONT_}
+      ${_LINK_FONT_}http://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTP_PORT_B}/${_RESET_FONT_}
 
 pre_reqs:
 - traefik
diff --git a/telegraf/docker-compose.yml b/telegraf/docker-compose.yml
@@ -27,8 +27,6 @@ services:
       HOST_PROC: /host/proc
       HOST_SYS: /host/sys
       HOST_MOUNT_PREFIX: /host
-      SERVER_LAN_FQDN: ${SERVER_LAN_FQDN:?}
-      SERVER_LAN_HTTPS_PORT: ${SERVER_LAN_HTTPS_PORT:?}
       TELEGRAF_LOGGING_FILE: STDOUT
       TELEGRAF_REPORTING_ENABLED: 'false'
       INFLUXDB_URL: http://${SERVER_LAN_FQDN:?}:8086

diff --git a/teslamate/docker-compose.labels.yml b/teslamate/docker-compose.labels.yml
@@ -8,9 +8,9 @@ services:
       traefik.http.middlewares.only-wss-forwarded-proto.headers.customRequestHeaders.X-Forwarded-Proto: wss
       #
       traefik.http.routers.teslamate.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${TESLAMATE_BASE_PATH:?}`)
-      traefik.http.routers.teslamate.entryPoints: lan-https
+      traefik.http.routers.teslamate.entryPoints: lan-https-b
       traefik.http.routers.teslamate.middlewares: strip-teslamate-prefix, only-https-forwarded-proto
       #
       traefik.http.routers.teslamate-websocket.rule: Host(`${SERVER_LAN_FQDN:?}`) && PathPrefix(`/${TESLAMATE_BASE_PATH:?}/live/websocket`)
-      traefik.http.routers.teslamate-websocket.entryPoints: lan-https
+      traefik.http.routers.teslamate-websocket.entryPoints: lan-https-b
       traefik.http.routers.teslamate-websocket.middlewares: strip-teslamate-prefix, only-wss-forwarded-proto
diff --git a/teslamate/meta.yml b/teslamate/meta.yml
@@ -3,7 +3,7 @@ messages:
     post:
     - >-
       ${_THIS_COMPOSITION_} may now be accessed on
-      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT}/${TESLAMATE_BASE_PATH}/${_RESET_FONT_}
+      ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:${SERVER_LAN_HTTPS_PORT_B}/${TESLAMATE_BASE_PATH}/${_RESET_FONT_}
 
 pre_reqs:
 - traefik
diff --git a/traefik/docker-compose.ports.yml b/traefik/docker-compose.ports.yml
@@ -1,7 +1,12 @@
 services:
   traefik:
     ports:
+    # Traefik internal dashboard & API
     - ${SERVER_LAN_BINDING_IP:?}:34443:34443
+    # HTTP and HTTPS bindings intended for LAN exposure
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTP_PORT_A:?}:${SERVER_LAN_HTTP_PORT_A:?}
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTPS_PORT_A:?}:${SERVER_LAN_HTTPS_PORT_A:?}
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTP_PORT_B:?}:${SERVER_LAN_HTTP_PORT_B:?}
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTPS_PORT_B:?}:${SERVER_LAN_HTTPS_PORT_B:?}
+    # HTTPS binding intended for WAN exposure
     - ${SERVER_WAN_BINDING_IP:?}:${SERVER_WAN_HTTPS_PORT:?}:${SERVER_WAN_HTTPS_PORT:?}
-    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTP_PORT:?}:${SERVER_LAN_HTTP_PORT:?}
-    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTPS_PORT:?}:${SERVER_LAN_HTTPS_PORT:?}
diff --git a/traefik/extra/traefik/traefik.template.yml b/traefik/extra/traefik/traefik.template.yml
@@ -43,14 +43,28 @@ entryPoints:
       - default@file
       - add-ssl-headers@file
       tls: true
-  lan-http:
-    address: ":${SERVER_LAN_HTTP_PORT}"
+  lan-http-a:
+    address: ":${SERVER_LAN_HTTP_PORT_A}"
     http:
       middlewares:
       - restrict-to-lan-ip@file
       - default@file
-  lan-https:
-    address: ":${SERVER_LAN_HTTPS_PORT}"
+  lan-https-a:
+    address: ":${SERVER_LAN_HTTPS_PORT_A}"
+    http:
+      middlewares:
+      - restrict-to-lan-ip@file
+      - default@file
+      - add-ssl-headers@file
+      tls: true
+  lan-http-b:
+    address: ":${SERVER_LAN_HTTP_PORT_B}"
+    http:
+      middlewares:
+      - restrict-to-lan-ip@file
+      - default@file
+  lan-https-b:
+    address: ":${SERVER_LAN_HTTPS_PORT_B}"
     http:
       middlewares:
       - restrict-to-lan-ip@file

diff --git a/traefik/meta.yml b/traefik/meta.yml
@@ -2,7 +2,7 @@ messages:
   up:
     post:
     - >-
-      ${_THIS_COMPOSITION_} may now be accessed on
+      ${_THIS_COMPOSITION_} dashboard may now be accessed on
       ${_LINK_FONT_}https://${SERVER_LAN_FQDN}:34443/dashboard/${_RESET_FONT_}
 
 pre_reqs: