Daniel Berteaud cbf84f0530 Use bundles.yml to handle dependencies 2023-09-28 15:16:41 +02:00
consul/policies Global enhancements 2023-08-28 14:15:16 +02:00
images Update lemonldap image to 2.17.1 and rebase on alma 9 2023-09-26 15:16:16 +02:00
prep.d Cleanup + build our own Docker image 2023-08-29 23:19:28 +02:00
templates Add Content-Type autodetection 2023-09-13 08:46:23 +02:00
vault/policies Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
.gitmodules Use bundles.yml to handle dependencies 2023-09-28 15:16:41 +02:00
README.md Fix display of bcrypt header 2023-08-21 23:29:43 +02:00
bundles.yml Use bundles.yml to handle dependencies 2023-09-28 15:16:41 +02:00
traefik.nomad.hcl New syntaxe for regex 2023-09-10 23:57:28 +02:00
variables.yml Update lemonldap image to 2.17.1 and rebase on alma 9 2023-09-26 15:16:16 +02:00

README.md

Initial configuration

Before running Traefik, you have to create a role on Vault that issues a Consul token for Traefik. Traefik uses this token to query the Consul service catalog and adjust its routes dynamically:

vault write consul/roles/traefik consul_policies=traefik ttl=72h max_ttl=168h

IP whitelist / blacklist

The job supports fetching lists of IP addresses/CIDRs dynamically from the Consul K/V store. To create a new list, open Consul Key/Value in the web interface, go to common/ip (create the tree if needed), then create an entry. For example, an entry named trusted with the following content:

- 10.99.9.1       # fw-dc for healthcheck
- 192.168.7.0/24  # Private LAN
- 10.99.20.0/24   # VPN roadwarriors
- 10.99.23.0/24   # VPN Wireguard

Format it as a YAML document. As soon as you save it, a new middleware named ip-trusted@file becomes available in Traefik and can be used by routers to protect sensitive applications. An IP list can also include another one. For example, another IP list named admin could contain:

- include:trusted
- 10.29.0.0/16

Now the ip-admin@file middleware contains all the IPs of the trusted list, plus 10.29.0.0/16.
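The resolution described above (a list may contain include:<name> entries pointing at other lists under common/ip) is easy to get wrong: a typo in an include name silently produces an empty allow list, and two lists including each other loop forever. The following is an added example, not the project's own template code, that resolves the lists into Traefik ipWhiteList middlewares (Traefik v3 calls the same middleware ipAllowList; that key name is an assumption), rejects include cycles and missing lists, and validates every entry as an IP or CIDR. It assumes the simple "- value  # comment" YAML form shown in the README, and the Consul K/V contents are constructed inline rather than read from Consul.

```python
import ipaddress

# Constructed sample of the common/ip subtree in Consul K/V (not real data).
CONSUL_KV = {
    "common/ip/trusted": """
- 10.99.9.1       # fw-dc for healthcheck
- 192.168.7.0/24  # Private LAN
- 10.99.20.0/24   # VPN roadwarriors
- 10.99.23.0/24   # VPN Wireguard
""",
    "common/ip/admin": """
- include:trusted
- 10.29.0.0/16
""",
}

KV_PREFIX = "common/ip/"


def parse_list(doc):
    """Parse the simple YAML sequence form used for these lists ('- value  # comment')."""
    items = []
    for raw in doc.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if not line.startswith("- "):
            raise ValueError(f"unsupported line in IP list: {raw!r}")
        items.append(line[2:].strip())
    return items


def resolve(name, kv, stack=()):
    """Return the validated networks of list `name`, following include: entries.

    `stack` holds the names currently being expanded so that a cycle
    (a includes b, b includes a) is reported instead of recursing forever.
    """
    if name in stack:
        raise ValueError("include cycle: " + " -> ".join(stack + (name,)))
    key = KV_PREFIX + name
    if key not in kv:
        raise KeyError(f"IP list {name!r} not found at {key}")
    nets = []
    for item in parse_list(kv[key]):
        if item.startswith("include:"):
            nets.extend(resolve(item[len("include:"):], kv, stack + (name,)))
        else:
            # ip_network validates the entry; a bare address becomes a /32 (or /128)
            nets.append(ipaddress.ip_network(item, strict=False))
    seen, unique = set(), []  # dedupe while keeping the original order
    for net in nets:
        if net not in seen:
            seen.add(net)
            unique.append(net)
    return unique


def middlewares(kv):
    """Build the Traefik dynamic-config middlewares block: one ip-<name> entry per list."""
    result = {}
    for key in sorted(kv):
        if not key.startswith(KV_PREFIX):
            continue
        name = key[len(KV_PREFIX):]
        result[f"ip-{name}"] = {
            "ipWhiteList": {"sourceRange": [str(n) for n in resolve(name, kv)]}
        }
    return result


def is_allowed(addr, name, kv):
    """Check whether a client address would pass the ip-<name> middleware."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in resolve(name, kv))


if __name__ == "__main__":
    import json
    print(json.dumps({"http": {"middlewares": middlewares(CONSUL_KV)}}, indent=2))
```

Running the script prints the middlewares block in the shape Traefik's file provider expects; ip-admin ends up with the four trusted networks followed by 10.29.0.0/16. Failing hard on an unknown or cyclic include is deliberate: a silently empty sourceRange would deny everyone, and, depending on how the template is written, a broken list can just as easily end up allowing everyone.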

Basic authentication middlewares

You can configure basic auth middlewares by putting user/password pairs in Vault. For example:

vault kv put kv/service/traefik/basicauth/monitoring john='S3cr3t.' marie='p@ssw0rd'

Then a basicauth-monitoring@file middleware will be created automatically and available for routers to protect the app you want. The password can be either plain text or an already bcrypt-hashed password (starting with $2y$).

Note that while new or updated basicauth entries are reloaded without restarting Traefik, it can take up to 5 min for the change to propagate.
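Since a plain-text value in Vault is accepted as well as a bcrypt hash, it is worth checking which form each entry actually holds before it lands in a Traefik configuration. The example below is added here and is not the project's own template: it classifies each value of a Vault entry by the bcrypt modular-crypt format, reports users still stored in plain text, and renders the Traefik basicAuth users list (user:hash, htpasswd style). The Vault entry and the placeholder hash are constructed, and hashing is delegated to a caller-supplied function so that the script does not depend on a bcrypt library being installed.

```python
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then a
# 22-character salt and 31-character hash (53 base64 characters in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample of what the kv/service/traefik/basicauth/monitoring
# entry could contain; the $2y$ value is a placeholder, not a real hash.
VAULT_ENTRY = {
    "john": "S3cr3t.",
    "marie": "$2y$10$" + "x" * 53,
}


def classify(secret):
    """Return 'bcrypt' for an already hashed password, 'plain' for anything else."""
    return "bcrypt" if BCRYPT_RE.match(secret) else "plain"


def plaintext_users(entry):
    """Users whose Vault value is still a plain-text password."""
    return sorted(user for user, secret in entry.items() if classify(secret) == "plain")


def users_block(entry, hasher):
    """Render the Traefik basicAuth middleware body.

    `hasher` is a callable that bcrypt-hashes a plain-text password; values
    that already are bcrypt hashes are passed through unchanged.
    """
    users = []
    for user, secret in sorted(entry.items()):
        if ":" in user:
            raise ValueError(f"user name {user!r} must not contain ':'")
        digest = secret if classify(secret) == "bcrypt" else hasher(secret)
        users.append(f"{user}:{digest}")
    return {"basicAuth": {"users": users}}


if __name__ == "__main__":
    for user in plaintext_users(VAULT_ENTRY):
        print(f"warning: {user} is stored as plain text in Vault")
```

In practice the hasher would be bcrypt.hashpw from the bcrypt package, or the value generated up front with htpasswd -B and stored in Vault already hashed, which keeps the plain-text password out of Vault altogether.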

Lemonldap::NG Handler

The job supports running a Lemonldap::NG handler, but only in one specific configuration for now. You have to use a MySQL or MariaDB database for both the configuration and the sessions, and this database must be reachable through the Consul service mesh. Then enable support for the handler in your variables.yml file:

lemonldap:
  enabled: True
  db:
    service_name: mariadb
    user: lemonldap
    db: lemonldap

The password for the database is stored in Vault:

vault kv put kv/service/traefik llng_handler_db_pwd='ThisIsNotAVeryStrongPassword'