knight/docker-stacks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add traefik routing configs to GitOps
Some checks failed
Deploy Stacks / deploy-prod (push) Failing after 1s
Details
Deploy Stacks / deploy-dev (push) Has been cancelled
Details

Browse Source 
Sync all conf.d routing configs from core:
- authentik.yml - routes to ubuntu-prod:9000
- gitea.yml - routes to ubuntu-prod:3001
- middlewares.yaml - forward-auth, redirects, security headers
- dynamic.yml, library.yaml, meshmon.yaml, minecraft.yaml
- radio.yml, spider.yml, tlc.yml, wille.yaml

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
knight
2026-01-21 11:43:17 -05:00
parent 244794d15f
commit f46817fa7a
11 changed files with 411 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
stacks/traefik/conf.d/middlewares.yaml Normal file → Executable file
View File

@@ -1,28 +1,211 @@
# Core middlewares for traefik
# External service routers should be added as separate files or via docker labels
core:
defaultRuleSyntax: v2
http:
routers:
# Redirect HTTP to HTTPS
https-redirect:
entryPoints:
- http
rule: "HostRegexp(`{host:.+}`)"
service: noop@internal
# Activate this Router on any Host requested
rule: "hostregexp(`{host:.+}`)"
service: dummy
middlewares:
- redirect-to-https
priority: 1
# (NEW) Redirect immich.ghost.tel to photos.ghost.tel
immich-redirect:
entryPoints:
- http
- https # Catch both HTTP and HTTPS requests
rule: Host(`immich.ghost.tel`)
service: dummy # Dummy service since it's a redirect, not proxying
middlewares:
- redirect-immich-to-photos
tls:
certResolver: http
homeassist:
entryPoints:
- https
rule: Host(`home.ghost.tel`)
service: HomeAssistant
tls:
certResolver: http
middlewares:
- securityHeaders
dynmap:
entryPoints:
- http
- https
rule: Host(`dynmap.ghost.tel`)
service: dynmap
tls:
certResolver: http
amp:
entryPoints:
- http
rule: Host(`amped.ghost.tel`)
service: amp
tls:
certResolver: http
# Uncomment if you need them; included for reference
# brake:
# entryPoints:
# - http
# rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`)
# service: brake
# brakehttps:
# entryPoints:
# - https
# rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`)
# service: brakehttps
invid:
entryPoints:
- http
- https
rule: Host(`inv.ghost.tel`) && !(Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))
service: invid
tls:
certResolver: http
# (NEW) Route /companion path to Invidious Companion
invid-companion:
entryPoints:
- http
- https
rule: Host(`inv.ghost.tel`) && (Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/youtubei/v1/player`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))
service: invid-companion
tls:
certResolver: http
middlewares:
- invid-companion-prefix
# tempai:
# entryPoints:
# - http
# - https
# rule: Host(`shell.ghost.tel`)
# service: tempai
# tls:
# certResolver: http
# middlewares:
# - dashboard-auth
picam:
entryPoints:
- http
- https
rule: Host(`printview.ghost.tel`)
service: picam
tls:
certResolver: http
# Example internal API / dashboard config (for reference)
# my-api:
# entryPoints:
# - dashboard
# rule: "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
# service: api@internal
# middlewares:
# - dashboard-auth
my-secure-api:
entryPoints:
- https
rule: "Host(`traefik.ghost.tel`)"
service: api@internal
middlewares:
- auth
tls:
certResolver: http
services:
HomeAssistant:
loadBalancer:
passHostHeader: true
servers:
- url: "http://homeassistant.localdomain:8123"
dummy:
loadBalancer:
servers:
- url: "localhost"
dynmap:
loadBalancer:
servers:
- url: "http://ramiel:8123/"
amp:
loadBalancer:
passHostHeader: true
servers:
- url: "http://192.168.1.205:8080"
# brake:
# loadBalancer:
# passHostHeader: true
# servers:
# - url: "http://192.168.1.231:3333"
# brakehttps:
# loadBalancer:
# passHostHeader: true
# servers:
# - url: "http://192.168.1.231:3333"
invid:
loadBalancer:
passHostHeader: true
servers:
- url: "http://192.168.5.123:3000"
# (NEW) Invidious Companion service at port 8282
invid-companion:
loadBalancer:
passHostHeader: true
servers:
- url: "http://192.168.5.123:8282"
picam:
loadBalancer:
passHostHeader: true
servers:
- url: "http://192.168.1.80:8080"
# tempai:
# loadBalancer:
# passHostHeader: true
# servers:
# - url: "http://192.168.5.10:3001"
middlewares:
# HTTPS redirect
# (NEW) Middleware to redirect immich.ghost.tel to photos.ghost.tel
redirect-immich-to-photos:
redirectRegex:
regex: "^https?://immich\\.ghost\\.tel(/.*)?$"
replacement: "https://photos.ghost.tel$1"
permanent: true
dashboard-auth:
basicAuth:
usersFile: "/basicAuth"
redirect-to-https:
redirectScheme:
scheme: https
# permanent: true
# Authentik forward auth - update URL after authentik is deployed
auth:
forwardAuth:
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
address: http://192.168.5.123:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
@@ -37,7 +220,6 @@ http:
- X-authentik-meta-app
- X-authentik-meta-version
# Security headers
securityHeaders:
headers:
customResponseHeaders:
@@ -56,6 +238,24 @@ http:
stsSeconds: 63072000
stsPreload: true
# Gzip compression
# (NEW) Adds /companion prefix before passing to Companion
invid-companion-prefix:
addPrefix:
prefix: "/companion"
gzip:
compress: {}
# Example for TCP routing (commented out)
# tcp:
# routers:
# router-ssh:
# entryPoints:
# - web-secure
# rule: HostSNI(`*`)
# service: service-ssh
# services:
# service-ssh:
# loadBalancer:
# servers:
# - address: 192.168.1.203:2245