move allowlist middleware to file
ahembree committed Jun 1, 2024
1 parent 6cfdf10 commit 01206cd
Showing 2 changed files with 38 additions and 27 deletions.
52 changes: 25 additions & 27 deletions roles/hmsdocker/templates/docker-compose.yml.j2
Expand Up @@ -29,7 +29,7 @@ services:
- traefik.http.services.portainer-${COMPOSE_PROJECT}.loadbalancer.server.port=9000
- traefik.http.routers.portainer-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['portainer']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_portainer %}
- traefik.http.routers.portainer-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.portainer-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_portainer %}
- traefik.http.routers.portainer-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-portainer-midware@docker
Expand Down Expand Up @@ -76,7 +76,7 @@ services:
- traefik.http.services.homepage-${COMPOSE_PROJECT}.loadbalancer.server.port=3000
- traefik.http.routers.homepage-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['homepage']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_homepage %}
- traefik.http.routers.homepage-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.homepage-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_homepage %}
- traefik.http.routers.homepage-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-homepage-midware@docker
Expand Down Expand Up @@ -145,9 +145,7 @@ services:
- traefik.enable=true
- traefik.http.routers.traefik-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['traefik']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.services.traefik-${COMPOSE_PROJECT}.loadbalancer.server.port=8080
- traefik.http.middlewares.internal-ipallowlist.ipwhitelist.sourcerange=127.0.0.1/32, {{ traefik_subnet_allow_list }}
- traefik.http.middlewares.external-ipallowlist.ipwhitelist.sourcerange=0.0.0.0/0
- traefik.http.routers.traefik-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.traefik-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% if hmsdocker_authentik_enabled_traefik %}
- traefik.http.routers.traefik-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-traefik-midware@docker
{% endif %}
Expand Down Expand Up @@ -238,7 +236,7 @@ services:
- traefik.http.services.authentik-server-${COMPOSE_PROJECT}.loadbalancer.server.scheme=https
- traefik.http.routers.authentik-server-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['authentik']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_authentik %}
- traefik.http.routers.authentik-server-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.authentik-server-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_authentik %}
- traefik.http.routers.authentik-server-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-authentik-server-midware@docker
Expand Down Expand Up @@ -333,7 +331,7 @@ services:
- traefik.http.services.nzbget-${COMPOSE_PROJECT}.loadbalancer.server.port=6789
- traefik.http.routers.nzbget-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['nzbget']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_nzbget %}
- traefik.http.routers.nzbget-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.nzbget-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_nzbget %}
- traefik.http.routers.nzbget-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-nzbget-midware@docker
Expand Down Expand Up @@ -385,7 +383,7 @@ services:
- traefik.http.services.sabnzbd-${COMPOSE_PROJECT}.loadbalancer.server.port=8080
- traefik.http.routers.sabnzbd-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['sabnzbd']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_sabnzbd %}
- traefik.http.routers.sabnzbd-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.sabnzbd-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_sabnzbd %}
- traefik.http.routers.sabnzbd-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-sabnzbd-midware@docker
Expand Down Expand Up @@ -499,7 +497,7 @@ services:
- traefik.http.routers.transmission-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['transmission']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.services.transmission-${COMPOSE_PROJECT}.loadbalancer.server.port=8080
{% if not hmsdocker_expose_public_enabled_transmission %}
- traefik.http.routers.transmission-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.transmission-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_transmission %}
- traefik.http.routers.transmission-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-transmission-midware@docker
Expand Down Expand Up @@ -543,7 +541,7 @@ services:
- traefik.http.services.requestrr-${COMPOSE_PROJECT}.loadbalancer.server.port=4545
- traefik.http.routers.requestrr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['requestrr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_requestrr %}
- traefik.http.routers.requestrr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.requestrr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_requestrr %}
- traefik.http.routers.requestrr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-requestrr-midware@docker
Expand Down Expand Up @@ -578,7 +576,7 @@ services:
- traefik.http.services.prowlarr-${COMPOSE_PROJECT}.loadbalancer.server.port=9696
- traefik.http.routers.prowlarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['prowlarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_prowlarr %}
- traefik.http.routers.prowlarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.prowlarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_prowlarr %}
- traefik.http.routers.prowlarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-prowlarr-midware@docker
Expand Down Expand Up @@ -621,7 +619,7 @@ services:
- traefik.http.services.sonarr-${COMPOSE_PROJECT}.loadbalancer.server.port=8989
- traefik.http.routers.sonarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['sonarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_sonarr %}
- traefik.http.routers.sonarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.sonarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_sonarr %}
- traefik.http.routers.sonarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-sonarr-midware@docker
Expand Down Expand Up @@ -683,7 +681,7 @@ services:
- traefik.http.services.sonarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.loadbalancer.server.port=8989
- traefik.http.routers.sonarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['sonarr']['proxy_host_rule'] }}-{{ separate_4k_instances_suffix }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_sonarr %}
- traefik.http.routers.sonarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.sonarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_sonarr %}
- traefik.http.routers.sonarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-sonarr-{{ separate_4k_instances_suffix }}-midware@docker
Expand Down Expand Up @@ -745,7 +743,7 @@ services:
- traefik.http.services.radarr-${COMPOSE_PROJECT}.loadbalancer.server.port=7878
- traefik.http.routers.radarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['radarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_radarr %}
- traefik.http.routers.radarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.radarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_radarr %}
- traefik.http.routers.radarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-radarr-midware@docker
Expand Down Expand Up @@ -807,7 +805,7 @@ services:
- traefik.http.services.radarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.loadbalancer.server.port=7878
- traefik.http.routers.radarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['radarr']['proxy_host_rule'] }}-{{ separate_4k_instances_suffix }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_radarr %}
- traefik.http.routers.radarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.radarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_radarr %}
- traefik.http.routers.radarr-{{ separate_4k_instances_suffix }}-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-radarr-{{ separate_4k_instances_suffix }}-midware@docker
Expand Down Expand Up @@ -880,7 +878,7 @@ services:
- traefik.http.services.bazarr-${COMPOSE_PROJECT}.loadbalancer.server.port=6767
- traefik.http.routers.bazarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['bazarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_bazarr %}
- traefik.http.routers.bazarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.bazarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_bazarr %}
- traefik.http.routers.bazarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-bazarr-midware@docker
Expand Down Expand Up @@ -923,7 +921,7 @@ services:
- traefik.enable=true
- traefik.http.services.overseerr-${COMPOSE_PROJECT}.loadbalancer.server.port=5055
- traefik.http.routers.overseerr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['overseerr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.routers.overseerr-${COMPOSE_PROJECT}.middlewares=external-ipallowlist
- traefik.http.routers.overseerr-${COMPOSE_PROJECT}.middlewares=external-ipallowlist@file
{% if hmsdocker_authentik_enabled_overseerr %}
- traefik.http.routers.overseerr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-overseerr-midware@docker
{% endif %}
Expand Down Expand Up @@ -1005,7 +1003,7 @@ services:
- traefik.http.services.plex-${COMPOSE_PROJECT}.loadbalancer.server.scheme=https
- traefik.http.routers.plex-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['plex']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_plex %}
- traefik.http.routers.plex-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.plex-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_plex %}
- traefik.http.routers.plex-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-plex-midware@docker
Expand Down Expand Up @@ -1071,7 +1069,7 @@ services:
- traefik.http.services.jellyfin-${COMPOSE_PROJECT}.loadbalancer.server.port=8096
- traefik.http.routers.jellyfin-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['jellyfin']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_jellyfin %}
- traefik.http.routers.jellyfin-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.jellyfin-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_jellyfin %}
- traefik.http.routers.jellyfin-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-jellyfin-midware@docker
Expand Down Expand Up @@ -1141,7 +1139,7 @@ services:
- traefik.http.services.emby-${COMPOSE_PROJECT}.loadbalancer.server.port=8096
- traefik.http.routers.emby-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['emby']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_emby %}
- traefik.http.routers.emby-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.emby-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_emby %}
- traefik.http.routers.emby-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-emby-midware@docker
Expand Down Expand Up @@ -1184,7 +1182,7 @@ services:
- traefik.http.services.tautulli-${COMPOSE_PROJECT}.loadbalancer.server.port=8181
- traefik.http.routers.tautulli-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['tautulli']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_tautulli %}
- traefik.http.routers.tautulli-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.tautulli-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_tautulli %}
- traefik.http.routers.tautulli-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-tautulli-midware@docker
Expand Down Expand Up @@ -1310,7 +1308,7 @@ services:
- traefik.http.services.tdarr-${COMPOSE_PROJECT}.loadbalancer.server.port=8265
- traefik.http.routers.tdarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['tdarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_tdarr %}
- traefik.http.routers.tdarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.tdarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_tdarr %}
- traefik.http.routers.tdarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-tdarr-midware@docker
Expand Down Expand Up @@ -1391,7 +1389,7 @@ services:
- traefik.http.services.uptimekuma-${COMPOSE_PROJECT}.loadbalancer.server.port=3001
- traefik.http.routers.uptimekuma-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['uptimekuma']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_uptimekuma %}
- traefik.http.routers.uptimekuma-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.uptimekuma-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_uptimekuma %}
- traefik.http.routers.uptimekuma-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-uptimekuma-midware@docker
Expand Down Expand Up @@ -1425,7 +1423,7 @@ services:
- traefik.http.services.heimdall-${COMPOSE_PROJECT}.loadbalancer.server.scheme=https
- traefik.http.routers.heimdall-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['heimdall']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
{% if not hmsdocker_expose_public_enabled_heimdall %}
- traefik.http.routers.heimdall-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.heimdall-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% endif %}
{% if hmsdocker_authentik_enabled_heimdall %}
- traefik.http.routers.heimdall-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-heimdall-midware@docker
Expand Down Expand Up @@ -1471,7 +1469,7 @@ services:
- traefik.enable=true
- traefik.http.services.readarr-${COMPOSE_PROJECT}.loadbalancer.server.port=8787
- traefik.http.routers.readarr-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['readarr']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.routers.readarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.readarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% if hmsdocker_authentik_enabled_readarr %}
- traefik.http.routers.readarr-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-readarr-midware@docker
{% endif %}
Expand Down Expand Up @@ -1521,7 +1519,7 @@ services:
- traefik.enable=true
- traefik.http.services.kavita-${COMPOSE_PROJECT}.loadbalancer.server.port=5000
- traefik.http.routers.kavita-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['kavita']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.routers.kavita-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.kavita-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% if hmsdocker_authentik_enabled_kavita %}
- traefik.http.routers.kavita-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-kavita-midware@docker
{% endif %}
Expand Down Expand Up @@ -1560,7 +1558,7 @@ services:
- traefik.http.services.calibre-${COMPOSE_PROJECT}.loadbalancer.server.port=8181
- traefik.http.services.calibre-${COMPOSE_PROJECT}.loadbalancer.server.scheme=https
- traefik.http.routers.calibre-${COMPOSE_PROJECT}.rule=Host(`{{ hms_docker_container_map['calibre']['proxy_host_rule'] }}.${HMSD_DOMAIN}`)
- traefik.http.routers.calibre-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist
- traefik.http.routers.calibre-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file
{% if hmsdocker_authentik_enabled_calibre %}
- traefik.http.routers.calibre-${COMPOSE_PROJECT}.middlewares=authentik-proxy-${COMPOSE_PROJECT}-calibre-midware@docker
{% endif %}
Expand Down
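Review bot: Several routers still end up with two labels that share one key when Authentik is enabled — in the `-1471,7` hunk readarr sets `traefik.http.routers.readarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file` unconditionally and then `...middlewares=authentik-proxy-${COMPOSE_PROJECT}-readarr-midware@docker` under `{% if hmsdocker_authentik_enabled_readarr %}`; Docker labels are a key/value map, so only one value survives and either the IP allowlist or the forward-auth is silently skipped (the same shape appears in every other service hunk, kavita and calibre included). Unless the template merges these elsewhere, Traefik expects one comma-separated list, e.g. `- traefik.http.routers.readarr-${COMPOSE_PROJECT}.middlewares=internal-ipallowlist@file{% if hmsdocker_authentik_enabled_readarr %},authentik-proxy-${COMPOSE_PROJECT}-readarr-midware@docker{% endif %}`. Separately, the `-145,9` hunk drops the in-label definitions of `internal-ipallowlist` and `external-ipallowlist`, so every `@file` reference now depends on the Traefik file provider loading the rendered `hmsd_traefik_middlewares.yml`; neither the provider setting nor the mount into the traefik container is visible in these hunks, and if they are absent Traefik marks each router that references the middleware as errored (fail-closed), so confirming that wiring is part of this change. Each `labels` block continues outside its hunk.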
13 changes: 13 additions & 0 deletions roles/hmsdocker/templates/hmsd_traefik_middlewares.yml.j2
@@ -0,0 +1,13 @@
http:
middlewares:
internal-ipallowlist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
{% for address in traefik_subnet_allow_list | split(', ') %}
- "{{ address }}"
{% endfor %}
external-ipallowlist:
ipWhiteList:
sourceRange:
- "0.0.0.0/0"
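Review bot: The `split(', ')` on the `{% for address in traefik_subnet_allow_list | split(', ') %}` line only works when the allow list is written with a comma followed by exactly one space; a value such as `10.0.0.0/8,192.168.1.0/24` renders as a single `sourceRange` entry that is not a valid CIDR, and Traefik then reports the middleware as invalid and disables every router that references it. Splitting on the comma alone and trimming tolerates either spelling, and dropping empty items avoids a lone `- ""` when the variable is empty: `{% for address in traefik_subnet_allow_list | split(',') | map('trim') | select %}`. Quoting each rendered address as the hunk does is right, since it guards against a templated value starting with a YAML indicator. If the role pins Traefik v3 (the image tag is not visible here), `ipWhiteList` is deprecated there in favour of `ipAllowList`, so the key is worth checking against the pinned version.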
