disable allowIp middleware while fixing ip filtering - upgrade traefik and fix gitea admin urls by adding prefix

2025-08-04 17:35:11 +02:00
parent b185999478
commit 58aece92b6
5 changed files with 48 additions and 27 deletions
--- a/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml
@@ -1,3 +1,5 @@
+gitea_version: 1.23.3
+
 gitea_partition: |-
  {{
  hard_disk__partitions | dict2items | selectattr(
@@ -21,7 +23,7 @@ gitea:
        external: true
    services:
      gitea:
-        image: gitea/gitea:1.22.2
+        image: gitea/gitea:{{ gitea_version }}
        container_name: gitea
        restart: always
        environment:
--- a/ansible/arcodange/factory/inventory/hosts.yml
+++ b/ansible/arcodange/factory/inventory/hosts.yml
@@ -11,13 +11,13 @@ raspberries:
      ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
    
    internetPi1:
-      ansible_host: arcodange.duckdns.org
+      ansible_host: rg-evry.changeip.co # arcodange.duckdns.org is dependent on duckdns registrty update while changeip is managed with the firewall
      ansible_port: 51022
    internetPi2:
-      ansible_host: arcodange.duckdns.org
+      ansible_host: rg-evry.changeip.co
      ansible_port: 52022
    internetPi3:
-      ansible_host: arcodange.duckdns.org
+      ansible_host: rg-evry.changeip.co
      ansible_port: 53022
  
  vars:
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -72,10 +72,11 @@

 - name: k3s
  tags: never
-  ansible.builtin.import_playbook: k3s.orchestration.site
+  # ansible.builtin.import_playbook: k3s.orchestration.site
+  ansible.builtin.import_playbook: k3s.orchestration.upgrade
  # ansible.builtin.import_playbook: k3s.orchestration.reset
  vars:
-    k3s_version: v1.31.3+k3s1
+    k3s_version: v1.32.2+k3s1
    extra_server_args: "--docker --disable traefik"
    extra_agent_args: "--docker"
    api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
@@ -122,7 +123,7 @@
              spec:
                repo: https://traefik.github.io/charts
                chart: traefik
-                version: v30.1.0
+                version: v37.0.0
                targetNamespace: kube-system
                valuesContent: |-
                  {{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
@@ -162,15 +163,20 @@
                      - websecure
                middlewares:
                  localIp:
-                    IPAllowList:
+                    ipAllowList:
                      sourceRange:
-                        - "192.168.1.0/24"
-                        - "{{ ipify_public_ip }}/32"
+                      - "0.0.0.0/0"
+                    #     - "192.168.1.0/24"
+                    #     - "{{ ipify_public_ip }}/32"
+                      # ipStrategy:
+                      #   depth: 2
            traefik_helm_values:
+              deployment:
+                kind: "Deployment"
              # default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
              # current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
              nodeSelector:
-                node-role.kubernetes.io/master: true # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
+                node-role.kubernetes.io/master: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
              service:
                spec:
                  externalTrafficPolicy: Local
@@ -182,6 +188,17 @@
                dashboard:
                  enabled: true
              globalArguments: [] # deactivate --global.sendanonymoususage
+              env:
+                - name: POD_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.name
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+                - name: LEGO_DISABLE_CNAME_SUPPORT
+                  value: 'true'
              logs:
                general:
                  level: DEBUG
@@ -209,18 +226,19 @@
              additionalArguments:
                - '--providers.file.filename=/config/dynamic.yaml'
                - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
-              certResolvers:
+              certificatesResolvers:
                letsencrypt:
-                  # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
-                  email: arcodange@gmail.com
-                  tlsChallenge: true
-                  dnsChallenge:
-                    # requires env variable DUCKDNS_TOKEN
-                    provider: duckdns
-                  httpChallenge:
-                    entryPoint: "web"
-                  # It has to match the path with a persistent volume
-                  storage: /data/acme.json
+                  acme:
+                    # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+                    email: arcodange@gmail.com
+                    tlsChallenge: true
+                    dnsChallenge:
+                      # requires env variable DUCKDNS_TOKEN
+                      provider: duckdns
+                    httpChallenge:
+                      entryPoint: "web"
+                    # It has to match the path with a persistent volume
+                    storage: /data/acme.json
              envFrom:
                - secretRef:
                    name: traefik-duckdns-token
--- a/ansible/arcodange/factory/playbooks/setup/gitea.yml
+++ b/ansible/arcodange/factory/playbooks/setup/gitea.yml
@@ -68,8 +68,9 @@
            docker exec -u git {{ applications.gitea.dockercompose.services.gitea.container_name }}
            gitea admin user create
            --username {{ gitea_user.name }}
-            --email {{ gitea_user.name }}
+            --email {{ gitea_user.email }}
            --random-password
+            --admin
        
        - name: Generate Gitea Token
          include_role:
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
@@ -50,7 +50,7 @@ async function isLoggedIn() {
 async function setupApp() {
  const appName = process.env.GITEA_APP_NAME || 'Arcodange Hashicorp Vault';
  
-  await page.goto(`${giteaAddress}/admin/applications`);
+  await page.goto(`${giteaAddress}/-/admin/applications`);

  const applicationsPanel = await page.locator('.admin-setting-content');
  const applicationNameClass = await applicationsPanel.getByText('Git Credential Manager').getAttribute('class');
@@ -65,7 +65,7 @@ async function setupApp() {
    await appElem.highlight();
    await appElem.locator('a.button').click();

-    await page.waitForURL( new RegExp(`${giteaAddress}/admin/applications/oauth2/\\d+$`) );
+    await page.waitForURL( new RegExp(`${giteaAddress}/-/admin/applications/oauth2/\\d+$`) );
    
    await applicationsPanel.locator('form[action$="/regenerate_secret"] > button').click();
  } else {
@@ -76,9 +76,9 @@ async function setupApp() {
      `${vaultAddress}/ui/vault/auth/gitea/oidc/callback`,
      'https://webapp.arcodange.duckdns.org/oauth-callback',
    ].join('\n'));
-    await applicationsPanel.locator('form[action="/admin/applications/oauth2"] > button').dblclick()
+    await applicationsPanel.locator('form[action="/-/admin/applications/oauth2"] > button').dblclick()

-    await page.waitForURL(`${giteaAddress}/admin/applications/oauth2`);
+    await page.waitForURL(`${giteaAddress}/-/admin/applications/oauth2`);
  }

  app.id = await applicationsPanel.locator('input[id="client-id"]').getAttribute('value');