disable allowIp middleware while fixing ip filtering - upgrade traefik and fix gitea admin urls by adding prefix
@@ -1,3 +1,5 @@
|
|||||||
|
gitea_version: 1.23.3
|
||||||
|
|
||||||
gitea_partition: |-
|
gitea_partition: |-
|
||||||
{{
|
{{
|
||||||
hard_disk__partitions | dict2items | selectattr(
|
hard_disk__partitions | dict2items | selectattr(
|
||||||
@@ -21,7 +23,7 @@ gitea:
|
|||||||
external: true
|
external: true
|
||||||
services:
|
services:
|
||||||
gitea:
|
gitea:
|
||||||
image: gitea/gitea:1.22.2
|
image: gitea/gitea:{{ gitea_version }}
|
||||||
container_name: gitea
|
container_name: gitea
|
||||||
restart: always
|
restart: always
|
||||||
environment:
|
environment:
|
||||||
|
|||||||
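Review bot: `image: gitea/gitea:{{ gitea_version }}` still pins the container only by a mutable tag; now that the tag is a variable it is also the natural place to pin a digest, e.g. `image: "gitea/gitea:{{ gitea_version }}@sha256:<digest-of-the-1.23.3-image>"` (placeholder), so a re-pushed tag cannot silently change what is deployed. Quoting the templated scalar also guards against an empty `gitea_version` rendering as `gitea/gitea:`. The `services.gitea` mapping continues outside the hunk.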
@@ -11,13 +11,13 @@ raspberries:
|
|||||||
ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||||
|
|
||||||
internetPi1:
|
internetPi1:
|
||||||
ansible_host: arcodange.duckdns.org
|
ansible_host: rg-evry.changeip.co # arcodange.duckdns.org is dependent on duckdns registrty update while changeip is managed with the firewall
|
||||||
ansible_port: 51022
|
ansible_port: 51022
|
||||||
internetPi2:
|
internetPi2:
|
||||||
ansible_host: arcodange.duckdns.org
|
ansible_host: rg-evry.changeip.co
|
||||||
ansible_port: 52022
|
ansible_port: 52022
|
||||||
internetPi3:
|
internetPi3:
|
||||||
ansible_host: arcodange.duckdns.org
|
ansible_host: rg-evry.changeip.co
|
||||||
ansible_port: 53022
|
ansible_port: 53022
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
|
|||||||
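Review bot: The three `ansible_host` entries now point at `rg-evry.changeip.co` while the group keeps `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'` (context at the top of the hunk), so a stale or hijacked record for that dynamic-DNS name would redirect the SSH session without any warning. Pinning the host keys in `known_hosts`, or at least `ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'`, keeps first-contact convenience while rejecting a later key change. The inline comment on `internetPi1` reads `registrty` and explains a change that applies to all three hosts, so it belongs once on the group rather than on one host. The `raspberries` mapping starts outside the hunk.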
@@ -72,10 +72,11 @@
|
|||||||
|
|
||||||
- name: k3s
|
- name: k3s
|
||||||
tags: never
|
tags: never
|
||||||
ansible.builtin.import_playbook: k3s.orchestration.site
|
# ansible.builtin.import_playbook: k3s.orchestration.site
|
||||||
|
ansible.builtin.import_playbook: k3s.orchestration.upgrade
|
||||||
# ansible.builtin.import_playbook: k3s.orchestration.reset
|
# ansible.builtin.import_playbook: k3s.orchestration.reset
|
||||||
vars:
|
vars:
|
||||||
k3s_version: v1.31.3+k3s1
|
k3s_version: v1.32.2+k3s1
|
||||||
extra_server_args: "--docker --disable traefik"
|
extra_server_args: "--docker --disable traefik"
|
||||||
extra_agent_args: "--docker"
|
extra_agent_args: "--docker"
|
||||||
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
||||||
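Review bot: With `ansible.builtin.import_playbook: k3s.orchestration.site` commented out, the `k3s` play now only imports `k3s.orchestration.upgrade`, so a fresh node would no longer be provisioned by this play; nothing in the hunk says whether that is the intended steady state or a one-off for the `v1.32.2+k3s1` bump. A comment above the import such as `# upgrade only; re-enable site for initial provisioning` records the intent, and the play already carries `tags: never`, so it is only reached when explicitly tagged.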
@@ -122,7 +123,7 @@
|
|||||||
spec:
|
spec:
|
||||||
repo: https://traefik.github.io/charts
|
repo: https://traefik.github.io/charts
|
||||||
chart: traefik
|
chart: traefik
|
||||||
version: v30.1.0
|
version: v37.0.0
|
||||||
targetNamespace: kube-system
|
targetNamespace: kube-system
|
||||||
valuesContent: |-
|
valuesContent: |-
|
||||||
{{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
|
{{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
|
||||||
@@ -162,15 +163,20 @@
|
|||||||
- websecure
|
- websecure
|
||||||
middlewares:
|
middlewares:
|
||||||
localIp:
|
localIp:
|
||||||
IPAllowList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "192.168.1.0/24"
|
- "0.0.0.0/0"
|
||||||
- "{{ ipify_public_ip }}/32"
|
# - "192.168.1.0/24"
|
||||||
|
# - "{{ ipify_public_ip }}/32"
|
||||||
|
# ipStrategy:
|
||||||
|
# depth: 2
|
||||||
traefik_helm_values:
|
traefik_helm_values:
|
||||||
|
deployment:
|
||||||
|
kind: "Deployment"
|
||||||
# default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
|
# default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
|
||||||
# current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
|
# current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: true # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
|
node-role.kubernetes.io/master: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
|
||||||
service:
|
service:
|
||||||
spec:
|
spec:
|
||||||
externalTrafficPolicy: Local
|
externalTrafficPolicy: Local
|
||||||
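Review bot: `- "0.0.0.0/0"` turns the `localIp` `ipAllowList` into an allow-all, so every router that still references this middleware is reachable from any source address and the name `localIp` no longer describes what it does. If this is a temporary bypass while the `ipStrategy`/`depth` handling is sorted out, detaching the middleware from the routers (or keeping `192.168.1.0/24` and adding only what the test needs) is safer than widening the range, and a `# TODO(<date>): temporary allow-all, see commit message` above the entry makes the intent visible. The comment `# current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml` a few lines below is now stale given the chart bump to v37.0.0 in the previous hunk. The change to `'true'` on the `node-role.kubernetes.io/master` selector is correct, since label values must be strings; `traefik_helm_values` continues outside the hunk.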
@@ -182,6 +188,17 @@
|
|||||||
dashboard:
|
dashboard:
|
||||||
enabled: true
|
enabled: true
|
||||||
globalArguments: [] # deactivate --global.sendanonymoususage
|
globalArguments: [] # deactivate --global.sendanonymoususage
|
||||||
|
env:
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: LEGO_DISABLE_CNAME_SUPPORT
|
||||||
|
value: 'true'
|
||||||
logs:
|
logs:
|
||||||
general:
|
general:
|
||||||
level: DEBUG
|
level: DEBUG
|
||||||
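Review bot: The new `env` list carries no comment on why `POD_NAME`/`POD_NAMESPACE` are spelled out or what `LEGO_DISABLE_CNAME_SUPPORT` is for; presumably a user-supplied `env` replaces rather than extends the chart's default list (confirm against the v37 values), and the lego flag changes how the DNS-01 challenge places its TXT record. Comments such as `# env replaces the chart default list, so the pod fieldRefs must be repeated` and `# duckdns: do not follow CNAME when resolving the _acme-challenge record` would save the next reader a chart dive. `traefik_helm_values` starts outside the hunk.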
@@ -209,18 +226,19 @@
|
|||||||
additionalArguments:
|
additionalArguments:
|
||||||
- '--providers.file.filename=/config/dynamic.yaml'
|
- '--providers.file.filename=/config/dynamic.yaml'
|
||||||
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
|
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
|
||||||
certResolvers:
|
certificatesResolvers:
|
||||||
letsencrypt:
|
letsencrypt:
|
||||||
# for challenge options cf. https://doc.traefik.io/traefik/https/acme/
|
acme:
|
||||||
email: arcodange@gmail.com
|
# for challenge options cf. https://doc.traefik.io/traefik/https/acme/
|
||||||
tlsChallenge: true
|
email: arcodange@gmail.com
|
||||||
dnsChallenge:
|
tlsChallenge: true
|
||||||
# requires env variable DUCKDNS_TOKEN
|
dnsChallenge:
|
||||||
provider: duckdns
|
# requires env variable DUCKDNS_TOKEN
|
||||||
httpChallenge:
|
provider: duckdns
|
||||||
entryPoint: "web"
|
httpChallenge:
|
||||||
# It has to match the path with a persistent volume
|
entryPoint: "web"
|
||||||
storage: /data/acme.json
|
# It has to match the path with a persistent volume
|
||||||
|
storage: /data/acme.json
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: traefik-duckdns-token
|
name: traefik-duckdns-token
|
||||||
|
|||||||
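Review bot: Under the restructured `certificatesResolvers.letsencrypt.acme`, `tlsChallenge`, `dnsChallenge` and `httpChallenge` are all set on the same resolver; Traefik's ACME documentation presents these as alternative challenge types, and which one is actually used when several are configured is not obvious from this config — confirm the intended one (the `duckdns` DNS challenge, given the `traefik-duckdns-token` secret) and drop or comment out the others so a silent fallback to HTTP or TLS-ALPN is not relied on. The comment above `storage: /data/acme.json` covers only persistence; it is worth adding that the file holds the ACME account and certificate private keys, so the volume needs restrictive permissions. The `additionalArguments` list and `envFrom` are unchanged context.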
@@ -68,8 +68,9 @@
|
|||||||
docker exec -u git {{ applications.gitea.dockercompose.services.gitea.container_name }}
|
docker exec -u git {{ applications.gitea.dockercompose.services.gitea.container_name }}
|
||||||
gitea admin user create
|
gitea admin user create
|
||||||
--username {{ gitea_user.name }}
|
--username {{ gitea_user.name }}
|
||||||
--email {{ gitea_user.name }}
|
--email {{ gitea_user.email }}
|
||||||
--random-password
|
--random-password
|
||||||
|
--admin
|
||||||
|
|
||||||
- name: Generate Gitea Token
|
- name: Generate Gitea Token
|
||||||
include_role:
|
include_role:
|
||||||
|
|||||||
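Review bot: The `gitea admin user create` command interpolates `{{ gitea_user.name }}` and `{{ gitea_user.email }}` straight into the shell line, so a value containing whitespace or shell metacharacters would be split or interpreted; `--username {{ gitea_user.name | quote }}` and `--email {{ gitea_user.email | quote }}` avoid that. `--random-password` prints the generated password on stdout, so unless the task (whose header is outside the hunk) sets `no_log: true`, the new admin credential lands in the play output and any log shipping. The fix to `gitea_user.email` and the added `--admin` look correct.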
@@ -50,7 +50,7 @@ async function isLoggedIn() {
|
|||||||
async function setupApp() {
|
async function setupApp() {
|
||||||
const appName = process.env.GITEA_APP_NAME || 'Arcodange Hashicorp Vault';
|
const appName = process.env.GITEA_APP_NAME || 'Arcodange Hashicorp Vault';
|
||||||
|
|
||||||
await page.goto(`${giteaAddress}/admin/applications`);
|
await page.goto(`${giteaAddress}/-/admin/applications`);
|
||||||
|
|
||||||
const applicationsPanel = await page.locator('.admin-setting-content');
|
const applicationsPanel = await page.locator('.admin-setting-content');
|
||||||
const applicationNameClass = await applicationsPanel.getByText('Git Credential Manager').getAttribute('class');
|
const applicationNameClass = await applicationsPanel.getByText('Git Credential Manager').getAttribute('class');
|
||||||
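Review bot: The `/-/admin` prefix is now a literal in four places (here, the `waitForURL` regexp, the `form[action=...]` selector and the final `waitForURL` in the two following hunks); a single `const adminBase = \`${giteaAddress}/-/admin\`;` next to `giteaAddress` would make the next Gitea route change a one-line edit. In the regexp variant `giteaAddress` is interpolated unescaped, so `.` in the host matches any character — harmless for a wait condition but worth a comment. `setupApp` continues outside the hunk.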
@@ -65,7 +65,7 @@ async function setupApp() {
|
|||||||
await appElem.highlight();
|
await appElem.highlight();
|
||||||
await appElem.locator('a.button').click();
|
await appElem.locator('a.button').click();
|
||||||
|
|
||||||
await page.waitForURL( new RegExp(`${giteaAddress}/admin/applications/oauth2/\\d+$`) );
|
await page.waitForURL( new RegExp(`${giteaAddress}/-/admin/applications/oauth2/\\d+$`) );
|
||||||
|
|
||||||
await applicationsPanel.locator('form[action$="/regenerate_secret"] > button').click();
|
await applicationsPanel.locator('form[action$="/regenerate_secret"] > button').click();
|
||||||
} else {
|
} else {
|
||||||
@@ -76,9 +76,9 @@ async function setupApp() {
|
|||||||
`${vaultAddress}/ui/vault/auth/gitea/oidc/callback`,
|
`${vaultAddress}/ui/vault/auth/gitea/oidc/callback`,
|
||||||
'https://webapp.arcodange.duckdns.org/oauth-callback',
|
'https://webapp.arcodange.duckdns.org/oauth-callback',
|
||||||
].join('\n'));
|
].join('\n'));
|
||||||
await applicationsPanel.locator('form[action="/admin/applications/oauth2"] > button').dblclick()
|
await applicationsPanel.locator('form[action="/-/admin/applications/oauth2"] > button').dblclick()
|
||||||
|
|
||||||
await page.waitForURL(`${giteaAddress}/admin/applications/oauth2`);
|
await page.waitForURL(`${giteaAddress}/-/admin/applications/oauth2`);
|
||||||
}
|
}
|
||||||
|
|
||||||
app.id = await applicationsPanel.locator('input[id="client-id"]').getAttribute('value');
|
app.id = await applicationsPanel.locator('input[id="client-id"]').getAttribute('value');
|
||||||
|
|||||||
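Review bot: `form[action="/-/admin/applications/oauth2"]` matches the action attribute exactly, unlike the `form[action$="/regenerate_secret"]` suffix selector in the previous hunk, so it breaks as soon as Gitea is served under a sub-path or the action is rendered as an absolute URL; `form[action$="/-/admin/applications/oauth2"]` keeps the two selectors consistent. The `else` branch and `setupApp` continue outside the hunk.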