disable allowIp middleware while fixing ip filtering - upgrade traefik and fix gitea admin urls by adding prefix
@@ -1,3 +1,5 @@
|
||||
gitea_version: 1.23.3
|
||||
|
||||
gitea_partition: |-
|
||||
{{
|
||||
hard_disk__partitions | dict2items | selectattr(
|
||||
@@ -21,7 +23,7 @@ gitea:
|
||||
external: true
|
||||
services:
|
||||
gitea:
|
||||
image: gitea/gitea:1.22.2
|
||||
image: gitea/gitea:{{ gitea_version }}
|
||||
container_name: gitea
|
||||
restart: always
|
||||
environment:
|
||||
|
||||
@@ -11,13 +11,13 @@ raspberries:
|
||||
ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||
|
||||
internetPi1:
|
||||
ansible_host: arcodange.duckdns.org
|
||||
ansible_host: rg-evry.changeip.co # arcodange.duckdns.org is dependent on duckdns registrty update while changeip is managed with the firewall
|
||||
ansible_port: 51022
|
||||
internetPi2:
|
||||
ansible_host: arcodange.duckdns.org
|
||||
ansible_host: rg-evry.changeip.co
|
||||
ansible_port: 52022
|
||||
internetPi3:
|
||||
ansible_host: arcodange.duckdns.org
|
||||
ansible_host: rg-evry.changeip.co
|
||||
ansible_port: 53022
|
||||
|
||||
vars:
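Review bot: The three `ansible_host` entries now point at a new dynamic-DNS name while the context line above still passes `-o StrictHostKeyChecking=no`, so the first connection to each `rg-evry.changeip.co` endpoint (ports 51022/52022/53022) accepts whatever host key is presented and a hijacked changeip record or an on-path attacker would not be noticed. Since the three Pis are reached through one Internet-facing name and three forwarded ports, pin their keys instead: drop the extra arg and ship a `known_hosts` with `[rg-evry.changeip.co]:51022 ssh-ed25519 …` style entries, or at minimum set `ansible_host_key_checking: true` once the keys have been recorded; the inline comment's reasoning about the firewall covers reachability, not SSH trust. The same comment also has a typo (`registrty`).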
|
||||
|
||||
@@ -72,10 +72,11 @@
|
||||
|
||||
- name: k3s
|
||||
tags: never
|
||||
ansible.builtin.import_playbook: k3s.orchestration.site
|
||||
# ansible.builtin.import_playbook: k3s.orchestration.site
|
||||
ansible.builtin.import_playbook: k3s.orchestration.upgrade
|
||||
# ansible.builtin.import_playbook: k3s.orchestration.reset
|
||||
vars:
|
||||
k3s_version: v1.31.3+k3s1
|
||||
k3s_version: v1.32.2+k3s1
|
||||
extra_server_args: "--docker --disable traefik"
|
||||
extra_agent_args: "--docker"
|
||||
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
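Review bot: The `k3s` play now imports `k3s.orchestration.upgrade` and keeps `site` and `reset` as commented-out alternatives, so what the committed playbook does depends on which line happens to be uncommented, and a later `ansible-playbook --tags k3s` against a fresh host will try to upgrade a cluster that was never installed. Driving the choice from a variable keeps all three available without editing the file, e.g. `ansible.builtin.import_playbook: "k3s.orchestration.{{ k3s_action | default('site') }}"` selected with `-e k3s_action=upgrade` (extra-vars are usable in `import_playbook` paths, if I recall correctly). If the toggle is intentional for this one-off upgrade, a short comment next to the `k3s_version` bump saying so would save the next reader guessing; the play's remaining lines continue past the hunk.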
|
||||
@@ -122,7 +123,7 @@
|
||||
spec:
|
||||
repo: https://traefik.github.io/charts
|
||||
chart: traefik
|
||||
version: v30.1.0
|
||||
version: v37.0.0
|
||||
targetNamespace: kube-system
|
||||
valuesContent: |-
|
||||
{{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
|
||||
@@ -162,15 +163,20 @@
|
||||
- websecure
|
||||
middlewares:
|
||||
localIp:
|
||||
IPAllowList:
|
||||
ipAllowList:
|
||||
sourceRange:
|
||||
- "192.168.1.0/24"
|
||||
- "{{ ipify_public_ip }}/32"
|
||||
- "0.0.0.0/0"
|
||||
# - "192.168.1.0/24"
|
||||
# - "{{ ipify_public_ip }}/32"
|
||||
# ipStrategy:
|
||||
# depth: 2
|
||||
traefik_helm_values:
|
||||
deployment:
|
||||
kind: "Deployment"
|
||||
# default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
|
||||
# current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: true # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
|
||||
node-role.kubernetes.io/master: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
|
||||
service:
|
||||
spec:
|
||||
externalTrafficPolicy: Local
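Review bot: The `localIp` middleware is now an allow list containing `0.0.0.0/0`, so every router that still references it passes all IPv4 clients while its name (and the commit title) suggest filtering is merely paused — it fails open silently instead of being removed. If the intent is to disable it temporarily, detach it from the routers (a router referencing a missing middleware is rejected by Traefik, so nothing stays unprotected by accident) or keep the original ranges while fixing the real-IP problem, and in either case add `# TODO: restore the sourceRange entries below once client IP is preserved` next to the commented-out ranges so the allow-all is not forgotten. As far as I can tell `0.0.0.0/0` does not match IPv6 source addresses, so a v6 client would still be denied, which is another reason to remove rather than widen the list. The `# current is …/v30.1.0/traefik/values.yaml` comment is stale now that the chart is bumped to v37.0.0 and should point at the `v37.0.0` tag.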
|
||||
@@ -182,6 +188,17 @@
|
||||
dashboard:
|
||||
enabled: true
|
||||
globalArguments: [] # deactivate --global.sendanonymoususage
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: LEGO_DISABLE_CNAME_SUPPORT
|
||||
value: 'true'
|
||||
logs:
|
||||
general:
|
||||
level: DEBUG
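Review bot: The three new `env` entries carry no comment explaining why they are needed, and a list set in Helm values replaces the chart default rather than extending it, so a reader cannot tell whether `POD_NAME`/`POD_NAMESPACE` re-add a chart default that v37 relies on or introduce something new; a one-liner such as `# POD_NAME/POD_NAMESPACE: chart default env, re-declared because overriding env replaces the list` would settle it. `LEGO_DISABLE_CNAME_SUPPORT` only affects the ACME DNS-01 challenge as far as I know, whereas the resolver in this file uses `tlsChallenge: true`, so it is either dead configuration or documents a DNS challenge not visible here — say which in a comment. Visible in the hunk though not new: `level: DEBUG` on a publicly reachable ingress logs every request in detail and is worth dropping back to `INFO` once the IP-filtering work is finished.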
|
||||
@@ -209,8 +226,9 @@
|
||||
additionalArguments:
|
||||
- '--providers.file.filename=/config/dynamic.yaml'
|
||||
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
|
||||
certResolvers:
|
||||
certificatesResolvers:
|
||||
letsencrypt:
|
||||
acme:
|
||||
# for challenge options cf. https://doc.traefik.io/traefik/https/acme/
|
||||
email: arcodange@gmail.com
|
||||
tlsChallenge: true
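Review bot: Renaming `certResolvers` to `certificatesResolvers` does nothing if the new chart does not recognise the key — Helm ignores unknown values — and the failure mode is Traefik serving its default self-signed certificate on `websecure` with no error at deploy time. After applying, confirm the flags actually reached the pod, e.g. `kubectl -n kube-system get deploy traefik -o yaml | grep -i certificatesresolvers.letsencrypt`, and consider adding `caServer: https://acme-staging-v02.api.letsencrypt.org/directory` under `acme:` while testing the upgrade so a mis-keyed config does not burn the production rate limit. The `acme:` block continues past the end of the hunk.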
|
||||
|
||||
@@ -68,8 +68,9 @@
|
||||
docker exec -u git {{ applications.gitea.dockercompose.services.gitea.container_name }}
|
||||
gitea admin user create
|
||||
--username {{ gitea_user.name }}
|
||||
--email {{ gitea_user.name }}
|
||||
--email {{ gitea_user.email }}
|
||||
--random-password
|
||||
--admin
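Review bot: `gitea_user.name` and the newly corrected `gitea_user.email` are interpolated straight into a shell command line (`docker exec … gitea admin user create --username … --email …`), so a value containing whitespace, quotes or `;` breaks the command or runs something else; pass them through Ansible's shell escaping, `--username {{ gitea_user.name | quote }}` and `--email {{ gitea_user.email | quote }}`. `--random-password` prints the generated admin password to stdout, so the task that registers this output should carry `no_log: true` or the password ends up in the Ansible log; the task header starts before the hunk, so I cannot see whether it already does.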
|
||||
|
||||
- name: Generate Gitea Token
|
||||
include_role:
|
||||
|
||||
@@ -50,7 +50,7 @@ async function isLoggedIn() {
|
||||
async function setupApp() {
|
||||
const appName = process.env.GITEA_APP_NAME || 'Arcodange Hashicorp Vault';
|
||||
|
||||
await page.goto(`${giteaAddress}/admin/applications`);
|
||||
await page.goto(`${giteaAddress}/-/admin/applications`);
|
||||
|
||||
const applicationsPanel = await page.locator('.admin-setting-content');
|
||||
const applicationNameClass = await applicationsPanel.getByText('Git Credential Manager').getAttribute('class');
|
||||
@@ -65,7 +65,7 @@ async function setupApp() {
|
||||
await appElem.highlight();
|
||||
await appElem.locator('a.button').click();
|
||||
|
||||
await page.waitForURL( new RegExp(`${giteaAddress}/admin/applications/oauth2/\\d+$`) );
|
||||
await page.waitForURL( new RegExp(`${giteaAddress}/-/admin/applications/oauth2/\\d+$`) );
|
||||
|
||||
await applicationsPanel.locator('form[action$="/regenerate_secret"] > button').click();
|
||||
} else {
|
||||
@@ -76,9 +76,9 @@ async function setupApp() {
|
||||
`${vaultAddress}/ui/vault/auth/gitea/oidc/callback`,
|
||||
'https://webapp.arcodange.duckdns.org/oauth-callback',
|
||||
].join('\n'));
|
||||
await applicationsPanel.locator('form[action="/admin/applications/oauth2"] > button').dblclick()
|
||||
await applicationsPanel.locator('form[action="/-/admin/applications/oauth2"] > button').dblclick()
|
||||
|
||||
await page.waitForURL(`${giteaAddress}/admin/applications/oauth2`);
|
||||
await page.waitForURL(`${giteaAddress}/-/admin/applications/oauth2`);
|
||||
}
|
||||
|
||||
app.id = await applicationsPanel.locator('input[id="client-id"]').getAttribute('value');
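Review bot: `giteaAddress` is dropped into `new RegExp(...)` unescaped in the `waitForURL` call, so the dots in the host name match any character and the pattern has no `^` anchor; escape it first, `const base = giteaAddress.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');`, then use `new RegExp(`^${base}/-/admin/applications/oauth2/\\d+$`)`. The `/-/admin` prefix now appears in four literals across this function; a single `const adminUrl = `${giteaAddress}/-/admin/applications`;` would make the next Gitea route change a one-line edit. `setupApp` starts and ends outside the visible hunks.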
|
||||
|
||||