Diffstat (limited to 'playbooks/roles/traefik/templates/stacks/docker-compose.yml')
-rw-r--r--playbooks/roles/traefik/templates/stacks/docker-compose.yml100
1 files changed, 86 insertions, 14 deletions
diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
index 6362b31..46f5503 100644
--- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
@@ -15,7 +15,7 @@ services:
timeout: 5s
retries: 10
volumes:
- - {{ traefik_base }}/volumes/headscale:/var/lib/tailscale
+ - "{{ traefik_base }}/volumes/headscale:/var/lib/tailscale"
- /dev/net/tun:/dev/net/tun
cap_add:
- NET_ADMIN
@@ -53,10 +53,12 @@ services:
- CF_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- - {{ traefik_base }}/stacks/traefik.yml:/traefik.yml
- - {{ traefik_base }}/volumes/certs:/certs
+ - "{{ traefik_base }}/stacks/traefik.yml:/traefik.yml"
+ - "{{ traefik_base }}/volumes/certs:/certs"
networks:
+ - metrics
- proxy
+ - oauth_proxy
- headnet
deploy:
mode: global
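Review bot: The two network attachments added to the Traefik service (`metrics` and `oauth_proxy`) carry no comment saying which peer needs them, and since this same container mounts the Docker socket and receives `CF_DNS_API_TOKEN`, every extra overlay network it joins widens what a compromised Traefik process can reach. A one-line comment per added network would let a reviewer confirm the exposure is intended, e.g. `- metrics  # <consumer> scrapes Traefik over this external network` and `- oauth_proxy  # forwardAuth traffic to oauth2-proxy`. Because `metrics` is declared `external: true` further down the diff, its driver, attachability and encryption settings are fixed outside this stack; the comment could name where that network is created so the two definitions can be checked together. The service definition continues outside the hunk.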
@@ -66,21 +68,91 @@ services:
failure_action: rollback
monitor: 2s # go go go.
labels:
- - traefik.enable=true
- - traefik.http.routers.dashboard.rule=Host(`{{ traefik_domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- - traefik.http.routers.dashboard.service=api@internal
- - traefik.http.routers.dashboard.tls=true
- - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
- - traefik.http.routers.ping.rule=Host(`{{ traefik_domain }}`) && PathPrefix(`/ping`)
- - traefik.http.routers.ping.service=ping@internal
- - traefik.http.routers.ping.tls=true
- - traefik.http.routers.ping.tls.certresolver=letsencrypt
- - traefik.http.services.dashboard.loadbalancer.server.port=8080
- - traefik.http.services.ping.loadbalancer.server.port=8080
+ - "traefik.enable=true"
+ - "traefik.http.routers.dashboard.rule=Host(`{{ traefik_domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+ - "traefik.http.routers.dashboard.service=api@internal"
+ - "traefik.http.routers.dashboard.tls=true"
+ - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
+ - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
+ - "traefik.http.routers.ping.rule=Host(`{{ traefik_domain }}`) && PathPrefix(`/ping`)"
+ - "traefik.http.routers.ping.service=ping@internal"
+ - "traefik.http.routers.ping.tls=true"
+ - "traefik.http.routers.ping.tls.certresolver=letsencrypt"
+ - "traefik.http.services.ping.loadbalancer.server.port=8080"
+
+ - "traefik.http.middlewares.auth-headers.headers.stsSeconds=315360000"
+ - "traefik.http.middlewares.auth-headers.headers.browserXssFilter=true"
+ - "traefik.http.middlewares.auth-headers.headers.contentTypeNosniff=true"
+ - "traefik.http.middlewares.auth-headers.headers.forceSTSHeader=true"
+ - "traefik.http.middlewares.auth-headers.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.auth-headers.headers.stsPreload=true"
+ - "traefik.http.middlewares.auth-headers.headers.frameDeny=true"
+
+ - "traefik.http.middlewares.oauth-verify.forwardAuth.address=http://oauth2-proxy:4180"
+ - "traefik.http.middlewares.oauth-verify.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.oauth-verify.forwardAuth.authResponseHeaders={{ forwardauth_headers }}"
+
+ - "traefik.http.middlewares.oauth-verify-noredirect.forwardAuth.address=http://oauth2-proxy:4180/oauth2/auth"
+ - "traefik.http.middlewares.oauth-verify-noredirect.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.oauth-verify-noredirect.forwardAuth.authResponseHeaders={{ forwardauth_headers }}"
+
+ oauth2-proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ command: --alpha-config /conf/oauth_proxy_alpha.yml --config /conf/oauth_proxy.cfg
+ volumes:
+ - "{{ traefik_base }}/volumes/oauth2proxy:/conf"
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ deployment_time }}
+ networks:
+ - oauth_cache
+ - proxy
+ - oauth_proxy
+ - metrics
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ delay: 5s
+ replicas: 1
+ labels:
+ "traefik.enable": "true"
+ "traefik.swarm.network": "proxy"
+ "traefik.http.routers.fwdauth.tls": "true"
+ "traefik.http.routers.fwdauth.tls.certResolver": "letsencrypt"
+ "traefik.http.routers.fwdauth.rule": "!Host(`{{ idm_domain }}`) && (PathPrefix(`/oauth2`) || Host(`{{ oauth_proxy_domain }}`))"
+ "traefik.http.routers.fwdauth.entrypoints": "websecure"
+ "traefik.http.routers.fwdauth.middlewares": "auth-headers"
+ "traefik.http.services.fwdauth.loadbalancer.server.port": "4180"
+ oauth2-cache:
+ image: redis:8-alpine
+ restart: always
+ command: redis-server --save 20 1 --loglevel warning
+ volumes:
+ - "{{ traefik_base }}/volumes/redis:/data"
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ deployment_time }}
+ networks:
+ - oauth_cache
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ delay: 5s
+ replicas: 1
networks:
+ metrics:
+ external: true
proxy:
name: proxy
driver: overlay
attachable: true
+ oauth_proxy:
+ oauth_cache:
headnet: