traefik: trust cloudflared forwarded headers on tunnel entrypoint

Add audiomuse router to Traefik internal.yaml
fix: escaped triple quotes in oidc-rewrite-proxy.py tangle block
2026-06-06 23:21:23 +00:00 · 2026-06-06 20:08:22 +00:00 · 2026-06-06 19:16:42 +00:00 · 2026-06-06 19:15:36 +00:00 · 2026-06-06 18:20:51 +00:00 · 2026-06-06 18:17:29 +00:00
5 changed files with 2041 additions and 1300 deletions
--- a/audiomuse.yaml
+++ b/audiomuse.yaml
@@ -26,9 +26,9 @@ services:
      - traefik.enable=true
      - traefik.http.routers.audiomuse.service=audiomuse
      - traefik.http.routers.audiomuse.rule=Host(`audiomuse.${CLOUDFLARE_DNS_ZONE:?err}`)
-      - traefik.http.routers.audiomuse.entrypoints=tunnel
+      - traefik.http.routers.audiomuse.entrypoints=tunnel,web,secureweb
      - traefik.http.routers.audiomuse.middlewares=authentik-forwardauth@file,security-headers@file
-      - traefik.http.services.audiomuse.loadbalancer.server.scheme=http
+      - traefik.http.services.audiomuse.loadbalancer.server.port=8000
      - traefik.http.services.audiomuse.loadbalancer.server.port=8000

  audiomuse-worker:
--- a/infrastructure.org
+++ b/infrastructure.org
--- a/tangle-deploy.sh
+++ b/tangle-deploy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # tangle-deploy — Tangle infrastructure.org and restart affected services
-GITEA_URL='http://amr:tangle-deploy-2026@10.10.10.201:3001/amr/infrastructure.git'
+GITEA_URL='ssh://git@git.gharbeia.net:2222/amr/infrastructure.git'
 REPO_DIR="${1:-/docker/compose/infrastructure}"
 ORG_FILE="${REPO_DIR}/infrastructure.org"
 if [ -z "${1:-}" ]; then
@@ -17,13 +17,14 @@ fi
 echo "=== Tangling $ORG_FILE ==="
 emacs --batch -Q --load /usr/share/emacs/28.2/lisp/org/org-loaddefs.el \
  --eval "(require 'org)" \
-  --eval "(org-babel-tangle-file \"$ORG_FILE\")" 2>&1
+  --eval "(require 'ob-shell)" \
+  --eval '(let ((org-confirm-babel-evaluate nil)) (org-babel-tangle-file "'"$ORG_FILE"'"))' 2>&1
 echo "=== Restarting services ==="
 cd /docker/compose
-if [ -f /docker/compose/traefik-static.yaml ] || \
-   [ -f /docker/compose/traefik-internal.yaml ] || \
-   [ -f /docker/compose/traefik-internal-noauth.yaml ] || \
-   [ -f /docker/compose/traefik-dynamic.yaml ]; then
+if [ -f /docker/appdata/traefik/traefik.yaml ] || \
+   [ -f /docker/appdata/traefik/internal.yaml ] || \
+   [ -f /docker/appdata/traefik/internal-noauth.yaml ] || \
+   [ -f /docker/appdata/traefik/dynamic.yaml ]; then
  echo 'Traefik config changed -- restarting...'
  docker compose up -d traefik
 fi
--- a/tubearchivist.yaml
+++ b/tubearchivist.yaml
@@ -0,0 +1,63 @@
+services:
+  tubearchivist:
+    image: bbilly1/tubearchivist:latest
+    container_name: tubearchivist
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+        restart: true
+    network_mode: service:gluetun
+    volumes:
+      - ${FOLDER_FOR_MORE:?err}/media/youtube:/youtube
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/cache:/cache
+    environment:
+      - TZ=${TIMEZONE:?err}
+      - TA_USERNAME=${TA_USERNAME:?err}
+      - TA_PASSWORD=${TA_PASSWORD:?err}
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_CON=redis://tubearchivist-redis:6379
+      - TA_HOST=https://tubearchivist.gharbeia.net
+      - ELASTIC_PASSWORD=tubearchivist
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.tubearchivist.service=tubearchivist
+      - traefik.http.routers.tubearchivist.rule=Host(`tubearchivist.${CLOUDFLARE_DNS_ZONE:?err}`)
+      - traefik.http.routers.tubearchivist.entrypoints=tunnel
+      - traefik.http.routers.tubearchivist.middlewares=authentik-forwardauth@file,security-headers@file,traefik-bouncer@file
+      - traefik.http.services.tubearchivist.loadbalancer.server.scheme=http
+      - traefik.http.services.tubearchivist.loadbalancer.server.port=8000
+
+  tubearchivist-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
+    container_name: tubearchivist-es
+    restart: unless-stopped
+    networks:
+      - networking
+    environment:
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.enabled=false
+      - path.repo=/usr/share/elasticsearch/data/snapshot
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/es:/usr/share/elasticsearch/data
+    healthcheck:
+      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  tubearchivist-redis:
+    image: redis:7-alpine
+    container_name: tubearchivist-redis
+    restart: unless-stopped
+    networks:
+      - networking
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/redis:/data
+    healthcheck:
+      test: redis-cli ping | grep PONG
+      interval: 30s
+      timeout: 10s
+      retries: 3
--- a/tubearchivist_fixed.yaml
+++ b/tubearchivist_fixed.yaml
@@ -0,0 +1,65 @@
+services:
+  tubearchivist:
+    image: bbilly1/tubearchivist:latest
+    container_name: tubearchivist
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+        restart: true
+    network_mode: service:gluetun
+    volumes:
+      - ${FOLDER_FOR_MORE:?err}/media/youtube:/youtube
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/cache:/cache
+    environment:
+      - TZ=${TIMEZONE:?err}
+      - TA_USERNAME=${TA_USERNAME:?err}
+      - TA_PASSWORD=${TA_PASSWORD:?err}
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_CON=redis://tubearchivist-redis:6379
+      - TA_HOST=https://tubearchivist.gharbeia.net
+      - ELASTIC_PASSWORD=tubearchivist
+      - HOST_UID=${PUID:?err}
+      - HOST_GID=${PGID:?err}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.tubearchivist.service=tubearchivist
+      - traefik.http.routers.tubearchivist.rule=Host(`tubearchivist.${CLOUDFLARE_DNS_ZONE:?err}`)
+      - traefik.http.routers.tubearchivist.entrypoints=tunnel
+      - traefik.http.routers.tubearchivist.middlewares=authentik-forwardauth@file,security-headers@file,traefik-bouncer@file
+      - traefik.http.services.tubearchivist.loadbalancer.server.scheme=http
+      - traefik.http.services.tubearchivist.loadbalancer.server.port=8000
+
+  tubearchivist-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
+    container_name: tubearchivist-es
+    restart: unless-stopped
+    networks:
+      - networking
+    environment:
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.enabled=false
+      - path.repo=/usr/share/elasticsearch/data/snapshot
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/es:/usr/share/elasticsearch/data
+    healthcheck:
+      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  tubearchivist-redis:
+    image: redis:7-alpine
+    container_name: tubearchivist-redis
+    restart: unless-stopped
+    networks:
+      - networking
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/redis:/data
+    healthcheck:
+      test: redis-cli ping | grep PONG
+      interval: 30s
+      timeout: 10s
+      retries: 3
Author	SHA1	Message	Date
Hermes	9a421a9783	traefik: trust cloudflared forwarded headers on tunnel entrypoint	2026-06-06 23:21:23 +00:00
Hermes	41aaf19032	Add audiomuse router to Traefik internal.yaml	2026-06-06 20:08:22 +00:00
Hermes	3cd699d312	fix: escaped triple quotes in oidc-rewrite-proxy.py tangle block	2026-06-06 19:16:42 +00:00
Hermes	e62bd88527	fix: systemd tangle-deploy missing ob-shell, add OIDC proxy, chmod fix - Replaced stale /usr/local/bin/tangle-deploy (no (require 'ob-shell)) with correct repo version — was writing crowdsecLapiKey: nil every 5min - Added chmod +x to tangle-deploy.sh so git pull doesn't strip exec bit - Added oidc-rewrite-proxy.py and oidc-proxy.service as tangle targets - Documented Gitea OIDC discovery rewrite fix - Added systemd unit detection to tangle-deploy restart logic - Updated changelog	2026-06-06 19:15:36 +00:00
Hermes	5fff6d9cfa	docs: document Gitea OIDC CustomURLMapping fix in infrastructure.org The OIDC auto-discovery uses internal Docker hostnames. The browser can't resolve authentik:9000, so CustomURLMapping.auth_url must be set to the public URL in Gitea's database. This change is manual (not tangled), so document the SQL and rationale.	2026-06-06 18:20:51 +00:00
Hermes	43741f17e4	fix: add ob-shell and org-confirm-babel-evaluate to tangle-deploy block in infrastructure.org The tangle-deploy.sh is tangled FROM infrastructure.org, but the org block was missing (require 'ob-shell) and org-confirm-babel-evaluate nil. This caused the CrowdSec noweb block (sh src) to evaluate as nil, making crowdsecLapiKey = nil in dynamic.yaml and blocking ALL traffic through the CrowdSec bouncer with 403. Fix the org block so the system is self-consistent: tangle always produces a correct tangle-deploy.sh that can load ob-shell and evaluate noweb blocks without confirmation prompts.	2026-06-06 18:17:29 +00:00
Hermes	642679f442	feat: add Traefik file-provider routes for bazarr, tdarr, stash, unpackerr	2026-06-06 17:45:24 +00:00
Hermes	971b2e7789	docs: document webhook ALLOWED_HOST_LIST env var in Gitea section	2026-06-06 17:17:01 +00:00
Hermes	5d4b6bcd70	fix: add GITEA__webhook__ALLOWED_HOST_LIST=private for auto-deploy	2026-06-06 17:15:41 +00:00
Hermes	ab16b2a86e	Revert "test: verify deploy webhook" This reverts commit `2b85c7bfc9`.	2026-06-06 17:15:41 +00:00
Hermes	2b85c7bfc9	test: verify deploy webhook	2026-06-06 17:11:52 +00:00
Hermes	92efd13929	docs: add qBittorrent documented section, merge Authentik fixes	2026-06-06 17:04:28 +00:00
root	7a1af0f153	fix: restore tangle-deploy.sh with noweb support from `ce03644`	2026-06-06 12:57:16 -04:00
root	f3e559a3bb	cleanup: remove .bak file	2026-06-06 12:56:37 -04:00
root	ce03644b0a	fix: restore tangle-deploy.sh with ob-shell and let binding from correct commit	2026-06-06 12:55:53 -04:00
root	9b916235bb	fix: use :results output for noweb, printf for no newline, sync tangle-deploy from HEAD	2026-06-06 12:54:58 -04:00
root	13a583a081	fix: use printf instead of echo to avoid trailing newline in noweb output	2026-06-06 12:51:46 -04:00
root	c12910d0f1	infrastructure: move .env + CrowdSec key into org with noweb references	2026-06-06 12:49:32 -04:00
root	54827a4256	infrastructure: use __CROWDSEC_LAPI_KEY__ placeholder in dynamic.yaml tangle block	2026-06-06 12:27:21 -04:00
root	7556ed75f5	tangle-deploy: substitute CROWDSEC_LAPI_KEY from .env + verify after deploy	2026-06-06 12:27:11 -04:00
Hermes	6ecfa3e0e9	brain.gharbeia.net: add Traefik router + update gharbeia-site to external LXC nginx - Add brain router with Authentik forward-auth pointing to LXC nginx on 8082 - Update gharbeia-site-internal from production-1 Docker nginx to LXC nginx on 8083 - Add brain-internal service (10.10.10.29:8082)	2026-05-23 23:30:11 +00:00
Hermes	61687cf5ad	audiomuse: fix .org source — entrypoints, no bouncer, port=8000, bridge network Plus new tubearchivist yaml configs	2026-05-21 06:47:34 +00:00