How to publish HTTP services as <svc>.mf01.makerfloss.eu (VPS-terminated TLS, wg1 inner hop, mf01 internal Traefik). Built + verified 2026-06-09. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3.7 KiB
Runbook — publishing a service on mf01
mf01 publishes HTTP services as https://<svc>.mf01.makerfloss.eu. TLS
terminates on the makerfloss VPS; the VPS proxies *.mf01 over wg1 to
mf01's internal Traefik (10.13.0.8:80), which routes by Host label to the
container.
- Design:
AnsibleBaobabV4/docs/superpowers/specs/2026-06-09-mf01-service-publishing-design.md - Plan:
AnsibleBaobabV4/docs/superpowers/plans/2026-06-09-mf01-service-publishing.md - Built and verified live 2026-06-09 (first service:
whoami.mf01.makerfloss.eu).
How a request flows
browser ─https─▶ <svc>.mf01.makerfloss.eu (DNS *.mf01 A → 88.99.32.236)
─▶ VPS Traefik :443 (wildcard cert *.mf01.makerfloss.eu, TLS ends here)
─▶ plain HTTP over wg1 ─▶ mf01 Traefik 10.13.0.8:80
─▶ container (routed by Host label)
The VPS side is configured once (in host_vars/makerfloss.yml):
traefik_wildcard_sets (anchors the *.mf01 DNS-01 cert), a
traefik_extra_dynamic_files catch-all router → http://10.13.0.8:80, and the
mf01 / *.mf01 A records. You never touch the VPS to add a service.
mf01 is configured once (in host_vars/mf01.yml): internal Traefik
(traefik_acme_enabled: false, traefik_bind_address: 10.13.0.8),
traefik_zone: mf01.makerfloss.eu, and host-wide
container_traefik_overrides: {entrypoints: [web], tls: false, certresolver: ""}.
Add a new service
- Enable a container role on mf01 in
host_vars/mf01.yml, e.g.:
Its router auto-publishes ascontainer_<svc>_enabled: true<container_name>.mf01.makerfloss.eubecausetraefik_zoneismf01.makerfloss.euand the host-widecontainer_traefik_overridesforce the plainwebentrypoint with no TLS. - Deploy (note: the tag is the role's short name, e.g.
whoami, notcontainer-whoami):cd ~/Projects/AnsibleBaobabV4 .venv/bin/ansible-playbook play_containers.yml --limit mf01 -t <svc> - Live at
https://<container_name>.mf01.makerfloss.eu— no DNS, cert, or VPS change (covered by the wildcard cert + catch-all route). Verify:curl -s https://<container_name>.mf01.makerfloss.eu
To use a hostname other than the container's default name, set that service's
hostnames via its own container_traefik_overrides (do not put hostnames
in the host-wide dict — that would force every service to the same name).
Reach / management
- Ansible reaches mf01 at its stable wg IP
10.13.0.8via ProxyJump through the VPS (ansible_host: 10.13.0.8,ProxyJump="sjat@makerfloss.eu:7576"). - Shell:
ssh -J sjat@makerfloss.eu:7576 -p 7576 sjat@10.13.0.8.
Troubleshooting
| Symptom | Check |
|---|---|
https://<svc>.mf01... → 404, valid cert |
Request reached mf01 Traefik but no router matches. Confirm the container is up (docker ps on mf01) and has the traefik.http.routers.<svc>.rule=Host(...) label. |
tls_verify != 0 / cert error |
VPS Traefik isn't serving the *.mf01 cert. Check docker logs traefik on the VPS for ACME (acme: ... mf01), and that /srv/traefik/config/dynamic/mf01-delegate.yml parses (a YAML error there breaks the whole file provider — keep regex rules single-quoted). |
| 502/504 from the VPS | wg1 tunnel down or mf01 Traefik down. Check wg show wg1 on the VPS (mf01 = 10.13.0.8) and the traefik container on mf01. |
| Service restricted access wanted | The internal-only@file middleware lives on the VPS Traefik; a restricted service must be routed VPS-side or use an mf01-side allowlist middleware (future work). |
Known limitation
container_traefik_overrides is host-wide on mf01 (correct for entrypoint/tls,
which are constant). Per-service hostnames must come from each service's own
role override, not the host-wide dict.