From 274d8736cbf6817567433409b332695ccdfba794 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 11 Sep 2020 23:16:02 -0400
Subject: [PATCH] Set local only access for Prometheus and Traefik

---
 roles/prometheus/defaults/main.yml | 1 +
 roles/prometheus/tasks/main.yml | 3 +++
 roles/traefik/tasks/main.yml | 3 ++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
index a5776dd..74508bb 100644
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
@@ -2,3 +2,4 @@ prom_name: prometheus
 grafana_name: grafana
 prom_root: "/opt/{{ prom_name }}"
 grafana_root: "/opt/{{ prom_name }}/grafana"
+traefik_localonly: "192.168.1.0/24"
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index de06ce4..f19fead 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -44,6 +44,9 @@
 labels:
 traefik.http.routers.prometheus.rule: "Host(`{{ prom_domain }}`)"
 traefik.http.routers.prometheus.entrypoints: websecure
+ traefik.http.routers.prometheus.middlewares: "securehttps@file,localonly"
+ traefik.http.routers.prometheus.tls.certresolver: letsencrypt
+ traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
 traefik.docker.network: traefik
 traefik.enable: "true"
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index a71883e..67e04d1 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
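Review bot: `traefik_localonly` is declared here in the prometheus role's defaults but is consumed by the traefik role (the label added in roles/traefik/tasks/main.yml, the third hunk), so a play that applies the traefik role without the prometheus role renders `{{ traefik_localonly }}` as an undefined variable and fails. Move or duplicate the default into roles/traefik/defaults/main.yml, the role the name belongs to, and let the prometheus role read it from there. The value `192.168.1.0/24` is a site-specific LAN and, as a role default, becomes the allow-list on every host that does not override it; a comment above it such as `# CIDR(s) permitted to reach the Traefik dashboard and Prometheus; set per site` would make that explicit.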
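Review bot: The `localonly` middleware is defined here on the prometheus container and again, under the same name, on the traefik container in roles/traefik/tasks/main.yml (the third hunk); Traefik's docker provider accepts identical duplicate definitions but, as far as I recall, drops the middleware with an error once the two copies diverge, so the allow-list would silently vanish from both routers after an edit to one of them. Defining it once in the file provider next to `securehttps@file` and referencing it as `localonly@file` from both routers removes that coupling. Separately, `ipwhitelist.sourcerange` is compared against the peer address Traefik sees on the connection; if requests arrive through another proxy or through Docker's userland port proxy, that address can be a gateway or bridge address outside the range, so confirm in the access log that local clients are admitted and remote ones refused before relying on it. The task that owns these labels begins above this hunk.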
@@ -35,8 +35,9 @@
 labels:
 traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
 traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+ traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
 traefik.http.routers.traefik.tls.certresolver: letsencrypt
- traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker"
+ traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
 traefik.http.routers.traefik.service: "api@internal"
 traefik.http.routers.traefik.entrypoints: websecure
 traefik.http.routers.traefik.tls: "true"
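Review bot: The new chain `securehttps@file,auth@docker,localonly` evaluates the IP allow-list after basic auth, since Traefik applies middlewares in the order they are listed, so a non-local client is still offered the credential challenge (and can attempt it) before being rejected on source address. Placing the allow-list ahead of auth, `traefik.http.routers.traefik.middlewares: "securehttps@file,localonly@docker,auth@docker"`, rejects out-of-range sources before any auth exchange and also names the provider explicitly, consistent with `auth@docker` on the same line. The task that owns these labels begins above this hunk.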