server_init/resources/pangolin/dynamic_config.yml.j2

http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # --- Pangolin dashboard ---
    main-app-router-redirect:
      rule: "Host(`{{ pangolin_domain }}`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
        - badger

    next-router:
      rule: "Host(`{{ pangolin_domain }}`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    api-router:
      rule: "Host(`{{ pangolin_domain }}`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    ws-router:
      rule: "Host(`{{ pangolin_domain }}`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt

    # --- Forgejo (public, no auth) ---
    forgejo-redirect:
      rule: "Host(`{{ forgejo_domain }}`)"
      service: forgejo-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    forgejo-router:
      rule: "Host(`{{ forgejo_domain }}`)"
      service: forgejo-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"

    forgejo-service:
      loadBalancer:
        servers:
          - url: "http://forgejo:3001"

tcp:
  serversTransports:
    pp-transport-v1:
      proxyProtocol:
        version: 1
    pp-transport-v2:
      proxyProtocol:
        version: 2
Initial server init setup with Ansible playbook Automated server provisioning with Pangolin reverse proxy, Forgejo git server with SSH passthrough, and OpenCode dev environment. Includes server hardening (UFW, fail2ban, SSH lockdown), Docker, Rust, Python/uv, and unattended security upgrades. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-28 10:34:20 +00:00			`http:`
			`middlewares:`
			`badger:`
			`plugin:`
			`badger:`
			`disableForwardAuth: true`
			`redirect-to-https:`
			`redirectScheme:`
			`scheme: https`

			`routers:`
			`# --- Pangolin dashboard ---`
			`main-app-router-redirect:`
			rule: "Host(`{{ pangolin_domain }}`)"
			`service: next-service`
			`entryPoints:`
			`- web`
			`middlewares:`
			`- redirect-to-https`
			`- badger`

			`next-router:`
			rule: "Host(`{{ pangolin_domain }}`) && !PathPrefix(`/api/v1`)"
			`service: next-service`
			`entryPoints:`
			`- websecure`
			`middlewares:`
			`- badger`
			`tls:`
			`certResolver: letsencrypt`

			`api-router:`
			rule: "Host(`{{ pangolin_domain }}`) && PathPrefix(`/api/v1`)"
			`service: api-service`
			`entryPoints:`
			`- websecure`
			`middlewares:`
			`- badger`
			`tls:`
			`certResolver: letsencrypt`

			`ws-router:`
			rule: "Host(`{{ pangolin_domain }}`)"
			`service: api-service`
			`entryPoints:`
			`- websecure`
			`middlewares:`
			`- badger`
			`tls:`
			`certResolver: letsencrypt`

			`# --- Forgejo (public, no auth) ---`
			`forgejo-redirect:`
			rule: "Host(`{{ forgejo_domain }}`)"
			`service: forgejo-service`
			`entryPoints:`
			`- web`
			`middlewares:`
			`- redirect-to-https`

			`forgejo-router:`
			rule: "Host(`{{ forgejo_domain }}`)"
			`service: forgejo-service`
			`entryPoints:`
			`- websecure`
			`tls:`
			`certResolver: letsencrypt`

			`services:`
			`next-service:`
			`loadBalancer:`
			`servers:`
			`- url: "http://pangolin:3002"`

			`api-service:`
			`loadBalancer:`
			`servers:`
			`- url: "http://pangolin:3000"`

			`forgejo-service:`
			`loadBalancer:`
			`servers:`
			`- url: "http://forgejo:3001"`

			`tcp:`
			`serversTransports:`
			`pp-transport-v1:`
			`proxyProtocol:`
			`version: 1`
			`pp-transport-v2:`
			`proxyProtocol:`
			`version: 2`