Questions about access restriction and configuration preservation.

[MrEddX]

First of all, great project!
Тhanks for sharing your work and knowledge.

The questions I have:

• Is there any way to restrict access to some/all of the installed services by IP address or country?

For example: I want to make Healthchecks and Uptime Kuma available from one country, while WG Easy accessible from two IP addresses. Suppose I would have to add additional lines in /mash/<service>/labels file. And if it is true, then here comes the second question:

• How can I make this custom configuration persistent on subsequent Ansible playbook runs?

Thanks.

[moan0s]

So AFAIK no such thing has been discussed yet.

Traefik supports IP whitelisting so for WG Easy you should be able to do something like

wg_easy_container_labels_additional_labels: |
  traefik.http.middlewares.wg-easy.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7

This will persistent between runs. Denylists seem more difficult but you could check out this answer on stackoverflow

[spantaleev]

This label merely defines a middleware.

To actually use it, it needs to be added to the middlewares list for the service. Not all roles define variables for doing this, so you may be out of luck until something is done about it.

[MrEddX]

I made the changes suggested by @moan0s in inventory/host_vars/<domain>/vars.yml, which are successfully reflected in the file /mash/<service>/labels on the remote server, but unfortunately this label does not lead to to the desired result, just as @spantaleev suggested.

Thank you both for your time.