traefik: user customization, traefik.toml.j2
- Updates traefik v2.4->v2.5 (I've done an in-place upgrade and it worked with no issues)
- Adds ability to even further customize traefik2 configuration but keeps all the current settings as default
    - parametrize container image using `traefik_image`
    - parametrize templated files with `traefik_template_files{,_custom}` template custom files
    - parametrize container volumes with `traefik_docker_volumes{,_custom}` mount custom volumes to container
    - parametrize entryPoint.web port `traefik_port_http`
    - use `ansible_nas_domain_root` as added in #495 to allow more customization for domain names
    - parametrize domains used to generate certificates using `traefik_domain_san{,_custom}`
- Optionally add `certificatesResolvers.letsencryptTls` that uses TLS to authenticate for domain certificates, useful if you have some domains that aren't using the default `ansible_nas_domain` or `*.ansible_nas_domain` domain

Example for templating:
I'm using this to seed the account-file.json to multiple server that I use as a failover. `acme-dns` uses it to store the "passwords" for domain certs it tries to / issues.
khartahk authored and Primoz Cankar committed Jun 30, 2022
1 parent d0cae2c commit c990a62
Showing 4 changed files with 110 additions and 64 deletions.
20 changes: 19 additions & 1 deletion roles/traefik/defaults/main.yml
Expand Up @@ -9,18 +9,36 @@ traefik_enabled: false
# directories
traefik_data_directory: "{{ docker_home }}/traefik"

# files
traefik_template_files:
- src: traefik.toml.j2
dest: "{{ traefik_data_directory }}/traefik.toml"
force: "Yes"
traefik_template_files_custom: []

# network
traefik_port_http: "80"
traefik_port_https: "443"
traefik_port_ui: "8083"
traefik_trusted_ips: []

traefik_docker_image: traefik:latest
traefik_image: traefik:v2.5
traefik_volumes:
- "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw"
- "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
traefik_volumes_custom: []
traefik_log_level: "INFO"

# find the relevant name and environment variables for your DNS provider at https://go-acme.github.io/lego/dns/
traefik_dns_provider: cloudflare
traefik_environment_variables:
CF_DNS_API_TOKEN: "abcdabcd123412341234"
traefik_letsencrypt_tls: no

traefik_domain_san:
- "*.{{ ansible_nas_domain_root }}"
traefik_domain_san_custom: []

# Ansible-NAS requests a wildcard certificate for your domain, so there should be no reason to have to use the staging
# letsencrypt acme server. If you do want to flip between staging/production, you might need to stop Traefik and clear
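Review bot: `force: "Yes"` in the new `traefik_template_files` entry and `traefik_letsencrypt_tls: no` use YAML 1.1 boolean words where a real boolean is meant; write `force: true` and `traefik_letsencrypt_tls: false`. With the word form, a value supplied as a string (for example via `-e traefik_letsencrypt_tls=no`) stays the string "no", which is truthy in the template's `{% if traefik_letsencrypt_tls %}` unless that test is filtered through `| bool`. The `traefik_volumes` default also mounts `/var/run/docker.sock` with `:ro`, which only makes the socket node read-only; a comment such as `# :ro restricts the socket file, not the Docker API reachable through it` above the list would stop readers from treating it as a sandbox.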
46 changes: 29 additions & 17 deletions roles/traefik/tasks/main.yml
@@ -1,29 +1,41 @@
---
- name: Create Traefik Directories
file:
path: "{{ item }}"
state: directory
mode: "{{ item.mode | default('0750') }}"
path: "{{ item.path }}"
state: "directory"
tags:
- traefik
- traefik:dir
with_items:
- "{{ traefik_data_directory }}"
- "{{ traefik_data_directory }}/letsencrypt"
- path: "{{ traefik_data_directory }}"
mode: "0755"
- path: "{{ traefik_data_directory }}/letsencrypt"
mode: "0700"

- name: Template Traefik config.toml
template:
src: traefik.toml
dest: "{{ traefik_data_directory }}/traefik.toml"
- name: Template Traefik Files
register: template_config
tags:
- traefik
- traefik:template
template:
dest: "{{ item.dest }}"
force: "{{ item.force | default('No') }}"
mode: "{{ item.mode | default('0600') }}"
src: "{{ item.src }}"
with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}"

- name: Traefik Docker Container
docker_container:
name: traefik
image: "{{ traefik_docker_image }}"
pull: true
network_mode: host
volumes:
- "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro"
- "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
env: "{{ traefik_environment_variables }}"
restart_policy: unless-stopped
image: "{{ traefik_image }}"
memory: "{{ traefik_memory }}"
name: traefik
network_mode: host
pull: true
recreate: "{{ template_config is changed }}"
restart_policy: unless-stopped
volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}"
tags:
- traefik
- traefik:docker
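Review bot: The `| sort` in `with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}"` applies only to `traefik_template_files_custom`, because Jinja filters bind tighter than `+`, and sorting a list of mappings raises a TypeError under Python 3 as soon as a user declares two or more custom template files. The same precedence holds for `volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}"`, where string lists at least sort without error. Either drop the filter, `with_items: "{{ traefik_template_files + traefik_template_files_custom }}"`, or parenthesise the sum, `volumes: "{{ (traefik_volumes + traefik_volumes_custom) | sort }}"`. Since `force` defaults to `'No'` in the template task, custom files are rendered once and never refreshed on later runs; that is reasonable for seeded secrets like the `acme-dns` account file the description mentions, but it deserves a comment next to `traefik_template_files_custom` in the defaults.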
46 changes: 0 additions & 46 deletions roles/traefik/templates/traefik.toml

This file was deleted.

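--- /dev/null
+++ b/roles/traefik/templates/traefik.toml.j2
@@ -0,0 +1,62 @@
+[entryPoints]
+[entryPoints.web]
+address = ":{{ traefik_port_http }}"
+
+{% if traefik_trusted_ips %}
+[entryPoints.web.forwardedHeaders]
+trustedIPs = {{ traefik_trusted_ips | to_nice_json(indent=2) | trim | indent(6) }}
+{% endif %}
+[entryPoints.web.http.redirections.entryPoint]
+to = "websecure"
+
+[entryPoints.websecure]
+address = ":{{ traefik_port_https }}"
+
+{% if traefik_trusted_ips %}
+[entryPoints.websecure.forwardedHeaders]
+trustedIPs = {{ traefik_trusted_ips | to_nice_json(indent=2) | trim | indent(6) }}
+{% endif %}
+[entryPoints.websecure.http.tls]
+certResolver = "letsencrypt"
+
+[entryPoints.websecure.http.tls.domains]
+main = "{{ ansible_nas_domain_root }}"
+sans = {{ (traefik_domain_san + traefik_domain_san_custom ) | to_nice_json(indent=2) | trim | indent(10) }}
+
+[entryPoints.traefik]
+address = ":{{ traefik_port_ui }}"
+
+[providers]
+providersThrottleDuration = "2s"
+[providers.docker]
+exposedbydefault = false
+
+[api]
+insecure = true
+dashboard = true
+
+[log]
+level = "{{ traefik_log_level | upper }}"
+
+[ping]
+terminatingStatusCode = 0
+
+[certificatesResolvers]
+[certificatesResolvers.letsencrypt]
+[certificatesResolvers.letsencrypt.acme]
+email = "{{ ansible_nas_email }}"
+storage = "/letsencrypt/acme.json"
+caserver = "{{ traefik_acme_server }}"
+
+[certificatesResolvers.letsencrypt.acme.dnsChallenge]
+provider = "{{ traefik_dns_provider }}"
+
+{% if traefik_letsencrypt_tls %}
+[certificatesResolvers.letsencryptTls]
+[certificatesResolvers.letsencryptTls.acme]
+email = "{{ ansible_nas_email }}"
+storage = "/letsencrypt/acme.json"
+caserver = "https://acme-v02.api.letsencrypt.org/directory"
+
+[certificatesResolvers.letsencryptTls.acme.tlsChallenge]
+{% endif %}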
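Review bot: `[api]` sets `insecure = true` and `dashboard = true`, so the API and dashboard are served without authentication on `entryPoints.traefik` (`:{{ traefik_port_ui }}`), and because the container runs with `network_mode: host` (tasks hunk) that listener is bound on every host interface; this is presumably carried over from the deleted traefik.toml, but the new template is where it should be called out. A comment above `[api]` such as `# insecure = true exposes the API/dashboard unauthenticated on traefik_port_ui; firewall it or front it with an auth middleware` is the minimum, and given the commit's customization theme a variable for the flag would fit. `{% if traefik_letsencrypt_tls %}` should read `{% if traefik_letsencrypt_tls | bool %}` so a string "no" passed from the command line does not enable the resolver. Both resolvers point `storage` at the same `/letsencrypt/acme.json`; I am not certain Traefik keeps two resolvers' stores separate in one file, so it is worth verifying that `letsencryptTls` does not overwrite the `letsencrypt` certificates.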
