infra/roles/traefik/tasks/main.yml
Jeremie Fraeys 2ce1af3b1e
Update Traefik reverse proxy configuration
- Enhance home-docker-compose.yml template with improved networking
- Update deployment tasks for better label handling
- Improve TLS certificate verification flow
2026-02-21 18:31:25 -05:00


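---
# Traefik reverse proxy: render the Compose file and the file-provider dynamic
# configuration, make sure the ACME storage and the `proxy` network exist, then
# bring the stack up with `docker compose`.
#
# Variables read by this task list (defined elsewhere in the play/inventory):
#   traefik_certresolver, auth_hostname, app_hostname, grafana_hostname,
#   forgejo_hostname, prometheus_hostname, web_apps_scheme, web_apps_port,
#   hostvars['web'].public_ipv4, and optionally use_temp_dir (defaults to false;
#   true deploys into a throw-away temp directory for testing).
#   CF_DNS_API_TOKEN may be given as a play variable or as an environment
#   variable on the controller.

# The token is an ACME DNS-01 credential; no_log keeps it out of the task
# result, callback output and any retained play logs.
- name: Read Cloudflare DNS API token
  set_fact:
    traefik_cloudflare_dns_api_token: >-
      {{ CF_DNS_API_TOKEN | default(lookup('env', 'CF_DNS_API_TOKEN')) }}
  no_log: true

# Fail before touching the host: an empty token means DNS-01 issuance cannot work.
- name: Fail if Cloudflare DNS API token is missing
  fail:
    msg: "CF_DNS_API_TOKEN is required for Traefik DNS-01"
  when: traefik_cloudflare_dns_api_token | length == 0

- name: Create permanent directory for Traefik Docker Compose
  file:
    path: /opt/traefik
    state: directory
  when: not (use_temp_dir | default(false))

- name: Create temporary directory for Traefik Docker Compose (for testing)
  tempfile:
    state: directory
    suffix: traefik
  register: traefik_tempdir
  when: use_temp_dir | default(false)

# Must run after the tempfile task: traefik_tempdir.path only exists once that
# task has actually created the directory. use_temp_dir is defaulted here so an
# undefined variable does not abort the play.
- name: Determine Traefik directory
  set_fact:
    traefik_dir: >-
      {{ traefik_tempdir.path if use_temp_dir | default(false) else '/opt/traefik' }}

# NOTE(review): the rendered Compose file presumably carries the DNS API token
# (it is the only place the fact above can reach the container); the restricted
# mode keeps it readable only by the user running `docker compose` — confirm
# against the template.
- name: Copy Docker Compose file for Traefik
  template:
    src: home-docker-compose.yml.j2
    dest: "{{ traefik_dir }}/docker-compose.yml"
    mode: "0600"

- name: Create Traefik subdirectories
  file:
    path: "{{ traefik_dir }}/{{ item }}"
    state: directory
  loop:
    - letsencrypt
    - dynamic

# `state: file` does not create a missing path (the module fails instead), so a
# first run on a fresh host would stop here. `touch` creates it, and preserving
# the timestamps keeps the task idempotent on later runs. acme.json holds the
# account and certificate private keys, hence owner-only permissions.
- name: Ensure ACME storage file exists
  file:
    path: "{{ traefik_dir }}/letsencrypt/acme.json"
    state: touch
    mode: "0600"
    modification_time: preserve
    access_time: preserve

# Static routing for the file provider. Only the prometheus router is behind the
# Authelia forwardAuth middleware; app, grafana and forgejo presumably rely on
# their own login — confirm that is intended.
# NOTE(review): trustForwardHeader: true forwards client-supplied X-Forwarded-*
# headers to Authelia; this is only safe when Traefik is the first hop or the
# entryPoint's forwardedHeaders.trustedIPs is restricted — confirm the topology.
# The webapps backend is reached at hostvars['web'].public_ipv4 over
# web_apps_scheme; if that scheme is http the hop is cleartext.
- name: Copy base dynamic configuration
  copy:
    dest: "{{ traefik_dir }}/dynamic/base.yml"
    content: |
      http:
        routers:
          authelia:
            rule: "Host(`{{ auth_hostname }}`)"
            entryPoints:
              - websecure
            tls:
              certResolver: "{{ traefik_certresolver }}"
            service: authelia
            middlewares:
              - security-headers
              - compress
          app:
            rule: "Host(`{{ app_hostname }}`)"
            entryPoints:
              - websecure
            tls:
              certResolver: "{{ traefik_certresolver }}"
            service: webapps
            middlewares:
              - security-headers
              - compress
          grafana:
            rule: "Host(`{{ grafana_hostname }}`)"
            entryPoints:
              - websecure
            tls:
              certResolver: "{{ traefik_certresolver }}"
            service: grafana
            middlewares:
              - security-headers
              - compress
          forgejo:
            rule: "Host(`{{ forgejo_hostname }}`)"
            entryPoints:
              - websecure
            tls:
              certResolver: "{{ traefik_certresolver }}"
            service: forgejo
            middlewares:
              - security-headers
              - compress
              - rate-limit
          prometheus:
            rule: "Host(`{{ prometheus_hostname }}`)"
            entryPoints:
              - websecure
            tls:
              certResolver: "{{ traefik_certresolver }}"
            service: prometheus
            middlewares:
              - security-headers
              - compress
              - authelia
        services:
          authelia:
            loadBalancer:
              servers:
                - url: "http://authelia:9091"
          webapps:
            loadBalancer:
              servers:
                - url: "{{ web_apps_scheme }}://{{ hostvars['web'].public_ipv4 }}:{{ web_apps_port }}"
          grafana:
            loadBalancer:
              servers:
                - url: "http://grafana:3000"
          forgejo:
            loadBalancer:
              servers:
                - url: "http://forgejo:3000"
          prometheus:
            loadBalancer:
              servers:
                - url: "http://prometheus:9090"
        middlewares:
          security-headers:
            headers:
              frameDeny: true
              contentTypeNosniff: true
              browserXssFilter: true
              referrerPolicy: "no-referrer"
          compress:
            compress: {}
          rate-limit:
            rateLimit:
              average: 100
              burst: 50
              period: 1m
          authelia:
            forwardAuth:
              address: "http://authelia:9091/api/verify?rd=https://{{ auth_hostname }}/"
              trustForwardHeader: true
              authResponseHeaders:
                - Remote-User
                - Remote-Groups
                - Remote-Email
                - Remote-Name

# Probe only; a non-zero rc means the network is absent (or docker is unusable,
# which the create task below then reports with a clearer error).
- name: Ensure proxy network exists
  command: docker network inspect proxy
  register: proxy_network
  changed_when: false
  failed_when: false

- name: Create proxy network if missing
  command: docker network create proxy
  when: proxy_network.rc != 0

# `command` cannot tell whether compose actually (re)created anything, so this
# task always reports changed.
- name: Deploy Traefik container
  command: docker compose up -d
  args:
    chdir: "{{ traefik_dir }}"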