From 696586279901d5b43460abd2f16cb0c0929ba704 Mon Sep 17 00:00:00 2001
From: David Thurstenson
Date: Fri, 11 Nov 2022 00:57:09 -0600
Subject: [PATCH] Added traefik role

---
 roles/traefik/defaults/main.yml | 13 ++++++
 roles/traefik/tasks/main.yml | 71 +++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 roles/traefik/defaults/main.yml
 create mode 100644 roles/traefik/tasks/main.yml

diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
new file mode 100644
index 0000000..5fbcb0b
--- /dev/null
+++ b/roles/traefik/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+
+image_name: docker.io/traefik
+image_tag: latest
+
+docker_sock_path: # TODO: figure out how to determine this
+
+letsencrypt_email: thurstylark@gmail.com
+
+traefik_config_dir:
+traefik_certs_dir:
+
+traefik_dashboard_host:
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
new file mode 100644
index 0000000..dae5ad0
--- /dev/null
+++ b/roles/traefik/tasks/main.yml
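Review bot: The bare values `docker_sock_path:`, `traefik_config_dir:`, `traefik_certs_dir:` and `traefik_dashboard_host:` parse as null rather than empty strings, and the tasks file interpolates them straight into volume mounts and the dashboard Host() rule, so a forgotten override most likely yields a mount such as `None:/var/run/docker.sock:ro` instead of a clear failure. Either leave these keys out of defaults so Ansible reports an undefined variable, or keep explicit placeholders such as `docker_sock_path: ""  # required: set per host (for a user-scoped podman.service this is typically $XDG_RUNTIME_DIR/podman/podman.sock)` and validate them with an assert before the container task. `image_tag: latest` is a mutable tag for the component that terminates TLS and holds the socket mount; pin a specific release (e.g. `image_tag: "<PINNED_TRAEFIK_VERSION>"`) so upgrades are deliberate and reproducible. `letsencrypt_email` ships a personal address as the role default; leaving it undefined, or documenting it as a required variable, avoids certificates being registered under the author's account when a consumer forgets to override it.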
@@ -0,0 +1,71 @@
+---
+
+- name: Ensure podman extras are installed
+ pacman:
+ name:
+ - podman-docker
+ - podman-dnsname
+ state: present
+ become: true
+ become_method: sudo
+
+# TODO: This is going to be problematic unless I can figure out a way to
+# get the calling user's dbus session up...
+# Ref: https://wiki.archlinux.org/title/Podman#Docker_Compose
+- name: Start podman service
+ systemd:
+ scope: user
+ name: podman.service
+ state: started
+ enabled: yes
+
+- name: Pull traefik container image
+ podman_image:
+ name: {{ image_name }}
+ tag: {{ image_tag }}
+ pull: yes
+ state: present
+
+- name: Set up podman network for traefik-public
+ podman_network:
+ name: traefik-public
+
+- name: Create and start traefik container
+ podman_container:
+ name: traefik
+ hostname: traefik
+ image: "{{ image_name }}:{{ image_tag }}"
+ state: started
+ restart_policy: always
+ network: traefik-public
+ command:
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.websecure.address=:433"
+ - "--providers.docker"
+ - "--providers.docker.exposedByDefault=false"
+ - "--api"
+ - "--certificatesresolvers.le.acme.email={{ letsencrypt_email }}"
+ - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesrecolvers.le.acme.tlschallenge=true"
+ - "--accesslog=true"
+ publish:
+ - 80:80
+ - 443:443
+ volumes:
+ - "{{ docker_sock_path }}:/var/run/docker.sock:ro"
+ - "{{ traefik_config_dir }}:/etc/traefik"
+ - "{{ traefik_certs_dir }}:/letsencrypt"
+ label:
+ - "traefik.enable=true"
+ # Enable dashboard
+ - "traefik.http.routers.traefik.rule=Host({{ traefik_dashboard_host }})"
+ - "traefik.http.routers.traefik.service=api@internal"
+ # Use TLS
+ - "traefik.http.routers.traefik.tls=true"
+ # Set up LetsEncrypt for automatic cert generation
+ - "traefik.http.routers.traefik.tls.certresolver=le"
+ - "traefik.http.routers.traefik.entrypoints=websecure"
+ # Set up global redirect to https
+ - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.*)"
+ - "traefik.http.routers.http-catchall.entrypoints=web"
+ - "traefik.http.routers.http-catchall-middlewares=redirect-to-https"
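Review bot: `name: {{ image_name }}` and `tag: {{ image_tag }}` in the podman_image task are unquoted, so YAML reads the leading `{{` as a flow mapping and the play fails to parse; they must be `name: "{{ image_name }}"` and `tag: "{{ image_tag }}"`. In the container task `--entrypoints.websecure.address=:433` listens on 433 while `443:443` is published, `certificatesrecolvers` is misspelled so the TLS challenge is never configured, and the unquoted `80:80`/`443:443` are sexagesimal integers to a YAML 1.1 loader, so the typos need fixing and the port mappings quoting. The HTTPS redirect cannot work as written either: the `Host(...)` and `hostregexp(...)` rules lack Traefik's backtick-quoted argument syntax and the closing `}`, the label key `http-catchall-middlewares` should be `http-catchall.middlewares`, and the `redirect-to-https` middleware is never defined. From a hardening view, `--api` serves the dashboard and `api@internal` on `traefik_dashboard_host` with no authentication middleware on the `traefik` router, and the `:ro` flag on the socket mount only prevents writes to the socket file, not API calls through it, so the container still holds full control of the host's container engine; add an auth middleware and consider a filtering socket proxy. Stylistically, `enabled: yes`/`pull: yes` should be `true`, and the modules should use FQCNs (`community.general.pacman`, `ansible.builtin.systemd`, `containers.podman.podman_image`, `containers.podman.podman_network`, `containers.podman.podman_container`).
```yaml
- name: Pull traefik container image
  podman_image:
    name: "{{ image_name }}"
    tag: "{{ image_tag }}"
    pull: true
    state: present

# … unchanged: podman_network task; container name/hostname/image/state/restart_policy/network …
    command:
      # … unchanged: web entrypoint, providers.docker, --api, acme email/storage …
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--accesslog=true"
    publish:
      - "80:80"
      - "443:443"
    # … unchanged: volumes …
    label:
      # … unchanged: traefik.enable, dashboard service/tls/certresolver/entrypoints …
      - "traefik.http.routers.traefik.rule=Host(`{{ traefik_dashboard_host }}`)"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.*}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
```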