initial commit, here be dragons

This commit is contained in:
2021-04-04 18:45:11 +02:00
commit 58137668b7
39 changed files with 1237 additions and 0 deletions


@ -0,0 +1,8 @@
/srv/traefik/logs/access.log
/srv/traefik/logs/traefik.log
{
rotate 12
monthly
compress
missingok
}
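Review bot: The access log is rotated by rename without telling Traefik to reopen it: this stanza has neither `copytruncate` nor a `postrotate` hook, so after the first monthly rotation the running process keeps writing to the renamed file and `/srv/traefik/logs/access.log` stays empty. The smallest fix inside this file is to add `copytruncate` (accepting that a few lines in flight may be lost); the cleaner one is a `postrotate` block that sends the Traefik container `USR1`, which Traefik documents as "close and reopen log files". A comment is also due on `traefik.log`: the static config in this commit sets no `log.filePath`, so that file is never written and only `missingok` keeps logrotate quiet about it.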


@ -0,0 +1,128 @@
---
# Traefik static config options
# Only loaded on startup!
global:
sendAnonymousUsage: false
#serversTransport:
# insecureSkipVerify: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
providers:
file:
filename: "/etc/traefik/traefik.yml"
docker:
watch: true
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: traefik
api:
dashboard: true
metrics:
prometheus: { }
ping: { }
log:
level: WARN
accessLog:
filePath: "/data/logs/access.log"
bufferingSize: 128
certificatesResolvers:
letsencrypt:
acme:
email: "changeme@chaospott.de"
caServer: "https://acme-v02.api.letsencrypt.org/directory"
storage: "/data/acme.json"
keyType: "EC384"
#httpChallenge:
# entryPoint: web
dnsChallenge:
provider: inwx # more available at: https://doc.traefik.io/traefik/https/acme/#providers
# Checked by traefik before issuing LE, need to be public DNS server!
# Quad9
resolvers: [ "9.9.9.9", "2620:fe::fe" ]
letsencrypt-staging: # this is for testing new services
acme:
email: "changeme@chaospott.de"
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
storage: "/data/acme-staging.json"
keyType: "EC384"
#httpChallenge:
# entryPoint: web
dnsChallenge:
provider: inwx
# Checked by traefik before issuing LE, need to be public DNS server!
# Quad9
resolvers: [ "9.9.9.9", "2620:fe::fe" ]
###
# Traefik dynamic configuration options
# File is live-reloaded.
# Not all dynamic options can be set via labels. This is why some general, dynamic
# traefik options are configured here instead on labels.
# See also: https://github.com/traefik/traefik/issues/5507
tls:
options:
default:
sniStrict: true
# # Forced TLS v1.3 still causes issues like renovate failing to check our repos
# minVersion: "VersionTLS13"
# # TLS v1.2 Alternative config for more compatibility
minVersion: "VersionTLS12"
cipherSuites:
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
# global HTTP config
http:
routers:
api:
rule: "Host(`traefik.chaospott.de`)"
service: api@internal
middlewares: [ "dashboard-auth" ]
tls:
certResolver: "letsencrypt"
# generate cert for main domain and wildcard (requires DNS-01)
domains:
- main: "chaospott.de"
- main: "*.chaospott.de"
middlewares:
redirect-to-https:
redirectScheme:
scheme: "https"
hsts-header:
headers:
# HSTSPreload is an initiative that forces browsers to only access a website
# via HTTPS. This implies some requirements. https://hstspreload.org/
customResponseHeaders:
frameDeny: true # forbid embedding into frames
sslRedirect: true
stsSeconds: 3600 # Must be at least 31536000 (1-year) for HSTSPreload
stsPreload: true # HSTSPreload requirement
stsIncludeSubdomains: true # HSTSPreload requirement
browserXssFilter: true
dashboard-auth:
basicauth:
users: "admin:htpasswd-generated-password"
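Review bot: `dashboard-auth.basicauth.users` on the last line holds a literal placeholder, and because the tasks deploy this file with `ansible.builtin.copy` rather than `template`, the real htpasswd entry has to be edited into the committed file to go live — the opposite of how the compose template pulls `INWX_*` from `vault.traefik`. Deploying `traefik.yml` as a template and writing e.g. `users: "{{ vault.traefik.dashboard_users }}"` (vault key name is a constructed example) keeps the hash out of VCS; note that Traefik's basicAuth verifies hashed entries, so a plaintext `admin:password` pair would not even authenticate. Separately, the `hsts-header` middleware is not attached to any router in this file, and `stsSeconds: 3600` contradicts its own `stsPreload: true` comment (preload needs at least 31536000). Indentation is lost in this rendering, but if `frameDeny`/`sslRedirect`/`sts*`/`browserXssFilter` are nested under `customResponseHeaders` they would be emitted as literal response-header names instead of acting as `headers` middleware options — please check the nesting in the source file.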


@ -0,0 +1,14 @@
---
- name: "Stop {{ docker_compose.project_name }}"
community.general.docker_compose:
project_name: "{{ docker_compose.project_name }}"
project_src: "{{ docker_compose.path }}"
files: "{{ docker_compose.file }}"
state: absent
- name: "Start {{ docker_compose.project_name }}"
community.general.docker_compose:
project_name: "{{ docker_compose.project_name }}"
project_src: "{{ docker_compose.path }}"
files: "{{ docker_compose.file }}"
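Review bot: Both handlers are always notified together, so every change to traefik.yml or the compose file tears the project down with `state: absent` and recreates it; that may be intended, but it is undocumented and a reader will ask why a single handler with `restarted: true` (no down/up gap on :80/:443) was not used. If the full teardown is deliberate — as far as I can tell a plain restart would not recreate a container whose compose definition (env, image) changed — add a comment above the first handler such as `# down/up rather than restarted: picks up compose changes that a plain restart would not`. Also, `files:` is a list parameter and is handed a single string here and in the Start handler; Ansible coerces it, but `files: ["{{ docker_compose.file }}"]` states the intent.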


@ -0,0 +1,26 @@
---
- name: Create service directory if needed
ansible.builtin.file: { path: "/opt/service/{{ docker_compose.project_name }}", state: directory, mode: '0700' }
- name: create traefik network
community.general.docker_network:
name: "traefik"
- name: Copy config file
ansible.builtin.copy: { src: "traefik.yml", dest: "{{ docker_compose.path }}/traefik.yml" }
notify: [ "Stop {{ docker_compose.project_name }}", "Start {{ docker_compose.project_name }}" ]
- name: Copy logrotate traefik config
ansible.builtin.copy: { src: "traefik", dest: "/etc/logrotate.d/" }
- name: Copy docker compose files
ansible.builtin.template:
src: "{{ docker_compose.file }}.j2"
dest: "{{ docker_compose.path }}/{{ docker_compose.file }}"
mode: "u=rw,go-rwx"
validate: docker-compose -f %s config
notify: [ "Stop {{ docker_compose.project_name }}", "Start {{ docker_compose.project_name }}" ]
- name: Flush handlers
ansible.builtin.meta: flush_handlers
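Review bot: The `Copy config file` task writes `traefik.yml` — the file that will carry the dashboard basicauth credential — without a `mode:`, so it lands with the default (typically 0644), while the sibling compose template is explicitly `u=rw,go-rwx`; add `mode: "0600"` to match (the 0700 on the service directory helps but is not a substitute for tightening the file itself). Nothing in this play creates `/srv/{{ docker_compose.project_name }}/logs`, which the static config's `accessLog.filePath: /data/logs/access.log` resolves to through the compose volume; unless Traefik creates that directory itself (I believe it only creates the file, please verify), the access log will fail to open on first start, so a `state: directory` task for it next to the `/opt/service/...` one would be safer. Stylistically, the flow-style `{ path: ..., state: ..., mode: ... }` task arguments are the one place in this commit that departs from block style, and `create traefik network` is the only lowercase task name.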


@ -0,0 +1,24 @@
---
version: '3'
services:
traefik:
image: traefik:v2.4.8
restart: unless-stopped
ports:
- "80:80" # HTTP
- "443:443" # HTTPS
environment:
- INWX_USERNAME={{ vault.traefik.inwx.username | mandatory }}
- INWX_PASSWORD={{ vault.traefik.inwx.password | mandatory }}
- INWX_POLLING_INTERVAL=60
- INWX_PROPAGATION_TIMEOUT=3600 # 1h to make sure DNS-01 works
volumes:
- /srv/{{ docker_compose.project_name }}/:/data/
- ./traefik.yml:/etc/traefik/traefik.yml
- /var/run/docker.sock:/var/run/docker.sock:ro
networks: [ traefik ]
networks:
traefik:
external: true
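Review bot: The `:ro` on the `/var/run/docker.sock` bind mount only makes the socket inode read-only; connections and API calls over it are unaffected, so the Traefik container keeps full control of the Docker daemon and a compromise of Traefik (which terminates TLS for everything behind it) is effectively root on the host. If that is accepted for now, say so on the line itself, e.g. `- /var/run/docker.sock:/var/run/docker.sock:ro  # :ro does NOT restrict the API`, and consider fronting the socket with a filtering proxy that exposes only the read-only endpoints Traefik needs, with `providers.docker.endpoint` pointed at it. Minor: `INWX_PASSWORD` passed through `environment:` is readable via `docker inspect` by anyone with socket access, which is the same audience as above.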


@ -0,0 +1,4 @@
docker_compose:
path: "/opt/service/traefik"
file: "docker-compose.yml"
project_name: "traefik"
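Review bot: This vars file is the only YAML document in the commit without the leading `---` that traefik.yml, the tasks and the handlers all start with; add `---` as the first line for consistency. The three values are referenced verbatim from both the tasks and the handlers, so a one-line comment naming their consumers helps the next reader, e.g. `# Shared by the docker_compose tasks and handlers of this role`.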