authorElizabeth Hunt <me@liz.coffee>2025-03-16 21:23:16 -0700
committerElizabeth Hunt <me@liz.coffee>2025-03-16 21:23:16 -0700
commit654694f9276cd9c30a7f2690f9336cf63a0172ef (patch)
tree12e4e8ec000478c982152e56d327afdef26a3b6a /playbooks/roles/traefik
parentfb7e6890d8516618fa3baec0edf84048e2b6601d (diff)
downloadinfra-654694f9276cd9c30a7f2690f9336cf63a0172ef.tar.gz
infra-654694f9276cd9c30a7f2690f9336cf63a0172ef.zip
a good starting point for traefik
Diffstat (limited to 'playbooks/roles/traefik')
-rw-r--r--playbooks/roles/traefik/tasks/main.yml19
-rw-r--r--playbooks/roles/traefik/templates/stacks/docker-compose.yml39
-rw-r--r--playbooks/roles/traefik/templates/stacks/traefik.yml35
-rw-r--r--playbooks/roles/traefik/templates/volumes/certs/.gitkeep0
4 files changed, 93 insertions, 0 deletions
diff --git a/playbooks/roles/traefik/tasks/main.yml b/playbooks/roles/traefik/tasks/main.yml
new file mode 100644
index 0000000..c365f55
--- /dev/null
+++ b/playbooks/roles/traefik/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Build traefik compose dirs
+ ansible.builtin.file:
+ state: directory
+ dest: '{{ traefik_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'directory'
+
+- name: Build traefik compose files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ traefik_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'file'
+
+- name: Deploy Traefik stack
+ ansible.builtin.command:
+ cmd: "docker stack deploy -c {{ traefik_base }}/stacks/docker-compose.yml traefik"
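Review bot: The `Build traefik compose files` task renders its templates without a `mode`, and one of them (stacks/docker-compose.yml) carries `CF_DNS_API_TOKEN` in clear text, so the file's permissions are left to the connecting user's umask. I would add `mode: '0600'` to the `ansible.builtin.template` task and `mode: '0700'` to the `ansible.builtin.file` task above it, after confirming that the container can still read the bind-mounted files with those modes. Separately, the `Deploy Traefik stack` command has no `changed_when`, so it reports a change on every run; registering the result and deriving `changed_when` from its output would keep run reports meaningful.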
diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..4504af9
--- /dev/null
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
@@ -0,0 +1,39 @@
+version: '3.8'
+services:
+ traefik:
+ image: traefik:v3
+ ports:
+ - 80:80
+ - 443:443
+ environment:
+ - TZ={{ timezone }}
+ - CF_API_EMAIL={{ cloudflare_email }}
+ - CF_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - {{ traefik_base }}/stacks/traefik.yml:/traefik.yml
+ - {{ traefik_base }}/volumes/certs:/certs
+ networks:
+ - proxy
+ deploy:
+ mode: global
+ placement:
+ constraints: [node.role == manager]
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.dashboard.rule=Host(`traefik.{{ traefik_domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard/`))
+ - traefik.http.routers.dashboard.service=api@internal
+ - traefik.http.routers.dashboard.tls=true
+ - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
+ - traefik.http.routers.ping.rule=Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+ - traefik.http.routers.ping.service=ping@internal
+ - traefik.http.routers.ping.tls=true
+ - traefik.http.routers.ping.tls.certresolver=letsencrypt
+ - traefik.http.services.dashboard.loadbalancer.server.port=8080
+ - traefik.http.services.ping.loadbalancer.server.port=8080
+
+networks:
+ proxy:
+ name: proxy
+ driver: overlay
+ attachable: true
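Review bot: The `dashboard` router labels publish `api@internal` on `traefik.{{ traefik_domain }}` over port 443 with no middleware attached, so anyone who can reach that host can read the full routing configuration. Attach an authentication or source-address middleware, for example `traefik.http.routers.dashboard.middlewares=dashboard-auth` plus `traefik.http.middlewares.dashboard-auth.basicauth.users={{ traefik_dashboard_users }}` (placeholder variable, not defined in this commit; each `$` in the hash must be written `$$` in a compose file). `CF_DNS_API_TOKEN` under `environment:` is readable through `docker service inspect`; a Docker secret read through `CF_DNS_API_TOKEN_FILE` would keep it out of the service spec. The `:ro` flag on `/var/run/docker.sock` does not limit what the Docker API accepts over the socket, so this internet-facing container still holds manager-level control of the swarm; a filtering socket proxy in front of it would narrow that.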
diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml
new file mode 100644
index 0000000..a80c261
--- /dev/null
+++ b/playbooks/roles/traefik/templates/stacks/traefik.yml
@@ -0,0 +1,35 @@
+ping: {}
+accessLog: {}
+log:
+ level: DEBUG
+api:
+ dashboard: true
+ insecure: true
+ debug: false
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ":443"
+serversTransport:
+ insecureSkipVerify: true
+providers:
+ swarm:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ network: proxy
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: {{ certs_email }}
+ storage: /certs/acme.json
+ caServer: https://acme-v02.api.letsencrypt.org/directory
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+ dnsChallenge:
+ provider: cloudflare
+ delayBeforeCheck: 10
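Review bot: `api.insecure: true` serves the dashboard and API without authentication on Traefik's internal entry point (port 8080), which other containers attached to the attachable `proxy` overlay can presumably reach. The compose labels already route `api@internal` through `websecure`, so `insecure: false` looks sufficient, though the `ping` routing should be re-checked after the change. `serversTransport.insecureSkipVerify: true` turns off certificate verification for every HTTPS backend, so Traefik cannot tell a real backend from one impersonating it; drop it, or scope it to the one service that needs it. `log.level: DEBUG` is worth lowering to `INFO` before this serves real traffic. Because this file is a Jinja template, `email: '{{ certs_email }}'` is safer than the unquoted form, so that an empty or unusual value does not change the YAML type.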
diff --git a/playbooks/roles/traefik/templates/volumes/certs/.gitkeep b/playbooks/roles/traefik/templates/volumes/certs/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/certs/.gitkeep