# Ansible role for Traefik

Ansible role for a traefik installation without docker.

## Requirements

- An e-mail address when using letsencrypt

## Role Variables
Variable Name | Function | Default value | Comment |
---|---|---|---|
`traefik_user` | User created for running the traefik service | `traefik` | |
`traefik_group` | Group for the user created for the traefik service | `{{ traefik_user }}` | |
`traefik_version` | Version of traefik that is going to be installed | `v2.3.6` | |
`traefik_source` | Source of the traefik installation package | `https://github.com/containous/traefik/releases/download/{{ traefik_version }}/traefik_{{ traefik_version }}_linux_amd64.tar.gz` | |
`traefik_systemd_service_name` | The name of the systemd service file | `traefik` | |
`traefik_base_path` | Installation base path | `/opt/traefik` | Without trailing slash |
`traefik_config_directory` | Configuration directory path | `{{ traefik_base_path }}/config` | Without trailing slash |
`traefik_dynamic_config_directory` | Dynamic configuration directory path | `{{ traefik_config_directory }}/dynamic` | Without trailing slash |
`traefik_dynamic_config_watch` | Enable/disable watching for changes in the dynamic configuration directory | `yes` | |
`traefik_dynamic_config_files_paths` | List containing paths to dynamic config files | `["traefik/*"]` | |
`traefik_loglevel` | Log level specified in traefik.yml | `INFO` | |
`traefik_environment_variables` | A dict of additional environment options | `{}` | |
## Extra Options

### TLS + Let's Encrypt

By default, TLS is enabled with the following config.

```yaml
traefik_tls:
  enable: yes
  min_verison: "VersionTLS12"
  ciphersuites:
    - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
```
No letsencrypt challenges are activated by default. Supported are HTTP, TLS and DNS challenges. You only have to use one, but you can use several. The following code block shows an example for all of them.
```yaml
# HTTP-Challenge
traefik_tls_letsencrypt_challenges_http:
  enable: yes
  email: "test@example.org"
  name: "le_http" # Name of the certificate resolver
  entryPoint: "http"
  storage: "{{ traefik_base_path }}/acme_http.json"
  key_type: "RSA4096" # optional, per default RSA4096

# TLS-Challenge
traefik_tls_letsencrypt_challenges_tls:
  enable: yes
  email: "test@example.org"
  name: "le_tls" # Name of the certificate resolver
  storage: "{{ traefik_base_path }}/acme_tls.json"
  key_type: "RSA4096" # optional, per default RSA4096

# DNS-Challenge
traefik_tls_letsencrypt_challenges_dns:
  enable: yes
  provider: acme-dns
  email: "test@example.org"
  storage: "{{ traefik_base_path }}/acme_dns.json"
  delay: 0 # optional, default 0
  disablePropagationCheck: "false" # optional, default false
  resolvers: # optional
    - 1.1.1.1
  name: "le_dns" # Name of the certificate resolver
  key_type: "RSA4096" # optional, per default RSA4096
```
Please also set `traefik_default_cert_resovler` to the default certificate resolver you want to use, for example for the dashboard.
### Middlewares

#### HTTPS-Redirect

The HTTPS-Redirect middleware is activated by default when TLS is activated, with the name `https_redirect`, which can be modified with the `traefik_middlewares_https_redirect_name` variable. If you want to disable this middleware, use the following variable.

```yaml
traefik_middlewares_https_redirect_enable: no
```
#### WWW to non-WWW redirect

The WWW to non-WWW redirect middleware is deactivated by default. If you want to enable this middleware, set the following variable.

```yaml
traefik_middlewares_www_to_non_www_redirect:
  enable: yes
  name: "www_redirect" # required
  persistent: true # whether a 301 redirect should be used; defaults to true
```
#### Dashboard Basic Authentication

By default this middleware is deactivated, so anybody can access the traefik dashboard. You can enable this middleware with the following variable. If you activate the middleware and also enable the `traefik_dashboard` variable, the middleware will be used.

```yaml
traefik_middlewares_dashboard_authentication:
  enable: yes
  name: "dashboard_authentication"
  realm: "Traefik Dashboard"
  remove_header: yes
  users:
    - "username:$apr1$Kpsun2tt$O2uS3psQlKasIpO1JqSza1" # Password hash can be generated with the htpasswd tool
```
#### CORS

```yaml
traefik_middlewares_cors:
  enable: yes
  name: "cors"
  add_vary_header: yes
  allow_credentials: yes
  allow_origin: "*" # Browsers reject credentialed responses to a wildcard origin; list explicit origins when allow_credentials is yes
```
#### HSTS

The HSTS middleware is activated by default when TLS is activated, with the name `hsts`, which can be changed via the `name` key of the `traefik_middlewares_hsts` variable. If you want to disable this middleware, set `enable` of the following variable to `false`. You can also customize the middleware with this variable.

```yaml
traefik_middlewares_hsts:
  enable: yes
  name: "hsts"
  seconds: "31536000"
  preload: yes
  include_sub_domains: no
```
### Dashboard

By default the traefik dashboard is enabled and listens on `traefik.{{ ansible_fqdn }}`, as shown below.

```yaml
traefik_dashboard:
  enable: yes
  rule: "Host(`traefik.{{ ansible_fqdn }}`)"
  name: "internal_dashboard"
  tls_cert_resolver: "{{ traefik_default_cert_resovler }}"
  https_redirect: yes
  additional_middlewares: []
```
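An added example playbook (not part of the role or its README) that wires the sections above together: it enables the HTTP challenge, points `traefik_default_cert_resovler` at that resolver so the dashboard gets a Let's Encrypt certificate, and puts the dashboard behind basic authentication. The role name `traefik`, the host group `proxies`, the domain `example.org` and the vaulted variable `vault_traefik_dashboard_hash` are assumptions.

```yaml
# Added example playbook; role name, host group, domain and the
# vault_traefik_dashboard_hash variable (an htpasswd-style hash stored
# in Ansible Vault) are assumptions, not part of the role.
- name: Install Traefik with Let's Encrypt and a protected dashboard
  hosts: proxies
  become: true
  vars:
    # Keep the role's TLS defaults (TLS 1.2 minimum, AEAD cipher suites).
    traefik_tls:
      enable: yes
      min_verison: "VersionTLS12" # key spelled as the role documents it
      ciphersuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

    # One ACME resolver via the HTTP challenge; ACME state lives under
    # the role's base path, next to the binary.
    traefik_tls_letsencrypt_challenges_http:
      enable: yes
      email: "ops@example.org"
      name: "le_http"
      entryPoint: "http"
      storage: "{{ traefik_base_path }}/acme_http.json"

    # The dashboard refers to this variable for its certificate, so it
    # must name an enabled resolver (spelling as used by the role).
    traefik_default_cert_resovler: "le_http"

    traefik_dashboard:
      enable: yes
      rule: "Host(`traefik.example.org`)"
      name: "internal_dashboard"
      tls_cert_resolver: "{{ traefik_default_cert_resovler }}"
      https_redirect: yes
      additional_middlewares: []

    # Without this block the dashboard is reachable by anyone who can
    # resolve the host; the hash comes from Vault, never from plaintext.
    traefik_middlewares_dashboard_authentication:
      enable: yes
      name: "dashboard_authentication"
      realm: "Traefik Dashboard"
      remove_header: yes
      users:
        - "admin:{{ vault_traefik_dashboard_hash }}"
  roles:
    - traefik
```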
### Metrics

It's possible to store the metrics of traefik in different backends. Supported are Datadog (`traefik_metrics_datadog`), InfluxDB (`traefik_metrics_influxdb`), Prometheus (`traefik_metrics_prometheus`) and StatsD (`traefik_metrics_statsd`).

Here is an example with Prometheus:

```yaml
traefik_metrics_prometheus:
  buckets:
    - 0.1
    - 0.3
    - 1.2
    - 5.0
  addEntryPointsLabels: true
  manualRouting: true
```

Have a look at the traefik docs for possible configuration values. These are passed directly into the configuration file.
### Other

#### Providers

You can specify additional providers via the `traefik_additional_providers` ansible variable. This is passed directly into `traefik.yml`.

#### EntryPoints

You can specify additional entryPoints via the `traefik_additional_entrypoints` ansible variable. This is passed directly into `traefik.yml`.

```yaml
traefik_additional_entrypoints: |
  entryPointName:
    address: ":222"
```
## Dependencies

This role does not have any dependencies.

## License

GPL-3.0