Ansible role for Traefik

Ansible role for a traefik installation without docker

Requirements

  • An e-mail address when using letsencrypt

Role Variables

Variable (function; default value; comment):

  • traefik_user: user created for running the traefik service. Default: traefik
  • traefik_group: group of the user created for the traefik service. Default: {{ traefik_user }}
  • traefik_version: version of traefik that is going to be installed. Default: v2.3.6
  • traefik_source: download URL of the traefik release archive. Default: https://github.com/containous/traefik/releases/download/{{ traefik_version }}/traefik_{{ traefik_version }}_linux_amd64.tar.gz
  • traefik_systemd_service_name: name of the systemd service unit. Default: traefik
  • traefik_base_path: installation base path. Default: /opt/traefik (without trailing slash)
  • traefik_config_directory: configuration directory path. Default: {{ traefik_base_path }}/config (without trailing slash)
  • traefik_dynamic_config_directory: dynamic configuration directory path. Default: {{ traefik_config_directory }}/dynamic (without trailing slash)
  • traefik_dynamic_config_watch: enable/disable watching for changes in the dynamic configuration directory. Default: yes
  • traefik_dynamic_config_files_paths: list of paths to dynamic config files. Default: ["traefik/*"]
  • traefik_loglevel: log level written to traefik.yml. Default: INFO
  • traefik_environment_variables: dict of additional environment variables for the service. Default: {}

Extra Options

TLS + Let's Encrypt

By default, TLS is enabled with the following config.

traefik_tls:
  enable: yes
  min_verison: "VersionTLS12"
  ciphersuites:
    - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
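As an added example (not code from the role), the following Python audits a traefik_tls dict the way a reviewer would before accepting an override: the minimum version is checked against a floor, and every pinned suite against a forward-secrecy/AEAD policy. The key spelling min_verison is taken from the block above; the weak override is constructed for illustration and is not a configuration the role ships.

```python
"""Audit the role's traefik_tls choice (minimum version and pinned cipher suites)."""

# Go's tls.Version* constants in ascending order; Traefik hands the string
# straight to crypto/tls, so only these spellings are valid.
TLS_VERSION_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]

# Markers that disqualify a TLS 1.0-1.2 suite from being pinned.
WEAK_SUITE_MARKERS = {
    "_CBC_": "CBC mode",
    "_3DES_": "3DES",
    "_RC4_": "RC4",
    "_NULL_": "NULL cipher",
}

# crypto/tls ignores the configured list for TLS 1.3; these names cannot be pinned.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def audit_tls_options(tls, min_allowed="VersionTLS12"):
    """Return a list of findings; an empty list means the dict passes the policy."""
    if not tls.get("enable", True):
        return ["TLS disabled: entryPoints will serve plaintext only"]
    findings = []

    # The role's key is spelled min_verison; the correct spelling is accepted too.
    min_ver = tls.get("min_verison") or tls.get("min_version") or "VersionTLS10"
    if min_ver not in TLS_VERSION_ORDER:
        findings.append(f"unknown minimum version {min_ver!r}")
    elif TLS_VERSION_ORDER.index(min_ver) < TLS_VERSION_ORDER.index(min_allowed):
        findings.append(f"minimum version {min_ver} is below {min_allowed}")

    suites = tls.get("ciphersuites") or []
    if not suites:
        findings.append("no cipher suites pinned: Go's built-in default list applies")
    for suite in suites:
        if suite.startswith(TLS13_PREFIXES):
            findings.append(f"{suite}: TLS 1.3 suite, not configurable in Go (always enabled)")
            continue
        if not suite.startswith("TLS_ECDHE_"):
            findings.append(f"{suite}: no forward secrecy (non-ECDHE key exchange)")
        for marker, why in WEAK_SUITE_MARKERS.items():
            if marker in suite:
                findings.append(f"{suite}: {why}")
    return findings


# The role's default, copied from the block above.
ROLE_DEFAULT_TLS = {
    "enable": True,
    "min_verison": "VersionTLS12",
    "ciphersuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    ],
}

# Constructed weak override: the kind of change made to "fix" one old client.
WEAK_OVERRIDE_TLS = {
    "enable": True,
    "min_verison": "VersionTLS10",
    "ciphersuites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_128_GCM_SHA256",
    ],
}

if __name__ == "__main__":
    for label, cfg in (("role default", ROLE_DEFAULT_TLS), ("weak override", WEAK_OVERRIDE_TLS)):
        print(label, audit_tls_options(cfg) or "OK")
```

The role default produces no findings; the override is flagged four times (TLS 1.0 floor, a static-RSA suite, CBC mode, and a TLS 1.3 name that Go will not let you pin either way).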

By default, no letsencrypt challenges are activated. Supported are HTTP, TLS and DNS challenges. At least one must be enabled to obtain certificates, and several can be enabled side by side; the following code block shows an example for all three.

# HTTP-Challenge
traefik_tls_letsencrypt_challenges_http:
  enable: yes
  email: "test@example.org"
  name: "le_http" # Name of the certificate resolver
  entryPoint: "http"
  storage: "{{ traefik_base_path }}/acme_http.json"
  key_type: "RSA4096" # optional, per default RSA4096

# TLS-Challenge
traefik_tls_letsencrypt_challenges_tls:
  enable: yes
  email: "test@example.org"
  name: "le_tls" # Name of the certificate resolver
  storage: "{{ traefik_base_path }}/acme_tls.json"
  key_type: "RSA4096" # optional, per default RSA4096

# DNS-Challenge
traefik_tls_letsencrypt_challenges_dns:
  enable: yes
  provider: acme-dns
  email: "test@example.org"
  storage: "{{ traefik_base_path }}/acme_dns.json"
  delay: 0 # optional, default 0
  disablePropagationCheck: "false" # optional, default false
  resolvers: # optional
    - 1.1.1.1
  name: "le_dns" # Name of the certificate resolver
  key_type: "RSA4096" # optional, per default RSA4096

Set traefik_default_cert_resovler to the name of the certificate resolver that should be used by default, for example for the dashboard router. Traefik rejects an ACME storage file whose permissions are wider than 0600, so keep the storage paths in a directory owned by traefik_user and treat the files as secrets: they contain the ACME account key and the private keys of every issued certificate.

Middlewares

HTTPS-Redirect

The HTTPS-Redirect middleware is activated by default when TLS is activated, under the name https_redirect; the name can be changed with the traefik_middlewares_https_redirect_name variable. To disable the middleware, set the following role variable:

traefik_middlewares_https_redirect_enable: no

WWW to non-WWW redirect

The WWW to non-WWW redirect middleware is deactivated by default. To enable it, set the following role variable:

traefik_middlewares_www_to_non_www_redirect:
  enable: yes
  name: "www_redirect" # required
  persistent: true # whether a permanent (301) redirect should be used; defaults to true

Dashboard Basic Authentication

By default this middleware is deactivated, and since the dashboard itself is enabled by default (see Dashboard below), anybody who can reach the dashboard host rule can open it without credentials. Enable the middleware with the following variable; when it is enabled together with traefik_dashboard, it is attached to the dashboard router.

traefik_middlewares_dashboard_authentication:
  enable: yes
  name: "dashboard_authentication"
  realm: "Traefik Dashboard"
  remove_header: yes
  users:
    - "username:$apr1$Kpsun2tt$O2uS3psQlKasIpO1JqSza1" # Password can be generated by htpasswd tool
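
Added example, not code from the role: a pure-Python reimplementation of the APR1 MD5 scheme behind the `$apr1$` entry above, a constant-time verifier for such entries, and a classifier that flags users whose hash should be regenerated with bcrypt (`htpasswd -nB user`). Traefik's BasicAuth accepts MD5 (apr1), SHA1 and bcrypt hashes only. The user names, passwords and extra hashes below are constructed; the apr1 output can be cross-checked against `openssl passwd -apr1 -salt <salt> <password>`.

```python
"""Generate, verify and classify Traefik BasicAuth user entries (htpasswd format)."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value, count):
    """crypt(3)-style base64: little-endian 6-bit groups, fixed width."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt=None):
    """Apache APR1 MD5 crypt: md5-crypt ($1$) with a different magic string."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sb = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):           # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                     # bit-pattern of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # fixed 1000 rounds: why this is weak today
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$apr1${sb.decode()}${enc}"


def verify_apr1(password, entry_hash):
    """Recompute with the stored salt and compare in constant time."""
    parts = entry_hash.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_md5(password, parts[2]), entry_hash)


def classify_users(users):
    """Map each 'user:hash' entry to (scheme, verdict) as Traefik's BasicAuth would see it."""
    report = {}
    for entry in users:
        user, _, h = entry.partition(":")
        if h.startswith(("$2a$", "$2b$", "$2y$")):
            report[user] = ("bcrypt", "ok")
        elif h.startswith("$apr1$"):
            report[user] = ("apr1-md5", "weak: regenerate with htpasswd -nB")
        elif h.startswith("{SHA}"):
            report[user] = ("sha1", "weak: regenerate with htpasswd -nB")
        else:
            report[user] = ("unknown", "rejected: Traefik accepts only MD5, SHA1 or bcrypt hashes")
    return report


if __name__ == "__main__":
    # Constructed entries: the page's sample plus a bcrypt user and a plaintext mistake.
    users = [
        "username:$apr1$Kpsun2tt$O2uS3psQlKasIpO1JqSza1",
        "alice:$2y$05$abcdefghijklmnopqrstuu",
        "eve:plaintext-password",
    ]
    for u, verdict in classify_users(users).items():
        print(u, verdict)
    h = apr1_md5("correct horse battery staple")
    print(h, verify_apr1("correct horse battery staple", h))
```

The salt is eight characters from the crypt alphabet; a longer value is truncated, as htpasswd does. Entries with `$` characters need no escaping in an Ansible YAML string, but they do if the same line is later copied into a docker-compose file.
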

CORS

The CORS headers middleware is configured with the following variable. Note that a browser refuses a credentialed cross-origin response that carries Access-Control-Allow-Origin: *, so allow_credentials: yes only makes sense together with an explicit origin list.

traefik_middlewares_cors:
  enable: yes
  name: "cors"
  add_vary_header: yes
  allow_credentials: yes
  allow_origin: "*"

HSTS

The HSTS middleware is activated by default when TLS is activated, under the name hsts. To disable it, set enable in the following variable to no; the remaining keys customize the header. Keep in mind that preload only takes effect once the domain has been submitted to the browser preload list, which requires include_sub_domains: yes and a max-age of at least one year, and that a preloaded domain commits every subdomain to HTTPS for as long as the entry exists.

traefik_middlewares_hsts:
  enable: yes
  name: "hsts"
  seconds: "31536000"
  preload: yes
  include_sub_domains: no
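Added example, not code from the role, covering the CORS and HSTS variables above: it renders the Strict-Transport-Security value the hsts settings amount to (RFC 6797 form; directive names are case-insensitive, so Traefik's exact casing may differ) and audits both dicts for the two mistakes a reviewer looks for first, preload without includeSubDomains and credentials with a wildcard origin. The input dicts are constructed from the defaults shown on this page.

```python
"""Audit the header-producing middleware variables (hsts, cors) before deploying."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def hsts_header(cfg):
    """Strict-Transport-Security value the hsts settings amount to."""
    parts = [f"max-age={int(cfg.get('seconds', 0))}"]
    if cfg.get("include_sub_domains"):
        parts.append("includeSubDomains")
    if cfg.get("preload"):
        parts.append("preload")
    return "; ".join(parts)


def audit_hsts(cfg):
    """Findings for the hsts dict; an empty list means nothing to fix."""
    if not cfg.get("enable", True):
        return ["hsts middleware disabled: clients will not pin HTTPS"]
    findings = []
    seconds = int(cfg.get("seconds", 0))
    if seconds < ONE_YEAR:
        findings.append(f"max-age {seconds} is below one year ({ONE_YEAR})")
    if cfg.get("preload") and not cfg.get("include_sub_domains"):
        findings.append("preload set without includeSubDomains: hstspreload.org will reject the domain")
    return findings


def audit_cors(cfg):
    """Findings for the cors dict; allow_origin may be a string or a list."""
    if not cfg.get("enable", False):
        return []
    findings = []
    origins = cfg.get("allow_origin", [])
    if isinstance(origins, str):
        origins = [origins]
    if cfg.get("allow_credentials") and "*" in origins:
        findings.append("allow_credentials with allow_origin '*': browsers reject credentialed "
                        "responses carrying Access-Control-Allow-Origin: *")
    if origins and "*" not in origins and not cfg.get("add_vary_header", False):
        # With a per-origin echo, a shared cache could serve one origin's answer to another.
        findings.append("explicit origin list without Vary: Origin header: set add_vary_header: yes")
    return findings


# Constructed inputs mirroring the defaults shown on this page.
ROLE_DEFAULT_HSTS = {"enable": True, "name": "hsts", "seconds": "31536000",
                     "preload": True, "include_sub_domains": False}
ROLE_EXAMPLE_CORS = {"enable": True, "name": "cors", "add_vary_header": True,
                     "allow_credentials": True, "allow_origin": "*"}

if __name__ == "__main__":
    print(hsts_header(ROLE_DEFAULT_HSTS), audit_hsts(ROLE_DEFAULT_HSTS))
    print(audit_cors(ROLE_EXAMPLE_CORS))
```

Run as-is, the hsts default renders `max-age=31536000; preload` and is flagged because includeSubDomains is missing; the cors example is flagged for combining credentials with a wildcard origin.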

Dashboard

By default the traefik dashboard is enabled and served for requests matching Host(`traefik.{{ ansible_fqdn }}`), with the configuration shown below. Without the dashboard authentication middleware, or another restricting middleware listed in additional_middlewares, it is open to anyone who can reach that host name.

traefik_dashboard:
  enable: yes
  rule: "Host(`traefik.{{ ansible_fqdn }}`)"
  name: "internal_dashboard"
  tls_cert_resolver: "{{ traefik_default_cert_resovler }}"
  https_redirect: yes
  additional_middlewares: []

Metrics

Traefik metrics can be exported to different backends. Supported are Datadog (traefik_metrics_datadog), InfluxDB (traefik_metrics_influxdb), Prometheus (traefik_metrics_prometheus) and StatsD (traefik_metrics_statsd).

Here is an example with Prometheus:

traefik_metrics_prometheus:
  buckets:
    - 0.1
    - 0.3
    - 1.2
    - 5.0
  addEntryPointsLabels: true
  manualRouting: true

Have a look at the traefik docs for possible configuration values. These are directly passed into the configuration file.

Other

Providers

You can specify additional providers via the traefik_additional_providers ansible variable. This is directly passed into traefik.yml.

EntryPoints

You can specify additional entryPoints via the traefik_additional_entrypoints ansible variable. This is directly passed into traefik.yml:

traefik_additional_entrypoints: |
  entryPointName:
    address: ":222"

Dependencies

This role does not have any dependencies.

License

GPL-3.0