Move traefik into its own role

ansible/roles/traefik/files/docker-compose.yml

@@ -0,0 +1,12 @@
+version: "2.3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:v2.2.0
+    # command: "--log.level=DEBUG"
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik:/etc/traefik
+    restart: unless-stopped

ansible/roles/traefik/files/file-provider.yml

@@ -0,0 +1,43 @@
+http:
+  middlewares:
+    internal-only:
+      ipWhiteList:
+        sourceRange:
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"
+    hsts:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    hsts:
+      service: ping@internal
+      rule: PathPrefix(`/`)
+      entryPoints:
+        - web
+      middlewares:
+        - hsts
+    ping:
+      service: ping@internal
+      rule: Host(`traefik.jakehoward.tech`) && Path(`/ping/`)
+      middlewares:
+        - hsts
+      tls:
+        certResolver: le
+    dashboard:
+      service: dashboard@internal
+      rule: Host(`traefik.jakehoward.tech`)
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
+    api:
+      service: api@internal
+      rule: Host(`traefik.jakehoward.tech`) && PathPrefix(`/api`)
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le

ansible/roles/traefik/files/traefik.yml

@@ -0,0 +1,38 @@
+entryPoints:
+  web:
+    address: ":80"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  web-secure:
+    address: ":443"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  matrix:
+    address: ":8448"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+
+ping:
+  manualRouting: true
+
+providers:
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    watch: true
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/file-provider.yml
+
+api:
+  dashboard: true
+
+certificatesResolvers:
+  le:
+    acme:
+      email: hosting@theorangeone.net
+      storage: /etc/traefik/acme.json
+      httpChallenge:
+        entryPoint: web

ansible/roles/traefik/tasks/main.yml

@@ -0,0 +1,54 @@
+- name: Create install directory
+  file:
+    path: /opt/traefik
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create config directory
+  file:
+    path: /opt/traefik/traefik
+    state: directory
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/traefik/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: /usr/bin/docker-compose -f %s config
+  register: compose_file
+  become: true
+
+- name: Install config
+  template:
+    src: files/traefik.yml
+    dest: /opt/traefik/traefik/traefik.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  register: config_file
+  become: true
+
+- name: Install file provider
+  template:
+    src: files/file-provider.yml
+    dest: /opt/traefik/traefik/file-provider.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  register: file_provider
+  become: true
+
+- name: Cycle container
+  docker_compose:
+    project_src: /opt/traefik
+    pull: true
+    remove_orphans: true
+    remove_volumes: true
+    state: "{{ item }}"
+  when: compose_file.changed or config_file.changed or file_provider.changed
+  loop:
+    - absent
+    - present