Move traefik into its own role

2020-04-23 20:49:43 +01:00
parent 9962d9103f
commit 89ba23719c
9 changed files with 14 additions and 23 deletions
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@ -0,0 +1,12 @@
+version: "2.3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:v2.2.0
+    # command: "--log.level=DEBUG"
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik:/etc/traefik
+    restart: unless-stopped
--- a/ansible/roles/traefik/files/file-provider.yml
+++ b/ansible/roles/traefik/files/file-provider.yml
@ -0,0 +1,43 @@
+http:
+  middlewares:
+    internal-only:
+      ipWhiteList:
+        sourceRange:
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"
+    hsts:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    hsts:
+      service: ping@internal
+      rule: PathPrefix(`/`)
+      entryPoints:
+        - web
+      middlewares:
+        - hsts
+    ping:
+      service: ping@internal
+      rule: Host(`traefik.jakehoward.tech`) && Path(`/ping/`)
+      middlewares:
+        - hsts
+      tls:
+        certResolver: le
+    dashboard:
+      service: dashboard@internal
+      rule: Host(`traefik.jakehoward.tech`)
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
+    api:
+      service: api@internal
+      rule: Host(`traefik.jakehoward.tech`) && PathPrefix(`/api`)
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -0,0 +1,38 @@
+entryPoints:
+  web:
+    address: ":80"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  web-secure:
+    address: ":443"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  matrix:
+    address: ":8448"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+
+ping:
+  manualRouting: true
+
+providers:
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    watch: true
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/file-provider.yml
+
+api:
+  dashboard: true
+
+certificatesResolvers:
+  le:
+    acme:
+      email: hosting@theorangeone.net
+      storage: /etc/traefik/acme.json
+      httpChallenge:
+        entryPoint: web