diff --git a/roles/traefik/README.md b/roles/traefik/README.md
deleted file mode 100644
index e215211..0000000
--- a/roles/traefik/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-Traefik
-=========
-
-This will setup a [Traefik](https://docs.traefik.io/v2.0/) server that acts as a dynamic reverse proxy and uses docker labels to route traffic. It also takes care about enabling/renewing Let's Encrypt certificates if specified.
-
-**Note: If using the IPv6 configuration: When changing the address etc, you will need to manually take care about removing old/unused firewall rules!**
-
-Requirements
-------------
-
-You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
-
-Role Variables
---------------
-
-**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
-
-**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
-
-### Global variables, that are used:
-
-- `docker_package`: Defined by the docker role, this is the package name of docker within your package manager.
-
-Dependencies
-------------
-
-- docker
-- docker-compose
-
-License
--------
-
-GPL-3.0-only
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
deleted file mode 100644
index 398b3c4..0000000
--- a/roles/traefik/defaults/main.yml
+++ /dev/null
@@ -1,132 +0,0 @@
----
-# Default variables for the traefik role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# The install locations
-traefik_install_location: /srv/traefik
-traefik_acme_location: "{{ traefik_install_location }}/acme"
-traefik_config_location: "{{ traefik_install_location }}/dynamic_conf"
-
-# The traefik/dockersocketproxy version to be used
-# renovate: depName=docker.io/library/traefik
-traefik_version: v2.11.13
-# renovate: depName=quay.io/sheogorath/docker-socket-proxy
-traefik_dockersocketproxy_version: "2.3"
-
-# The domain for the traefik debug dashboard (only shown if the dashboard auth variable is defined)
-traefik_dashboard_domain: "traefik.example.com"
-
-# A basic auth users string (see https://docs.traefik.io/v2.0/middlewares/basicauth/)
-# traefik_dashboard_auth: ''
-
-# The email to use for letencrypt certificate requests
-traefik_letsencrypt_email: no-reply@example.com
-
-# The proxy network name and the bridge name (you usually do not touch these)
-# ! Note these are used globally, as every container that wants to use traefik,
-# ! has to be reachable for traefik and all containers, routed with traefik, are connected to the proxy network.
-proxy_network: proxy # noqa var-naming[no-role-prefix]
-traefik_docker_bridge_name: docker-proxy
-
-# Traefik IPv6 settings
-# Enabling these will lead to traefik being reachable via the specified IPv6 address.
-# Without any special handling of IPv6, the containers may still be reached via IPv6 but may use the docker internal IPv4 proxy,
-# which results in the containers only seeing clients connecting with the internal network IPv4 gateway address.
-traefik_ipv6:
- enabled: false
- # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP).
- # TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
- firewall_rules_enabled: false
- # The subnet that should be used. Usually has to have a size of at least `/80`
- # (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
- subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}"
- # The traefik container will use this static address, unless you explicitly use `{{ omit }}`
- ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ansible.utils.ipaddr('2') | ansible.utils.ipaddr('address') }}"
- # The name of the special ipv6 network which will be created and added to the traefik container
- name: traefik_ipv6
-
-# Should a general https redirect middleware be enabled for all hosts on the web endpoint?
-traefik_https_redirect_all: true
-
-# Should the letsencrypt certresolver be enabled/defined?
-# Useful eg. for local testing/LAN setups
-traefik_https_letsencrypt_enabled: true
-
-# Extra configuration (dynamic) via a config file
-# This has to be used, because setting default TLS configs etc. cannot be done via labels/commandline parameters
-# This will by default set the minimum TLS version to v1.2 and only enable a few secure ciphers
-traefik_dynamic_conf:
- tls:
- options:
- default:
- minVersion: "VersionTLS12"
- sniStrict: true # Can be disabled for local testing, which will lead to traefik serving it's default certificate if none can be found
- cipherSuites:
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-
-# This config allows to add new entrypoints to traefik which are also automatically exposed / the port is automatically allocated.
-# Can be used in cases where traefik needs to be used as a proxy because of the certificates it holds. Eg. gitlab registry on the
-# same domain, where we want to use the existing certificate for the registry too.
-#
-# Example entry:
-# - name: gitlabregistry
-# port: 5050
-traefik_additional_entrypoints: []
-
-# Enables debug log level
-traefik_debug: false
-
-# Should traefik log access?
-traefik_access_log_enabled: false
-
-# Optional environment variables that should be added (key value pairs)
-traefik_options: {}
-
-# Enables the tor container, to allow reaching traefik via an onion address/the tor network
-traefik_tor_enabled: false
-
-# The tor container version
-traefik_tor_version: 0.4
-
-# The tor container volume locations
-traefik_tor_location: "{{ traefik_install_location }}/tor"
-traefik_tor_data_location: "{{ traefik_tor_location }}/data"
-traefik_tor_config_location: "{{ traefik_tor_location }}/config"
-
-# Enables the acmedumper, to extract the certificates from traefik
-traefik_acmedumper_enabled: false
-
-# The acmedumper container version
-traefik_acmedumper_version: "2.7.0"
-traefik_acmedumper_image_version: "v{{ traefik_acmedumper_version }}"
-
-# The acmedumper output location
-traefik_acmedumper_location: "{{ traefik_install_location }}/certs"
-
-# Enable or disable selinux handling
-traefik_selinux_enabled: true
-
-# The SELinux levels for tor/traefiks folders/container
-traefik_selinux_level: "{{ omit }}"
-traefik_tor_selinux_level: "{{ omit }}"
-
-# Enable or disable firewalld handling (Allowing HTTP/HTTPS and trusting the docker network if necessary)
-traefik_firewalld_enabled: true
diff --git a/roles/traefik/files/traefik-tor.conf b/roles/traefik/files/traefik-tor.conf
deleted file mode 100644
index 06042bb..0000000
--- a/roles/traefik/files/traefik-tor.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-SocksPort 0
-HiddenServiceDir /data/traefik
-HiddenServicePort 80 proxy:80
-HiddenServicePort 443 proxy:443
-HiddenServiceNonAnonymousMode 1
-HiddenServiceSingleHopMode 1
-SafeLogging 1
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
deleted file mode 100644
index ca285e8..0000000
--- a/roles/traefik/handlers/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# Handlers file for the traefik role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Restart tor proxy
- ansible.builtin.command: "docker-compose restart tor"
- args:
- chdir: "{{ traefik_install_location }}"
- register: compose_output
- changed_when: compose_output.rc != 0
- become: true
diff --git a/roles/traefik/meta/main.yml b/roles/traefik/meta/main.yml
deleted file mode 100644
index ad81e06..0000000
--- a/roles/traefik/meta/main.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-galaxy_info:
- author: saibotk
- description: "Installs traefik via docker with optional tor access and acmedumper."
- license: GPL-3.0-only
- min_ansible_version: "2.9"
- standalone: true
-
- platforms:
- - name: EL
- versions:
- - all
- - name: GenericUNIX
- versions:
- - all
- - name: Fedora
- versions:
- - all
- - name: opensuse
- versions:
- - all
- - name: GenericBSD
- versions:
- - all
- - name: FreeBSD
- versions:
- - all
- - name: Ubuntu
- versions:
- - all
- - name: SLES
- versions:
- - all
- - name: GenericLinux
- versions:
- - all
- - name: Debian
- versions:
- - all
-
- galaxy_tags: []
-
-dependencies:
- - role: docker
diff --git a/roles/traefik/tasks/acmedumper.yml b/roles/traefik/tasks/acmedumper.yml
deleted file mode 100644
index 4bcfc3e..0000000
--- a/roles/traefik/tasks/acmedumper.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-# Tasks file traefik/acmedumper for the traefik role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Update default SELinux contexts for acme-dumper
- community.general.sefcontext:
- target: '{{ item }}(/.*)?'
- setype: "container_file_t"
- selevel: "{{ traefik_selinux_level | default(omit) }}"
- state: present
- with_items:
- - "{{ traefik_acmedumper_location }}"
- when:
- - traefik_selinux_enabled
- become: true
-
-- name: Create data directory for acme-dumper
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- mode: '0750'
- owner: 'root'
- group: 'root'
- setype: "container_file_t"
- selevel: "{{ traefik_selinux_level | default(omit) }}"
- with_items:
- - "{{ traefik_acmedumper_location }}"
- become: true
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
deleted file mode 100644
index 735db96..0000000
--- a/roles/traefik/tasks/main.yml
+++ /dev/null
@@ -1,224 +0,0 @@
----
-# Tasks file for the traefik role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-# Copyright (C) 2020 Alexander Wellbrock
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Update default SELinux contexts
- community.general.sefcontext:
- target: "{{ item }}(/.*)?"
- setype: "container_file_t"
- selevel: "{{ traefik_selinux_level }}"
- state: present
- with_items:
- - "{{ traefik_acme_location }}"
- - "{{ traefik_config_location }}"
- when:
- - traefik_selinux_enabled
- become: true
-
-- name: Create install directory
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- mode: "0700"
- owner: "root"
- group: "root"
- with_items:
- - "{{ traefik_install_location }}"
- become: true
-
-- name: Create data directory
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- mode: "0700"
- owner: "root"
- group: "root"
- setype: "container_file_t"
- selevel: "{{ traefik_selinux_level }}"
- with_items:
- - "{{ traefik_acme_location }}"
- - "{{ traefik_config_location }}"
- become: true
-
-- name: Include configs for Tor
- ansible.builtin.include_tasks: tor.yml
- when: traefik_tor_enabled | bool
-
-- name: Include configs for acme-dumper
- ansible.builtin.include_tasks: acmedumper.yml
- when: traefik_acmedumper_enabled | bool
-
-- name: Create proxy network
- community.docker.docker_network:
- name: "{{ proxy_network }}"
- driver_options:
- com.docker.network.bridge.name: "{{ traefik_docker_bridge_name }}"
- become: true
-
-- name: Create ipv6 frontend network
- community.docker.docker_network:
- name: "{{ traefik_ipv6.name }}"
- enable_ipv6: true
- ipam_config:
- - subnet: "{{ traefik_ipv6.subnet }}"
- become: true
- when:
- - traefik_ipv6 is defined
- - traefik_ipv6.enabled
-
-- name: Gather the package facts
- ansible.builtin.package_facts:
- manager: auto
-
-# This step is only needed in docker < 20.10, as docker does this by default now
-- name: Trust our proxy network
- ansible.posix.firewalld:
- zone: trusted
- interface: "{{ traefik_docker_bridge_name }}"
- permanent: true
- immediate: true
- state: enabled
- become: true
- tags:
- - firewall
- when:
- - traefik_firewalld_enabled
- - docker_package in ansible_facts.packages
- - ansible_facts.packages[docker_package][0].version is version('20.10', '<')
-
-- name: Deploy dynamic_conf.yml
- ansible.builtin.template:
- src: dynamic_conf.yml
- dest: "{{ traefik_config_location }}/dynamic_conf.yml"
- owner: "root"
- group: "root"
- mode: "0600"
- setype: "container_file_t"
- selevel: "{{ traefik_selinux_level }}"
- become: true
- when:
- - traefik_dynamic_conf != omit
-
-- name: Deploy docker-compose.yml
- ansible.builtin.template:
- src: docker-compose.yml
- dest: "{{ traefik_install_location }}/docker-compose.yml"
- mode: "0600"
- owner: "root"
- group: "root"
- validate: docker compose -f %s config -q
- tags:
- - docker
- become: true
-
-- name: Compose traefik
- community.docker.docker_compose_v2:
- state: present
- project_src: "{{ traefik_install_location }}"
- pull: always
- remove_orphans: true
- become: true
-
-- name: Read tor hostname
- ansible.builtin.slurp:
- src: "{{ traefik_tor_data_location }}/traefik/hostname"
- register: proxy_hiddenservice # noqa: var-naming[no-role-prefix]
- become: true
- when: traefik_tor_enabled | bool
-
-- name: Allow access to services
- ansible.posix.firewalld:
- service: "{{ item }}"
- permanent: true
- state: enabled
- with_items:
- - http
- - https
- become: true
- when:
- - traefik_firewalld_enabled
- tags:
- - firewall
-
-# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
-- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
- ansible.builtin.command:
- argv:
- - firewall-cmd
- - --direct
- - --add-rule
- - ipv6
- - filter
- - FORWARD
- - 0
- - -p
- - tcp
- - --destination
- - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
- - --dport
- - "{{ item }}"
- - -j
- - ACCEPT
- register: traefik_firewalld_direct_result
- become: true
- changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_result.stderr'
- notify: restart docker
- with_items:
- - 80
- - 443
- when:
- - traefik_firewalld_enabled
- - traefik_ipv6 is defined
- - traefik_ipv6.enabled
- - traefik_ipv6.ip_addr is defined
- - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
-
-# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
-- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
- ansible.builtin.command:
- argv:
- - firewall-cmd
- - --permanent
- - --direct
- - --add-rule
- - ipv6
- - filter
- - FORWARD
- - 0
- - -p
- - tcp
- - --destination
- - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
- - --dport
- - "{{ item }}"
- - -j
- - ACCEPT
- register: traefik_firewalld_direct_permanent_result
- become: true
- changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_permanent_result.stderr'
- with_items:
- - 80
- - 443
- when:
- - traefik_firewalld_enabled
- - traefik_ipv6 is defined
- - traefik_ipv6.enabled
- - traefik_ipv6.ip_addr is defined
- - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
diff --git a/roles/traefik/tasks/tor.yml b/roles/traefik/tasks/tor.yml
deleted file mode 100644
index 876b5ed..0000000
--- a/roles/traefik/tasks/tor.yml
+++ /dev/null
@@ -1,81 +0,0 @@
----
-# Tasks file traefik/tor for the traefik role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-# Copyright (C) 2020 Alexander Wellbrock
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Update default SELinux contexts tor
- community.general.sefcontext:
- target: '{{ item }}(/.*)?'
- setype: "container_file_t"
- selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- state: present
- with_items:
- - "{{ traefik_tor_data_location }}"
- - "{{ traefik_tor_config_location }}"
- when:
- - traefik_selinux_enabled
- become: true
-
-- name: Create install directory
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- mode: '0700'
- owner: 'root'
- group: 'root'
- with_items:
- - "{{ traefik_tor_location }}"
- become: true
-
-- name: Create data directory
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- mode: '0700'
- owner: '994'
- group: '994'
- setype: "container_file_t"
- selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- with_items:
- - "{{ traefik_tor_data_location }}"
- become: true
-
-- name: Create config directory
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- setype: "container_file_t"
- selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- mode: '0750'
- owner: 'root'
- group: 'root'
- with_items:
- - "{{ traefik_tor_config_location }}"
- become: true
-
-- name: Setup tor config
- ansible.builtin.copy:
- src: traefik-tor.conf
- dest: "{{ traefik_tor_config_location }}/traefik.conf"
- setype: "container_file_t"
- selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- mode: '0644'
- owner: 'root'
- group: 'root'
- notify: Restart tor proxy
- become: true
diff --git a/roles/traefik/templates/docker-compose.yml b/roles/traefik/templates/docker-compose.yml
deleted file mode 100644
index c2dc74e..0000000
--- a/roles/traefik/templates/docker-compose.yml
+++ /dev/null
@@ -1,201 +0,0 @@
-{{ ansible_managed | comment }}
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-version: '2'
-services:
- dockersocket:
- image: quay.io/sheogorath/docker-socket-proxy:{{ traefik_dockersocketproxy_version }}
- mem_limit: 16mb
- memswap_limit: 32mb
- security_opt:
- - "label:disable"
- read_only: true
- tmpfs:
- - /run/:size=32K
- environment:
- - "CONTAINERS=1"
- - "LOG_LEVEL=notice"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
- networks:
- socket:
- restart: always
-
-{% if traefik_tor_enabled %}
- tor:
- image: quay.io/sheogorath/tor:{{ traefik_tor_version }}
- mem_limit: 64mb
- memswap_limit: 128mb
- read_only: true
- depends_on:
- - proxy
- security_opt:
- - no-new-privileges
-{% if traefik_tor_selinux_level != omit %}
- - label=level:{{ traefik_tor_selinux_level }}
-{% endif %}
-
- tmpfs:
- - /var/lib/tor/.tor:size=10M,uid=994,gid=994,mode=1700
- volumes:
- - "{{ traefik_tor_data_location }}:/data"
- - "{{ traefik_tor_config_location }}:/etc/torrc.d/:ro"
- networks:
- tor_internal:
- tor_external:
- restart: always
-{% endif %}
-
- proxy:
- image: docker.io/library/traefik:{{ traefik_version }}
- cpu_shares: 3072
- mem_limit: 256mb
- memswap_limit: 512mb
- read_only: true
- restart: always
- labels:
- - "traefik.enable=true"
-{% if traefik_https_redirect_all %}
- - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
- - "traefik.http.routers.http_catchall.entrypoints=web"
- - "traefik.http.routers.http_catchall.middlewares=https_redirect"
-{% endif %}
- - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
- - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
- - "traefik.http.middlewares.compress.compress=true"
-{% if traefik_dashboard_auth is defined %}
- - "traefik.http.routers.api.rule=Host(`{{ traefik_dashboard_domain }}`)"
- - "traefik.http.routers.api.service=api@internal"
- - "traefik.http.routers.api.middlewares=traefikauth"
- - "traefik.http.middlewares.traefikauth.basicauth.users={{ traefik_dashboard_auth }}"
-{% endif %}
- depends_on:
- - dockersocket
-{% if traefik_selinux_level != omit %}
- security_opt:
- - label=level:{{ traefik_selinux_level }}
-{% endif %}
-
- ports:
- - "80:80"
- - "443:443"
-{% for entrypoint in traefik_additional_entrypoints %}
- - "{{ entrypoint.port }}:{{ entrypoint.port }}"
-{% endfor %}
-
- volumes:
- - "{{ traefik_acme_location }}:/etc/traefik/acme"
-{% if traefik_dynamic_conf != omit %}
- - "{{ traefik_config_location }}:/etc/traefik/dynamic_conf:ro"
-{% endif %}
-
- command:
- - "--entryPoints.web.address=:80"
- - "--entryPoints.websecure.address=:443"
-{% for entrypoint in traefik_additional_entrypoints %}
- - "--entryPoints.{{ entrypoint.name }}.address=:{{ entrypoint.port }}"
-{% endfor %}
- - "--accesslog={{ traefik_access_log_enabled | bool | lower }}"
-{% if traefik_dynamic_conf != omit %}
- - "--providers.file.directory=/etc/traefik/dynamic_conf"
- - "--providers.file.watch=true"
-{% endif %}
- - "--providers.docker=true"
- - "--providers.docker.endpoint=tcp://dockersocket:2375"
- - "--providers.docker.exposedByDefault=false"
-{% if traefik_https_letsencrypt_enabled %}
- - "--certificatesResolvers.letsencrypt_http.acme.email={{ traefik_letsencrypt_email }}"
- - "--certificatesResolvers.letsencrypt_http.acme.storage=/etc/traefik/acme/acme.json"
- - "--certificatesResolvers.letsencrypt_http.acme.httpChallenge.entrypoint=web"
-{% endif %}
-{% if traefik_debug %}
- - "--log.level=DEBUG"
-{% endif %}
-
- networks:
- {{ proxy_network }}:
-{% if traefik_aliases is defined %}
- aliases:
-{% for alias in traefik_aliases %}
- - "{{ alias }}"
-{% endfor %}
-{% endif %}
- socket:
-{% if traefik_tor_enabled %}
- tor_internal:
-{% endif %}
-{% if traefik_ipv6.enabled %}
- {{ traefik_ipv6.name }}:
-{% if traefik_ipv6.ip_addr != omit %}
- ipv6_address: {{ traefik_ipv6.ip_addr | ansible.utils.ipaddr('address') }}
-{% endif %}
-{% endif %}
-
-{% if traefik_options | length > 0 %}
- environment:
-{% for key, value in traefik_options.items() %}
- - "{{ key }}={{ value }}"
-{% endfor %}
-{% endif %}
-
-{% if traefik_acmedumper_enabled %}
- acme-dumper:
- image: docker.io/ldez/traefik-certs-dumper:{{ traefik_acmedumper_image_version }}
- read_only: true
- mem_limit: 64mb
- memswap_limit: 128mb
- network_mode: none
- security_opt:
- - no-new-privileges
-{% if traefik_selinux_level != omit %}
- - label=level:{{ traefik_selinux_level }}
-{% endif %}
- cap_drop:
- - all
-
- volumes:
- - "{{ traefik_acme_location }}:/etc/traefik/acme:ro"
- - "{{ traefik_acmedumper_location }}:/export"
- command:
- - "file"
- - "--domain-subdir"
- - "--crt-ext=.pem"
- - "--key-ext=.pem"
- - "--crt-name=fullchain"
- - "--key-name=privkey"
- - "--source=/etc/traefik/acme/acme-v2.json"
- - "--dest=/export"
- - "--version=v2"
- - "--watch"
-{% endif %}
-
-networks:
- {{ proxy_network }}:
- external: true
- socket:
- internal: true
-{% if traefik_tor_enabled %}
- tor_internal:
- internal: true
- tor_external:
-{% endif %}
-{% if traefik_ipv6.enabled %}
- {{ traefik_ipv6.name }}:
- external: true
-{% endif %}
diff --git a/roles/traefik/templates/dynamic_conf.yml b/roles/traefik/templates/dynamic_conf.yml
deleted file mode 100644
index 7e69f8d..0000000
--- a/roles/traefik/templates/dynamic_conf.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{ ansible_managed | comment }}
-# Dynamic configuration
-
-{{ traefik_dynamic_conf | to_nice_yaml(indent=2) }}