saibotk-de/infrastructure
saibotk-de/infrastructure
1
0
Fork 0
Code Issues Pull requests Releases 42 Activity

remove!(traefik): unused

Browse source
This commit is contained in:
Saibotk 2025-01-20 00:30:13 +01:00
parent 7482707008
commit b631f98365
Signed by: saibotk
GPG key ID: 67585F0065E261D5
10 changed files with 0 additions and 794 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
roles/traefik/README.md
View file

@ -1,33 +0,0 @@
Traefik
=========
This will setup a [Traefik](https://docs.traefik.io/v2.0/) server that acts as a dynamic reverse proxy and uses docker labels to route traffic. It also takes care about enabling/renewing Let's Encrypt certificates if specified.
**Note: If using the IPv6 configuration: When changing the address etc, you will need to manually take care about removing old/unused firewall rules!**
Requirements
------------
You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `docker_package`: Defined by the docker role, this is the package name of docker within your package manager.
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only

132
roles/traefik/defaults/main.yml
View file

@ -1,132 +0,0 @@
---
# Default variables for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install locations
traefik_install_location: /srv/traefik
traefik_acme_location: "{{ traefik_install_location }}/acme"
traefik_config_location: "{{ traefik_install_location }}/dynamic_conf"
# The traefik/dockersocketproxy version to be used
# renovate: depName=docker.io/library/traefik
traefik_version: v2.11.13
# renovate: depName=quay.io/sheogorath/docker-socket-proxy
traefik_dockersocketproxy_version: "2.3"
# The domain for the traefik debug dashboard (only shown if the dashboard auth variable is defined)
traefik_dashboard_domain: "traefik.example.com"
# A basic auth users string (see https://docs.traefik.io/v2.0/middlewares/basicauth/)
# traefik_dashboard_auth: ''
# The email to use for letencrypt certificate requests
traefik_letsencrypt_email: no-reply@example.com
# The proxy network name and the bridge name (you usually do not touch these)
# ! Note these are used globally, as every container that wants to use traefik,
# ! has to be reachable for traefik and all containers, routed with traefik, are connected to the proxy network.
proxy_network: proxy # noqa var-naming[no-role-prefix]
traefik_docker_bridge_name: docker-proxy
# Traefik IPv6 settings
# Enabling these will lead to traefik being reachable via the specified IPv6 address.
# Without any special handling of IPv6, the containers may still be reached via IPv6 but may use the docker internal IPv4 proxy,
# which results in the containers only seeing clients connecting with the internal network IPv4 gateway address.
traefik_ipv6:
enabled: false
# This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP).
# TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
firewall_rules_enabled: false
# The subnet that should be used. Usually has to have a size of at least `/80`
# (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}"
# The traefik container will use this static address, unless you explicitly use `{{ omit }}`
ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ansible.utils.ipaddr('2') | ansible.utils.ipaddr('address') }}"
# The name of the special ipv6 network which will be created and added to the traefik container
name: traefik_ipv6
# Should a general https redirect middleware be enabled for all hosts on the web endpoint?
traefik_https_redirect_all: true
# Should the letsencrypt certresolver be enabled/defined?
# Useful eg. for local testing/LAN setups
traefik_https_letsencrypt_enabled: true
# Extra configuration (dynamic) via a config file
# This has to be used, because setting default TLS configs etc. cannot be done via labels/commandline parameters
# This will by default set the minimum TLS version to v1.2 and only enable a few secure ciphers
traefik_dynamic_conf:
tls:
options:
default:
minVersion: "VersionTLS12"
sniStrict: true # Can be disabled for local testing, which will lead to traefik serving it's default certificate if none can be found
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
# This config allows to add new entrypoints to traefik which are also automatically exposed / the port is automatically allocated.
# Can be used in cases where traefik needs to be used as a proxy because of the certificates it holds. Eg. gitlab registry on the
# same domain, where we want to use the existing certificate for the registry too.
#
# Example entry:
# - name: gitlabregistry
# port: 5050
traefik_additional_entrypoints: []
# Enables debug log level
traefik_debug: false
# Should traefik log access?
traefik_access_log_enabled: false
# Optional environment variables that should be added (key value pairs)
traefik_options: {}
# Enables the tor container, to allow reaching traefik via an onion address/the tor network
traefik_tor_enabled: false
# The tor container version
traefik_tor_version: 0.4
# The tor container volume locations
traefik_tor_location: "{{ traefik_install_location }}/tor"
traefik_tor_data_location: "{{ traefik_tor_location }}/data"
traefik_tor_config_location: "{{ traefik_tor_location }}/config"
# Enables the acmedumper, to extract the certificates from traefik
traefik_acmedumper_enabled: false
# The acmedumper container version
traefik_acmedumper_version: "2.7.0"
traefik_acmedumper_image_version: "v{{ traefik_acmedumper_version }}"
# The acmedumper output location
traefik_acmedumper_location: "{{ traefik_install_location }}/certs"
# Enable or disable selinux handling
traefik_selinux_enabled: true
# The SELinux levels for tor/traefiks folders/container
traefik_selinux_level: "{{ omit }}"
traefik_tor_selinux_level: "{{ omit }}"
# Enable or disable firewalld handling (Allowing HTTP/HTTPS and trusting the docker network if necessary)
traefik_firewalld_enabled: true

7
roles/traefik/files/traefik-tor.conf
View file

@ -1,7 +0,0 @@
SocksPort 0
HiddenServiceDir /data/traefik
HiddenServicePort 80 proxy:80
HiddenServicePort 443 proxy:443
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SafeLogging 1

26
roles/traefik/handlers/main.yml
View file

@ -1,26 +0,0 @@
---
# Handlers file for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Restart tor proxy
ansible.builtin.command: "docker-compose restart tor"
args:
chdir: "{{ traefik_install_location }}"
register: compose_output
changed_when: compose_output.rc != 0
become: true

43
roles/traefik/meta/main.yml
View file

@ -1,43 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs traefik via docker with optional tor access and acmedumper."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker

43
roles/traefik/tasks/acmedumper.yml
View file

@ -1,43 +0,0 @@
---
# Tasks file traefik/acmedumper for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts for acme-dumper
community.general.sefcontext:
target: '{{ item }}(/.*)?'
setype: "container_file_t"
selevel: "{{ traefik_selinux_level | default(omit) }}"
state: present
with_items:
- "{{ traefik_acmedumper_location }}"
when:
- traefik_selinux_enabled
become: true
- name: Create data directory for acme-dumper
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0750'
owner: 'root'
group: 'root'
setype: "container_file_t"
selevel: "{{ traefik_selinux_level | default(omit) }}"
with_items:
- "{{ traefik_acmedumper_location }}"
become: true

224
roles/traefik/tasks/main.yml
View file

@ -1,224 +0,0 @@
---
# Tasks file for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
selevel: "{{ traefik_selinux_level }}"
state: present
with_items:
- "{{ traefik_acme_location }}"
- "{{ traefik_config_location }}"
when:
- traefik_selinux_enabled
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ traefik_install_location }}"
become: true
- name: Create data directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
setype: "container_file_t"
selevel: "{{ traefik_selinux_level }}"
with_items:
- "{{ traefik_acme_location }}"
- "{{ traefik_config_location }}"
become: true
- name: Include configs for Tor
ansible.builtin.include_tasks: tor.yml
when: traefik_tor_enabled | bool
- name: Include configs for acme-dumper
ansible.builtin.include_tasks: acmedumper.yml
when: traefik_acmedumper_enabled | bool
- name: Create proxy network
community.docker.docker_network:
name: "{{ proxy_network }}"
driver_options:
com.docker.network.bridge.name: "{{ traefik_docker_bridge_name }}"
become: true
- name: Create ipv6 frontend network
community.docker.docker_network:
name: "{{ traefik_ipv6.name }}"
enable_ipv6: true
ipam_config:
- subnet: "{{ traefik_ipv6.subnet }}"
become: true
when:
- traefik_ipv6 is defined
- traefik_ipv6.enabled
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
# This step is only needed in docker < 20.10, as docker does this by default now
- name: Trust our proxy network
ansible.posix.firewalld:
zone: trusted
interface: "{{ traefik_docker_bridge_name }}"
permanent: true
immediate: true
state: enabled
become: true
tags:
- firewall
when:
- traefik_firewalld_enabled
- docker_package in ansible_facts.packages
- ansible_facts.packages[docker_package][0].version is version('20.10', '<')
- name: Deploy dynamic_conf.yml
ansible.builtin.template:
src: dynamic_conf.yml
dest: "{{ traefik_config_location }}/dynamic_conf.yml"
owner: "root"
group: "root"
mode: "0600"
setype: "container_file_t"
selevel: "{{ traefik_selinux_level }}"
become: true
when:
- traefik_dynamic_conf != omit
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ traefik_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
become: true
- name: Compose traefik
community.docker.docker_compose_v2:
state: present
project_src: "{{ traefik_install_location }}"
pull: always
remove_orphans: true
become: true
- name: Read tor hostname
ansible.builtin.slurp:
src: "{{ traefik_tor_data_location }}/traefik/hostname"
register: proxy_hiddenservice # noqa: var-naming[no-role-prefix]
become: true
when: traefik_tor_enabled | bool
- name: Allow access to services
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
state: enabled
with_items:
- http
- https
become: true
when:
- traefik_firewalld_enabled
tags:
- firewall
# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
ansible.builtin.command:
argv:
- firewall-cmd
- --direct
- --add-rule
- ipv6
- filter
- FORWARD
- 0
- -p
- tcp
- --destination
- "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
- --dport
- "{{ item }}"
- -j
- ACCEPT
register: traefik_firewalld_direct_result
become: true
changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_result.stderr'
notify: restart docker
with_items:
- 80
- 443
when:
- traefik_firewalld_enabled
- traefik_ipv6 is defined
- traefik_ipv6.enabled
- traefik_ipv6.ip_addr is defined
- traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
ansible.builtin.command:
argv:
- firewall-cmd
- --permanent
- --direct
- --add-rule
- ipv6
- filter
- FORWARD
- 0
- -p
- tcp
- --destination
- "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
- --dport
- "{{ item }}"
- -j
- ACCEPT
register: traefik_firewalld_direct_permanent_result
become: true
changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_permanent_result.stderr'
with_items:
- 80
- 443
when:
- traefik_firewalld_enabled
- traefik_ipv6 is defined
- traefik_ipv6.enabled
- traefik_ipv6.ip_addr is defined
- traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled

81
roles/traefik/tasks/tor.yml
View file

@ -1,81 +0,0 @@
---
# Tasks file traefik/tor for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts tor
community.general.sefcontext:
target: '{{ item }}(/.*)?'
setype: "container_file_t"
selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
state: present
with_items:
- "{{ traefik_tor_data_location }}"
- "{{ traefik_tor_config_location }}"
when:
- traefik_selinux_enabled
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ traefik_tor_location }}"
become: true
- name: Create data directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: '994'
group: '994'
setype: "container_file_t"
selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
with_items:
- "{{ traefik_tor_data_location }}"
become: true
- name: Create config directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
setype: "container_file_t"
selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
mode: '0750'
owner: 'root'
group: 'root'
with_items:
- "{{ traefik_tor_config_location }}"
become: true
- name: Setup tor config
ansible.builtin.copy:
src: traefik-tor.conf
dest: "{{ traefik_tor_config_location }}/traefik.conf"
setype: "container_file_t"
selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
mode: '0644'
owner: 'root'
group: 'root'
notify: Restart tor proxy
become: true

201
roles/traefik/templates/docker-compose.yml
View file

@ -1,201 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
dockersocket:
image: quay.io/sheogorath/docker-socket-proxy:{{ traefik_dockersocketproxy_version }}
mem_limit: 16mb
memswap_limit: 32mb
security_opt:
- "label:disable"
read_only: true
tmpfs:
- /run/:size=32K
environment:
- "CONTAINERS=1"
- "LOG_LEVEL=notice"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
socket:
restart: always
{% if traefik_tor_enabled %}
tor:
image: quay.io/sheogorath/tor:{{ traefik_tor_version }}
mem_limit: 64mb
memswap_limit: 128mb
read_only: true
depends_on:
- proxy
security_opt:
- no-new-privileges
{% if traefik_tor_selinux_level != omit %}
- label=level:{{ traefik_tor_selinux_level }}
{% endif %}
tmpfs:
- /var/lib/tor/.tor:size=10M,uid=994,gid=994,mode=1700
volumes:
- "{{ traefik_tor_data_location }}:/data"
- "{{ traefik_tor_config_location }}:/etc/torrc.d/:ro"
networks:
tor_internal:
tor_external:
restart: always
{% endif %}
proxy:
image: docker.io/library/traefik:{{ traefik_version }}
cpu_shares: 3072
mem_limit: 256mb
memswap_limit: 512mb
read_only: true
restart: always
labels:
- "traefik.enable=true"
{% if traefik_https_redirect_all %}
- "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
- "traefik.http.routers.http_catchall.entrypoints=web"
- "traefik.http.routers.http_catchall.middlewares=https_redirect"
{% endif %}
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
- "traefik.http.middlewares.compress.compress=true"
{% if traefik_dashboard_auth is defined %}
- "traefik.http.routers.api.rule=Host(`{{ traefik_dashboard_domain }}`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=traefikauth"
- "traefik.http.middlewares.traefikauth.basicauth.users={{ traefik_dashboard_auth }}"
{% endif %}
depends_on:
- dockersocket
{% if traefik_selinux_level != omit %}
security_opt:
- label=level:{{ traefik_selinux_level }}
{% endif %}
ports:
- "80:80"
- "443:443"
{% for entrypoint in traefik_additional_entrypoints %}
- "{{ entrypoint.port }}:{{ entrypoint.port }}"
{% endfor %}
volumes:
- "{{ traefik_acme_location }}:/etc/traefik/acme"
{% if traefik_dynamic_conf != omit %}
- "{{ traefik_config_location }}:/etc/traefik/dynamic_conf:ro"
{% endif %}
command:
- "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
{% for entrypoint in traefik_additional_entrypoints %}
- "--entryPoints.{{ entrypoint.name }}.address=:{{ entrypoint.port }}"
{% endfor %}
- "--accesslog={{ traefik_access_log_enabled | bool | lower }}"
{% if traefik_dynamic_conf != omit %}
- "--providers.file.directory=/etc/traefik/dynamic_conf"
- "--providers.file.watch=true"
{% endif %}
- "--providers.docker=true"
- "--providers.docker.endpoint=tcp://dockersocket:2375"
- "--providers.docker.exposedByDefault=false"
{% if traefik_https_letsencrypt_enabled %}
- "--certificatesResolvers.letsencrypt_http.acme.email={{ traefik_letsencrypt_email }}"
- "--certificatesResolvers.letsencrypt_http.acme.storage=/etc/traefik/acme/acme.json"
- "--certificatesResolvers.letsencrypt_http.acme.httpChallenge.entrypoint=web"
{% endif %}
{% if traefik_debug %}
- "--log.level=DEBUG"
{% endif %}
networks:
{{ proxy_network }}:
{% if traefik_aliases is defined %}
aliases:
{% for alias in traefik_aliases %}
- "{{ alias }}"
{% endfor %}
{% endif %}
socket:
{% if traefik_tor_enabled %}
tor_internal:
{% endif %}
{% if traefik_ipv6.enabled %}
{{ traefik_ipv6.name }}:
{% if traefik_ipv6.ip_addr != omit %}
ipv6_address: {{ traefik_ipv6.ip_addr | ansible.utils.ipaddr('address') }}
{% endif %}
{% endif %}
{% if traefik_options | length > 0 %}
environment:
{% for key, value in traefik_options.items() %}
- "{{ key }}={{ value }}"
{% endfor %}
{% endif %}
{% if traefik_acmedumper_enabled %}
acme-dumper:
image: docker.io/ldez/traefik-certs-dumper:{{ traefik_acmedumper_image_version }}
read_only: true
mem_limit: 64mb
memswap_limit: 128mb
network_mode: none
security_opt:
- no-new-privileges
{% if traefik_selinux_level != omit %}
- label=level:{{ traefik_selinux_level }}
{% endif %}
cap_drop:
- all
volumes:
- "{{ traefik_acme_location }}:/etc/traefik/acme:ro"
- "{{ traefik_acmedumper_location }}:/export"
command:
- "file"
- "--domain-subdir"
- "--crt-ext=.pem"
- "--key-ext=.pem"
- "--crt-name=fullchain"
- "--key-name=privkey"
- "--source=/etc/traefik/acme/acme-v2.json"
- "--dest=/export"
- "--version=v2"
- "--watch"
{% endif %}
networks:
{{ proxy_network }}:
external: true
socket:
internal: true
{% if traefik_tor_enabled %}
tor_internal:
internal: true
tor_external:
{% endif %}
{% if traefik_ipv6.enabled %}
{{ traefik_ipv6.name }}:
external: true
{% endif %}

4
roles/traefik/templates/dynamic_conf.yml
View file

@ -1,4 +0,0 @@
{{ ansible_managed | comment }}
# Dynamic configuration
{{ traefik_dynamic_conf | to_nice_yaml(indent=2) }}