diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index b9ad25a..004ffbd 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -49,8 +49,8 @@ traefik_docker_bridge_name: docker-proxy
 traefik_ipv6:
   enabled: false
   firewall_rules_enabled: false # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP). TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
-  subnet: undef # The subnet that should be used. Usually has to have a size of at least `/80` (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
-  ip_addr: undef # (optional) If defined, the traefik container will use this static address
+  subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}" # The subnet that should be used. Usually has to have a size of at least `/80` (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
+  ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ipaddr('2') | ipaddr('address') }}" # The traefik container will use this static address, unless you explicitly use `{{ omit }}`
   name: traefik_ipv6 # The name of the special ipv6 network which will be created and added to the traefik container
 
 # Should a general https redirect middleware be enabled for all hosts on the web endpoint?
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 5fb73f0..0cce874 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
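Review bot: The new `subnet` and `ip_addr` defaults dereference `ansible_default_ipv6.address`, which does not exist on a host without a default IPv6 route (the fact is typically an empty dict there), and because Ansible templates the whole `traefik_ipv6` mapping whenever one of its keys is referenced, even hosts with `enabled: false` would presumably fail with an undefined-variable error at the first `traefik_ipv6.enabled` check; worth confirming on an IPv4-only host. Falling back to `omit` keeps the escape hatch the trailing comment already documents: `subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) if ansible_default_ipv6.address is defined else omit }}"`, with the same conditional wrapped around the `ip_addr` expression. The literal `51966` also deserves a word in the comment, e.g. `# 51966 (0xcafe) is the index of the /80 taken out of the host's /64 for the traefik network`.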
@@ -140,10 +140,11 @@
 
 # NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
 - name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
-  command: "firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr }}/128 --dport {{ item }} -j ACCEPT"
+  command: "firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
   register: firewalld_direct_result
   become: true
-  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stdout'
+  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stderr'
+  notify: restart docker
   with_items:
     - 80
     - 443
@@ -153,3 +154,17 @@
     - traefik_ipv6.ip_addr is defined
     - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
 
+# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
+- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
+  command: "firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
+  register: firewalld_direct_permanent_result
+  become: true
+  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_permanent_result.stderr'
+  with_items:
+    - 80
+    - 443
+  when:
+    - traefik_ipv6 is defined
+    - traefik_ipv6.enabled
+    - traefik_ipv6.ip_addr is defined
+    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
diff --git a/roles/traefik/templates/docker-compose.yml b/roles/traefik/templates/docker-compose.yml
index 9b7dbc9..325f146 100644
--- a/roles/traefik/templates/docker-compose.yml
+++ b/roles/traefik/templates/docker-compose.yml
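Review bot: Both firewalld tasks still gate on `traefik_ipv6.ip_addr is defined`, but after this commit `ip_addr` always carries a default and the documented way to disable the static address is `{{ omit }}`, so a user who sets it to omit would still run `firewall-cmd` with `{{ traefik_ipv6.ip_addr | ipaddr('address') }}` presumably rendering `False` (the ipaddr filter returns false for anything that is not an address, and the omit placeholder is not one), i.e. `--destination False/128`. Replacing that condition with `- traefik_ipv6.ip_addr | ipaddr('address')` in both tasks skips the rule whenever no usable address is configured; for the runtime task the `when:` list starts below this hunk, for the permanent task added in the second hunk it is fully visible. A one-line why-comment above the new `notify: restart docker`, saying why the Docker daemon has to be restarted once the runtime rule is in place, would also help, since the handler itself is outside this diff and a firewall rule change restarting every container is not obvious from the task.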
@@ -133,8 +133,8 @@ services:
 {% endif %}
 {% if traefik_ipv6.enabled %}
       {{ traefik_ipv6.name }}:
-{% if traefik_ipv6.ip_addr is defined %}
-        ipv6_address: {{ traefik_ipv6.ip_addr }}
+{% if traefik_ipv6.ip_addr != omit %}
+        ipv6_address: {{ traefik_ipv6.ip_addr | ipaddr('address') }}
 {% endif %}
 {% endif %}
 
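Review bot: The `ipv6_address` value is now `traefik_ipv6.ip_addr | ipaddr('address')`, which yields false for any input that is not an address, so a mistyped `ip_addr` override would presumably render `ipv6_address: False` into the compose file instead of failing at templating time, and the `!= omit` guard on the line above does not catch that. Testing the normalised address itself covers both the omit and the invalid case in one line, `{% if traefik_ipv6.ip_addr | ipaddr('address') %}`, and keeps the template's notion of "no static address" aligned with the guard the firewalld tasks in tasks/main.yml use. The `networks:` stanza this block belongs to starts above the hunk.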