traefik: Fix IPv6 support to work properly

With some of the recently introduced changes especially around the
defaults and ipv6 addresses, this patch fixes all remaining issues and
makes sure the docker and firewall configuration fits the expectations.

Original commit: 7819c8fcc8

roles/traefik/defaults/main.yml

@@ -49,8 +49,8 @@ traefik_docker_bridge_name: docker-proxy
 traefik_ipv6:
   enabled: false
   firewall_rules_enabled: false # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP). TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
-  subnet: undef # The subnet that should be used. Usually has to have a size of at least `/80` (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
+  subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}" # The subnet that should be used. Usually has to have a size of at least `/80` (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
-  ip_addr: undef # (optional) If defined, the traefik container will use this static address
+  ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ipaddr('2') | ipaddr('address') }}" # The traefik container will use this static address, unless you explicitly use `{{ omit }}`
   name: traefik_ipv6 # The name of the special ipv6 network which will be created and added to the traefik container
 
 # Should a general https redirect middleware be enabled for all hosts on the web endpoint?

roles/traefik/tasks/main.yml

@@ -140,10 +140,11 @@
 
 # NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
 - name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
-  command: "firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr }}/128 --dport {{ item }} -j ACCEPT"
+  command: "firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
   register: firewalld_direct_result
   become: true
-  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stdout'
+  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stderr'
+  notify: restart docker
   with_items:
     - 80
     - 443
@@ -153,3 +154,17 @@
     - traefik_ipv6.ip_addr is defined
     - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
 
+# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
+- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
+  command: "firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
+  register: firewalld_direct_permanent_result
+  become: true
+  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_permanent_result.stderr'
+  with_items:
+    - 80
+    - 443
+  when:
+    - traefik_ipv6 is defined
+    - traefik_ipv6.enabled
+    - traefik_ipv6.ip_addr is defined
+    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled

roles/traefik/templates/docker-compose.yml

@@ -133,8 +133,8 @@ services:
 {% endif %}
 {% if traefik_ipv6.enabled %}
       {{ traefik_ipv6.name }}:
-{% if traefik_ipv6.ip_addr is defined %}
+{% if traefik_ipv6.ip_addr != omit %}
-        ipv6_address: {{ traefik_ipv6.ip_addr }}
+        ipv6_address: {{ traefik_ipv6.ip_addr | ipaddr('address') }}
 {% endif %}
 {% endif %}