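---
# Tasks file for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# Label the ACME and config trees so the (SELinux-confined) containers may
# read/write them; the file tasks below apply the same type and level.
- name: Update default SELinux contexts
  sefcontext:
    target: '{{ item }}(/.*)?'
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"
    state: present
  with_items:
    - "{{ traefik_acme_location }}"
    - "{{ traefik_config_location }}"
  become: true

# Root-only (0700): this directory holds the rendered docker-compose.yml.
- name: Create install directory
  file:
    path: "{{ item }}"
    state: directory
    mode: '0700'
    owner: 'root'
    group: 'root'
  with_items:
    - "{{ traefik_install_location }}"
  become: true

# Root-only (0700): ACME data (account keys / certificates) and config live
# here, labelled so the container can access them.
- name: Create data directory
  file:
    path: "{{ item }}"
    state: directory
    mode: '0700'
    owner: 'root'
    group: 'root'
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"
  with_items:
    - "{{ traefik_acme_location }}"
    - "{{ traefik_config_location }}"
  become: true

- name: Include configs for Tor
  include_tasks: tor.yml
  when: traefik_tor_enabled | bool

- name: Include configs for acme-dumper
  include_tasks: acmedumper.yml
  when: traefik_acmedumper_enabled | bool

# The bridge name is pinned so the firewalld task below can refer to it.
- name: Create proxy network
  docker_network:
    name: "{{ proxy_network }}"
    driver_options:
      com.docker.network.bridge.name: "{{ traefik_docker_bridge_name }}"
  become: true

- name: Create ipv6 frontend network
  docker_network:
    name: "{{ traefik_ipv6.name }}"
    enable_ipv6: true
    ipam_config:
      - subnet: "{{ traefik_ipv6.subnet }}"
  when:
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
  become: true

# NOTE: the "trusted" zone accepts every packet arriving on this interface,
# so anything attached to the proxy bridge is fully trusted by the host.
- name: Trust our proxy network
  firewalld:
    zone: trusted
    interface: "{{ traefik_docker_bridge_name }}"
    permanent: true
    immediate: true
    state: enabled
  become: true
  tags:
    - firewall

- name: Deploy dynamic_conf.yml
  template:
    src: dynamic_conf.yml
    dest: "{{ traefik_config_location }}/dynamic_conf.yml"
    owner: 'root'
    group: 'root'
    mode: '0600'
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"
  when:
    - traefik_dynamic_conf != omit
  become: true

# The rendered file is checked with `compose config` before it replaces the
# live one, so a template error does not leave a broken stack behind.
# NOTE(review): validate relies on a python2 `compose` module on the host —
# confirm this matches the installed docker-compose.
- name: Deploy docker-compose.yml
  template:
    src: docker-compose.yml
    dest: "{{ traefik_install_location }}/docker-compose.yml"
    mode: '0600'
    owner: 'root'
    group: 'root'
    validate: python2 -m compose -f %s config -q
  tags:
    - docker
  become: true

- name: Compose traefik
  docker_compose:
    state: present
    project_src: "{{ traefik_install_location }}"
    pull: true
    remove_orphans: true
  become: true

# slurp returns the file base64-encoded in proxy_hiddenservice.content.
- name: Read tor hostname
  slurp:
    src: "{{ traefik_tor_data_location }}/traefik/hostname"
  register: proxy_hiddenservice
  when: traefik_tor_enabled | bool
  become: true

- name: Allow access to services
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
  with_items:
    - http
    - https
  become: true
  tags:
    - firewall

# Runtime rule: forward TCP 80/443 to the container's IPv6 address. The
# ipaddr('address') filter normalises (and rejects malformed) ip_addr.
# NOTE: This rule does not care about new / old ip values, so removal must be
# made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS
  command: "firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
  register: firewalld_direct_result
  # firewall-cmd reports an existing rule via ALREADY_ENABLED on stderr.
  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stderr'
  notify: restart docker
  with_items:
    - 80
    - 443
  when:
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
  become: true

# Same rule persisted (--permanent) so it survives a firewalld reload.
# NOTE: This rule does not care about new / old ip values, so removal must be
# made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS (permanent)
  command: "firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -p tcp --destination {{ traefik_ipv6.ip_addr | ipaddr('address') }}/128 --dport {{ item }} -j ACCEPT"
  register: firewalld_direct_permanent_result
  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_permanent_result.stderr'
  with_items:
    - 80
    - 443
  when:
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
  become: true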