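---
# Tasks file for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# Label the ACME and config trees as container_file_t so the traefik
# container may access them under SELinux. Skipped unless the role's
# SELinux handling is switched on.
- name: Update default SELinux contexts
  community.general.sefcontext:
    target: '{{ item }}(/.*)?'
    setype: 'container_file_t'
    selevel: '{{ traefik_selinux_level }}'
    state: present
  with_items:
    - '{{ traefik_acme_location }}'
    - '{{ traefik_config_location }}'
  when:
    - traefik_selinux_enabled
  become: true

# Install tree holds the rendered compose file; root-only (0700).
- name: Create install directory
  ansible.builtin.file:
    path: '{{ item }}'
    state: directory
    mode: '0700'
    owner: 'root'
    group: 'root'
  with_items:
    - '{{ traefik_install_location }}'
  become: true

# Data trees (ACME state, dynamic config) are root-only as well; the
# SELinux attributes are set directly here so a fresh directory is
# labelled correctly without waiting for a restorecon.
- name: Create data directory
  ansible.builtin.file:
    path: '{{ item }}'
    state: directory
    mode: '0700'
    owner: 'root'
    group: 'root'
    setype: 'container_file_t'
    selevel: '{{ traefik_selinux_level }}'
  with_items:
    - '{{ traefik_acme_location }}'
    - '{{ traefik_config_location }}'
  become: true

# Optional sub-features live in their own task files.
- name: Include configs for Tor
  ansible.builtin.include_tasks: tor.yml
  when: traefik_tor_enabled | bool

- name: Include configs for acme-dumper
  ansible.builtin.include_tasks: acmedumper.yml
  when: traefik_acmedumper_enabled | bool

# Shared bridge network that proxied containers join. The bridge interface
# name is pinned so the firewalld task below can reference it.
- name: Create proxy network
  community.docker.docker_network:
    name: '{{ proxy_network }}'
    driver_options:
      com.docker.network.bridge.name: '{{ traefik_docker_bridge_name }}'
  become: true

# Separate IPv6-enabled frontend network; only created when the
# traefik_ipv6 mapping is supplied and enabled.
- name: Create ipv6 frontend network
  community.docker.docker_network:
    name: '{{ traefik_ipv6.name }}'
    enable_ipv6: true
    ipam_config:
      - subnet: '{{ traefik_ipv6.subnet }}'
  become: true
  when:
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled

# Needed for the docker version comparison in the next task.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto

# This step is only needed in docker < 20.10, as docker does this by default now
- name: Trust our proxy network
  ansible.posix.firewalld:
    zone: trusted
    interface: '{{ traefik_docker_bridge_name }}'
    permanent: true
    immediate: true
    state: enabled
  become: true
  tags:
    - firewall
  when:
    - traefik_firewalld_enabled
    - docker_package in ansible_facts.packages
    - ansible_facts.packages[docker_package][0].version is version('20.10', '<')

# Dynamic configuration is optional; the `!= omit` comparison is how the
# role detects that the caller left traefik_dynamic_conf unset.
- name: Deploy dynamic_conf.yml
  ansible.builtin.template:
    src: dynamic_conf.yml
    dest: '{{ traefik_config_location }}/dynamic_conf.yml'
    owner: 'root'
    group: 'root'
    mode: '0600'
    setype: 'container_file_t'
    selevel: '{{ traefik_selinux_level }}'
  become: true
  when:
    - traefik_dynamic_conf != omit

# The rendered compose file is validated (`docker-compose config`) before
# it is moved into place, so a broken template never reaches the host.
- name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: '{{ traefik_install_location }}/docker-compose.yml'
    mode: '0600'
    owner: 'root'
    group: 'root'
    validate: docker-compose -f %s config -q
  tags:
    - docker
  become: true

# pull: true refreshes images on every run; remove_orphans drops services
# no longer present in the compose file.
- name: Compose traefik
  community.docker.docker_compose:
    state: present
    project_src: '{{ traefik_install_location }}'
    pull: true
    remove_orphans: true
  become: true

# Exposes the generated onion hostname to later tasks/templates.
- name: Read tor hostname
  ansible.builtin.slurp:
    src: '{{ traefik_tor_data_location }}/traefik/hostname'
  register: proxy_hiddenservice
  become: true
  when: traefik_tor_enabled | bool

# Opens HTTP/HTTPS in the default zone (permanent only; takes effect on
# the next firewalld reload).
- name: Allow access to services
  ansible.posix.firewalld:
    service: '{{ item }}'
    permanent: true
    state: enabled
  with_items:
    - http
    - https
  become: true
  when:
    - traefik_firewalld_enabled
  tags:
    - firewall

# The two tasks below add the same FORWARD rule twice: once to the running
# ruleset and once to the permanent configuration. The rule is scoped to
# the single traefik IPv6 address (/128) and ports 80/443 only.
# `argv` is used so no shell is involved. `firewall-cmd` reports an
# existing rule via "ALREADY_ENABLED" on stderr, which is what drives
# changed_when. The default('2001:db8::') fallback can never apply while
# the `ip_addr is defined` guard is in the when list.
# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS (runtime rule)
  ansible.builtin.command:
    argv:
      - firewall-cmd
      - --direct
      - --add-rule
      - ipv6
      - filter
      - FORWARD
      - 0
      - -p
      - tcp
      - --destination
      - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128"
      - --dport
      - '{{ item }}'
      - -j
      - ACCEPT
  register: firewalld_direct_result
  become: true
  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_result.stderr'
  notify: restart docker
  with_items:
    - 80
    - 443
  when:
    - traefik_firewalld_enabled
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled

# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS (permanent rule)
  ansible.builtin.command:
    argv:
      - firewall-cmd
      - --permanent
      - --direct
      - --add-rule
      - ipv6
      - filter
      - FORWARD
      - 0
      - -p
      - tcp
      - --destination
      - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128"
      - --dport
      - '{{ item }}'
      - -j
      - ACCEPT
  register: firewalld_direct_permanent_result
  become: true
  changed_when: '"ALREADY_ENABLED" not in firewalld_direct_permanent_result.stderr'
  with_items:
    - 80
    - 443
  when:
    - traefik_firewalld_enabled
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled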