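---
# Default variables for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# The install locations.
# NOTE(review): `traefik_acme_location` ends up holding acme.json, which
# contains the private keys of every issued certificate; keep it owner-only.
traefik_install_location: /srv/traefik
traefik_acme_location: "{{ traefik_install_location }}/acme"
traefik_config_location: "{{ traefik_install_location }}/dynamic_conf"

# The traefik/dockersocketproxy version to be used.
# Traefik talks to Docker through the socket proxy instead of a directly
# mounted docker socket, so a compromised traefik cannot drive the daemon.
# renovate: depName=docker.io/library/traefik
traefik_version: v2.10.7
# renovate: depName=quay.io/sheogorath/docker-socket-proxy
traefik_dockersocketproxy_version: "2.3"

# The domain for the traefik debug dashboard (only exposed if the dashboard
# auth variable is defined).
traefik_dashboard_domain: "traefik.example.com"
# A basic auth users string (see https://docs.traefik.io/v2.0/middlewares/basicauth/)
# Use htpasswd-style hashed entries (e.g. bcrypt), never plaintext, and keep
# the value in Ansible Vault rather than in a committed vars file.
# traefik_dashboard_auth: ''

# The email to use for Let's Encrypt certificate requests
traefik_letsencrypt_email: no-reply@example.com

# The proxy network name and the bridge name (you usually do not touch these)
# ! Note these are used globally, as every container that wants to use traefik,
# ! has to be reachable for traefik and all containers, routed with traefik,
# ! are connected to the proxy network.
proxy_network: proxy  # noqa var-naming[no-role-prefix]
traefik_docker_bridge_name: docker-proxy

# Traefik IPv6 settings
# Enabling these will lead to traefik being reachable via the specified IPv6 address.
# Without any special handling of IPv6, the containers may still be reached via IPv6
# but may use the docker internal IPv4 proxy, which results in the containers only
# seeing clients connecting with the internal network IPv4 gateway address
# (which also breaks any client-IP based access logging/rate limiting).
traefik_ipv6:
  enabled: false
  # This controls, if iptables rules should be deployed, to forward incoming traffic
  # from 80/443 with a destination of the specified IP (traefik's IP).
  # TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
  firewall_rules_enabled: false
  # The subnet that should be used. Usually has to have a size of at least `/80`
  # (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
  # The filters are fully qualified (ansible.utils.*) to match `ip_addr` below;
  # the unqualified `ipsubnet` only works through a collection redirect.
  subnet: "{{ ansible_default_ipv6.address | ansible.utils.ipsubnet(64) | ansible.utils.ipsubnet(80, 51966) }}"
  # The traefik container will use this static address, unless you explicitly use `{{ omit }}`
  ip_addr: "{{ ansible_default_ipv6.address | ansible.utils.ipsubnet(64) | ansible.utils.ipsubnet(80, 51966) | ansible.utils.ipaddr('2') | ansible.utils.ipaddr('address') }}"
  # The name of the special ipv6 network which will be created and added to the traefik container
  name: traefik_ipv6

# Should a general https redirect middleware be enabled for all hosts on the web endpoint?
traefik_https_redirect_all: true

# Should the letsencrypt certresolver be enabled/defined?
# Useful eg. for local testing/LAN setups
traefik_https_letsencrypt_enabled: true

# Extra configuration (dynamic) via a config file
# This has to be used, because setting default TLS configs etc. cannot be done
# via labels/commandline parameters.
# This will by default set the minimum TLS version to v1.2 and only enable a few
# secure ciphers.
# NOTE(review): `cipherSuites` only governs TLS 1.2; TLS 1.3 suites are fixed by
# Go and cannot be configured here. The list is ECDHE-RSA only, so an ECDSA
# certificate would have no usable TLS 1.2 suite — extend it if you switch key types.
traefik_dynamic_conf:
  tls:
    options:
      default:
        minVersion: "VersionTLS12"
        # Can be disabled for local testing, which will lead to traefik serving
        # its default certificate if none can be found. Keep it enabled in
        # production so clients without SNI do not get a certificate at all.
        sniStrict: true
        cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

# This config allows to add new entrypoints to traefik which are also automatically
# exposed / the port is automatically allocated.
# Can be used in cases where traefik needs to be used as a proxy because of the
# certificates it holds. Eg. gitlab registry on the same domain, where we want to
# use the existing certificate for the registry too.
# Every entry here opens an additional listening port on the host; make sure the
# firewall rules cover it.
#
# Example entry:
# - name: gitlabregistry
#   port: 5050
traefik_additional_entrypoints: []

# Enables debug log level (verbose; may include request details — avoid in production)
traefik_debug: false

# Should traefik log access? Disabled by default; enable it where you need
# request-level evidence for incident response.
traefik_access_log_enabled: false

# Optional environment variables that should be added (key value pairs).
# If these carry credentials (e.g. a DNS provider token for ACME), source them
# from Ansible Vault, not from a plaintext vars file.
traefik_options: {}

# Enables the tor container, to allow reaching traefik via an onion address/the tor network
traefik_tor_enabled: false
# The tor container version (quoted: an unquoted 0.4 would be parsed as a float)
traefik_tor_version: "0.4"
# The tor container volume locations
traefik_tor_location: "{{ traefik_install_location }}/tor"
traefik_tor_data_location: "{{ traefik_tor_location }}/data"
traefik_tor_config_location: "{{ traefik_tor_location }}/config"

# Enables the acmedumper, to extract the certificates from traefik.
# The dump includes the private keys, so the output location must be as tightly
# permissioned as the acme directory itself.
traefik_acmedumper_enabled: false
# The acmedumper container version
traefik_acmedumper_version: "2.7.0"
traefik_acmedumper_image_version: "v{{ traefik_acmedumper_version }}"
# The acmedumper output location
traefik_acmedumper_location: "{{ traefik_install_location }}/certs"

# Enable or disable selinux handling
traefik_selinux_enabled: true
# The SELinux levels for tor/traefiks folders/container
traefik_selinux_level: "{{ omit }}"
traefik_tor_selinux_level: "{{ omit }}"

# Enable or disable firewalld handling (Allowing HTTP/HTTPS and trusting the
# docker network if necessary)
traefik_firewalld_enabled: true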