---
# Tasks file for the traefik role

# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Register a default SELinux file context for the ACME and config
# directories so that files created below them are labelled
# container_file_t and stay accessible to the containers.
# Only runs when the role's SELinux handling is switched on.
- name: Update default SELinux contexts
  community.general.sefcontext:
    # regex covering the directory itself and everything beneath it
    target: "{{ item }}(/.*)?"
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"
    state: present
  loop:
    - "{{ traefik_acme_location }}"
    - "{{ traefik_config_location }}"
  when: traefik_selinux_enabled
  become: true

# Directory that later receives the rendered docker-compose.yml.
# Root-owned and 0700: nothing but root needs to read the compose file.
- name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "root"
    group: "root"
    mode: "0700"
  loop:
    - "{{ traefik_install_location }}"
  become: true

# ACME storage and config directory, both mounted into the container
# and therefore labelled container_file_t explicitly here (the sefcontext
# task above only sets the *default* for new files).
# NOTE(review): setype/selevel are applied regardless of
# traefik_selinux_enabled, unlike the sefcontext task — confirm this is
# intended for hosts without SELinux.
- name: Create data directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "root"
    group: "root"
    mode: "0700"
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"
  loop:
    - "{{ traefik_acme_location }}"
    - "{{ traefik_config_location }}"
  become: true

# Optional Tor hidden-service setup; lives in its own task file.
- name: Include configs for Tor
  when: traefik_tor_enabled | bool
  ansible.builtin.include_tasks: tor.yml

# Optional acme-dumper (certificate export) setup; separate task file.
- name: Include configs for acme-dumper
  when: traefik_acmedumper_enabled | bool
  ansible.builtin.include_tasks: acmedumper.yml

# Shared docker network that proxied services join. The bridge interface
# name is pinned so the firewalld tasks further down can refer to it.
- name: Create proxy network
  become: true
  community.docker.docker_network:
    name: "{{ proxy_network }}"
    driver_options:
      com.docker.network.bridge.name: "{{ traefik_docker_bridge_name }}"

# IPv6-enabled frontend network, created only when the traefik_ipv6
# dictionary is present and switched on. The subnet comes from the same
# dictionary.
- name: Create ipv6 frontend network
  become: true
  when: traefik_ipv6 is defined and traefik_ipv6.enabled
  community.docker.docker_network:
    name: "{{ traefik_ipv6.name }}"
    enable_ipv6: true
    ipam_config:
      - subnet: "{{ traefik_ipv6.subnet }}"

# Collect installed-package facts; the firewalld task below reads the
# docker package version from ansible_facts.packages.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto

# This step is only needed in docker < 20.10, as docker does this by default now.
# Moves the docker bridge interface into firewalld's "trusted" zone, i.e.
# traffic arriving on that interface is not filtered by firewalld. Applied
# to both the permanent and the running configuration, and only when the
# installed docker package is older than 20.10.
- name: Trust our proxy network
  ansible.posix.firewalld:
    zone: trusted
    interface: "{{ traefik_docker_bridge_name }}"
    permanent: true
    immediate: true
    state: enabled
  become: true
  tags:
    - firewall
  when: >-
    traefik_firewalld_enabled
    and docker_package in ansible_facts.packages
    and ansible_facts.packages[docker_package][0].version is version('20.10', '<')

# Render the dynamic configuration into the config directory, root-only
# (0600) and labelled for container access.
# NOTE(review): the condition compares against the `omit` placeholder;
# presumably traefik_dynamic_conf defaults to omit so the task is skipped
# when no dynamic config is supplied — verify against the role defaults.
- name: Deploy dynamic_conf.yml
  become: true
  when: traefik_dynamic_conf != omit
  ansible.builtin.template:
    src: dynamic_conf.yml
    dest: "{{ traefik_config_location }}/dynamic_conf.yml"
    owner: "root"
    group: "root"
    mode: "0600"
    setype: "container_file_t"
    selevel: "{{ traefik_selinux_level }}"

# Render the compose file into the install directory. The rendered file is
# checked with `docker compose config` before it replaces the old one, so a
# broken template never reaches the "Compose traefik" step. Kept 0600/root
# as it is the file most likely to hold secrets.
- name: Deploy docker-compose.yml
  become: true
  tags:
    - docker
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ traefik_install_location }}/docker-compose.yml"
    owner: "root"
    group: "root"
    mode: "0600"
    validate: docker compose -f %s config -q

# Bring the stack up from the rendered compose file. `pull: always`
# re-pulls the images on every run, so which image actually runs is
# decided by the tags/digests in the compose template; `remove_orphans`
# drops containers no longer listed there.
- name: Compose traefik
  become: true
  community.docker.docker_compose_v2:
    project_src: "{{ traefik_install_location }}"
    state: present
    pull: always
    remove_orphans: true

# Read the onion hostname generated by the Tor container so it can be
# used later. The registered name deliberately carries no role prefix
# (see the noqa), presumably because it is consumed outside this role.
- name: Read tor hostname
  become: true
  when: traefik_tor_enabled | bool
  ansible.builtin.slurp:
    src: "{{ traefik_tor_data_location }}/traefik/hostname"
  register: proxy_hiddenservice # noqa: var-naming[no-role-prefix]

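# Open the http and https firewalld services. `permanent` records the
# change in the persistent configuration; `immediate` also applies it to
# the running firewall, so the ports are reachable right away instead of
# only after the next firewalld reload (the "Trust our proxy network"
# task above already sets both flags).
- name: Allow access to services
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
  become: true
  when: traefik_firewalld_enabled
  tags:
    - firewall
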
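# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
# Runtime half of the IPv6 FORWARD allow-rule for traefik's own address.
# ansible.posix.firewalld does not manage direct rules, hence the raw
# firewall-cmd call; "0" is the rule priority. firewall-cmd reports an
# already present rule with "ALREADY_ENABLED" on stderr, which is what
# changed_when keys on. The task name carries "(runtime)" so it can be
# told apart in logs from the otherwise identical permanent rule below.
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS (runtime)
  ansible.builtin.command:
    argv:
      - firewall-cmd
      - --direct
      - --add-rule
      - ipv6
      - filter
      - FORWARD
      - 0
      - -p
      - tcp
      - --destination
      # only traffic to traefik's IPv6 address; the default() is never hit
      # at run time because `when` requires ip_addr to be defined
      - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
      - --dport
      - "{{ item }}"
      - -j
      - ACCEPT
  register: traefik_firewalld_direct_result
  become: true
  changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_result.stderr'
  notify: restart docker
  loop:
    - 80
    - 443
  when:
    - traefik_firewalld_enabled
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled
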
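# NOTE: This rule does not care about new / old ip values, so removal must be made by hand!
# Permanent half of the IPv6 FORWARD allow-rule (--permanent), so the rule
# survives a firewalld reload; the runtime rule is added by the task above.
# Same firewall-cmd invocation and the same "ALREADY_ENABLED" stderr check
# for idempotence. The task name carries "(permanent)" so the two tasks are
# distinguishable in logs.
- name: Configure firewalld to allow IPv6 traffic for HTTP/HTTPS (permanent)
  ansible.builtin.command:
    argv:
      - firewall-cmd
      - --permanent
      - --direct
      - --add-rule
      - ipv6
      - filter
      - FORWARD
      - 0
      - -p
      - tcp
      - --destination
      # only traffic to traefik's IPv6 address; the default() is never hit
      # at run time because `when` requires ip_addr to be defined
      - "{{ traefik_ipv6.ip_addr | default('2001:db8::') | ansible.utils.ipaddr('address') }}/128" # noqa: jinja[invalid]
      - --dport
      - "{{ item }}"
      - -j
      - ACCEPT
  register: traefik_firewalld_direct_permanent_result
  become: true
  changed_when: '"ALREADY_ENABLED" not in traefik_firewalld_direct_permanent_result.stderr'
  loop:
    - 80
    - 443
  when:
    - traefik_firewalld_enabled
    - traefik_ipv6 is defined
    - traefik_ipv6.enabled
    - traefik_ipv6.ip_addr is defined
    - traefik_ipv6.firewall_rules_enabled is defined and traefik_ipv6.firewall_rules_enabled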