infrastructure/roles/traefik/defaults/main.yml

---
# Default variables for the traefik role

# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
# Copyright (C) 2020       Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# The install locations
traefik_install_location: /srv/traefik
traefik_acme_location: "{{ traefik_install_location }}/acme"
traefik_config_location: "{{ traefik_install_location }}/dynamic_conf"

# The traefik/dockersocketproxy version to be used
# renovate: depName=docker.io/library/traefik
traefik_version: v2.11.3
# renovate: depName=quay.io/sheogorath/docker-socket-proxy
traefik_dockersocketproxy_version: "2.3"

# The domain for the traefik debug dashboard (only shown if the dashboard auth variable is defined)
traefik_dashboard_domain: "traefik.example.com"

# A basic auth users string (see https://docs.traefik.io/v2.0/middlewares/basicauth/)
# traefik_dashboard_auth: ''

# The email to use for letencrypt certificate requests
traefik_letsencrypt_email: no-reply@example.com

# The proxy network name and the bridge name (you usually do not touch these)
# ! Note these are used globally, as every container that wants to use traefik,
# ! has to be reachable for traefik and all containers, routed with traefik, are connected to the proxy network.
proxy_network: proxy # noqa var-naming[no-role-prefix]
traefik_docker_bridge_name: docker-proxy

# Traefik IPv6 settings
# Enabling these will lead to traefik being reachable via the specified IPv6 address.
# Without any special handling of IPv6, the containers may still be reached via IPv6 but may use the docker internal IPv4 proxy,
# which results in the containers only seeing clients connecting with the internal network IPv4 gateway address.
traefik_ipv6:
  enabled: false
  # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP).
  # TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
  firewall_rules_enabled: false
  # The subnet that should be used. Usually has to have a size of at least `/80`
  # (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
  subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}"
  # The traefik container will use this static address, unless you explicitly use `{{ omit }}`
  ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ansible.utils.ipaddr('2') | ansible.utils.ipaddr('address') }}"
  # The name of the special ipv6 network which will be created and added to the traefik container
  name: traefik_ipv6

# Should a general https redirect middleware be enabled for all hosts on the web endpoint?
traefik_https_redirect_all: true

# Should the letsencrypt certresolver be enabled/defined?
# Useful eg. for local testing/LAN setups
traefik_https_letsencrypt_enabled: true

# Extra configuration (dynamic) via a config file
# This has to be used, because setting default TLS configs etc. cannot be done via labels/commandline parameters
# This will by default set the minimum TLS version to v1.2 and only enable a few secure ciphers
traefik_dynamic_conf:
  tls:
    options:
      default:
        minVersion: "VersionTLS12"
        sniStrict: true # Can be disabled for local testing, which will lead to traefik serving it's default certificate if none can be found
        cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

# This config allows to add new entrypoints to traefik which are also automatically exposed / the port is automatically allocated.
# Can be used in cases where traefik needs to be used as a proxy because of the certificates it holds. Eg. gitlab registry on the
# same domain, where we want to use the existing certificate for the registry too.
#
# Example entry:
# - name: gitlabregistry
#   port: 5050
traefik_additional_entrypoints: []

# Enables debug log level
traefik_debug: false

# Should traefik log access?
traefik_access_log_enabled: false

# Optional environment variables that should be added (key value pairs)
traefik_options: {}

# Enables the tor container, to allow reaching traefik via an onion address/the tor network
traefik_tor_enabled: false

# The tor container version
traefik_tor_version: 0.4

# The tor container volume locations
traefik_tor_location: "{{ traefik_install_location }}/tor"
traefik_tor_data_location: "{{ traefik_tor_location }}/data"
traefik_tor_config_location: "{{ traefik_tor_location }}/config"

# Enables the acmedumper, to extract the certificates from traefik
traefik_acmedumper_enabled: false

# The acmedumper container version
traefik_acmedumper_version: "2.7.0"
traefik_acmedumper_image_version: "v{{ traefik_acmedumper_version }}"

# The acmedumper output location
traefik_acmedumper_location: "{{ traefik_install_location }}/certs"

# Enable or disable selinux handling
traefik_selinux_enabled: true

# The SELinux levels for tor/traefiks folders/container
traefik_selinux_level: "{{ omit }}"
traefik_tor_selinux_level: "{{ omit }}"

# Enable or disable firewalld handling (Allowing HTTP/HTTPS and trusting the docker network if necessary)
traefik_firewalld_enabled: true