infrastructure/roles/traefik/defaults/main.yml
saibotk f8306138b7
traefik: Fix IPv6 support to work properly
With some of the recently introduced changes especially around the
defaults and ipv6 addresses, this patch fixes all remaining issues and
makes sure the docker and firewall configuration fits the expectations.

Original commit: 7819c8fcc8
2020-08-18 15:35:55 +02:00


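---
# Default variables for the traefik role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# The install locations (acme storage and the dynamic config live below the install dir)
traefik_install_location: /srv/traefik
traefik_acme_location: "{{ traefik_install_location }}/acme"
traefik_config_location: "{{ traefik_install_location }}/dynamic_conf"

# The traefik/dockersocketproxy versions to be used.
# Image tags are always quoted so YAML does not load them as numbers
# (an unquoted 1.9 would become the float 1.9, and 1.10 would become 1.1).
traefik_version: "v2.2.8"
traefik_dockersocketproxy_version: "1.9"

# The domain for the traefik debug dashboard
# (only shown if the dashboard auth variable below is defined)
traefik_dashboard_domain: "traefik.example.com"
# A basic auth users string (see https://docs.traefik.io/v2.0/middlewares/basicauth/)
# Leave it undefined to keep the dashboard unexposed.
# traefik_dashboard_auth: ''

# The email to use for letsencrypt certificate requests
traefik_letsencrypt_email: no-reply@example.com

# The proxy network name and the bridge name (you usually do not touch these)
# ! Note these are used globally, as every container that wants to use traefik,
# ! has to be reachable for traefik and all containers, routed with traefik, are connected to the proxy network.
proxy_network: proxy
traefik_docker_bridge_name: docker-proxy

# Traefik IPv6 settings
# Enabling these will lead to traefik being reachable via the specified IPv6 address.
# Without any special handling of IPv6, the containers may still be reached via IPv6 but may use the docker internal IPv4 proxy,
# which results in the containers only seeing clients connecting with the internal network IPv4 gateway address.
# NOTE(review): the subnet/ip_addr expressions below read ansible_default_ipv6, which is
# unset on hosts without a default IPv6 route - presumably they are only rendered when
# enabled is true; confirm in the tasks that consume them.
traefik_ipv6:
  enabled: false
  # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443
  # with a destination of the specified IP (traefik's IP).
  # TL;DR: Should IPv6 traffic be forwarded/allowed to traefik.
  firewall_rules_enabled: false
  # The subnet that should be used. Usually has to have a size of at least `/80`
  # (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster)
  # Derived from the host's /64: the 51966th /80 inside it (51966 == 0xcafe, so the
  # fifth hextet of the resulting prefix reads "cafe").
  subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}"
  # The traefik container will use this static address, unless you explicitly use `{{ omit }}`.
  # It is host index 2 of the subnet above (index 1 is typically taken by the docker gateway - verify).
  ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ipaddr('2') | ipaddr('address') }}"
  # The name of the special ipv6 network which will be created and added to the traefik container
  name: traefik_ipv6

# Should a general https redirect middleware be enabled for all hosts on the web endpoint?
traefik_https_redirect_all: true

# Should the letsencrypt certresolver be enabled/defined?
# Useful eg. for local testing/LAN setups
traefik_https_letsencrypt_enabled: true

# Extra configuration (dynamic) via a config file
# This has to be used, because setting default TLS configs etc. cannot be done via labels/commandline parameters
# This will by default set the minimum TLS version to v1.2 and only enable a few secure ciphers
# The cipherSuites list only restricts TLS 1.2 handshakes; TLS 1.3 suites are fixed by Go's
# crypto/tls and cannot be narrowed here.
# NOTE(review): all listed suites are ECDHE_RSA, i.e. they require an RSA certificate key.
# An ECDSA certificate would need the matching TLS_ECDHE_ECDSA_* suites - confirm against
# the certificate type actually issued before changing the list.
traefik_dynamic_conf:
  tls:
    options:
      default:
        minVersion: "VersionTLS12"
        # Can be disabled for local testing, which will lead to traefik serving its
        # default certificate if none can be found
        sniStrict: true
        cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

# Enables debug log level
traefik_debug: false
# Should traefik log access?
traefik_access_log_enabled: false
# Optional environment variables that should be added (key value pairs)
traefik_options: {}

# Enables the tor container, to allow reaching traefik via an onion address/the tor network
traefik_tor_enabled: false
# The tor container version (quoted: an unquoted 0.4 is a float and other tags
# like 0.40 would silently lose their trailing zero)
traefik_tor_version: "0.4"
# The tor container volume locations
traefik_tor_location: "{{ traefik_install_location }}/tor"
traefik_tor_data_location: "{{ traefik_tor_location }}/data"
traefik_tor_config_location: "{{ traefik_tor_location }}/config"

# Enables the acmedumper, to extract the certificates from traefik
traefik_acmedumper_enabled: false
# The acmedumper container version
traefik_acmedumper_version: "2.7.0"
traefik_acmedumper_image_version: "v{{ traefik_acmedumper_version }}"
# The acmedumper output location (private keys end up here - keep the directory restricted)
traefik_acmedumper_location: "{{ traefik_install_location }}/certs"

# The SELinux levels for tor/traefiks folders/container
# `omit` leaves the parameter unset, i.e. no level is applied unless overridden.
traefik_selinux_level: "{{ omit }}"
traefik_tor_selinux_level: "{{ omit }}"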