Define a certificates resolver

2020-09-03 19:00:27 -04:00 · 2020-09-03 19:00:27 -04:00 · 668414e641
commit 668414e641
parent d87d5ff525
7 changed files with 26 additions and 16 deletions
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@ -10,6 +10,8 @@ traefik_version: latest
 traefik_dashboard: true
 traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
+#traefik_acme_email: realemail@example.com # Let's Encrypt settings
+#traefik_production: true

 # nextcloud
 nextcloud_version: stable
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -32,6 +32,7 @@
    labels:
      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
      traefik.http.routers.nextcloud.entrypoints: websecure
+      traefik.http.routers.nextcloud.tls.certresolver: resolver
      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -1,6 +1,7 @@
 traefik_name: traefik
 traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
+traefik_production: false
 traefik_ports:
  - "80:80"
  - "443:443"
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@ -3,3 +3,11 @@
    path: "{{ traefik_root }}/config/dynamic"
    state: touch
  listen: reload_traefik
+
+- name: Restart Traefik container
+  docker_container:
+    name: "{{ traefik_name }}"
+    image: traefik:{{ traefik_version }}
+    state: started
+    restart: yes
+  listen: restart_traefik
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -7,12 +7,7 @@
  template:
    src: traefik.yml.j2
    dest: "{{ traefik_root }}/config/traefik.yml"
-
- name: Install dynamic Traefik configuration
-  template:
-    src: tls.yml.j2
-    dest: "{{ traefik_root }}/config/dynamic/tls.yml"
-  notify: reload_traefik
+  notify: restart_traefik

 - name: Create Traefik network
  docker_network:
@ -40,4 +35,3 @@
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "{{ traefik_root }}/config:/etc/traefik"
-      - "{{ traefik_root }}/letsencrypt:/etc/letsencrypt"
--- a/roles/traefik/templates/tls.yml.j2
+++ b/roles/traefik/templates/tls.yml.j2
@ -1,9 +0,0 @@
-tls:
-  certificates:
-    - certFile: /etc/letsencrypt/fullchain.pem
-      keyFile: /etc/letsencrypt/privkey.pem
-  stores:
-    default:
-      defaultCertificate:
-        certFile: /etc/letsencrypt/fullchain.pem
-        keyFile: /etc/letsencrypt/privkey.pem
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@ -20,3 +20,16 @@ entrypoints:
    address: ':443'
    http:
      tls: {}
+
+{% if traefik_acme_email is defined %}
+certificatesResolvers:
+  resolver:
+    acme:
+      email: {{ traefik_acme_email }}
+      storage: /etc/traefik/acme.json
+      {% if not traefik_production -%}
+      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      {% endif -%}
+      httpChallenge:
+        entryPoint: web
+{% endif %}