From 668414e641b2aff730777096361d52f62f9fd28f Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Thu, 3 Sep 2020 19:00:27 -0400
Subject: [PATCH] Define a certificates resolver

---
 dev/host_vars/dockerbox.yml | 2 ++
 roles/nextcloud/tasks/main.yml | 1 +
 roles/traefik/defaults/main.yml | 1 +
 roles/traefik/handlers/main.yml | 8 ++++++++
 roles/traefik/tasks/main.yml | 8 +-------
 roles/traefik/templates/tls.yml.j2 | 9 ---------
 roles/traefik/templates/traefik.yml.j2 | 13 +++++++++++++
 7 files changed, 26 insertions(+), 16 deletions(-)
 delete mode 100644 roles/traefik/templates/tls.yml.j2

diff --git a/dev/host_vars/dockerbox.yml b/dev/host_vars/dockerbox.yml
index 5f5007c..c68e873 100644
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -10,6 +10,8 @@ traefik_version: latest
 traefik_dashboard: true
 traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
+#traefik_acme_email: realemail@example.com # Let's Encrypt settings
+#traefik_production: true
 
 # nextcloud
 nextcloud_version: stable
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 15d8255..dea40f6 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -32,6 +32,7 @@
 labels:
 traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
 traefik.http.routers.nextcloud.entrypoints: websecure
+ traefik.http.routers.nextcloud.tls.certresolver: resolver
 traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
 traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
 traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index ddb9eec..fd9cda1 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
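Review bot: The added label hard-codes the resolver name `resolver`, which the Traefik side only defines when `traefik_acme_email` is set (`roles/traefik/templates/traefik.yml.j2` in this commit), so with the dev host's ACME settings still commented out the nextcloud router points at a resolver that does not exist; as far as I recall Traefik logs an error for that router and serves its default certificate instead of failing loudly, which is easy to miss. Carrying the name in one shared variable keeps the two roles in step, e.g. `traefik.http.routers.nextcloud.tls.certresolver: "{{ traefik_certresolver }}"` here and the same variable for the resolver key in the template, with the value set in group or host vars next to `traefik_acme_email`. The task and its `labels` mapping begin before this hunk.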
@@ -1,6 +1,7 @@
 traefik_name: traefik
 traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
+traefik_production: false
 traefik_ports:
 - "80:80"
 - "443:443"
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
index 043f6a2..6fb908f 100644
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -3,3 +3,11 @@
 path: "{{ traefik_root }}/config/dynamic"
 state: touch
 listen: reload_traefik
+
+- name: Restart Traefik container
+ docker_container:
+ name: "{{ traefik_name }}"
+ image: traefik:{{ traefik_version }}
+ state: started
+ restart: yes
+ listen: restart_traefik
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 0a2764c..f4b923d 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -7,12 +7,7 @@
 template:
 src: traefik.yml.j2
 dest: "{{ traefik_root }}/config/traefik.yml"
-
-- name: Install dynamic Traefik configuration
- template:
- src: tls.yml.j2
- dest: "{{ traefik_root }}/config/dynamic/tls.yml"
- notify: reload_traefik
+ notify: restart_traefik
 
 - name: Create Traefik network
 docker_network:
@@ -40,4 +35,3 @@
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - "{{ traefik_root }}/config:/etc/traefik"
- - "{{ traefik_root }}/letsencrypt:/etc/letsencrypt"
diff --git a/roles/traefik/templates/tls.yml.j2 b/roles/traefik/templates/tls.yml.j2
deleted file mode 100644
index a90f718..0000000
--- a/roles/traefik/templates/tls.yml.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-tls:
- certificates:
- - certFile: /etc/letsencrypt/fullchain.pem
- keyFile: /etc/letsencrypt/privkey.pem
- stores:
- default:
- defaultCertificate:
- certFile: /etc/letsencrypt/fullchain.pem
- keyFile: /etc/letsencrypt/privkey.pem
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
index fda66a6..5f48830 100644
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
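Review bot: The new `Restart Traefik container` handler gives `docker_container` an `image:` and `state: started`, so the module compares the running container against the options supplied and may recreate it rather than restart it — for instance once a newer `traefik:latest` image has been pulled — and a container recreated from this handler would have none of the ports, volumes, network or labels that the task in `roles/traefik/tasks/main.yml` sets. As far as I recall the module only needs `image` to create a container, so a restart-only handler can drop that line and keep `name`, `state: started` and `restart: true`; the `true` spelling also matches the booleans in `defaults/main.yml`. Note too that `notify: restart_traefik` on the static-config template (the tasks hunk further down) now implies a brief outage on every config change where the old dynamic-config touch did not, which is expected for `certificatesResolvers` but deserves a comment on that task. The `reload_traefik` handler begins before this hunk.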
@@ -20,3 +20,16 @@ entrypoints:
 address: ':443'
 http:
 tls: {}
+
+{% if traefik_acme_email is defined %}
+certificatesResolvers:
+ resolver:
+ acme:
+ email: {{ traefik_acme_email }}
+ storage: /etc/traefik/acme.json
+ {% if not traefik_production -%}
+ caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+ {% endif -%}
+ httpChallenge:
+ entryPoint: web
+{% endif %}
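Review bot: Nothing in the template or in the commented example in `dev/host_vars/dockerbox.yml` says what happens when `traefik_production` is flipped after certificates have already been issued against the staging `caServer`: the account and certificates saved in `storage: /etc/traefik/acme.json` belong to the staging directory, and as far as I recall Traefik reuses that stored account rather than re-registering, so the first production rollout does not behave as expected until the file is removed. A one-line comment on the `storage:` line such as `# changing caServer (traefik_production) requires removing this file first` would document it. `email: {{ traefik_acme_email }}` should be quoted like the other templated scalars in these roles, `email: "{{ traefik_acme_email }}"`. That `acme.json` lands in `{{ traefik_root }}/config` on the host and holds the ACME account key plus every issued private key; Traefik expects it at mode 0600, so the host config directory should not be group- or world-readable and the file belongs outside any backup or repository that must not carry keys. The `-%}` whitespace control on the inner `{% if not traefik_production -%}` / `{% endif -%}` does keep `httpChallenge:` correctly indented in both branches, but it is subtle enough that a template comment, or column-0 tags like the outer `{% if traefik_acme_email is defined %}` relying on `trim_blocks`, would read more clearly.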