From 943a1324b9262113aeaec2ebe19041874fea49e9 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 17 Jul 2020 00:41:21 -0400
Subject: [PATCH] Setup TLS for Traefik
---
roles/traefik/defaults/main.yml | 5 ++---
roles/traefik/handlers/main.yml | 10 +++++-----
roles/traefik/tasks/main.yml | 25 +++++++++++++++++++------
roles/traefik/templates/tls.yml.j2 | 9 +++++++++
roles/traefik/templates/traefik.yml.j2 | 22 ++++++++++++++++++++++
5 files changed, 57 insertions(+), 14 deletions(-)
create mode 100644 roles/traefik/templates/tls.yml.j2
create mode 100644 roles/traefik/templates/traefik.yml.j2
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index b183d1d..4915a95 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -1,8 +1,7 @@
traefik_name: traefik
traefik_version: latest
traefik_dashboard: false
-traefik_options:
- "--entrypoints.web.address=:80"
- "--api.dashboard=true"
+traefik_root: "/opt/{{ traefik_name }}"
traefik_ports:
- "80:80"
+ - "443:443"
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
index 54f8a1f..d1210e9 100644
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -1,5 +1,5 @@
-- name: Restart Traefik container
- docker_container:
- name: "{{ traefik_name }}"
- image: traefik:{{ traefik_version }}
- restart: true
+- name: Reload Traefik container
+ file:
+ path: "{{ traefik_root }}/config/dynamic/tls.yml"
+ state: touch
+ listen: reload_traefik
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 7be6b4a..0a2764c 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
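Review bot: The new `reload_traefik` handler only bumps the mtime of `{{ traefik_root }}/config/dynamic/tls.yml`, a file the notifying template task has just rewritten, so by the time it runs it adds nothing — the file provider's directory watch (on by default in Traefik v2, as far as I recall) has already seen the write. What the role loses with this hunk is any way to apply a changed static configuration: Traefik reads `traefik.yml` only at process start, and the container-restart handler removed here was the only restart path. The touch is still useful for forcing a re-read of renewed certificates, but nothing in the role triggers it on renewal, so that should not be relied on either. I would keep a restart handler next to the touch handler so the static-config template task can notify it:
```yaml
- name: Restart Traefik container
  docker_container:
    name: "{{ traefik_name }}"
    image: traefik:{{ traefik_version }}
    restart: true
  listen: restart_traefik
```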
@@ -1,8 +1,18 @@
-- name: Set default Traefik options
- set_fact:
- traefik_defaults:
- "--providers.docker"
- "--providers.docker.exposedbydefault=false"
+- name: Create Traefik configuration directories
+ file:
+ path: "{{ traefik_root }}/config/dynamic"
+ state: directory
+
+- name: Install static Traefik configuration
+ template:
+ src: traefik.yml.j2
+ dest: "{{ traefik_root }}/config/traefik.yml"
+
+- name: Install dynamic Traefik configuration
+ template:
+ src: tls.yml.j2
+ dest: "{{ traefik_root }}/config/dynamic/tls.yml"
+ notify: reload_traefik

- name: Create Traefik network
docker_network:
@@ -12,7 +22,6 @@
docker_container:
name: "{{ traefik_name }}"
image: traefik:{{ traefik_version }}
- command: "{{ traefik_defaults + traefik_options }}"
state: started
restart_policy: always
ports: "{{ traefik_ports }}"
@@ -24,7 +33,11 @@
traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
traefik.http.routers.traefik.middlewares: "auth@docker"
traefik.http.routers.traefik.service: "api@internal"
+ traefik.http.routers.traefik.entrypoints: websecure
+ traefik.http.routers.traefik.tls: "true"
traefik.docker.network: traefik
traefik.enable: "{{ traefik_dashboard | string }}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
+ - "{{ traefik_root }}/config:/etc/traefik"
+ - "{{ traefik_root }}/letsencrypt:/etc/letsencrypt"
diff --git a/roles/traefik/templates/tls.yml.j2 b/roles/traefik/templates/tls.yml.j2
new file mode 100644
index 0000000..a90f718
--- /dev/null
+++ b/roles/traefik/templates/tls.yml.j2
@@ -0,0 +1,9 @@
+tls:
+ certificates:
+ - certFile: /etc/letsencrypt/fullchain.pem
+ keyFile: /etc/letsencrypt/privkey.pem
+ stores:
+ default:
+ defaultCertificate:
+ certFile: /etc/letsencrypt/fullchain.pem
+ keyFile: /etc/letsencrypt/privkey.pem
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
new file mode 100644
index 0000000..fda66a6
--- /dev/null
+++ b/roles/traefik/templates/traefik.yml.j2
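Review bot: The `Install static Traefik configuration` task has no `notify`, so a changed `traefik.yml` (entrypoints, the 80→443 redirect, default TLS on `websecure`) is written to disk but never applied: Traefik reads its static configuration only at process start, and this commit also drops the handler that restarted the container. Add `notify: restart_traefik` to that task and make sure a handler with that `listen` name exists — the touch-based `reload_traefik` handler cannot do this, since touching a dynamic-config file does not restart the process. The `file` and `template` tasks also set no `owner`/`mode`, so the tree under `{{ traefik_root }}/config` that is bind-mounted into the container inherits the controller's umask; nothing in this role needs it writable by anyone but root, so pinning `mode: "0755"` on the directory and `mode: "0644"` on the two templates removes that variability.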
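Review bot: Both new bind mounts are read-write although Traefik only reads from them — the dynamic configuration under `{{ traefik_root }}/config` and, more importantly, the private key under `{{ traefik_root }}/letsencrypt`; a compromised proxy process should not be able to rewrite its own routing/TLS configuration or the key material. Change them to `- "{{ traefik_root }}/config:/etc/traefik:ro"` and `- "{{ traefik_root }}/letsencrypt:/etc/letsencrypt:ro"`; no ACME resolver is configured in this role, so there is nothing Traefik needs to write under either path. Note also that nothing in the role creates or checks `{{ traefik_root }}/letsencrypt`: if it is absent Docker creates an empty root-owned directory and, as far as I recall, Traefik logs the certificate load error and falls back to its generated self-signed default certificate rather than refusing to start, so a `stat` on the two PEM files with a `failed_when` before the container task would surface that early. The Docker socket mount is pre-existing context and not raised here.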
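Review bot: The certificate paths `/etc/letsencrypt/fullchain.pem` and `/etc/letsencrypt/privkey.pem` are hard-coded in a `.j2` file that contains no Jinja expressions, so a deployment whose certificates live elsewhere (certbot's `live/<domain>/` layout, for instance) has to edit the role rather than set a variable; something like `certFile: {{ traefik_tls_cert | default('/etc/letsencrypt/fullchain.pem') }}` keeps today's default while making the template an actual template. The same certificate is listed twice (once under `certificates`, once as the store's `defaultCertificate`), which is harmless but worth a one-line comment stating that the second entry is what Traefik serves when no SNI matches. The file sets no TLS options, so Traefik's defaults apply — for the v2 line that means TLS 1.0 is still negotiable unless I misremember the default `minVersion`; adding `options:` / `default:` / `minVersion: VersionTLS12` under `tls:` fixes that, and it applies automatically because the `websecure` entrypoint enables TLS with `tls: {}` rather than naming an options set.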
@@ -0,0 +1,22 @@
+api:
+ dashboard: true
+
+providers:
+ docker:
+ exposedbydefault: false
+ file:
+ directory: /etc/traefik/dynamic
+
+entrypoints:
+ web:
+ address: ':80'
+ http:
+ redirections:
+ entrypoint:
+ to: websecure
+ scheme: https
+ permanent: true
+ websecure:
+ address: ':443'
+ http:
+ tls: {}
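Review bot: The key spellings `exposedbydefault` and `entrypoints` differ from the `exposedByDefault` / `entryPoints` used throughout the Traefik v2 documentation; Traefik's file-config parser is case-insensitive as far as I know, so this works, but matching the documented casing keeps the file greppable against the docs and avoids a silent no-op should a future version tighten parsing. Security-wise the static part is sound: `api.insecure` is not set, so the dashboard is reachable only through the basic-auth router that the container labels define and only when `traefik.enable` is true. What is missing for a TLS-terminating edge is any request logging — Traefik keeps access logs off by default, so add `accessLog: {}` at top level so that traffic arriving on `websecure` can actually be investigated. Like `tls.yml.j2`, this file has no Jinja expressions; if it is meant to stay static it could live under `files/` and be installed with `copy:` instead of `template:`.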