Setup TLS for Traefik

2020-07-17 00:41:21 -04:00 · 2020-07-17 00:41:21 -04:00 · 943a1324b9
commit 943a1324b9
parent c32d1bd31c
5 changed files with 57 additions and 14 deletions
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -1,8 +1,7 @@
 traefik_name: traefik
 traefik_version: latest
 traefik_dashboard: false
-traefik_options:
-  - "--entrypoints.web.address=:80"
-  - "--api.dashboard=true"
+traefik_root: "/opt/{{ traefik_name }}"
 traefik_ports:
  - "80:80"
+  - "443:443"
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@ -1,5 +1,5 @@
- name: Restart Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
-    restart: true
+- name: Reload Traefik container
+  file:
+    path: "{{ traefik_root }}/config/dynamic/tls.yml"
+    state: touch
+  listen: reload_traefik
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -1,8 +1,18 @@
- name: Set default Traefik options
-  set_fact:
-    traefik_defaults:
-      - "--providers.docker"
-      - "--providers.docker.exposedbydefault=false"
+- name: Create Traefik configuration directories
+  file:
+    path: "{{ traefik_root }}/config/dynamic"
+    state: directory
+
+- name: Install static Traefik configuration
+  template:
+    src: traefik.yml.j2
+    dest: "{{ traefik_root }}/config/traefik.yml"
+
+- name: Install dynamic Traefik configuration
+  template:
+    src: tls.yml.j2
+    dest: "{{ traefik_root }}/config/dynamic/tls.yml"
+  notify: reload_traefik

 - name: Create Traefik network
  docker_network:
@ -12,7 +22,6 @@
  docker_container:
    name: "{{ traefik_name }}"
    image: traefik:{{ traefik_version }}
-    command: "{{ traefik_defaults + traefik_options }}"
    state: started
    restart_policy: always
    ports: "{{ traefik_ports }}"
@ -24,7 +33,11 @@
      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
      traefik.http.routers.traefik.middlewares: "auth@docker"
      traefik.http.routers.traefik.service: "api@internal"
+      traefik.http.routers.traefik.entrypoints: websecure
+      traefik.http.routers.traefik.tls: "true"
      traefik.docker.network: traefik
      traefik.enable: "{{ traefik_dashboard | string }}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ traefik_root }}/config:/etc/traefik"
+      - "{{ traefik_root }}/letsencrypt:/etc/letsencrypt"
--- a/roles/traefik/templates/tls.yml.j2
+++ b/roles/traefik/templates/tls.yml.j2
@ -0,0 +1,9 @@
+tls:
+  certificates:
+    - certFile: /etc/letsencrypt/fullchain.pem
+      keyFile: /etc/letsencrypt/privkey.pem
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/letsencrypt/fullchain.pem
+        keyFile: /etc/letsencrypt/privkey.pem
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@ -0,0 +1,22 @@
+api:
+  dashboard: true
+
+providers:
+  docker:
+    exposedbydefault: false
+  file:
+    directory: /etc/traefik/dynamic
+
+entrypoints:
+  web:
+    address: ':80'
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ':443'
+    http:
+      tls: {}