From 9512212b847b30b25d6b663910d12ac552c52365 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 21 Apr 2023 03:04:53 -0400
Subject: [PATCH] Refactor Traefik deploy: docker-compose + systemd

- Replace docker_container ansible with new setup
- Add option to disable HTTPS for alternate reverse proxy use
---
 dev/dockerbox.yml                             |  1 -
 dev/host_vars/dockerbox.yml                   |  1 +
 roles/traefik/defaults/main.yml               | 18 ++++--
 roles/traefik/handlers/main.yml               | 11 ++--
 roles/traefik/tasks/main.yml                  | 56 ++++++++-----------
 roles/traefik/templates/compose-env.j2        |  8 +++
 roles/traefik/templates/docker-compose.yml.j2 | 25 +++++++++
 roles/traefik/templates/traefik.yml.j2        |  4 +-
 8 files changed, 75 insertions(+), 49 deletions(-)
 create mode 100644 roles/traefik/templates/compose-env.j2
 create mode 100644 roles/traefik/templates/docker-compose.yml.j2

diff --git a/dev/dockerbox.yml b/dev/dockerbox.yml
index 9333a07..811418a 100644
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -8,7 +8,6 @@
   - docker
   - traefik
   - nextcloud
-  - gitea
   - jenkins
   - prometheus
   - nginx
diff --git a/dev/host_vars/dockerbox.yml b/dev/host_vars/dockerbox.yml
index 175dfc6..c08c37f 100644
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -13,6 +13,7 @@ traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
+traefik_http_only: true # if behind reverse-proxy
 
 # nextcloud
 nextcloud_version: stable
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index 3be86b5..43f09ed 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -1,12 +1,18 @@
+# Container settings
 traefik_name: traefik
-traefik_dashboard: false
-traefik_root: "/opt/{{ traefik_name }}"
+traefik_standalone: true
+traefik_http_only: false
+traefik_debug: false
+traefik_web_entry: "80:80"
+traefik_websecure_entry: "443:443"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
+
+# HTTPS settings
 traefik_production: false
 traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_http_redirect: false
-traefik_ports:
-  - "80:80"
-  - "443:443"
+traefik_http_redirect: true
+
+# Host settings
+traefik_root: "{{ docker_compose_root }}/{{ traefik_name }}"
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
index eeaca65..79f9ea8 100644
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -4,11 +4,8 @@
     state: touch
   listen: reload_traefik
 
-- name: Restart Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
-    state: started
-    container_default_behavior: "no_defaults"
-    restart: yes
+- name: Restart Traefik
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
+    state: restarted
   listen: restart_traefik
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 20dcb22..c85ac56 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -1,14 +1,8 @@
-- name: Create Traefik configuration directories
+- name: Create Traefik directories
   file:
     path: "{{ traefik_root }}/config/dynamic"
     state: directory
 
-- name: Install static Traefik configuration
-  template:
-    src: traefik.yml.j2
-    dest: "{{ traefik_root }}/config/traefik.yml"
-  notify: restart_traefik
-
 - name: Install dynamic security configuration
   template:
     src: security.yml.j2
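Review bot: `traefik_dashboard: false` is removed from the defaults while the new `compose-env.j2` still renders `{{ traefik_dashboard | string | lower }}`, so a host that does not set it in inventory now fails with an undefined-variable error instead of getting the old default; keep `traefik_dashboard: false` under `# Container settings`. The new `traefik_root` also pulls in `docker_compose_root`, and the handlers hunk and the second tasks hunk use `docker_compose_service`, neither of which this role defines — presumably they come from the docker role, so declare that dependency in the role's meta or at least note it here (`# docker_compose_root / docker_compose_service are supplied by the docker role`). The default of `traefik_http_redirect` also flips from false to true, a behaviour change the commit message does not mention and that deserves a comment on the line.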
@@ -25,32 +19,26 @@
   loop: "{{ traefik_external }}"
   when: traefik_external is defined
 
-- name: Create Traefik network
-  docker_network:
-    name: traefik
+- name: Install Traefik's docker-compose file
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ traefik_root }}/docker-compose.yml"
+  notify: restart_traefik
 
-- name: Start Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
+- name: Install Traefik's docker-compose variables
+  template:
+    src: compose-env.j2
+    dest: "{{ traefik_root }}/.env"
+  notify: restart_traefik
+
+- name: Install static Traefik configuration
+  template:
+    src: traefik.yml.j2
+    dest: "{{ traefik_root }}/config/traefik.yml"
+  notify: restart_traefik
+
+- name: Start and enable Traefik service
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
     state: started
-    restart_policy: always
-    ports: "{{ traefik_ports }}"
-    container_default_behavior: "no_defaults"
-    networks_cli_compatible: "false"
-    networks:
-      - name: traefik
-    labels:
-      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      #traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      #traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      #traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      #traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
-      traefik.http.routers.traefik.service: "api@internal"
-      traefik.http.routers.traefik.entrypoints: websecure
-      traefik.http.routers.traefik.tls: "true"
-      traefik.docker.network: traefik
-      traefik.enable: "{{ traefik_dashboard | string }}"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      "{{ traefik_root }}/config:/etc/traefik"
+    enabled: true
diff --git a/roles/traefik/templates/compose-env.j2 b/roles/traefik/templates/compose-env.j2
new file mode 100644
index 0000000..22df1b3
--- /dev/null
+++ b/roles/traefik/templates/compose-env.j2
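Review bot: Dropping the standalone `docker_network` task moves ownership of the `traefik` network into this compose project (the new template declares it under `networks:` rather than as `external: true`), so `docker compose down` on this stack now removes a network that, judging by the `traefik.docker.network` label and the other roles listed in `dev/dockerbox.yml`, other containers are attached to. Either keep a network-creation task and mark the network `external: true` in `docker-compose.yml.j2`, or document on the `Start and enable Traefik service` task that the Traefik stack must not be torn down independently of the stacks routed through it. The task list this hunk belongs to begins before the hunk.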
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+traefik_version={{ traefik_version }}
+traefik_name={{ traefik_name }}
+traefik_domain={{ traefik_domain }}
+traefik_dashboard={{ traefik_dashboard | string | lower }}
+traefik_debug={{ traefik_debug | string | lower }}
+traefik_web_entry={{ traefik_web_entry }}
+traefik_websecure_entry={{ traefik_websecure_entry }}
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..fb7f741
--- /dev/null
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -0,0 +1,25 @@
+version: '3.7'
+
+networks:
+  traefik:
+    name: traefik
+
+services:
+  traefik:
+    image: "traefik:${traefik_version}"
+    container_name: "${traefik_name}"
+    ports:
+      - "${traefik_web_entry:-80:80}"
+{% if traefik_standalone and not traefik_http_only %}
+      - "${traefik_websecure_entry:-443:443}"
+{% endif %}
+    networks:
+      - traefik
+    labels:
+      - "traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`)"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.docker.network=traefik"
+      - "traefik.enable=${traefik_dashboard:-false}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ traefik_root }}/config:/etc/traefik"
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
index 17f726d..b2ac124 100644
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -10,7 +10,7 @@ providers:
 entrypoints:
   web:
     address: ':80'
-{% if traefik_http_redirect is defined and traefik_http_redirect %}
+{% if traefik_http_redirect is defined and traefik_http_redirect and not traefik_http_only %}
     http:
       redirections:
         entrypoint:
@@ -18,10 +18,12 @@ entrypoints:
           scheme: https
           permanent: true
 {% endif %}
+{% if not traefik_http_only is defined or not traefik_http_only %}
   websecure:
     address: ':443'
     http:
       tls: {}
+{% endif %}
 
 {% if traefik_acme_email is defined %}
 certificatesResolvers:
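Review bot: The dashboard router in the `labels` block carries no `entrypoints` and no `middlewares` label, so whenever `traefik_dashboard` is true the `api@internal` router is matched on every entrypoint — including plain-HTTP `web`, which is the only one left when `traefik_http_only` is set — with no authentication in front of it; the removed `docker_container` labels at least pinned `entrypoints=websecure` and `tls=true`, and `traefik_auth` / `traefik_localonly` are still defined by the role but unused here. Add `- "traefik.http.routers.traefik.entrypoints={{ 'web' if traefik_http_only else 'websecure' }}"` and, unless the dynamic `security.yml.j2` (not in this diff) already attaches one, a basicauth or ipwhitelist middleware built from those two variables. The file also mixes compose `${...}` interpolation for the values routed through `.env` with Jinja `{{ }}` for `traefik_domain` and `traefik_root`; a one-line header comment saying which values are meant to be overridable from `.env` would make that deliberate rather than accidental.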
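Review bot: `{% if not traefik_http_only is defined or not traefik_http_only %}` parses as `not (traefik_http_only is defined) or not traefik_http_only`, which is correct but reads as if it guarded something else, and the first hunk of this file tests the same variable as a bare `not traefik_http_only`, so the two guards disagree on whether an undefined value is tolerated. Since the defaults hunk now sets `traefik_http_only: false`, both can simply be `{% if not traefik_http_only %}`, and the `traefik_http_redirect is defined` check in the first hunk is redundant for the same reason. Note that disabling `websecure` here while `traefik_hsts_*` settings remain in the defaults leaves the HSTS behaviour in http-only mode to the dynamic config, which is outside this diff.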