Initial Commit

2024-09-09 22:37:51 +10:00
commit ca1eea8f56
49 changed files with 2271 additions and 0 deletions
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -0,0 +1,2 @@
+---
+# defaults file for common
--- a/roles/traefik/meta/main.yml
+++ b/roles/traefik/meta/main.yml
@ -0,0 +1,52 @@
+galaxy_info:
+  author: Matthew McKinnon
+  description: Traefik Proxy
+  company: support@comprofix.com
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -0,0 +1,86 @@
+---
+- name: Create directories
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ data_folder }}/traefik"
+    - "{{ data_folder }}/traefik/data"
+
+- name: Create a network
+  docker_network:
+    name: proxy
+  register: network
+
+- name: Copy Traefik config
+  template:
+    src: templates/traefik.yml.j2
+    dest: "{{ data_folder }}/traefik/data/traefik.yml"
+    mode: '0600'
+
+- name: Check if {{ data_folder }}/traefik/data/acme.json exists
+  ansible.builtin.stat:
+    path: "{{ data_folder }}/traefik/data/acme.json"
+  register: file_status
+
+- name: Creates {{ data_folder }}/traefik/data/acme.json if it doesn't exists
+  ansible.builtin.file:
+    path: "{{ data_folder }}/traefik/data/acme.json"
+    state: touch
+    owner: root
+    group: root
+    mode: '0600'
+  when: not file_status.stat.exists
+
+- name: Check if {{ data_folder }}/traefik/data/traefik.json.log exists
+  ansible.builtin.stat:
+    path: "{{ data_folder }}/traefik/data/traefik.json.log"
+  register: file_status
+
+- name: Creates {{ data_folder }}/traefik/data/traefik.json.log if it doesn't exists
+  ansible.builtin.file:
+    path: "{{ data_folder }}/traefik/data/traefik.json.log"
+    state: touch
+    owner: root
+    group: root
+    mode: '0600'
+  when: not file_status.stat.exists
+
+- name: Create traefik Container
+  docker_container:
+    name: traefik
+    image: traefik:v3.1
+    restart_policy: unless-stopped
+    networks:
+      - name: "proxy"
+    ports:
+      - 80:80
+      - 443:443
+    env:
+      CF_API_EMAIL: "{{ CF_API_EMAIL }}"
+      CF_DNS_API_TOKEN: "{{CF_DNS_API_TOKEN}}"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - "{{ data_folder }}/traefik/data/traefik.yml:/traefik.yml:ro"
+      - "{{ data_folder }}/traefik/data/acme.json:/acme.json"
+      - "{{ data_folder }}/traefik/data/traefik.json.log:/traefik.json.log"
+      # - ./data/config.yml:/config.yml:ro
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.traefik.entrypoints: "http"
+      traefik.http.routers.traefik.rule: "Host(`{{traefik_host}}`)"
+      traefik.http.middlewares.traefik-auth.basicauth.users: "{{ traefik_api_user }}:{{ traefik_api_password | password_hash('blowfish','1234567890123456789012') }}"
+      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: "https"
+      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: "https"
+      traefik.http.routers.traefik.middlewares: "traefik-https-redirect"
+      traefik.http.routers.traefik-secure.entrypoints: "https"
+      traefik.http.routers.traefik-secure.rule: "Host(`{{traefik_host}}`)"
+      traefik.http.routers.traefik-secure.middlewares: "traefik-auth"
+      traefik.http.routers.traefik-secure.tls: "true"
+      traefik.http.routers.traefik-secure.tls.certresolver: "cloudflare"
+      traefik.http.routers.traefik-secure.tls.domains[0].main: "comprofix.com"
+      traefik.http.routers.traefik-secure.tls.domains[0].sans: "*.comprofix.com"
+      traefik.http.routers.traefik-secure.tls.domains[1].main: "comprofix.xyz"
+      traefik.http.routers.traefik-secure.tls.domains[1].sans: "*.comprofix.xyz"
+      traefik.http.routers.traefik-secure.service: "api@internal"
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  debug: true
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+
+serversTransport:
+  insecureSkipVerify: true
+
+log:
+  level: DEBUG
+  filePath: /traefik.json.log
+  format: json
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: {{ CF_API_EMAIL }}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+  
--- a/roles/traefik/vars/main.yml
+++ b/roles/traefik/vars/main.yml
@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+65353236643865303034613264613133353338613962646164333936353761336231643332303164
+3834613038663965376661373336646433353437373132300a353663633034643265653937396238
+66326632323432646239663762626230326338666138653330323566633864623734396639323062
+3735326666306239370a383439646335343965316464386265613437646163636335393139316232
+61396631356263333933626334313438633132663764326539393663636631303538636131303830
+31633037376231326436306463376134633031666431303133383237316530646261383733313132
+62343261303266613764633861393939343937343038383231353137333337383936623338313561
+64633330356639643863336437653137393364653833653934633762333461393035393963313432
+39633563636164363461326231306237343265626533366562626136643561636464663866303434
+64363663396334623738316238316135616162393566613631396163666134663765343230656135
+35646364666531303361623833643136663832363737623161386562393234393533306636363265
+37343438386439303931633434303939393062363138353732373163663761366337326437316537
+6137