Add traefik config

ansible/roles/docker/files/traefik/docker-compose.yml

@@ -0,0 +1,12 @@
+version: "3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:v2.1.2
+    #command: "--log.level=DEBUG"
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik:/etc/traefik
+    restart: unless-stopped

ansible/roles/docker/files/traefik/file-provider.yml

@@ -0,0 +1,42 @@
+http:
+  middlewares:
+    internal-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ wireguard.cidr }}"
+          - "192.168.1.0/24"
+    hsts:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    hsts:
+      service: "ping@internal"
+      rule: "PathPrefix(`/`)"
+      entryPoints:
+        - web
+      middlewares:
+        - hsts
+    ping:
+      service: "ping@internal"
+      rule: "Host(`traefik.jakehoward.tech`) && Path(`/ping/`)"
+      middlewares:
+        - hsts
+      tls:
+        certResolver: le
+    dashboard:
+      service: "dashboard@internal"
+      rule: "Host(`traefik.jakehoward.tech`)"
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le
+    api:
+      service: "api@internal"
+      rule: "Host(`traefik.jakehoward.tech`) && PathPrefix(`/api`)"
+      middlewares:
+        - hsts
+        - internal-only
+      tls:
+        certResolver: le

ansible/roles/docker/files/traefik/traefik.yml

@@ -0,0 +1,38 @@
+entryPoints:
+  web:
+    address: ":80"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  web-secure:
+    address: ":443"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+  matrix:
+    address: ":8448"
+    proxyProtocol:
+      trustedIPs:
+        - "{{ wireguard.cidr }}"
+
+ping:
+  manualRouting: true
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/file-provider.yml
+
+api:
+  dashboard: true
+
+certificatesResolvers:
+  le:
+    acme:
+      email: "hosting@theorangeone.net"
+      storage: "/etc/traefik/acme.json"
+      httpChallenge:
+        entryPoint: web

ansible/roles/docker/tasks/main.yml

@@ -27,3 +27,6 @@
 
 - name: Install gotify
   include: gotify.yml
+
+- name: Install traefik
+  include: traefik.yml

ansible/roles/docker/tasks/traefik.yml

@@ -0,0 +1,59 @@
+- name: Create traefik directory
+  file:
+    path: '/opt/traefik'
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+  become_user: root
+
+- name: Create traefik config directory
+  file:
+    path: '/opt/traefik/traefik'
+    state: directory
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+  become_user: root
+
+- name: Install traefik compose file
+  template:
+    src: files/traefik/docker-compose.yml
+    dest: "/opt/traefik/docker-compose.yml"
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: /usr/bin/docker-compose -f %s config
+  register: compose_file
+  become: true
+  become_user: root
+
+- name: Install traefik config
+  template:
+    src: files/traefik/traefik.yml
+    dest: "/opt/traefik/traefik/traefik.yml"
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  register: config_file
+  become: true
+  become_user: root
+
+- name: Install traefik file provider
+  template:
+    src: files/traefik/file-provider.yml
+    dest: "/opt/traefik/traefik/file-provider.yml"
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  register: file_provider
+  become: true
+  become_user: root
+
+- name: Cycle traefik container
+  docker_compose:
+    project_src: /opt/traefik
+    pull: true
+    remove_orphans: true
+    remove_volumes: true
+    state: "{{ item }}"
+  when: compose_file.changed or config_file.changed or file_provider.changed
+  loop:
+    - absent
+    - present