current state

handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart traefik
+  systemd:
+    name: traefik
+    state: reloaded

tasks/main.yml

@@ -0,0 +1,38 @@
+- name: install
+  package:
+    name: traefik
+    state: latest
+
+- name: fix owner of acme file
+  file:
+    path: "/etc/traefik/acme.json"
+    owner: traefik
+    mode: '0600'
+
+- name: configure
+  notify: restart traefik
+  template:
+    src: config.toml
+    dest: "/etc/traefik/traefik.toml"
+    owner: traefik
+
+- name: create config directory
+  file:
+    path: /etc/traefik/conf.d
+    state: directory
+    owner: traefik
+
+- name: template config files
+  template:
+    src: "{{ item }}"
+    dest: "/etc/traefik/conf.d/{{ item | basename }}"
+    owner: traefik
+  with_fileglob:
+    - ../templates/conf.d/*
+
+- name: service enabled and started
+  become: yes
+  systemd:
+    name: traefik
+    state: started
+    enabled: yes

templates/conf.d/00-defaults.toml

@@ -0,0 +1,4 @@
+[http.middlewares.httpsRedirect.redirectScheme]
+  scheme = "https"
+  permanent = true
+

templates/conf.d/10-api.toml

@@ -0,0 +1,19 @@
+[http.middlewares.apiAuth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+  ]
+
+[http.routers.my-api-redir]
+  rule = "Host(`{{ inventory_hostname }}`)"
+  entryPoints = ["web"]
+  middlewares = ["httpsRedirect"]
+  service = "api@internal"
+
+[http.routers.my-api]
+  rule = "Host(`{{ inventory_hostname }}`)"
+  entryPoints = ["websecure"]
+  middlewares = ["apiAuth"]
+  service = "api@internal"
+
+  [http.routers.my-api.tls]
+    certResolver = "my-resolver"

templates/conf.d/10-metric-prometheus.toml

@@ -0,0 +1,7 @@
+[http.routers.metric-prometheus]
+  rule = "Host(`{{ inventory_hostname }}`) && PathPrefix(`/metrics`)"
+  entryPoints = ["websecure"]
+  service = "prometheus@internal"
+
+  [http.routers.metric-prometheus.tls]
+    certResolver = "my-resolver"

templates/conf.d/50-tcp.toml

@@ -0,0 +1,17 @@
+{% for r in traefik_tcp_proxy %}
+
+#---------------------------------
+# {{ r.name }}: {{ r.rule }}
+#---------------------------------
+
+[tcp.routers.{{r.name}}]
+entryPoints = {{r.entryPoints}}
+rule = "{{r.rule }}" 
+service = "{{r.name}}"
+
+[tcp.services.{{r.name}}.loadBalancer]
+{% for addr in r.addresses %}
+[[tcp.services.{{r.name}}.loadBalancer.servers]]
+address = "{{addr.to}}"
+{% endfor %}
+{% endfor %}

templates/conf.d/70-proxy.toml

@@ -0,0 +1,48 @@
+{% for r in traefik_proxy %}
+
+#---------------------------------
+# {{ r.name }}: {{ r.rule }}
+#---------------------------------
+
+{% if r.path_strip is not undefined %}
+[http.middlewares.{{r.name}}-stripprefix.stripPrefix]
+  prefixes = {{ r.path_strip }}
+{% endif %}
+
+{% if r.tls %}
+[http.routers.{{r.name}}-redir]
+  rule = "{{ r.rule }}"
+  entryPoints = ["web"]
+  middlewares = ["httpsRedirect"]
+  service = "{{r.name}}@file"
+
+[http.routers.{{r.name}}-acme]
+  rule = "({{ r.rule }}) && PathPrefix(`/.well-known/acme-challenge/`)"
+  entryPoints = ["web"]
+  service = "{{r.name}}@file"
+{% endif %}
+
+[http.routers.{{r.name}}]
+  rule = "{{ r.rule }}"
+{% if r.path_strip is not undefined %}
+  middlewares = ["{{r.name}}-stripprefix","httpsRedirect"]
+{% else %}
+  middlewares = ["httpsRedirect"]
+{% endif %}
+{% if r.tls %}
+  entryPoints = ["websecure"]
+{% else %}
+  entryPoints = ["web"]
+{% endif %}
+  service = "{{r.name}}@file"
+{% if r.tls %}
+  [http.routers.{{r.name}}.tls]
+    certResolver = "my-resolver"
+{% endif %}
+
+[http.services.{{ r.name }}.loadBalancer]
+{% for url in r.service_url %}
+    [[http.services.{{ r.name }}.loadBalancer.servers]]
+      url = "{{ url }}"
+{% endfor %}
+{% endfor %}

templates/conf.d/80-onlyoffice.toml

@@ -0,0 +1,51 @@
+[http.middlewares.onlyoffice-headers.headers.customRequestHeaders]
+  X-Forwarded-Proto = "https"
+
+[http.middlewares.onlyoffice-spellchecker-stripprefix.stripPrefix]
+  prefixes = ["/spellchecker"]
+
+{% for r in traefik_onlyoffice %}
+#---------------------------------
+# onlyOffice: {{ r.name }}: {{ r.rule }}
+#---------------------------------
+
+[http.routers.{{ r.name }}-redir]
+  rule = "{{ r.rule }}"
+  entryPoints = ["web"]
+  middlewares = ["httpsRedirect"]
+  service = "{{ r.name }}@file"
+
+[http.routers.{{ r.name }}]
+  rule = "{{ r.rule }}"
+  middlewares = ["onlyoffice-headers","httpsRedirect"]
+  entryPoints = ["websecure"]
+  service = "{{ r.name }}@file"
+  [http.routers.{{ r.name }}.tls]
+    certResolver = "my-resolver"
+
+[http.services.{{ r.name }}.loadBalancer]
+    [http.services.{{ r.name }}.loadBalancer.healthCheck]
+      path = "/healthcheck"
+      interval = "10s"
+      timeout = "3s"
+{% for url in r.service_url %}
+    [[http.services.{{ r.name }}.loadBalancer.servers]]
+      url = "{{ url }}:8000"
+{% endfor %}
+
+# onlyOffice-Spellchecker
+
+[http.routers.{{ r.name }}-spell]
+  rule = "({{ r.rule }}) && PathPrefix(`/spellchecker`)"
+  middlewares = ["onlyoffice-spellchecker-stripprefix","onlyoffice-headers","httpsRedirect"]
+  entryPoints = ["websecure"]
+  service = "{{ r.name }}-spell@file"
+  [http.routers.{{ r.name }}-spell.tls]
+    certResolver = "my-resolver"
+
+[http.services.{{ r.name }}-spell.loadBalancer]
+{% for url in r.service_url %}
+    [[http.services.{{ r.name }}-spell.loadBalancer.servers]]
+      url = "{{ url }}:8080"
+{% endfor %}
+{% endfor %}

templates/config.toml

@@ -0,0 +1,32 @@
+[entryPoints]
+  [entryPoints.ssh]
+    address = ":22"
+
+  [entryPoints.web]
+    address = ":80"
+
+  [entryPoints.websecure]
+    address = ":443"
+
+  [entryPoints.rtmp]
+    address = ":1935"
+
+[providers]
+  [providers.file]
+    directory = "/etc/traefik/conf.d/"
+    watch = true
+
+[serversTransport]
+  insecureSkipVerify = true
+
+[certificatesResolvers.my-resolver.acme]
+  storage = "/etc/traefik/acme.json"
+  [certificatesResolvers.my-resolver.acme.tlsChallenge]
+  # entryPoint = "web"
+
+[api]
+  dashboard = true
+[metrics]
+  [metrics.prometheus]
+    addServicesLabels = true
+    manualRouting = true