Initial commit

.editorconfig

@@ -0,0 +1,19 @@
+# EditorConfig: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Defaults for all editor files
+[*]
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+
+# Files with a smaller indent
+[*.yml]
+indent_size = 2
+
+# Jinja2 template files
+[*.j2]
+end_of_line = lf

.gitignore

@@ -0,0 +1,20 @@
+local-configure.yml
+.vagrant/
+docs/_build/
+roles/plone.plone_server
+roles/jnv.unattended-upgrades
+roles/tersmitten.fail2ban
+roles/ANXS.hostname
+roles/ANXS.apt
+._*
+bin/
+lib/
+include/
+local/
+tests.out
+*.retry
+*.log
+vbox_host.cfg
+.DS_Store
+*.py[co]
+.idea/

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path: ./../

defaults/main.yml

@@ -0,0 +1,5 @@
+---
+traefik_version_check: true
+traefik_version: "v2.10.4"
+
+traefik_yaml_acme_email: ""

handlers/main.yml

@@ -0,0 +1,13 @@
+---
+- name: "Restart traefik"
+  ansible.builtin.service:
+    name: traefik
+    state: restarted
+    scope: "user"
+  when: ansible_service_mgr == "systemd"
+
+- name: "Reload systemd"
+  ansible.builtin.systemd:
+    daemon_reload: true
+    scope: "user"
+  when: ansible_service_mgr == "systemd"

meta/main.yml

@@ -0,0 +1,36 @@
+galaxy_info:
+  author: Lennard Brinkhaus
+  description: Install and manage a Traefik
+  company: DragSE
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  min_ansible_version: "2.1"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  license: None
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+
+  galaxy_tags:
+    - traefik
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.

meta/requirements.yml

@@ -0,0 +1,2 @@
+- name: role-podman
+  src: https://git.dragse.it/ansible/role-podman

tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Create podman folder
+  file:
+    path: /root/.config/containers/systemd/
+    state: directory
+    mode: 0775
+    recurse: yes
+
+- name: Create letsencrypt folder
+  file:
+    path: /letsencrypt
+    state: directory
+    mode: 0775
+    recurse: yes
+
+- name: Setup Podman quadlet
+  block:
+  - name: Copy traefik.network
+    ansible.builtin.template:
+      src: traefik.network
+      dest: "/root/.config/containers/systemd/traefik.network"
+
+  - name: Copy traefik.container
+    ansible.builtin.template:
+      src: traefik.quadlet.j2
+      dest: "/root/.config/containers/systemd/traefik.container"
+
+  - name: Copy traefik.yml
+    ansible.builtin.template:
+      src: traefik.yaml.j2
+      dest: "/etc/traefik/traefik.yaml"
+
+  - name: "Reload systemd"
+    ansible.builtin.systemd:
+      daemon_reload: true
+      scope: "user"
+  notify:
+    - Reload systemd
+    - Restart traefik
+
+- name: Start Traefik
+  systemd_service:
+    enabled: true
+    name: traefik
+    state: started
+    scope: "user"
+

templates/traefik.network

@@ -0,0 +1,2 @@
+[Network]
+Label=app=traefik

templates/traefik.quadlet.j2

@@ -0,0 +1,42 @@
+[Unit]
+Description=Traefik Reverse Proxy
+Documentation=https://doc.traefik.io/traefik/providers/docker
+
+[Container]
+ContainerName=traefik
+Image=docker.io/library/traefik:{{ traefik_version }}
+Environment=TZ=Europe/Berlin
+
+#Environment=CLOUDFLARE_DNS_API_TOKEN=<REDACTED>
+
+PublishPort=0.0.0.0:80:80/tcp
+PublishPort=0.0.0.0:443:443/tcp
+PublishPort=0.0.0.0:8080:8080/tcp
+
+#Network=pasta:-T,auto
+Network=traefik.network
+
+Volume=/etc/traefik:/etc/traefik:rw
+Volume=/var/run/podman/podman.sock:/var/run/docker.sock:ro
+
+NoNewPrivileges=true
+DropCapability=All
+AddCapability=net_bind_service
+
+#UserNS=keep-id
+# Required to access the Podman Socket
+#SecurityLabelDisable=true
+PodmanArgs=--userns=keep-id --security-opt label=disable
+
+[Service]
+Restart=on-failure
+# Restart Delay
+RestartSec=30
+# Allowed time for the service to start.
+TimeoutStartSec=90
+# Allowed time for the service to stop.
+TimeoutStopSec=90
+
+[Install]
+WantedBy=default.target
+

templates/traefik.yaml.j2

@@ -0,0 +1,31 @@
+# traefik.yml
+entryPoints:
+    web:
+        address: ":80"
+        http:
+            redirections:
+                entryPoint:
+                    to: websecure
+
+    websecure:
+        address: ":443"
+
+# Docker configuration backend
+providers:
+    docker:
+        endpoint: "unix:///var/run/docker.sock"
+        network: systemd-traefik
+
+
+# API and dashboard configuration
+api:
+    #  insecure: true
+    dashboard: true
+
+certificatesResolvers:
+    resolver:
+        acme:
+            email: {{ traefik_yaml_acme_email }}
+            storage: /letsencrypt/acme.json
+            httpChallenge:
+                entryPoint: web

tests/inventory

@@ -0,0 +1 @@
+192.168.1.142

tests/test.yml

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  remote_user: root
+  roles:
+    - role-traefik
+  vars:
+    traefik_yaml_acme_email: "test@localhost.intern"