diff --git a/README.md b/README.md index 3f19851..e175a2c 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Example playbook: roles: - role: galaxy/com.devture.ansible.role.systemd_docker_base - - role: galaxy/com.devture.ansible.role.traefik + - role: galaxy/traefik - role: another_role ``` @@ -21,10 +21,10 @@ Example playbook: Example playbook configuration (`group_vars/servers` or other): ```yaml -devture_traefik_container_network: "{{ my_container_network }}" +traefik_container_network: "{{ my_container_network }}" -devture_traefik_uid: "{{ my_uid }}" -devture_traefik_gid: "{{ my_gid }}" +traefik_uid: "{{ my_uid }}" +traefik_gid: "{{ my_gid }}" ``` ## Security hardening @@ -53,14 +53,14 @@ devture_container_socket_proxy_api_containers_enabled: true # Base Traefik configuration here (see above). -devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" +traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" -devture_traefik_container_additional_networks: | +traefik_container_additional_networks: | {{ ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else []) }} -devture_traefik_systemd_required_services_list: | +traefik_systemd_required_services_list: | {{ (['docker.service']) + diff --git a/defaults/main.yml b/defaults/main.yml index 0950c19..cf4d1dd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,106 +2,106 @@ # Project source code URL: https://github.com/traefik/traefik -devture_traefik_enabled: true +traefik_enabled: true -devture_traefik_identifier: devture-traefik +traefik_identifier: traefik -devture_traefik_version: v3.1.3 +traefik_version: v3.1.3 -devture_traefik_uid: '' -devture_traefik_gid: '' +traefik_uid: '' +traefik_gid: '' -devture_traefik_base_path: "/{{ devture_traefik_identifier }}" -devture_traefik_config_dir_path: "{{ devture_traefik_base_path }}/config" +traefik_base_path: "/{{ traefik_identifier }}" +traefik_config_dir_path: "{{ traefik_base_path }}/config" -devture_traefik_ssl_dir_enabled: "{{ devture_traefik_config_certificatesResolvers_acme_enabled }}" -devture_traefik_ssl_dir_path: "{{ devture_traefik_base_path }}/ssl" +traefik_ssl_dir_enabled: "{{ traefik_config_certificatesResolvers_acme_enabled }}" +traefik_ssl_dir_path: "{{ traefik_base_path }}/ssl" -# Controls whether devture_traefik_plugins_dir_path is created and mounted -devture_traefik_plugin_support_enabled: false -devture_traefik_plugins_dir_path: "{{ devture_traefik_base_path }}/plugins-storage" +# Controls whether traefik_plugins_dir_path is created and mounted +traefik_plugin_support_enabled: false +traefik_plugins_dir_path: "{{ traefik_base_path }}/plugins-storage" -devture_traefik_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +traefik_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" -devture_traefik_container_image: "{{ devture_traefik_container_image_registry_prefix }}traefik:{{ devture_traefik_container_image_tag }}" -devture_traefik_container_image_tag: "{{ devture_traefik_version }}" -devture_traefik_container_image_registry_prefix: docker.io/ +traefik_container_image: "{{ traefik_container_image_registry_prefix }}traefik:{{ traefik_container_image_tag }}" 
+traefik_container_image_tag: "{{ traefik_version }}" +traefik_container_image_registry_prefix: docker.io/ -devture_traefik_container_network: traefik +traefik_container_network: traefik # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. -devture_traefik_container_additional_networks: "{{ (devture_traefik_container_additional_networks_auto + devture_traefik_container_additional_networks_custom) | unique }}" -devture_traefik_container_additional_networks_auto: [] -devture_traefik_container_additional_networks_custom: [] +traefik_container_additional_networks: "{{ (traefik_container_additional_networks_auto + traefik_container_additional_networks_custom) | unique }}" +traefik_container_additional_networks_auto: [] +traefik_container_additional_networks_custom: [] # A list of extra arguments to pass to the container -devture_traefik_container_extra_arguments: "{{ devture_traefik_container_extra_arguments_auto + devture_traefik_container_extra_arguments_custom }}" -devture_traefik_container_extra_arguments_auto: [] -devture_traefik_container_extra_arguments_custom: [] +traefik_container_extra_arguments: "{{ traefik_container_extra_arguments_auto + traefik_container_extra_arguments_custom }}" +traefik_container_extra_arguments_auto: [] +traefik_container_extra_arguments_custom: [] # A list of extra arguments to pass to the Traefik process # Example: ['--api'] -devture_traefik_process_extra_arguments: "{{ devture_traefik_process_extra_arguments_auto + devture_traefik_process_extra_arguments_custom }}" -devture_traefik_process_extra_arguments_auto: [] -devture_traefik_process_extra_arguments_custom: [] +traefik_process_extra_arguments: "{{ traefik_process_extra_arguments_auto + traefik_process_extra_arguments_custom }}" +traefik_process_extra_arguments_auto: [] +traefik_process_extra_arguments_custom: [] # Specifies the primary entrypoint. 
# We default to the web-secure entrypoint if it's enabled. # When web-secure is enabled, the web (80) entrypoint redirects to web-secure (443) -devture_traefik_entrypoint_primary: "{{ devture_traefik_config_entrypoint_web_secure_name if devture_traefik_config_entrypoint_web_secure_enabled else (devture_traefik_config_entrypoint_web_name if devture_traefik_config_entrypoint_web_enabled else '') }}" +traefik_entrypoint_primary: "{{ traefik_config_entrypoint_web_secure_name if traefik_config_entrypoint_web_secure_enabled else (traefik_config_entrypoint_web_name if traefik_config_entrypoint_web_enabled else '') }}" # Specifies the primary certificate resolver. # If you're disabling ACME or using your own, you can specify it here manually. -devture_traefik_certResolver_primary: "{{ devture_traefik_config_certificatesResolvers_acme_name if devture_traefik_config_certificatesResolvers_acme_enabled else '' }}" +traefik_certResolver_primary: "{{ traefik_config_certificatesResolvers_acme_name if traefik_config_certificatesResolvers_acme_enabled else '' }}" -devture_traefik_config_log_level: INFO +traefik_config_log_level: INFO # Controls whether logs for incoming requests are collected -devture_traefik_config_accessLog_enabled: true +traefik_config_accessLog_enabled: true # Controls whether Prometheus metrics will be exposed on a new metrics entrypoint. -# See devture_traefik_config_entrypoint_metrics_enabled -devture_traefik_config_metrics_prometheus_enabled: false -devture_traefik_config_metrics_prometheus_entrypoint: metrics +# See traefik_config_entrypoint_metrics_enabled +traefik_config_metrics_prometheus_enabled: false +traefik_config_metrics_prometheus_entrypoint: metrics # Controls whether the ACME (https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) certificate resolver is enabled. # By default, if the web-secure entrypoint is enabled, we enable Let's Encrypt. 
-devture_traefik_config_certificatesResolvers_acme_enabled: "{{ devture_traefik_config_entrypoint_web_secure_enabled }}" -devture_traefik_config_certificatesResolvers_acme_name: default -devture_traefik_config_certificatesResolvers_acme_email: '' -devture_traefik_config_certificatesResolvers_acme_storage: /ssl/acme.json # in-container path -# devture_traefik_config_certificatesResolvers_acme_use_staging controls whether the Let's Encrypt staging environment is used or not. -devture_traefik_config_certificatesResolvers_acme_use_staging: false -# devture_traefik_config_certificatesResolvers_acme_caServer specifies the CA server endpoint to use. -devture_traefik_config_certificatesResolvers_acme_caServer: "{{ 'https://acme-staging-v02.api.letsencrypt.org/directory' if devture_traefik_config_certificatesResolvers_acme_use_staging else 'https://acme-v02.api.letsencrypt.org/directory' }}" -# devture_traefik_config_certificatesResolvers_acme_httpChallenge_enabled controls whether the Let's Encrypt httpChallenge is used or not. -devture_traefik_config_certificatesResolvers_acme_httpChallenge_enabled: "{{ not devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled }}" -# devture_traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint controls on which entrypoint the HTTP ACME challenge is enabled. -devture_traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint: "{{ devture_traefik_config_entrypoint_web_name if devture_traefik_config_entrypoint_web_enabled else '' }}" +traefik_config_certificatesResolvers_acme_enabled: "{{ traefik_config_entrypoint_web_secure_enabled }}" +traefik_config_certificatesResolvers_acme_name: default +traefik_config_certificatesResolvers_acme_email: '' +traefik_config_certificatesResolvers_acme_storage: /ssl/acme.json # in-container path +# traefik_config_certificatesResolvers_acme_use_staging controls whether the Let's Encrypt staging environment is used or not. 
+traefik_config_certificatesResolvers_acme_use_staging: false +# traefik_config_certificatesResolvers_acme_caServer specifies the CA server endpoint to use. +traefik_config_certificatesResolvers_acme_caServer: "{{ 'https://acme-staging-v02.api.letsencrypt.org/directory' if traefik_config_certificatesResolvers_acme_use_staging else 'https://acme-v02.api.letsencrypt.org/directory' }}" +# traefik_config_certificatesResolvers_acme_httpChallenge_enabled controls whether the Let's Encrypt httpChallenge is used or not. +traefik_config_certificatesResolvers_acme_httpChallenge_enabled: "{{ not traefik_config_certificatesResolvers_acme_dnsChallenge_enabled }}" +# traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint controls on which entrypoint the HTTP ACME challenge is enabled. +traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint: "{{ traefik_config_entrypoint_web_name if traefik_config_entrypoint_web_enabled else '' }}" # Controls whether the ACME DNS challenge is enabled. # For more information on supported providers, settings and environment variables, please refer to: # https://doc.traefik.io/traefik/https/acme/#providers # If enabled, Traefik will use DNS challenges to obtain Let's Encrypt certificates. -devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: false +traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: false # Specify the DNS provider to handle DNS challenges. -devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "" +traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "" # The delay in seconds before checking DNS propagation for the ACME DNS challenge. -devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: '' +traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: '' # The list of DNS resolvers to be used for the ACME DNS challenge. 
-devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: [] +traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: [] # Example for dnsChallenge and netcup DNS provider: # -# devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true -# devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider: netcup -# devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 900 +# traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true +# traefik_config_certificatesResolvers_acme_dnsChallenge_provider: netcup +# traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 900 -# devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: +# traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: # - "root-dns.netcup.net" # - "second-dns.netcup.net" -# devture_traefik_environment_variables_additional_variables: | +# traefik_environment_variables_additional_variables: | # NETCUP_CUSTOMER_NUMBER=12345 # NETCUP_API_KEY=api_key # NETCUP_API_PASSWORD=password 
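Review bot: Nothing in this hunk keeps the old `devture_traefik_*` names working or rejects them, so an inventory that still sets them would be silently ignored and the role would fall back to the defaults defined here. That matters most for hardening overrides in the later hunks of this file (`-109,107` and `-254,78`), such as the `*_forwardedHeaders_trustedIPs` lists or a loopback-only `*_host_bind_port`, which would revert without any error. If the commit does not already add a check in the tasks outside this view, a validation task guarded by `when: lookup('ansible.builtin.varnames', '^devture_traefik_.+', wantlist=True) | length > 0` would make a stale inventory fail loudly. Separately, `traefik_identifier` changes value from `devture-traefik` to `traefik`, which moves the default `traefik_base_path` and `traefik_ssl_dir_path`, presumably leaving existing ACME state under the old path; a comment such as `# NOTE: default changed from devture-traefik; override to keep the previous base path` would help upgraders.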
@@ -109,107 +109,107 @@ devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: [] # Additional environment variables to pass to the container. # # Example: -# devture_traefik_environment_variables_additional_variables: | +# traefik_environment_variables_additional_variables: | # VARIABLE_1=value # VARIABLE_2=value -devture_traefik_environment_variables_additional_variables: '' +traefik_environment_variables_additional_variables: '' # Controls whether the web entrypoint is enabled -devture_traefik_config_entrypoint_web_enabled: true -devture_traefik_config_entrypoint_web_name: web -devture_traefik_config_entrypoint_web_port: 80 -devture_traefik_config_entrypoint_web_port_in_container: 8080 -devture_traefik_config_entrypoint_web_address: ":{{ devture_traefik_config_entrypoint_web_port_in_container }}" +traefik_config_entrypoint_web_enabled: true +traefik_config_entrypoint_web_name: web +traefik_config_entrypoint_web_port: 80 +traefik_config_entrypoint_web_port_in_container: 8080 +traefik_config_entrypoint_web_address: ":{{ traefik_config_entrypoint_web_port_in_container }}" # Controls `forwardedHeaders.trustedIPs`, specifying from which IPs to trust `X-Forwarded-*` headers. # By default, we expect that there's no other reverse-proxy in front of us, so we don't trust anything. -# Also see: `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` -devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: [] +# Also see: `traefik_config_entrypoint_web_forwardedHeaders_insecure` +traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: [] # Controls `forwardedHeaders.insecure` for this entrypoint. 
-# Also see: `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` -devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: false +# Also see: `traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` +traefik_config_entrypoint_web_forwardedHeaders_insecure: false # Controls whether the web entrypoint should be redirected to web-secure # If web-secure is enabled, we enable this redirection by default. -devture_traefik_config_entrypoint_web_to_web_secure_redirection_enabled: "{{ devture_traefik_config_entrypoint_web_secure_enabled }}" -devture_traefik_config_entrypoint_web_to_web_secure_redirection_to: ":{{ devture_traefik_config_entrypoint_web_secure_port }}" -devture_traefik_config_entrypoint_web_to_web_secure_redirection_scheme: https +traefik_config_entrypoint_web_to_web_secure_redirection_enabled: "{{ traefik_config_entrypoint_web_secure_enabled }}" +traefik_config_entrypoint_web_to_web_secure_redirection_to: ":{{ traefik_config_entrypoint_web_secure_port }}" +traefik_config_entrypoint_web_to_web_secure_redirection_scheme: https # Controls whether the web-secure entrypoint is enabled -devture_traefik_config_entrypoint_web_secure_enabled: true -devture_traefik_config_entrypoint_web_secure_name: web-secure -devture_traefik_config_entrypoint_web_secure_port: 443 -devture_traefik_config_entrypoint_web_secure_port_in_container: 8443 -devture_traefik_config_entrypoint_web_secure_address: ":{{ devture_traefik_config_entrypoint_web_secure_port_in_container }}" +traefik_config_entrypoint_web_secure_enabled: true +traefik_config_entrypoint_web_secure_name: web-secure +traefik_config_entrypoint_web_secure_port: 443 +traefik_config_entrypoint_web_secure_port_in_container: 8443 +traefik_config_entrypoint_web_secure_address: ":{{ traefik_config_entrypoint_web_secure_port_in_container }}" # Controls `forwardedHeaders.trustedIPs`, specifying from which IPs to trust `X-Forwarded-*` headers. 
# By default, we expect that there's no other reverse-proxy in front of us, so we don't trust anything. -# Also see: `devture_traefik_config_entrypoint_web_secure_forwardedHeaders_insecure` -devture_traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs: [] +# Also see: `traefik_config_entrypoint_web_secure_forwardedHeaders_insecure` +traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs: [] # Controls `forwardedHeaders.insecure` for this entrypoint. -# Also see: `devture_traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs` -devture_traefik_config_entrypoint_web_secure_forwardedHeaders_insecure: false +# Also see: `traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs` +traefik_config_entrypoint_web_secure_forwardedHeaders_insecure: false -devture_traefik_config_entrypoint_web_secure_http3_enabled: true -devture_traefik_config_entrypoint_web_secure_http3_config_advertisedPort: "{{ devture_traefik_config_entrypoint_web_secure_port }}" -devture_traefik_config_entrypoint_web_secure_http3_config: "{{ devture_traefik_config_entrypoint_web_secure_http3_config_yaml | from_yaml }}" -devture_traefik_config_entrypoint_web_secure_http3_config_yaml: | - advertisedPort: {{ devture_traefik_config_entrypoint_web_secure_http3_config_advertisedPort | int | to_json }} +traefik_config_entrypoint_web_secure_http3_enabled: true +traefik_config_entrypoint_web_secure_http3_config_advertisedPort: "{{ traefik_config_entrypoint_web_secure_port }}" +traefik_config_entrypoint_web_secure_http3_config: "{{ traefik_config_entrypoint_web_secure_http3_config_yaml | from_yaml }}" +traefik_config_entrypoint_web_secure_http3_config_yaml: | + advertisedPort: {{ traefik_config_entrypoint_web_secure_http3_config_advertisedPort | int | to_json }} # Controls whether the metrics entrypoint is enabled -devture_traefik_config_entrypoint_metrics_enabled: "{{ devture_traefik_config_metrics_prometheus_enabled }}" -devture_traefik_config_entrypoint_metrics_name: "{{ 
devture_traefik_config_metrics_prometheus_entrypoint }}" -devture_traefik_config_entrypoint_metrics_port: 8082 -devture_traefik_config_entrypoint_metrics_port_in_container: 8082 -devture_traefik_config_entrypoint_metrics_address: ":{{ devture_traefik_config_entrypoint_metrics_port_in_container }}" +traefik_config_entrypoint_metrics_enabled: "{{ traefik_config_metrics_prometheus_enabled }}" +traefik_config_entrypoint_metrics_name: "{{ traefik_config_metrics_prometheus_entrypoint }}" +traefik_config_entrypoint_metrics_port: 8082 +traefik_config_entrypoint_metrics_port_in_container: 8082 +traefik_config_entrypoint_metrics_address: ":{{ traefik_config_entrypoint_metrics_port_in_container }}" # Controls `forwardedHeaders.trustedIPs`, specifying from which IPs to trust `X-Forwarded-*` headers. # By default, we expect that there's no other reverse-proxy in front of us, so we don't trust anything. -# Also see: `devture_traefik_config_entrypoint_metrics_forwardedHeaders_insecure` -devture_traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs: [] +# Also see: `traefik_config_entrypoint_metrics_forwardedHeaders_insecure` +traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs: [] # Controls `forwardedHeaders.insecure` for this entrypoint. -# Also see: `devture_traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs` -devture_traefik_config_entrypoint_metrics_forwardedHeaders_insecure: false +# Also see: `traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs` +traefik_config_entrypoint_metrics_forwardedHeaders_insecure: false # Controls the `providers.docker.network` configuration option. -devture_traefik_config_providers_docker_network: "{{ devture_traefik_container_network }}" +traefik_config_providers_docker_network: "{{ traefik_container_network }}" # Controls the `providers.docker.endpoint` configuration option. 
-devture_traefik_config_providers_docker_endpoint: unix:///var/run/docker.sock +traefik_config_providers_docker_endpoint: unix:///var/run/docker.sock -# devture_traefik_config_api_dashboard controls the api.dashboard configuration setting, +# traefik_config_api_dashboard controls the api.dashboard configuration setting, # which controls whether the dashboard is enabled. -# See: devture_traefik_dashboard_enabled -devture_traefik_config_api_dashboard: "{{ devture_traefik_dashboard_enabled }}" +# See: traefik_dashboard_enabled +traefik_config_api_dashboard: "{{ traefik_dashboard_enabled }}" -# devture_traefik_dashboard_enabled controls whether the Dashboard is enabled. +# traefik_dashboard_enabled controls whether the Dashboard is enabled. # See: https://doc.traefik.io/traefik/operations/dashboard/ -devture_traefik_dashboard_enabled: false +traefik_dashboard_enabled: false # The hostname where the Traefik Dashboard will be exposed on. # The Dashboard will be available at https://HOSTNAME/dashboard/ (note the trailing slash). -devture_traefik_dashboard_hostname: '' +traefik_dashboard_hostname: '' -# devture_traefik_dashboard_rule controls where the Traefik Dashboard will be exposed. -# See: devture_traefik_dashboard_enabled, devture_traefik_dashboard_hostname -devture_traefik_dashboard_rule: "Host(`{{ devture_traefik_dashboard_hostname }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" +# traefik_dashboard_rule controls where the Traefik Dashboard will be exposed. +# See: traefik_dashboard_enabled, traefik_dashboard_hostname +traefik_dashboard_rule: "Host(`{{ traefik_dashboard_hostname }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" # Specifies the entrypoints through which the Traefik Dashboard will be exposed. 
-devture_traefik_dashboard_entrypoints: "{{ devture_traefik_entrypoint_primary }}" # noqa var-naming +traefik_dashboard_entrypoints: "{{ traefik_entrypoint_primary }}" # noqa var-naming -devture_traefik_dashboard_tls: "{{ devture_traefik_dashboard_entrypoints != 'web' }}" -devture_traefik_dashboard_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # noqa var-naming +traefik_dashboard_tls: "{{ traefik_dashboard_entrypoints != 'web' }}" +traefik_dashboard_tls_certResolver: "{{ traefik_certResolver_primary }}" # noqa var-naming -# devture_traefik_dashboard_basicauth_enabled controls if the dashboard is protected with Basic Auth. +# traefik_dashboard_basicauth_enabled controls if the dashboard is protected with Basic Auth. # When the Dashboard is enabled, we automatically enable Basic Auth. -devture_traefik_dashboard_basicauth_enabled: "{{ devture_traefik_dashboard_enabled }}" -devture_traefik_dashboard_basicauth_user: '' -devture_traefik_dashboard_basicauth_password: '' +traefik_dashboard_basicauth_enabled: "{{ traefik_dashboard_enabled }}" +traefik_dashboard_basicauth_user: '' +traefik_dashboard_basicauth_password: '' # Temporary file name on the host that runs Ansible -devture_traefik_dashboard_basicauth_file_tmp: "/tmp/ansible-htpasswd-devture-traefik" +traefik_dashboard_basicauth_file_tmp: "/tmp/ansible-htpasswd-traefik" # A list of additional entrypoints. # -# Playbooks are meant to inject their defaults into `devture_traefik_additional_entrypoints_auto`. -# To define your own custom entrypoints, use `devture_traefik_additional_entrypoints_custom`. +# Playbooks are meant to inject their defaults into `traefik_additional_entrypoints_auto`. +# To define your own custom entrypoints, use `traefik_additional_entrypoints_custom`. # # Each entrypoint must be defined with the following parameters: # - name: the name of the entrypoint 
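Review bot: `traefik_dashboard_basicauth_file_tmp` remains a fixed, predictable name under `/tmp` on the host that runs Ansible, and the new value is still a hard-coded literal rather than following `traefik_identifier`. The file presumably holds the dashboard's Basic Auth htpasswd data; on a shared controller another local user can pre-create that path, and two role instances with different identifiers would share it. The task that writes the file is outside this hunk, so confirm it is created with a restrictive mode and removed afterwards. At minimum `traefik_dashboard_basicauth_file_tmp: "/tmp/ansible-htpasswd-{{ traefik_identifier }}"` gives per-instance names; a path obtained from `ansible.builtin.tempfile` at task time would avoid the predictable name altogether.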
@@ -219,7 +219,7 @@ devture_traefik_dashboard_basicauth_file_tmp: "/tmp/ansible-htpasswd-devture-tra # - config: a mapping with additional configuration options for the entrypoint # # Example: -# devture_traefik_additional_entrypoints: +# traefik_additional_entrypoints: # - name: new-entrypoint # port: 1234 # host_bind_port: 1234 @@ -237,9 +237,9 @@ devture_traefik_dashboard_basicauth_file_tmp: "/tmp/ansible-htpasswd-devture-tra # config: # http3: # advertisedPort: 4321 -devture_traefik_additional_entrypoints: "{{ devture_traefik_additional_entrypoints_auto + devture_traefik_additional_entrypoints_custom }}" -devture_traefik_additional_entrypoints_auto: [] -devture_traefik_additional_entrypoints_custom: [] +traefik_additional_entrypoints: "{{ traefik_additional_entrypoints_auto + traefik_additional_entrypoints_custom }}" +traefik_additional_entrypoints_auto: [] +traefik_additional_entrypoints_custom: [] # A list of additional domains that this role should obtain certificates for. # 
@@ -254,78 +254,78 @@ devture_traefik_additional_entrypoints_custom: [] # This router does not forward traffic to any service. # The goal is to just obtain the certificate and allow it to be used for other purposes, # after extracting it out of Traefik via traefik-certs-dumper (https://github.com/ldez/traefik-certs-dumper). -# For extracting certificates out using this tool, see this role: https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper -devture_traefik_additional_domains_to_obtain_certificates_for: [] +# For extracting certificates out using this tool, see this role: https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper +traefik_additional_domains_to_obtain_certificates_for: [] # Specifies the entrypoints through which the additional domains will be exposed. -devture_traefik_additional_domains_to_obtain_certificates_for_entryPoints: "{{ devture_traefik_config_entrypoint_web_secure_name if devture_traefik_config_entrypoint_web_secure_enabled else (devture_traefik_config_entrypoint_web_name if devture_traefik_config_entrypoint_web_enabled else '') }}" # noqa var-naming +traefik_additional_domains_to_obtain_certificates_for_entryPoints: "{{ traefik_config_entrypoint_web_secure_name if traefik_config_entrypoint_web_secure_enabled else (traefik_config_entrypoint_web_name if traefik_config_entrypoint_web_enabled else '') }}" # noqa var-naming # Specifies the certitficate resolver to use when obtaining additional certificates. -# See: devture_traefik_additional_domains_to_obtain_certificates_for -devture_traefik_additional_domains_to_obtain_certificates_for_certResolver: "{{ devture_traefik_certResolver_primary }}" +# See: traefik_additional_domains_to_obtain_certificates_for +traefik_additional_domains_to_obtain_certificates_for_certResolver: "{{ traefik_certResolver_primary }}" # Specifies how the container publishes its web port # # Takes an ":" value (e.g. 
"127.0.0.1:80"), just a port number or an empty string to not expose. -devture_traefik_container_web_host_bind_port: "{{ devture_traefik_config_entrypoint_web_port if devture_traefik_config_entrypoint_web_enabled else '' }}" +traefik_container_web_host_bind_port: "{{ traefik_config_entrypoint_web_port if traefik_config_entrypoint_web_enabled else '' }}" # Specifies how the container publishes its TCP web-secure port # # Takes an ":" value (e.g. "127.0.0.1:443"), just a port number or an empty string to not expose. -devture_traefik_container_web_secure_host_bind_port: "{{ devture_traefik_config_entrypoint_web_secure_port if devture_traefik_config_entrypoint_web_secure_enabled else '' }}" +traefik_container_web_secure_host_bind_port: "{{ traefik_config_entrypoint_web_secure_port if traefik_config_entrypoint_web_secure_enabled else '' }}" # Specifies how the container publishes its UDP web-secure port # # Takes an ":" value (e.g. "127.0.0.1:443"), just a port number or an empty string to not expose. -devture_traefik_container_web_secure_host_bind_port_udp: "{{ devture_traefik_config_entrypoint_web_secure_http3_config_advertisedPort if devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_entrypoint_web_secure_http3_enabled else '' }}" +traefik_container_web_secure_host_bind_port_udp: "{{ traefik_config_entrypoint_web_secure_http3_config_advertisedPort if traefik_config_entrypoint_web_secure_enabled and traefik_config_entrypoint_web_secure_http3_enabled else '' }}" # Specifies how the container publishes its metrics port # # Takes an ":" value (e.g. "127.0.0.1:8082"), just a port number or an empty string to not expose. 
-devture_traefik_container_metrics_host_bind_port: "{{ devture_traefik_config_entrypoint_metrics_port if devture_traefik_config_entrypoint_metrics_enabled else '' }}" +traefik_container_metrics_host_bind_port: "{{ traefik_config_entrypoint_metrics_port if traefik_config_entrypoint_metrics_enabled else '' }}" # Default Traefik configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # -# For a more advanced customization, you can extend the default (see `devture_traefik_configuration_extension_yaml`) +# For a more advanced customization, you can extend the default (see `traefik_configuration_extension_yaml`) # or completely replace this variable with your own template. -devture_traefik_configuration_yaml: "{{ lookup('template', 'templates/traefik.yml.j2') }}" +traefik_configuration_yaml: "{{ lookup('template', 'templates/traefik.yml.j2') }}" -devture_traefik_configuration_extension_yaml: | +traefik_configuration_extension_yaml: | # Your custom YAML configuration for Traefik goes here. - # This configuration extends the default starting configuration (`devture_traefik_configuration_yaml`). + # This configuration extends the default starting configuration (`traefik_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. # # If you need something more special, you can take full control by - # completely redefining `devture_traefik_configuration_yaml`. + # completely redefining `traefik_configuration_yaml`. 
# # Example configuration extension follows: # # api: # dashboard: true -devture_traefik_configuration_extension: "{{ devture_traefik_configuration_extension_yaml | from_yaml if devture_traefik_configuration_extension_yaml | from_yaml is mapping else {} }}" +traefik_configuration_extension: "{{ traefik_configuration_extension_yaml | from_yaml if traefik_configuration_extension_yaml | from_yaml is mapping else {} }}" # Holds the final Traefik configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `devture_traefik_configuration_yaml`. -devture_traefik_configuration: "{{ devture_traefik_configuration_yaml | from_yaml | combine(devture_traefik_configuration_extension, recursive=True) }}" +# You most likely don't need to touch this variable. Instead, see `traefik_configuration_yaml`. +traefik_configuration: "{{ traefik_configuration_yaml | from_yaml | combine(traefik_configuration_extension, recursive=True) }}" # Default Traefik provider configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # -# For a more advanced customization, you can extend the default (see `devture_traefik_provider_configuration_yaml`) +# For a more advanced customization, you can extend the default (see `traefik_provider_configuration_yaml`) # or completely replace this variable with your own template. -devture_traefik_provider_configuration_yaml: "{{ lookup('template', 'templates/provider.yml.j2') }}" +traefik_provider_configuration_yaml: "{{ lookup('template', 'templates/provider.yml.j2') }}" -devture_traefik_provider_configuration_extension_yaml: | +traefik_provider_configuration_extension_yaml: | # Your custom YAML configuration for Traefik provider goes here. - # This configuration extends the default starting configuration (`devture_traefik_provider_configuration_yaml`). 
+ # This configuration extends the default starting configuration (`traefik_provider_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. # # If you need something more special, you can take full control by - # completely redefining `devture_traefik_provider_configuration_yaml`. + # completely redefining `traefik_provider_configuration_yaml`. # # Example configuration extension follows: # 
@@ -340,25 +340,25 @@ devture_traefik_provider_configuration_extension_yaml: | # - "*.example.com" # certresolver: default -devture_traefik_provider_configuration_extension: "{{ devture_traefik_provider_configuration_extension_yaml | from_yaml if devture_traefik_provider_configuration_extension_yaml | from_yaml is mapping else {} }}" +traefik_provider_configuration_extension: "{{ traefik_provider_configuration_extension_yaml | from_yaml if traefik_provider_configuration_extension_yaml | from_yaml is mapping else {} }}" # Holds the final Traefik provider configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `devture_traefik_provider_configuration_yaml`. -devture_traefik_provider_configuration: "{{ devture_traefik_provider_configuration_yaml | from_yaml | combine(devture_traefik_provider_configuration_extension, recursive=True) }}" +# You most likely don't need to touch this variable. Instead, see `traefik_provider_configuration_yaml`. +traefik_provider_configuration: "{{ traefik_provider_configuration_yaml | from_yaml | combine(traefik_provider_configuration_extension, recursive=True) }}" -# devture_traefik_environment_variables holds a string with environment variable to pass to Traefik. +# traefik_environment_variables holds a string with environment variable to pass to Traefik. # # Example: -# devture_traefik_environment_variables: | +# traefik_environment_variables: | # TRAEFIK_ACCESSLOG=true # TRAEFIK_API=true -devture_traefik_environment_variables: '' +traefik_environment_variables: '' -# devture_traefik_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# traefik_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
# # Example: -# devture_traefik_labels_additional_labels: | +# traefik_labels_additional_labels: | # my.label=1 # another.label="here" -devture_traefik_labels_additional_labels: '' +traefik_labels_additional_labels: '' diff --git a/tasks/install.yml b/tasks/install.yml index d7c45f9..93f5b7f 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
@@ -5,63 +5,63 @@ path: "{{ item.path }}" state: directory mode: "0750" - owner: "{{ devture_traefik_uid }}" - group: "{{ devture_traefik_gid }}" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" when: item.when | bool with_items: - - path: "{{ devture_traefik_base_path }}" + - path: "{{ traefik_base_path }}" when: true - - path: "{{ devture_traefik_config_dir_path }}" + - path: "{{ traefik_config_dir_path }}" when: true - - path: "{{ devture_traefik_ssl_dir_path }}" - when: "{{ devture_traefik_ssl_dir_enabled }}" - - path: "{{ devture_traefik_plugins_dir_path }}" - when: "{{ devture_traefik_plugin_support_enabled }}" + - path: "{{ traefik_ssl_dir_path }}" + when: "{{ traefik_ssl_dir_enabled }}" + - path: "{{ traefik_plugins_dir_path }}" + when: "{{ traefik_plugin_support_enabled }}" -- when: devture_traefik_dashboard_basicauth_enabled | bool +- when: traefik_dashboard_basicauth_enabled | bool block: # We do this locally, so that we won't need passlib to be installed on the server. 
- name: Generate basic auth file locally community.general.htpasswd: - path: "{{ devture_traefik_dashboard_basicauth_file_tmp }}" - name: "{{ devture_traefik_dashboard_basicauth_user }}" - password: "{{ devture_traefik_dashboard_basicauth_password }}" + path: "{{ traefik_dashboard_basicauth_file_tmp }}" + name: "{{ traefik_dashboard_basicauth_user }}" + password: "{{ traefik_dashboard_basicauth_password }}" mode: 0640 become: false delegate_to: 127.0.0.1 - name: Load basic auth file contents ansible.builtin.slurp: - src: "{{ devture_traefik_dashboard_basicauth_file_tmp }}" + src: "{{ traefik_dashboard_basicauth_file_tmp }}" become: false delegate_to: 127.0.0.1 - register: devture_traefik_dashboard_basicauth_file_contents_raw + register: traefik_dashboard_basicauth_file_contents_raw - name: Load basic auth file contents ansible.builtin.set_fact: - devture_traefik_dashboard_basicauth_file_contents: "{{ devture_traefik_dashboard_basicauth_file_contents_raw['content'] | b64decode }}" + traefik_dashboard_basicauth_file_contents: "{{ traefik_dashboard_basicauth_file_contents_raw['content'] | b64decode }}" - name: Ensure local temporary basic auth file is removed ansible.builtin.file: - path: "{{ devture_traefik_dashboard_basicauth_file_tmp }}" + path: "{{ traefik_dashboard_basicauth_file_tmp }}" state: absent become: false delegate_to: 127.0.0.1 - name: Ensure Traefik environment variables installed ansible.builtin.copy: - content: "{{ devture_traefik_environment_variables }}" - dest: "{{ devture_traefik_config_dir_path }}/env" - owner: "{{ devture_traefik_uid }}" - group: "{{ devture_traefik_gid }}" + content: "{{ traefik_environment_variables }}" + dest: "{{ traefik_config_dir_path }}/env" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" mode: 0640 - name: Ensure Traefik support files installed ansible.builtin.template: src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ devture_traefik_config_dir_path }}/{{ item }}" - owner: "{{ devture_traefik_uid }}" 
- group: "{{ devture_traefik_gid }}" + dest: "{{ traefik_config_dir_path }}/{{ item }}" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" mode: 0640 with_items: - env @@ -69,18 +69,18 @@ - name: Ensure traefik.yml installed ansible.builtin.copy: - content: "{{ devture_traefik_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ devture_traefik_config_dir_path }}/traefik.yml" - owner: "{{ devture_traefik_uid }}" - group: "{{ devture_traefik_gid }}" + content: "{{ traefik_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ traefik_config_dir_path }}/traefik.yml" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" mode: 0640 - name: Ensure provider.yml installed ansible.builtin.copy: - content: "{{ devture_traefik_provider_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ devture_traefik_config_dir_path }}/provider.yml" - owner: "{{ devture_traefik_uid }}" - group: "{{ devture_traefik_gid }}" + content: "{{ traefik_provider_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ traefik_config_dir_path }}/provider.yml" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" mode: 0640 # If the Docker API is accessed through a UNIX socket (like we do by default), the container is run as root, 
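Review bot: In the basic-auth block of the `@@ -5,63` hunk, the `Load basic auth file contents` slurp and set_fact tasks carry no `no_log: true`, so the generated htpasswd line (user name plus password hash) shows up in task results whenever the play runs with raised verbosity or a logging callback; adding `no_log: true` to both keeps it out of logs. The cleanup task `Ensure local temporary basic auth file is removed` is an ordinary member of the block, so a failure in the slurp or set_fact step leaves the hash file behind on the controller; moving that task under an `always:` section of the block would remove it on every path. The first task of this hunk starts above the hunk, and the indentation here is not reliable enough to say exactly where the block ends.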
@@ -88,25 +88,25 @@ # # When switching to accessing the Docker API via TCP, we run the container with a regular user. # An already existing acme.json (owned by root:root) won't be accessible and needs to be fixed up. -- when: not devture_traefik_config_providers_docker_endpoint_is_unix_socket +- when: not traefik_config_providers_docker_endpoint_is_unix_socket name: Ensure acme.json file ownership is correct block: - name: Check existence of acme.json file ansible.builtin.stat: - path: "{{ devture_traefik_ssl_dir_path }}/acme.json" - register: devture_traefik_ssl_acme_json_stat + path: "{{ traefik_ssl_dir_path }}/acme.json" + register: traefik_ssl_acme_json_stat - - when: devture_traefik_ssl_acme_json_stat.stat.exists | bool + - when: traefik_ssl_acme_json_stat.stat.exists | bool name: Ensure acme.json file ownership set correctly ansible.builtin.file: - path: "{{ devture_traefik_ssl_dir_path }}/acme.json" - owner: "{{ devture_traefik_uid }}" - group: "{{ devture_traefik_gid }}" + path: "{{ traefik_ssl_dir_path }}/acme.json" + owner: "{{ traefik_uid }}" + group: "{{ traefik_gid }}" - name: Ensure Traefik container image is pulled via community.docker.docker_image when: devture_systemd_docker_base_container_image_pull_method == 'ansible-module' community.docker.docker_image: - name: "{{ devture_traefik_container_image }}" + name: "{{ traefik_container_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" # noqa args register: result retries: "{{ devture_playbook_help_container_retries_count }}" 
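Review bot: The `Ensure acme.json file ownership set correctly` task changes owner and group but leaves the file mode as it found it, so an acme.json that was group- or world-readable stays readable after the ownership fix-up. Traefik keeps the ACME account key and the certificates' private keys in that file, so the task should pin the mode as well, e.g. `mode: "0600"`. The image-pull task at the end of this hunk continues past the hunk.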
@@ -116,28 +116,28 @@ - name: Ensure Traefik container image is pulled via command when: devture_systemd_docker_base_container_image_pull_method == 'command' ansible.builtin.command: - cmd: "{{ devture_systemd_docker_base_host_command_docker }} pull {{ devture_traefik_container_image }}" + cmd: "{{ devture_systemd_docker_base_host_command_docker }} pull {{ traefik_container_image }}" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed - name: Ensure Traefik container network exists via community.docker.docker_network - when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module' and devture_traefik_container_network != 'host' + when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module' and traefik_container_network != 'host' community.docker.docker_network: - name: "{{ devture_traefik_container_network }}" + name: "{{ traefik_container_network }}" driver: bridge driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" - name: Ensure Traefik container network exists via command - when: devture_systemd_docker_base_container_network_creation_method == 'command' and devture_traefik_container_network != 'host' + when: devture_systemd_docker_base_container_network_creation_method == 'command' and traefik_container_network != 'host' ansible.builtin.command: - cmd: "{{ devture_systemd_docker_base_host_command_docker }} network create {% for k, v in devture_systemd_docker_base_container_networks_driver_options %} --opt {{ k }}={{ v }}{% endfor %} {{ devture_traefik_container_network }}" + cmd: "{{ devture_systemd_docker_base_host_command_docker }} network create {% for k, v in devture_systemd_docker_base_container_networks_driver_options %} --opt {{ k }}={{ v }}{% endfor %} {{ traefik_container_network }}" register: network_creation_result failed_when: 
network_creation_result.rc != 0 and 'already exists' not in network_creation_result.stderr - name: Ensure Traefik systemd service installed ansible.builtin.template: - src: "{{ role_path }}/templates/devture-traefik.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ devture_traefik_identifier }}.service" + src: "{{ role_path }}/templates/traefik.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ traefik_identifier }}.service" mode: 0644 diff --git a/tasks/main.yml b/tasks/main.yml index 097477b..7860125 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,15 +6,15 @@ - install-all - install-traefik block: - - when: devture_traefik_enabled | bool + - when: traefik_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - when: devture_traefik_enabled | bool + - when: traefik_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: - setup-all - setup-traefik block: - - when: not devture_traefik_enabled | bool + - when: not traefik_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/tasks/uninstall.yml b/tasks/uninstall.yml index bb7832c..cc90f48 100644 --- a/tasks/uninstall.yml +++ b/tasks/uninstall.yml 
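Review bot: In `Ensure Traefik container network exists via command`, the loop `{% for k, v in devture_systemd_docker_base_container_networks_driver_options %}` iterates the variable directly, while the module-based task just above passes the same variable to `driver_options`, which expects a dictionary. If it is a dictionary, the loop yields keys only and the `k, v` unpacking breaks as soon as it is non-empty; `{% for k, v in devture_systemd_docker_base_container_networks_driver_options.items() %}` would match the module branch. The option values and the network name also reach the command line unquoted, so `{{ v | quote }}` and `{{ traefik_container_network | quote }}` would keep a value containing spaces from turning into extra arguments.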
@@ -2,23 +2,23 @@ - name: Check existence of Traefik systemd service ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/{{ devture_traefik_identifier }}.service" - register: devture_traefik_service_stat + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ traefik_identifier }}.service" + register: traefik_service_stat -- when: devture_traefik_service_stat.stat.exists | bool +- when: traefik_service_stat.stat.exists | bool block: - name: Ensure Traefik systemd service is stopped ansible.builtin.systemd: - name: "{{ devture_traefik_identifier }}" + name: "{{ traefik_identifier }}" state: stopped daemon_reload: true - name: Ensure Traefik systemd service doesn't exist ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/{{ devture_traefik_identifier }}.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ traefik_identifier }}.service" state: absent - name: Remove Traefik directory is removed ansible.builtin.file: - path: "{{ devture_traefik_base_path }}" + path: "{{ traefik_base_path }}" state: absent diff --git a/tasks/validate_config.yml b/tasks/validate_config.yml index 7731ad5..36c4f25 100644 --- a/tasks/validate_config.yml +++ b/tasks/validate_config.yml 
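Review bot: The `Remove Traefik directory is removed` task deletes `{{ traefik_base_path }}` recursively with no check on what the path resolves to, and tasks/main.yml includes validate_config.yml only when the role is enabled, so nothing validates the variables on the uninstall path. `traefik_base_path` is defined outside this hunk; if an override or an empty component makes it resolve to an empty string or `/`, `state: absent` would act on far more than the role's own data. A guard on the task such as `when: traefik_base_path not in ['', '/']` would make that case a no-op. The task name also reads oddly and could become `Ensure Traefik directory is removed`.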
@@ -7,10 +7,10 @@ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" with_items: - - {'old': 'devture_traefik_ssl_email_address', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'} - - {'old': 'devture_traefik_config_letsencrypt_resolver_caServer', 'new': 'devture_traefik_config_certificatesResolvers_acme_caServer'} - - {'old': 'devture_traefik_config_letsencrypt_use_staging', 'new': 'devture_traefik_config_certificatesResolvers_acme_use_staging'} - - {'old': 'devture_traefik_config_letsencrypt_httpChallenge_entrypoint', 'new': 'devture_traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint'} + - {'old': 'traefik_ssl_email_address', 'new': 'traefik_config_certificatesResolvers_acme_email'} + - {'old': 'traefik_config_letsencrypt_resolver_caServer', 'new': 'traefik_config_certificatesResolvers_acme_caServer'} + - {'old': 'traefik_config_letsencrypt_use_staging', 'new': 'traefik_config_certificatesResolvers_acme_use_staging'} + - {'old': 'traefik_config_letsencrypt_httpChallenge_entrypoint', 'new': 'traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint'} - name: Fail if required Traefik settings not defined ansible.builtin.fail: 
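Review bot: The `old` names in this deprecation list were renamed along with everything else, so the check now looks for `traefik_ssl_email_address` and similar names that, as far as this diff shows, never existed, and an inventory still setting `devture_traefik_ssl_email_address` passes silently. More broadly, no task in the visible hunks of this file detects leftover `devture_traefik_*` variables, so after upgrading, settings such as a previously enabled dashboard Basic Auth would quietly fall back to the role defaults. I would keep the original `devture_traefik_*` names on the `old` side and add a fail task with `when: "lookup('ansible.builtin.varnames', '^devture_traefik_.+', wantlist=True) | length > 0"` that tells the operator to rename them. The first task of this hunk starts above the hunk.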
@@ -18,39 +18,39 @@ You need to define a required configuration setting (`{{ item }}`) for using this role. when: "vars[item] == ''" with_items: - - devture_traefik_uid - - devture_traefik_gid - - devture_traefik_entrypoint_primary + - traefik_uid + - traefik_gid + - traefik_entrypoint_primary - name: Fail if required Traefik ACME settings not defined fail: msg: >- You need to define a required configuration setting (`{{ item }}`) when enabling ACME SSL certificate resolvers. - when: "devture_traefik_config_certificatesResolvers_acme_enabled | bool and vars[item] == ''" + when: "traefik_config_certificatesResolvers_acme_enabled | bool and vars[item] == ''" with_items: - - devture_traefik_config_certificatesResolvers_acme_email - - devture_traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint + - traefik_config_certificatesResolvers_acme_email + - traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint - name: Fail if Traefik docker endpoint syntax invalid fail: msg: >- - devture_traefik_config_providers_docker_endpoint must look like `unix:///var/run/docker.sock` or `tcp://host:2345` - when: "not (devture_traefik_config_providers_docker_endpoint.startswith('unix://') or devture_traefik_config_providers_docker_endpoint.startswith('tcp://'))" + traefik_config_providers_docker_endpoint must look like `unix:///var/run/docker.sock` or `tcp://host:2345` + when: "not (traefik_config_providers_docker_endpoint.startswith('unix://') or traefik_config_providers_docker_endpoint.startswith('tcp://'))" - name: Fail if required Traefik Dashboard settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for enabling the Traefik Dashboard. 
- when: "devture_traefik_dashboard_enabled | bool and vars[item] == ''" + when: "traefik_dashboard_enabled | bool and vars[item] == ''" with_items: - - devture_traefik_dashboard_hostname - - devture_traefik_dashboard_entrypoints + - traefik_dashboard_hostname + - traefik_dashboard_entrypoints - name: Fail if required Traefik Dashboard Basic Auth settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using Basic Auth. - when: "devture_traefik_dashboard_basicauth_enabled | bool and vars[item] == ''" + when: "traefik_dashboard_basicauth_enabled | bool and vars[item] == ''" with_items: - - devture_traefik_dashboard_basicauth_user - - devture_traefik_dashboard_basicauth_password + - traefik_dashboard_basicauth_user + - traefik_dashboard_basicauth_password diff --git a/templates/devture-traefik.service.j2 b/templates/devture-traefik.service.j2 deleted file mode 100644 index 1430b20..0000000 --- a/templates/devture-traefik.service.j2 +++ /dev/null 
@@ -1,85 +0,0 @@ -[Unit] -Description=Traefik ({{ devture_traefik_identifier }}) -{% for service in devture_traefik_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ devture_traefik_identifier }} 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ devture_traefik_identifier }} 2>/dev/null || true' - -{# -If a UNIX socket is used, we need to run as root and not drop capabilities, because: -- we won't be able to access the socket (owned by root:docker on most distros) -- we won't be able to access the /config files (unless we add another capability that lets root access other users' files) - -If a non-UNIX-socket endpoint is used, we can drop all capabilities and just run with the uid/gid, because: -- reading through the remote (TCP) endpoint does not require special privileges -- the configuration files are owned by the same uid/gid, so reading them works -#} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name={{ devture_traefik_identifier }} \ - --log-driver=none \ - {% if not devture_traefik_config_providers_docker_endpoint_is_unix_socket %} - --user={{ devture_traefik_uid }}:{{ devture_traefik_gid }} \ - --cap-drop=ALL \ - {% endif %} - --read-only \ - --network={{ devture_traefik_container_network }} \ - {% if devture_traefik_container_web_host_bind_port %} - -p {{ devture_traefik_container_web_host_bind_port }}:{{ devture_traefik_config_entrypoint_web_port_in_container }} \ - {% endif %} - {% if devture_traefik_container_web_secure_host_bind_port %} - -p 
{{ devture_traefik_container_web_secure_host_bind_port }}:{{ devture_traefik_config_entrypoint_web_secure_port_in_container }} \ - {% endif %} - {% if devture_traefik_container_web_secure_host_bind_port_udp %} - -p {{ devture_traefik_container_web_secure_host_bind_port_udp }}:{{ devture_traefik_config_entrypoint_web_secure_port_in_container }}/udp \ - {% endif %} - {% if devture_traefik_container_metrics_host_bind_port %} - -p {{ devture_traefik_container_metrics_host_bind_port }}:{{ devture_traefik_config_entrypoint_metrics_port_in_container }} \ - {% endif %} - {% for additional_entrypoint in devture_traefik_additional_entrypoints %} - {% if additional_entrypoint.host_bind_port %} - -p {{ additional_entrypoint.host_bind_port }}:{{ additional_entrypoint.port }} \ - {% if additional_entrypoint.host_bind_port_udp | default('') %} - -p {{ additional_entrypoint.host_bind_port_udp }}:{{ additional_entrypoint.port }}/udp \ - {% endif %} - {% endif %} - {% endfor %} - --env-file={{ devture_traefik_config_dir_path }}/env \ - --label-file={{ devture_traefik_config_dir_path }}/labels \ - --mount type=bind,src={{ devture_traefik_config_dir_path }},dst=/config,ro \ - {% if devture_traefik_ssl_dir_enabled %} - --mount type=bind,src={{ devture_traefik_ssl_dir_path }},dst=/ssl \ - {% endif %} - {% if devture_traefik_config_providers_docker_endpoint_is_unix_socket %} - --mount type=bind,src={{ devture_traefik_config_providers_docker_endpoint | replace('unix://', '') }},dst=/var/run/docker.sock,ro \ - {% endif %} - {% if devture_traefik_plugin_support_enabled %} - --mount type=bind,src={{ devture_traefik_plugins_dir_path }},dst=/plugins-storage \ - {% endif %} - {% if devture_traefik_container_extra_arguments | length > 0 %} - {{ devture_traefik_container_extra_arguments | join(" ") }} \ - {% endif %} - {{ devture_traefik_container_image }} \ - --configFile=/config/traefik.yml {{ devture_traefik_process_extra_arguments | join(' ') }} - -{% for network in 
devture_traefik_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ devture_traefik_identifier }} -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ devture_traefik_identifier }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ devture_traefik_identifier }} 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ devture_traefik_identifier }} 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier={{ devture_traefik_identifier }} - -[Install] -WantedBy=multi-user.target diff --git a/templates/env.j2 b/templates/env.j2 index bb87c9b..1c7d90f 100644 --- a/templates/env.j2 +++ b/templates/env.j2 @@ -1 +1 @@ -{{ devture_traefik_environment_variables_additional_variables }} +{{ traefik_environment_variables_additional_variables }} diff --git a/templates/labels.j2 b/templates/labels.j2 index d5f74f5..896c18d 100644 --- a/templates/labels.j2 +++ b/templates/labels.j2 @@ -1 +1 @@ -{{ devture_traefik_labels_additional_labels }} +{{ traefik_labels_additional_labels }} diff --git a/templates/provider.yml.j2 b/templates/provider.yml.j2 index 795a12e..6399e9e 100644 --- a/templates/provider.yml.j2 +++ b/templates/provider.yml.j2 
@@ -2,34 +2,34 @@ http: middlewares: - {% if devture_traefik_dashboard_basicauth_enabled %} + {% if traefik_dashboard_basicauth_enabled %} traefik-dashboard-auth: basicauth: - users: {{ devture_traefik_dashboard_basicauth_file_contents | to_json }} + users: {{ traefik_dashboard_basicauth_file_contents | to_json }} {% endif %} routers: - {% for domain in devture_traefik_additional_domains_to_obtain_certificates_for %} + {% for domain in traefik_additional_domains_to_obtain_certificates_for %} {{ domain|replace(".", "-") }}-dummy: rule: Host(`{{ domain }}`) service: noop@internal - entryPoints: {{ devture_traefik_additional_domains_to_obtain_certificates_for_entryPoints | to_json }} + entryPoints: {{ traefik_additional_domains_to_obtain_certificates_for_entryPoints | to_json }} tls: - certResolver: {{ devture_traefik_additional_domains_to_obtain_certificates_for_certResolver | to_json }} + certResolver: {{ traefik_additional_domains_to_obtain_certificates_for_certResolver | to_json }} {% endfor %} - {% if devture_traefik_dashboard_enabled %} + {% if traefik_dashboard_enabled %} traefik-dashboard: - rule: {{ devture_traefik_dashboard_rule | to_json }} + rule: {{ traefik_dashboard_rule | to_json }} service: api@internal - entryPoints: {{ devture_traefik_dashboard_entrypoints | to_json }} - {% if devture_traefik_dashboard_tls %} + entryPoints: {{ traefik_dashboard_entrypoints | to_json }} + {% if traefik_dashboard_tls %} tls: - certResolver: {{ devture_traefik_dashboard_tls_certResolver | to_json }} + certResolver: {{ traefik_dashboard_tls_certResolver | to_json }} {% else %} tls: false {% endif %} - {% if devture_traefik_dashboard_basicauth_enabled %} + {% if traefik_dashboard_basicauth_enabled %} middlewares: traefik-dashboard-auth {% endif %} {% endif %} diff --git a/templates/traefik.service.j2 b/templates/traefik.service.j2 new file mode 100644 index 0000000..a5f9e0d --- /dev/null +++ b/templates/traefik.service.j2 
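Review bot: The `traefik-dashboard` router attaches the `traefik-dashboard-auth` middleware only when `traefik_dashboard_basicauth_enabled` is true, so enabling the dashboard alone publishes `api@internal` on the chosen entrypoints with no authentication, and nothing in the template says so. I would document this above the router with a Jinja comment such as `{# Without traefik_dashboard_basicauth_enabled the dashboard is served unauthenticated; restrict it by other means. #}`. Separately, `rule: Host(`{{ domain }}`)` is the one interpolated value in this hunk that is not passed through `to_json`; that is harmless for ordinary host names, but it is inconsistent with the rest of the template.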
@@ -0,0 +1,85 @@ +[Unit] +Description=Traefik ({{ traefik_identifier }}) +{% for service in traefik_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ traefik_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ traefik_identifier }} 2>/dev/null || true' + +{# +If a UNIX socket is used, we need to run as root and not drop capabilities, because: +- we won't be able to access the socket (owned by root:docker on most distros) +- we won't be able to access the /config files (unless we add another capability that lets root access other users' files) + +If a non-UNIX-socket endpoint is used, we can drop all capabilities and just run with the uid/gid, because: +- reading through the remote (TCP) endpoint does not require special privileges +- the configuration files are owned by the same uid/gid, so reading them works +#} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ traefik_identifier }} \ + --log-driver=none \ + {% if not traefik_config_providers_docker_endpoint_is_unix_socket %} + --user={{ traefik_uid }}:{{ traefik_gid }} \ + --cap-drop=ALL \ + {% endif %} + --read-only \ + --network={{ traefik_container_network }} \ + {% if traefik_container_web_host_bind_port %} + -p {{ traefik_container_web_host_bind_port }}:{{ traefik_config_entrypoint_web_port_in_container }} \ + {% endif %} + {% if traefik_container_web_secure_host_bind_port %} + -p {{ traefik_container_web_secure_host_bind_port }}:{{ 
traefik_config_entrypoint_web_secure_port_in_container }} \ + {% endif %} + {% if traefik_container_web_secure_host_bind_port_udp %} + -p {{ traefik_container_web_secure_host_bind_port_udp }}:{{ traefik_config_entrypoint_web_secure_port_in_container }}/udp \ + {% endif %} + {% if traefik_container_metrics_host_bind_port %} + -p {{ traefik_container_metrics_host_bind_port }}:{{ traefik_config_entrypoint_metrics_port_in_container }} \ + {% endif %} + {% for additional_entrypoint in traefik_additional_entrypoints %} + {% if additional_entrypoint.host_bind_port %} + -p {{ additional_entrypoint.host_bind_port }}:{{ additional_entrypoint.port }} \ + {% if additional_entrypoint.host_bind_port_udp | default('') %} + -p {{ additional_entrypoint.host_bind_port_udp }}:{{ additional_entrypoint.port }}/udp \ + {% endif %} + {% endif %} + {% endfor %} + --env-file={{ traefik_config_dir_path }}/env \ + --label-file={{ traefik_config_dir_path }}/labels \ + --mount type=bind,src={{ traefik_config_dir_path }},dst=/config,ro \ + {% if traefik_ssl_dir_enabled %} + --mount type=bind,src={{ traefik_ssl_dir_path }},dst=/ssl \ + {% endif %} + {% if traefik_config_providers_docker_endpoint_is_unix_socket %} + --mount type=bind,src={{ traefik_config_providers_docker_endpoint | replace('unix://', '') }},dst=/var/run/docker.sock,ro \ + {% endif %} + {% if traefik_plugin_support_enabled %} + --mount type=bind,src={{ traefik_plugins_dir_path }},dst=/plugins-storage \ + {% endif %} + {% if traefik_container_extra_arguments | length > 0 %} + {{ traefik_container_extra_arguments | join(" ") }} \ + {% endif %} + {{ traefik_container_image }} \ + --configFile=/config/traefik.yml {{ traefik_process_extra_arguments | join(' ') }} + +{% for network in traefik_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ traefik_identifier }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start 
--attach {{ traefik_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ traefik_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ traefik_identifier }} 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier={{ traefik_identifier }} + +[Install] +WantedBy=multi-user.target diff --git a/templates/traefik.yml.j2 b/templates/traefik.yml.j2 index e3f31e4..4296166 100644 --- a/templates/traefik.yml.j2 +++ b/templates/traefik.yml.j2 
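Review bot: The `,ro` on the docker.sock bind mount does not restrict the Docker API calls that can be sent through the socket, so in the UNIX-socket branch a root Traefik process with its default capabilities has full control over the Docker daemon. The template comment explains why root is needed there but not this consequence; I would add a line to it such as `The ro flag on the socket mount does not limit API access; prefer a TCP endpoint behind a filtering socket proxy where possible.` Adding `--security-opt=no-new-privileges` to the `create` arguments would be a cheap extra hardening for both branches, although whether it suits every deployment cannot be judged from this template alone.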
@@ -3,81 +3,81 @@ # # To extend this: # - tweak the individual variables -# - use `devture_traefik_configuration_extension_yaml` to override statically defined values or introduce new ones +# - use `traefik_configuration_extension_yaml` to override statically defined values or introduce new ones global: checkNewVersion: false sendAnonymousUsage: false log: - level: {{ devture_traefik_config_log_level | to_json }} + level: {{ traefik_config_log_level | to_json }} -{% if devture_traefik_config_accessLog_enabled %} +{% if traefik_config_accessLog_enabled %} accessLog: {} {% endif %} api: - dashboard: {{ devture_traefik_config_api_dashboard | to_json }} + dashboard: {{ traefik_config_api_dashboard | to_json }} entryPoints: -{% if devture_traefik_config_entrypoint_web_enabled %} +{% if traefik_config_entrypoint_web_enabled %} web: - address: {{ devture_traefik_config_entrypoint_web_address | to_json }} + address: {{ traefik_config_entrypoint_web_address | to_json }} - {% if devture_traefik_config_entrypoint_web_forwardedHeaders_enabled %} + {% if traefik_config_entrypoint_web_forwardedHeaders_enabled %} forwardedHeaders: - {% if devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | length > 0 %} - trustedIPs: {{ devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | to_json }} + {% if traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | length > 0 %} + trustedIPs: {{ traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | to_json }} {% endif %} - {% if devture_traefik_config_entrypoint_web_forwardedHeaders_insecure %} + {% if traefik_config_entrypoint_web_forwardedHeaders_insecure %} insecure: true {% endif %} {% endif %} - {% if devture_traefik_config_entrypoint_web_to_web_secure_redirection_enabled %} + {% if traefik_config_entrypoint_web_to_web_secure_redirection_enabled %} http: redirections: entryPoint: - to: {{ devture_traefik_config_entrypoint_web_to_web_secure_redirection_to | to_json }} - scheme: {{ 
devture_traefik_config_entrypoint_web_to_web_secure_redirection_scheme | to_json }} + to: {{ traefik_config_entrypoint_web_to_web_secure_redirection_to | to_json }} + scheme: {{ traefik_config_entrypoint_web_to_web_secure_redirection_scheme | to_json }} {% endif %} {% endif %} -{% if devture_traefik_config_entrypoint_web_secure_enabled %} - {{ devture_traefik_config_entrypoint_web_secure_name }}: - address: {{ devture_traefik_config_entrypoint_web_secure_address | to_json }} +{% if traefik_config_entrypoint_web_secure_enabled %} + {{ traefik_config_entrypoint_web_secure_name }}: + address: {{ traefik_config_entrypoint_web_secure_address | to_json }} - {% if devture_traefik_config_entrypoint_web_secure_http3_enabled %} - http3: {{ devture_traefik_config_entrypoint_web_secure_http3_config | to_json }} + {% if traefik_config_entrypoint_web_secure_http3_enabled %} + http3: {{ traefik_config_entrypoint_web_secure_http3_config | to_json }} {% endif %} - {% if devture_traefik_config_entrypoint_web_secure_forwardedHeaders_enabled %} + {% if traefik_config_entrypoint_web_secure_forwardedHeaders_enabled %} forwardedHeaders: - {% if devture_traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | length > 0 %} - trustedIPs: {{ devture_traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | to_json }} + {% if traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | length > 0 %} + trustedIPs: {{ traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | to_json }} {% endif %} - {% if devture_traefik_config_entrypoint_web_secure_forwardedHeaders_insecure %} + {% if traefik_config_entrypoint_web_secure_forwardedHeaders_insecure %} insecure: true {% endif %} {% endif %} {% endif %} -{% if devture_traefik_config_entrypoint_metrics_enabled %} - {{ devture_traefik_config_entrypoint_metrics_name }}: - address: {{ devture_traefik_config_entrypoint_metrics_address | to_json }} +{% if traefik_config_entrypoint_metrics_enabled %} + {{ 
traefik_config_entrypoint_metrics_name }}: + address: {{ traefik_config_entrypoint_metrics_address | to_json }} - {% if devture_traefik_config_entrypoint_metrics_forwardedHeaders_enabled %} + {% if traefik_config_entrypoint_metrics_forwardedHeaders_enabled %} forwardedHeaders: - {% if devture_traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | length > 0 %} - trustedIPs: {{ devture_traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | to_json }} + {% if traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | length > 0 %} + trustedIPs: {{ traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | to_json }} {% endif %} - {% if devture_traefik_config_entrypoint_metrics_forwardedHeaders_insecure %} + {% if traefik_config_entrypoint_metrics_forwardedHeaders_insecure %} insecure: true {% endif %} {% endif %} {% endif %} -{% for additional_entrypoint in devture_traefik_additional_entrypoints %} +{% for additional_entrypoint in traefik_additional_entrypoints %} {% set additional_entrypoint_config = ({ 'address': ':' + (additional_entrypoint.port | string), }) | combine(additional_entrypoint.config) 
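Review bot: The three `insecure: true` branches under `forwardedHeaders` (web, web-secure and metrics entrypoints) are emitted without comment, although that setting makes Traefik accept `X-Forwarded-*` headers from any client, which lets a client spoof its source address towards IP allow-lists, rate limiting and access logs. I would document this at each branch with a Jinja comment such as `{# insecure trusts forwarded headers from any peer; prefer trustedIPs #}`. The entrypoint keys `{{ traefik_config_entrypoint_web_secure_name }}:` and `{{ traefik_config_entrypoint_metrics_name }}:` are interpolated raw while every value goes through `to_json`; piping the keys through `to_json` too would keep an unusual name from breaking the rendered YAML. The `additional_entrypoint` loop at the end of the hunk continues outside it.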
@@ -88,35 +88,35 @@ entryPoints: certificatesResolvers: -{% if devture_traefik_config_certificatesResolvers_acme_enabled %} - {{ devture_traefik_config_certificatesResolvers_acme_name }}: +{% if traefik_config_certificatesResolvers_acme_enabled %} + {{ traefik_config_certificatesResolvers_acme_name }}: acme: - email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} - storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} - caServer: {{ devture_traefik_config_certificatesResolvers_acme_caServer | to_json }} - {% if devture_traefik_config_certificatesResolvers_acme_httpChallenge_enabled %} + email: {{ traefik_config_certificatesResolvers_acme_email | to_json }} + storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }} + caServer: {{ traefik_config_certificatesResolvers_acme_caServer | to_json }} + {% if traefik_config_certificatesResolvers_acme_httpChallenge_enabled %} httpChallenge: - entrypoint: {{ devture_traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint | to_json }} - {% elif devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled %} + entrypoint: {{ traefik_config_certificatesResolvers_acme_httpChallenge_entrypoint | to_json }} + {% elif traefik_config_certificatesResolvers_acme_dnsChallenge_enabled %} dnsChallenge: - provider: {{ devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider | to_json }} - {% if devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck %} - delayBeforeCheck: {{ devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck | to_json }} + provider: {{ traefik_config_certificatesResolvers_acme_dnsChallenge_provider | to_json }} + {% if traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck %} + delayBeforeCheck: {{ traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck | to_json }} {% endif %} - resolvers: {{ 
devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers | to_json }} + resolvers: {{ traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers | to_json }} {% endif %} {% endif %} -{% if devture_traefik_config_metrics_prometheus_enabled %} +{% if traefik_config_metrics_prometheus_enabled %} metrics: prometheus: - entryPoint: {{ devture_traefik_config_metrics_prometheus_entrypoint | to_json }} + entryPoint: {{ traefik_config_metrics_prometheus_entrypoint | to_json }} {% endif %} providers: docker: exposedByDefault: false - network: {{ devture_traefik_config_providers_docker_network | to_json }} - endpoint: {{ devture_traefik_config_providers_docker_endpoint | to_json }} + network: {{ traefik_config_providers_docker_network | to_json }} + endpoint: {{ traefik_config_providers_docker_endpoint | to_json }} file: filename: /config/provider.yml diff --git a/vars/main.yml b/vars/main.yml index ee5f4b1..36bcc35 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -1,18 +1,18 @@ --- -# devture_traefik_dashboard_basicauth_file_contents contains the htpasswd file contents. +# traefik_dashboard_basicauth_file_contents contains the htpasswd file contents. # This is populated at runtime. -devture_traefik_dashboard_basicauth_file_contents: '' +traefik_dashboard_basicauth_file_contents: '' # Controls whether the forwardedHeaders section appears in the configuration for the web entrypoint -devture_traefik_config_entrypoint_web_forwardedHeaders_enabled: "{{ devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | length > 0 or devture_traefik_config_entrypoint_web_forwardedHeaders_insecure }}" +traefik_config_entrypoint_web_forwardedHeaders_enabled: "{{ traefik_config_entrypoint_web_forwardedHeaders_trustedIPs | length > 0 or traefik_config_entrypoint_web_forwardedHeaders_insecure }}" # Controls whether the forwardedHeaders section appears in the configuration for the web-secure entrypoint -devture_traefik_config_entrypoint_web_secure_forwardedHeaders_enabled: "{{ devture_traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | length > 0 or devture_traefik_config_entrypoint_web_secure_forwardedHeaders_insecure }}" +traefik_config_entrypoint_web_secure_forwardedHeaders_enabled: "{{ traefik_config_entrypoint_web_secure_forwardedHeaders_trustedIPs | length > 0 or traefik_config_entrypoint_web_secure_forwardedHeaders_insecure }}" # Controls whether the forwardedHeaders section appears in the configuration for the metrics entrypoint -devture_traefik_config_entrypoint_metrics_forwardedHeaders_enabled: "{{ devture_traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | length > 0 or devture_traefik_config_entrypoint_metrics_forwardedHeaders_insecure }}" +traefik_config_entrypoint_metrics_forwardedHeaders_enabled: "{{ traefik_config_entrypoint_metrics_forwardedHeaders_trustedIPs | length > 0 or traefik_config_entrypoint_metrics_forwardedHeaders_insecure }}" # Specifies whether the docker endpoint is a UNIX 
socket or not. # When a socket is used, we need to run the Traefik container with more privileges, so that it can read via the socket. -devture_traefik_config_providers_docker_endpoint_is_unix_socket: "{{ devture_traefik_config_providers_docker_endpoint.startswith('unix://') }}" +traefik_config_providers_docker_endpoint_is_unix_socket: "{{ traefik_config_providers_docker_endpoint.startswith('unix://') }}"
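Review bot: Nothing in the visible hunks guards against inventories that still set the old `devture_traefik_*` names, which matters for the derived values in this vars/main.yml hunk. Ansible does not complain about unused variables, so a host that still sets `devture_traefik_config_providers_docker_endpoint` (for example to the socket-proxy endpoint from the README) or a `devture_traefik_config_entrypoint_*_forwardedHeaders_trustedIPs` list would silently fall back to the role defaults. `traefik_config_providers_docker_endpoint_is_unix_socket` and the `*_forwardedHeaders_enabled` flags would then be computed from those defaults rather than from the hardened settings. If the commit does not already handle this in a file outside this view, a validation task that fails on leftover names would make the migration explicit, e.g. an `ansible.builtin.fail` with `when: vars | dict2items | selectattr('key', 'match', '^devture_traefik_') | list | length > 0`.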