chore: upgrade reverseproxy role for use with vagrant and ssl

2025-11-07 11:52:41 +01:00 · 2025-11-07 11:52:41 +01:00 · 314fce4757
commit 314fce4757
parent dd84ca3184
7 changed files with 213 additions and 57 deletions
--- a/roles/reverseproxy/defaults/main.yml
+++ b/roles/reverseproxy/defaults/main.yml
@ -2,13 +2,68 @@
 ---
 # defaults file for reverseproxy

+# Base directory configuration (inherited from base role or defined here)
+docker_compose_base_dir: /etc/docker/compose
+docker_volume_base_dir: /srv/data
+
 # Service-specific configuration
 service_name: reverseproxy
 docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}"
 docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}"

-# Provider configuration
-use_static_services: false  # Use all_services from services.yml for outward-facing proxies
-use_docker_provider: true   # Use Docker provider for service discovery via labels
-use_ssl: false              # Enable SSL termination with Let's Encrypt
-enable_dashboard: true      # Enable Traefik dashboard
+# Deployment mode: 'dmz' or 'backend'
+# - dmz: Public-facing reverse proxy that routes to backend servers using file provider
+# - backend: Application server with docker provider for local container discovery
+reverseproxy_mode: "backend"
+
+# SSL configuration
+use_ssl: true
+ssl_email: "admin@example.com"
+ssl_cert_resolver: "dns"  # Certificate resolver name
+
+# Certificate mode: 'acme' for Let's Encrypt with DNS challenge or 'selfsigned' for self-signed certs
+cert_mode: "selfsigned"  # Use selfsigned for vagrant, acme for production
+
+# ACME DNS Challenge with RFC2136 (TSIG) configuration
+acme_dns_zone: ""  # e.g., "digitalboard._acme.digitalboard.ch."
+acme_dns_nameserver: ""  # e.g., "192.168.1.1:53"
+acme_tsig_algorithm: "hmac-sha256"
+acme_tsig_key: ""  # TSIG key name
+acme_tsig_secret: ""  # TSIG secret
+acme_propagation_timeout: "120"
+acme_polling_interval: "2"
+acme_ttl: "60"
+
+# Self-signed certificate configuration (for vagrant/testing)
+selfsigned_cert_dir: "{{ docker_volume_dir }}/certs"
+selfsigned_cert_days: 365
+selfsigned_common_name: "*.local.test"
+
+# Dashboard
+enable_dashboard: false
+
+# Access log configuration
+enable_access_logs: true
+access_log_format: "common"
+log_level: "INFO"
+
+# Network name
+traefik_network: "proxy"
+
+# Services to expose (defined by application roles via host_vars or group_vars)
+# Each backend server should define this variable with their services
+# reverseproxy_services:
+#   - name: httpbin
+#     domain: httpbin.example.com
+#     port: 8080
+#     protocol: http  # http or https
+#     entrypoints: [websecure]  # optional, defaults based on SSL config
+
+# DMZ mode: Explicit backend server mapping
+# Define which backend servers this DMZ proxy should route to
+# If empty or undefined, routes to all servers in backend_servers group
+backend_servers_to_proxy: []
+# Example:
+# backend_servers_to_proxy:
+#   - backend1
+#   - backend2