From 54be7db71eed5a62dd50d722fa83bf6fbc5ab991 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 22 Jan 2026 14:01:23 +0100 Subject: [PATCH] feat(traefik): allow exposure of dashboard via domain --- roles/traefik/defaults/main.yml | 1 + roles/traefik/tasks/main.yml | 16 +++++++++++++++- roles/traefik/templates/docker-compose.yml.j2 | 6 ++---- roles/traefik/templates/traefik.yml.j2 | 4 ++-- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index 489ee60..c896ae2 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml @@ -41,6 +41,7 @@ selfsigned_common_name: "*.local.test" # Dashboard enable_dashboard: false +dashboard_domain: "" # e.g., "traefik.local.test" - if set, exposes dashboard via hostname instead of port 8080 # Access log configuration enable_access_logs: true diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index ab3aed7..d9253eb 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml @@ -37,7 +37,6 @@ path: "{{ docker_volume_dir }}/config" state: directory mode: '0755' - when: traefik_mode == 'dmz' - name: Create letsencrypt directory file: @@ -66,6 +65,21 @@ notify: restart traefik when: traefik_mode == 'dmz' +- name: Generate dashboard routing configuration + template: + src: dashboard.yml.j2 + dest: "{{ docker_volume_dir }}/config/dashboard.yml" + mode: '0644' + notify: restart traefik + when: enable_dashboard | bool and dashboard_domain | length > 0 + +- name: Remove dashboard routing configuration when not needed + file: + path: "{{ docker_volume_dir }}/config/dashboard.yml" + state: absent + notify: restart traefik + when: not (enable_dashboard | bool) or dashboard_domain | length == 0 + - name: Create docker-compose file for traefik template: src: docker-compose.yml.j2 
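Review bot: The template `dashboard.yml.j2` used by the new "Generate dashboard routing configuration" task is not among the four files in this patch's diffstat. Unless it already exists under roles/traefik/templates, the task fails as soon as `enable_dashboard` and `dashboard_domain` are both set. It is also the file that decides who can reach the dashboard, so it should be part of this review. Separately, `dashboard_domain | length` raises an error when the variable is overridden with a null value (a bare `dashboard_domain:` in inventory). Using `dashboard_domain | default('', true) | length > 0` here, and the matching `== 0` form in the removal task, treats null as unset.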
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 288e693..d40a247 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -16,17 +16,15 @@ services: ports: - "80:80" - "443:443" -{% if enable_dashboard %} +{% if enable_dashboard and not dashboard_domain %} - "8080:8080" {% endif %} volumes: - {{ docker_volume_dir }}/traefik.yml:/traefik.yml:ro + - {{ docker_volume_dir }}/config:/config:ro {% if cert_mode == 'acme' %} - {{ docker_volume_dir }}/letsencrypt:/letsencrypt {% endif %} -{% if traefik_mode == 'dmz' %} - - {{ docker_volume_dir }}/config:/config:ro -{% endif %} {% if traefik_mode == 'backend' %} - /var/run/docker.sock:/var/run/docker.sock:ro {% endif %} diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2 index f89d7a3..92efd44 100644 --- a/roles/traefik/templates/traefik.yml.j2 +++ b/roles/traefik/templates/traefik.yml.j2 @@ -4,8 +4,10 @@ log: {% if enable_dashboard %} api: dashboard: true +{% if not dashboard_domain %} insecure: true {% endif %} +{% endif %} {% if enable_access_logs %} accessLog: @@ -26,11 +28,9 @@ entryPoints: address: ":443" providers: -{% if traefik_mode == 'dmz' %} file: directory: /config watch: true -{% endif %} {% if traefik_mode == 'backend' %} docker: endpoint: "unix:///var/run/docker.sock"
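Review bot: In `{% if enable_dashboard and not dashboard_domain %}` the flag is tested by raw truthiness, whereas tasks/main.yml in this same patch uses `enable_dashboard | bool`. A string value such as the one produced by `-e enable_dashboard=false` is truthy in Jinja, so this template would publish `8080:8080` while the tasks treat the dashboard as disabled. The `{% if enable_dashboard %}` context line in traefik.yml.j2 has the same mismatch and would then also emit `insecure: true`. Suggest `{% if enable_dashboard | bool and not dashboard_domain %}` here and `{% if enable_dashboard | bool %}` in traefik.yml.j2.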
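Review bot: The new `{% if not dashboard_domain %}` guard around `insecure: true` has no comment saying where the dashboard is served once a domain is set, or what protects it there. In that case the API is reachable only through a router defined in /config/dashboard.yml, which is not shown in this patch; presumably it sits on the `:80`/`:443` entrypoints, which docker-compose publishes. Nothing visible here attaches authentication to that router. Suggest adding above the guard: `{# dashboard_domain set: dashboard is routed via /config/dashboard.yml (api@internal); that router must carry an auth or IP allow-list middleware #}`. The nested `{% endif %}` pair would also read more clearly if the inner block were indented or each `endif` annotated.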