---
argument_specs:
  main:
    short_description: Deploy Traefik v3 as DMZ or backend reverse proxy via Docker Compose.
    description:
      - Renders a Docker Compose stack for Traefik with either the file provider (DMZ mode, routes to external backends) or the docker provider (backend mode, discovers local containers via labels).
      - Supports ACME DNS-01 issuance (RFC2136 / TSIG) or a self-signed cert bundle for local/Vagrant setups.
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
        description: Base directory under which the per-service compose dir is created.
      docker_volume_base_dir:
        type: path
        default: /srv/data
        description: Base directory under which the per-service volume dir is created.
      service_name:
        type: str
        default: traefik
        description: Compose project / service name; also used to build the per-service paths.
      docker_compose_dir:
        type: path
        description: "Compose project directory; defaults to C({{ docker_compose_base_dir }}/{{ service_name }})."
      docker_volume_dir:
        type: path
        description: "Per-service volume directory; defaults to C({{ docker_volume_base_dir }}/{{ service_name }})."
      traefik_extra_hosts:
        type: list
        elements: str
        default: []
        description:
          - Entries injected as C(extra_hosts) on the traefik container.
          - Each entry has the Docker syntax C("host:ip").
          - Useful when a downstream middleware (e.g. ForwardAuth to authentik on a sibling LAN) must resolve a public FQDN to an internal IP because the DMZ does not hairpin the public address.
      traefik_mode:
        type: str
        choices: [dmz, backend]
        default: backend
        description:
          - C(dmz) configures the file provider so the proxy forwards to backend hosts (typically aggregated from the C(backend_servers) group).
          - C(backend) configures the docker provider for local container discovery.
      traefik_use_ssl:
        type: bool
        default: true
        description: Toggle TLS on the websecure entrypoint.
      traefik_ssl_email:
        type: str
        default: admin@example.com
        description: Contact e-mail used by the ACME resolver.
      traefik_ssl_cert_resolver:
        type: str
        default: dns
        description: Certificate resolver name referenced in router labels.
      traefik_cert_mode:
        type: str
        choices: [acme, selfsigned]
        default: selfsigned
        description: C(acme) for Let's Encrypt via DNS-01, C(selfsigned) for a locally generated bundle.
      traefik_acme_dns_zone:
        type: str
        default: ''
        description: Delegated zone used for the TSIG-signed updates (e.g. C(_acme.example.com.)).
      traefik_acme_dns_nameserver:
        type: str
        default: ''
        description: Nameserver lego talks to for the DNS challenge (C(host:port)).
      traefik_acme_tsig_algorithm:
        type: str
        default: hmac-sha256
        description: TSIG algorithm.
      traefik_acme_tsig_key:
        type: str
        default: ''
        description: TSIG key name.
      traefik_acme_tsig_secret:
        type: str
        default: ''
        description:
          - TSIG secret (base64).
          - It authorises dynamic updates to the delegated zone, so keep it in Ansible Vault rather than in plain host_vars.
      traefik_acme_propagation_timeout:
        type: str
        default: '120'
        description: lego DNS propagation timeout in seconds.
      traefik_acme_polling_interval:
        type: str
        default: '2'
        description: lego DNS propagation polling interval in seconds.
      traefik_acme_ttl:
        type: str
        default: '60'
        description: TTL applied to the C(_acme-challenge) TXT records.
      traefik_acme_tcp_only:
        type: bool
        default: false
        description:
          - Sets C(LEGO_EXPERIMENTAL_DNS_TCP_ONLY=true) on the container so SOA resolution and propagation checks use TCP/53. Use when UDP/53 is blocked or unreliable on the container egress path.
      traefik_acme_disable_ans_checks:
        type: bool
        default: false
        description:
          - Sets C(propagation.disableANSChecks) to true on the ACME resolver in the static config, disabling lego's propagation check against the zone's authoritative nameservers.
          - Use when the SOA-listed NS hostname resolves to an address the proxy host cannot reach; lego still polls via the configured C(resolvers) list.
      traefik_selfsigned_cert_dir:
        type: path
        description: Output directory for the self-signed bundle.
      traefik_selfsigned_cert_days:
        type: int
        default: 365
        description: Validity in days for the self-signed bundle.
      traefik_selfsigned_common_name:
        type: str
        default: '*.local.test'
        description: CN/SAN of the self-signed wildcard cert.
      traefik_enable_dashboard:
        type: bool
        default: false
        description:
          - Expose the traefik dashboard.
          - With an empty C(traefik_dashboard_domain) the dashboard and API are served on the insecure port 8080, which Traefik does not authenticate; keep that port reachable only from trusted networks.
      traefik_dashboard_domain:
        type: str
        default: ''
        description:
          - When non-empty, the dashboard is published on this Host rule instead of the insecure port 8080.
      traefik_enable_access_logs:
        type: bool
        default: true
        description: Enable the traefik access log.
      traefik_access_log_format:
        type: str
        choices: [common, json]
        default: common
        description: Access log format; C(common) is Common Log Format, C(json) is structured JSON.
      traefik_log_level:
        type: str
        choices: [DEBUG, INFO, WARN, ERROR, FATAL, PANIC]
        default: INFO
        description: Traefik log level.
      traefik_network:
        type: str
        default: proxy
        description: Docker network connecting traefik to its routable containers.
      traefik_dmz_exposed_services:
        type: list
        elements: dict
        default: []
        description:
          - In C(dmz) mode, services collected from backend host_vars are published via the file provider.
          - Each entry needs C(name), C(domain), C(port); C(protocol) and C(backend_host) are optional.
        options:
          name:
            type: str
            required: true
          domain:
            type: str
            required: true
          port:
            type: int
            required: true
          protocol:
            type: str
            choices: [http, https]
            default: http
          backend_host:
            type: str
            description: Override the auto-selected backend host.
      traefik_services:
        type: list
        elements: dict
        default: []
        description:
          - Services defined directly on the DMZ proxy (not auto-discovered from a backend host).
          - Each entry must set C(backend_host).
        options:
          name:
            type: str
            required: true
          domain:
            type: str
            required: true
          backend_host:
            type: str
            required: true
          port:
            type: int
            required: true
          protocol:
            type: str
            choices: [http, https]
            default: http
      traefik_backend_servers_to_proxy:
        type: list
        elements: str
        default: []
        description:
          - In C(dmz) mode, explicit list of backend hosts the DMZ proxy should aggregate exposed services from.
          - Empty means all members of the C(backend_servers) inventory group.
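A playbook that drives the role in both modes, added here as an illustration; it is not part of the role and its templates. The role name `traefik`, the inventory group `dmz_proxies`, the hostnames, addresses, TSIG key name and the vaulted variable `vault_traefik_tsig_secret` are assumptions; `backend_servers` is the group the spec itself names. The DMZ play uses ACME DNS-01 over RFC2136 with the TCP-only and disabled-ANS-check knobs set for an egress path that blocks UDP/53 and cannot reach the SOA-listed nameserver, publishes the dashboard on a Host rule instead of the unauthenticated port 8080, and adds an `extra_hosts` entry so a ForwardAuth middleware reaches the identity provider over the LAN; the backend play falls back to the self-signed wildcard bundle.

```yaml
# site.yml (added example, not the role's own code)
---
- name: DMZ reverse proxy (file provider, ACME DNS-01 via RFC2136/TSIG)
  hosts: dmz_proxies            # assumed inventory group
  become: true
  roles:
    - role: traefik             # assumed role name
      vars:
        traefik_mode: dmz
        traefik_cert_mode: acme
        traefik_ssl_email: ops@example.com
        traefik_ssl_cert_resolver: dns
        # Delegated zone and the nameserver lego sends TSIG-signed updates to
        traefik_acme_dns_zone: _acme.example.com.
        traefik_acme_dns_nameserver: 192.0.2.53:53
        traefik_acme_tsig_algorithm: hmac-sha256
        traefik_acme_tsig_key: acme-update          # assumed key name
        traefik_acme_tsig_secret: "{{ vault_traefik_tsig_secret }}"  # assumed vaulted var
        # Container egress blocks UDP/53 and cannot reach the SOA-listed NS,
        # so force TCP and skip the authoritative-NS propagation check
        traefik_acme_tcp_only: true
        traefik_acme_disable_ans_checks: true
        traefik_acme_propagation_timeout: '180'
        # The DMZ does not hairpin the public address; resolve the IdP to its LAN IP
        # so a ForwardAuth middleware can reach it
        traefik_extra_hosts:
          - "auth.example.com:10.0.20.5"
        # Only aggregate exposed services from this backend host
        traefik_backend_servers_to_proxy:
          - app01
        # A service defined on the proxy itself; backend_host is mandatory here
        traefik_services:
          - name: grafana
            domain: grafana.example.com
            backend_host: 10.0.20.7
            port: 3000
            protocol: http
        # Publish the dashboard on a Host rule rather than the insecure port 8080
        traefik_enable_dashboard: true
        traefik_dashboard_domain: traefik.example.com
        traefik_access_log_format: json
        traefik_log_level: INFO

- name: Backend host (docker provider, self-signed wildcard bundle)
  hosts: backend_servers
  become: true
  roles:
    - role: traefik             # assumed role name
      vars:
        traefik_mode: backend
        traefik_cert_mode: selfsigned
        traefik_selfsigned_common_name: '*.lab.local.test'
        traefik_selfsigned_cert_days: 90
        traefik_network: proxy
        traefik_enable_dashboard: false
```

Because the role ships `argument_specs`, `ansible-playbook` validates these values against the spec before any task runs: an unknown `traefik_mode`, a `traefik_services` entry without `backend_host`, or a `protocol` outside `http`/`https` fails the play at validation time rather than producing a broken Compose file on the host.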