digitalboard.core/roles/traefik/defaults/main.yml
Simon Bärlocher 99d8968a2e
feat(traefik): configurable extra_hosts for container DNS overrides
Add `traefik_extra_hosts` (list of `host:ip`) that maps straight into
the traefik container's compose `extra_hosts`. Needed when a downstream
middleware (e.g. ForwardAuth to authentik on a sibling LAN) has to
resolve a public FQDN to an internal IP because the DMZ doesn't hairpin
the public address back inside.

Empty by default; behaviour unchanged for existing inventories.
2026-05-27 23:12:23 +02:00


#SPDX-License-Identifier: MIT-0
---
# defaults file for traefik
#
# Every value here is meant to be overridden from inventory
# (group_vars / host_vars). Keep secrets out of this file: set them in
# inventory via Ansible Vault or another secret source.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Service-specific configuration
service_name: traefik
docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}"
docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}"

# Optional /etc/hosts entries injected into the traefik container, one
# "host:ip" string per entry, passed through to compose `extra_hosts`.
# Useful when downstream middlewares (e.g. ForwardAuth to an authentik
# instance running on a sibling LAN) need a public FQDN to resolve to an
# internal IP because the DMZ doesn't hairpin the public address back
# inside.
# This is effectively a static DNS override for the whole container: every
# connection traefik makes to that name (ForwardAuth calls included) is sent
# to the listed IP, so a wrong or stale entry silently redirects traffic.
# Scope the list to the host that needs it (host_vars) rather than sharing
# it via group_vars.
# Example: ["auth.example.com:172.16.19.101"]
traefik_extra_hosts: []

# Deployment mode: 'dmz' or 'backend'
# - dmz: public-facing reverse proxy that routes to backend servers using the
#   file provider
# - backend: application server with the docker provider for local container
#   discovery
traefik_mode: "backend"

# SSL configuration
traefik_use_ssl: true
# Placeholder — presumably the ACME account contact address; replace it in
# inventory before switching traefik_cert_mode to "acme".
traefik_ssl_email: "admin@example.com"
# Certificate resolver name
traefik_ssl_cert_resolver: "dns"
# Certificate mode: 'acme' for Let's Encrypt with DNS challenge or
# 'selfsigned' for self-signed certs. Use selfsigned for vagrant, acme for
# production.
traefik_cert_mode: "selfsigned"

# ACME DNS challenge with RFC2136 (TSIG) configuration
# Zone targeted by the dynamic DNS updates; note the trailing dot in the
# example. e.g., "digitalboard._acme.digitalboard.ch."
traefik_acme_dns_zone: ""
# Nameserver (host:port) that accepts the updates, e.g., "192.168.1.1:53"
traefik_acme_dns_nameserver: ""
traefik_acme_tsig_algorithm: "hmac-sha256"
# TSIG key name
traefik_acme_tsig_key: ""
# TSIG secret. Leave it empty here and supply it from Ansible Vault (or
# another secret source) in inventory: the key authorizes dynamic updates
# against the zone, so treat it like a password and never commit it.
traefik_acme_tsig_secret: ""
# Propagation timeout and polling interval — presumably seconds, as in
# lego's RFC2136 provider (TODO confirm against the compose template) — and
# the TTL of the challenge record. Kept as quoted strings, presumably because
# they are rendered into environment variable values.
traefik_acme_propagation_timeout: "120"
traefik_acme_polling_interval: "2"
traefik_acme_ttl: "60"
# Force lego's DNS lookups (SOA resolution, propagation checks) onto
# TCP instead of UDP. Useful when container egress can reach the
# nameserver on TCP/53 but UDP/53 is blocked or unreliable. Sets the
# upstream env var LEGO_EXPERIMENTAL_DNS_TCP_ONLY=true on the
# traefik container.
traefik_acme_tcp_only: false
# Disable lego's propagation check against the zone's authoritative
# nameservers. Use when the SOA-listed NS hostname resolves to an
# address that isn't reachable from this traefik host (e.g. a DMZ
# box that can only see the internal NS IP, not the public one).
# lego still polls via the configured `resolvers:` list.
traefik_acme_disable_ans_checks: false

# Self-signed certificate configuration (for vagrant/testing)
traefik_selfsigned_cert_dir: "{{ docker_volume_dir }}/certs"
# Certificate validity in days
traefik_selfsigned_cert_days: 365
# Wildcard common name for the test certificate
traefik_selfsigned_common_name: "*.local.test"

# Dashboard (off by default)
traefik_enable_dashboard: false
# e.g., "traefik.local.test" - if set, exposes dashboard via hostname
# instead of port 8080.
# NOTE(review): nothing in this file configures authentication in front of
# the dashboard — confirm the template attaches an auth middleware before
# enabling it on a routable hostname.
traefik_dashboard_domain: ""

# Access log configuration
traefik_enable_access_logs: true
# Access log format ("common" here; traefik also supports "json")
traefik_access_log_format: "common"
# Traefik log level; raise to "DEBUG" only while troubleshooting
traefik_log_level: "INFO"

# Network name (presumably the docker network the proxied containers join)
traefik_network: "proxy"

# Services to expose through the DMZ (defined on backend servers via
# host_vars). The DMZ proxy aggregates these from all backend_servers and
# auto-populates backend_host.
# traefik_dmz_exposed_services:
#   - name: httpbin
#     domain: httpbin.example.com
#     port: 8080
#     protocol: http  # http or https

# Services to expose directly on the proxy (for hosts not managed by
# Ansible). Define on the DMZ host itself - requires explicit backend_host.
# traefik_services:
#   - name: external-api
#     domain: api.example.com
#     backend_host: 10.0.0.50  # required for direct definitions
#     port: 8080
#     protocol: http

# DMZ mode: explicit backend server mapping.
# Define which backend servers this DMZ proxy should route to.
# If empty or undefined, routes to all servers in the backend_servers group.
traefik_backend_servers_to_proxy: []
# Example:
# traefik_backend_servers_to_proxy:
#   - backend1
#   - backend2