Replace ansible-galaxy init placeholders across the collection and correct documentation that drifted from the code, after a multi-agent review of every role README against its defaults, tasks and templates.

Collection level:
- README: role table for all 16 roles, requirements and role-ordering
- galaxy.yml: declare community.docker and community.general deps, real description/tags/urls; normalize license to MIT-0
- meta/runtime.yml: requires_ansible '>=2.15.0'
- plugins/README: document the homarr_layout filter and garage_credentials lookup instead of scaffold boilerplate

Per-role meta/main.yml and README for the placeholder roles (389ds, authentik, authentik_outpost_ldap, base, collabora, drawio, garage, homarr, httpbin, keycloak, nextcloud, opencloud, traefik).

Correctness fixes found during review:
- keycloak: wrong domain default, drop invented keycloak_cert_resolver, document the provisioning feature
- garage: root_domain is .s3.<first-entry>, not the bare domain
- opnform: jwt/front_api secrets use `openssl rand -hex 32`; align the validation fail_msg in tasks/main.yml accordingly
- send: S3 example references garage_s3_domains[0] (was singular)
- opencloud: document required opencloud_wopi_domain

License normalized to MIT-0 across galaxy.yml, role meta and READMEs to match the SPDX headers.
216 lines
7.4 KiB
YAML
---
argument_specs:
  main:
    short_description: Deploy Traefik v3 as DMZ or backend reverse proxy via Docker Compose.
    description:
      - Renders a Docker Compose stack for Traefik with either the file provider
        (DMZ mode, routes to external backends) or the docker provider (backend
        mode, discovers local containers via labels).
      - Supports ACME DNS-01 issuance (RFC2136 / TSIG) or a self-signed cert
        bundle for local/Vagrant setups.
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
        description: Base directory under which the per-service compose dir is created.
      docker_volume_base_dir:
        type: path
        default: /srv/data
        description: Base directory under which the per-service volume dir is created.
      service_name:
        type: str
        default: traefik
        description: Compose project / service name; also used to build the per-service paths.
      docker_compose_dir:
        type: path
        description: Compose project directory; defaults to C({{ docker_compose_base_dir }}/{{ service_name }}).
      docker_volume_dir:
        type: path
        description: Per-service volume directory; defaults to C({{ docker_volume_base_dir }}/{{ service_name }}).

      traefik_extra_hosts:
        type: list
        elements: str
        default: []
        description:
          - Entries injected as C(extra_hosts) on the traefik container.
          - Each entry has the Docker syntax C("host:ip").
          - Useful when a downstream middleware (e.g. ForwardAuth to authentik
            on a sibling LAN) must resolve a public FQDN to an internal IP
            because the DMZ does not hairpin the public address.

      traefik_mode:
        type: str
        choices: [dmz, backend]
        default: backend
        description:
          - C(dmz) configures the file provider so the proxy forwards to
            backend hosts (typically aggregated from the C(backend_servers) group).
          - C(backend) configures the docker provider for local container discovery.

      traefik_use_ssl:
        type: bool
        default: true
        description: Toggle TLS on the websecure entrypoint.
      traefik_ssl_email:
        type: str
        default: admin@example.com
        description: Contact e-mail used by the ACME resolver.
      traefik_ssl_cert_resolver:
        type: str
        default: dns
        description: Certificate resolver name referenced in router labels.
      traefik_cert_mode:
        type: str
        choices: [acme, selfsigned]
        default: selfsigned
        description: C(acme) for Let's Encrypt via DNS-01, C(selfsigned) for a locally generated bundle.

      traefik_acme_dns_zone:
        type: str
        default: ''
        description: Delegated zone used for the TSIG-signed updates (e.g. C(_acme.example.com.)).
      traefik_acme_dns_nameserver:
        type: str
        default: ''
        description: Nameserver lego talks to for the DNS challenge (C(host:port)).
      traefik_acme_tsig_algorithm:
        type: str
        default: hmac-sha256
        description: TSIG algorithm.
      traefik_acme_tsig_key:
        type: str
        default: ''
        description: TSIG key name.
      traefik_acme_tsig_secret:
        type: str
        default: ''
        description: TSIG secret (base64).
      traefik_acme_propagation_timeout:
        type: str
        default: '120'
        description: lego DNS propagation timeout in seconds.
      traefik_acme_polling_interval:
        type: str
        default: '2'
        description: lego DNS propagation polling interval in seconds.
      traefik_acme_ttl:
        type: str
        default: '60'
        description: TTL applied to the C(_acme-challenge) TXT records.
      traefik_acme_tcp_only:
        type: bool
        default: false
        description:
          - Sets C(LEGO_EXPERIMENTAL_DNS_TCP_ONLY=true) on the container so SOA
            resolution and propagation checks use TCP/53. Use when UDP/53 is
            blocked or unreliable on the container egress path.
      traefik_acme_disable_ans_checks:
        type: bool
        default: false
        description:
          - "Sets C(propagation.disableANSChecks) to true on the ACME resolver
            in the static config, disabling lego's propagation check against
            the zone's authoritative nameservers. Use when the SOA-listed NS
            hostname resolves to an address the proxy host cannot reach; lego
            still polls via the configured C(resolvers) list."

      traefik_selfsigned_cert_dir:
        type: path
        description: Output directory for the self-signed bundle.
      traefik_selfsigned_cert_days:
        type: int
        default: 365
        description: Validity in days for the self-signed bundle.
      traefik_selfsigned_common_name:
        type: str
        default: '*.local.test'
        description: CN/SAN of the self-signed wildcard cert.

      traefik_enable_dashboard:
        type: bool
        default: false
        description: Expose the traefik dashboard.
      traefik_dashboard_domain:
        type: str
        default: ''
        description:
          - When non-empty, the dashboard is published on this Host rule instead
            of the insecure port 8080.

      traefik_enable_access_logs:
        type: bool
        default: true
      traefik_access_log_format:
        type: str
        choices: [common, json]
        default: common
      traefik_log_level:
        type: str
        choices: [DEBUG, INFO, WARN, ERROR, FATAL, PANIC]
        default: INFO

      traefik_network:
        type: str
        default: proxy
        description: Docker network connecting traefik to its routable containers.

      traefik_dmz_exposed_services:
        type: list
        elements: dict
        default: []
        description:
          - In C(dmz) mode, services collected from backend host_vars are
            published via the file provider. Each entry needs C(name),
            C(domain), C(port); C(protocol) and C(backend_host) are optional.
        options:
          name:
            type: str
            required: true
          domain:
            type: str
            required: true
          port:
            type: int
            required: true
          protocol:
            type: str
            choices: [http, https]
            default: http
          backend_host:
            type: str
            description: Override the auto-selected backend host.

      traefik_services:
        type: list
        elements: dict
        default: []
        description:
          - Services defined directly on the DMZ proxy (not auto-discovered
            from a backend host). Each entry must set C(backend_host).
        options:
          name:
            type: str
            required: true
          domain:
            type: str
            required: true
          backend_host:
            type: str
            required: true
          port:
            type: int
            required: true
          protocol:
            type: str
            choices: [http, https]
            default: http

      traefik_backend_servers_to_proxy:
        type: list
        elements: str
        default: []
        description:
          - In C(dmz) mode, explicit list of backend hosts the DMZ proxy
            should aggregate exposed services from. Empty means all members
            of the C(backend_servers) inventory group.
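A pre-flight check for the variables this spec declares, added here as an example and not part of the collection: it validates traefik_dmz_exposed_services / traefik_services entries against the required keys and protocol choices, refuses an acme cert mode whose TSIG settings are still at their empty defaults, and flags a dashboard enabled without traefik_dashboard_domain (which the spec notes would land on the insecure port 8080). The function names and the sample host_vars are constructed for illustration.

```python
"""Pre-flight checks for the traefik role variables listed in argument_specs.yml.
Added example (not the collection's own code); the rules mirror the spec above."""

ALLOWED_PROTOCOLS = ("http", "https")
ACME_REQUIRED = ("traefik_acme_dns_zone", "traefik_acme_dns_nameserver",
                 "traefik_acme_tsig_key", "traefik_acme_tsig_secret")

def validate_service_entries(entries, require_backend_host=False):
    """Check traefik_dmz_exposed_services (or traefik_services when
    require_backend_host=True) entries; returns a list of problem strings."""
    problems = []
    for i, svc in enumerate(entries):
        for key in ("name", "domain", "port"):
            if key not in svc:
                problems.append(f"entry {i}: missing required key {key!r}")
        if require_backend_host and not svc.get("backend_host"):
            problems.append(f"entry {i}: backend_host is required in traefik_services")
        port = svc.get("port")
        # bool is an int subclass in Python, so exclude it explicitly
        if port is not None and (isinstance(port, bool) or not isinstance(port, int)
                                 or not 1 <= port <= 65535):
            problems.append(f"entry {i}: port must be an int in 1..65535, got {port!r}")
        if svc.get("protocol", "http") not in ALLOWED_PROTOCOLS:
            problems.append(f"entry {i}: protocol must be http or https")
    return problems

def validate_tls_and_dashboard(role_vars):
    """Catch configurations that would deploy with empty or placeholder ACME
    settings, or expose the dashboard on the plain :8080 port."""
    problems = []
    if role_vars.get("traefik_cert_mode", "selfsigned") == "acme":
        for key in ACME_REQUIRED:  # all default to '' in the spec
            if not role_vars.get(key):
                problems.append(f"{key} must be set when traefik_cert_mode is acme")
        if role_vars.get("traefik_ssl_email", "admin@example.com") == "admin@example.com":
            problems.append("traefik_ssl_email still carries the placeholder default")
    if role_vars.get("traefik_enable_dashboard", False) and not role_vars.get("traefik_dashboard_domain"):
        problems.append("dashboard enabled without traefik_dashboard_domain: it would listen on insecure port 8080")
    return problems

if __name__ == "__main__":
    # Constructed host_vars for a DMZ proxy, deliberately missing the TSIG secret.
    sample = {"traefik_mode": "dmz", "traefik_cert_mode": "acme", "traefik_enable_dashboard": True,
              "traefik_acme_dns_zone": "_acme.example.com.", "traefik_acme_dns_nameserver": "ns1.example.com:53",
              "traefik_acme_tsig_key": "acme-key", "traefik_ssl_email": "ops@example.com"}
    services = [{"name": "nextcloud", "domain": "cloud.example.com", "port": 443, "protocol": "https"},
                {"name": "httpbin", "domain": "httpbin.example.com", "port": "80", "protocol": "ftp"}]
    for p in validate_service_entries(services) + validate_tls_and_dashboard(sample):
        print(p)
```

Run it against the real host_vars (e.g. loaded with PyYAML) before `ansible-playbook` to catch these defaults early instead of at ACME issuance time.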