Each of the five roles touched in this branch now ships:

* meta/argument_specs.yml: typed schema for every variable in defaults/main.yml plus the optional inputs surfaced via this branch (traefik_extra_hosts, authentik_host_rewrite_domains, authentik_proxy_apps.mode / .allowed_groups, drawio_extra_domains, drawio_authentik_forward_auth*, garage_webui_authentik_forward_auth*). All five specs load cleanly through ansible-core's ArgumentSpecValidator.
* README.md: replaces the ansible-galaxy boilerplate (where it was still in place) with a focused write-up — service vars, required secrets, ForwardAuth/idempotency notes, dependencies, and a working example playbook. authentik and garage READMEs are rewritten to cover the new knobs while preserving their existing content.
# Traefik
Ansible role to deploy Traefik v3 as a reverse proxy via Docker Compose, either as a public-facing DMZ proxy (file provider) or as a backend application proxy (docker provider).
## Requirements

- Docker and Docker Compose installed on the target host
- Ansible collection: `community.docker`
- For ACME DNS-01: an RFC2136-capable nameserver with a delegated zone for `_acme-challenge` records and a TSIG key
## Role variables

Full list with types and defaults: `meta/argument_specs.yml`. The most common overrides:
### Deployment mode

- `traefik_mode`: `dmz` (file provider, routes to external backends) or `backend` (docker provider, discovers local containers). Default `backend`.
- `traefik_backend_servers_to_proxy`: in `dmz` mode, restrict which inventory hosts the DMZ aggregates services from. Empty means all members of `backend_servers`.
### Networking

- `traefik_network`: Docker network connecting Traefik to its containers (default `proxy`).
- `traefik_extra_hosts`: list of `host:ip` entries injected as the container's `extra_hosts`. Use it when a downstream middleware (for example ForwardAuth to authentik on a sibling LAN) must resolve a public FQDN to an internal IP because the DMZ does not hairpin the public address back inside.
### Certificates

- `traefik_cert_mode`: `acme` (Let's Encrypt via DNS-01) or `selfsigned` (local wildcard). Default `selfsigned`.
- `traefik_acme_dns_zone`, `traefik_acme_dns_nameserver`, `traefik_acme_tsig_key`, `traefik_acme_tsig_secret`: RFC2136 / TSIG configuration for the ACME DNS-01 challenge. Keep `traefik_acme_tsig_secret` in Ansible Vault, as in the example playbook below: the key can modify records in the delegated zone.
- `traefik_acme_tcp_only`: force lego's DNS lookups onto TCP/53 when the container cannot reach the nameserver over UDP.
- `traefik_acme_disable_ans_checks`: skip the authoritative-NS propagation check when the SOA-listed NS resolves to an IP the container cannot reach.
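Before the first `acme` run it is worth proving that the TSIG key behind `traefik_acme_tsig_key` / `traefik_acme_tsig_secret` can actually write to the delegated zone, because a refused dynamic update only surfaces later as a failed challenge in the Traefik log. The preflight below is an added example and is not part of the role: it builds an `nsupdate` batch that adds and then deletes a throwaway TXT record under the zone, using the nameserver, zone and key name from the example playbook. The owner name `_tsig-preflight`, the `hmac-sha256` algorithm and the `NSUPDATE_TCP=1` switch (which passes `nsupdate -v`, the TCP-only counterpart of `traefik_acme_tcp_only`) are assumptions; use the algorithm the key was created with on the nameserver.

```shell
#!/bin/sh
# TSIG dynamic-update preflight for the ACME DNS-01 setup described above.
# Added example, not part of the role. Owner name, algorithm and the
# NSUPDATE_TCP switch are assumptions; the secret below is a placeholder.

# Emit an nsupdate batch: add a throwaway TXT record, send, delete it, send.
#   $1 nameserver as host or host:port (IPv4/hostname; bare IPv6 not handled)
#   $2 zone (with or without trailing dot)   $3 TSIG key name
#   $4 TSIG secret (base64)                   $5 TSIG algorithm, e.g. hmac-sha256
#   $6 owner name of the test record, relative to the zone
tsig_update_script() {
    ns="$1"; zone="$2"; keyname="$3"; secret="$4"; algo="$5"; owner="$6"
    host="${ns%%:*}"
    case "$ns" in
        *:*) port="${ns##*:}" ;;
        *)   port=53 ;;
    esac
    zone_nodot="${zone%.}"                 # normalise so the FQDN is built once
    fqdn="${owner}.${zone_nodot}."
    printf 'server %s %s\n' "$host" "$port"
    printf 'zone %s.\n' "$zone_nodot"
    printf 'key %s:%s %s\n' "$algo" "$keyname" "$secret"
    printf 'update add %s 60 TXT "tsig-preflight"\n' "$fqdn"
    printf 'send\n'
    printf 'update delete %s TXT\n' "$fqdn"
    printf 'send\n'
}

# Run the batch through nsupdate. Exit status 0 means both updates were
# accepted with this key; REFUSED/NOTAUTH means the key or zone is wrong.
# NSUPDATE_TCP=1 forces TCP, mirroring traefik_acme_tcp_only on the lego side.
tsig_check() {
    if ! command -v nsupdate >/dev/null 2>&1; then
        echo "nsupdate not found (install bind9-dnsutils / bind-utils)" >&2
        return 127
    fi
    nsflags=""
    [ "${NSUPDATE_TCP:-0}" = "1" ] && nsflags="-v"
    tsig_update_script "$@" | nsupdate $nsflags
}

# Usage with the example playbook's values (secret is a placeholder):
#   tsig_check "10.0.0.53:53" "_acme.example.com." "acme-key" "$TSIG_SECRET" \
#              "hmac-sha256" "_tsig-preflight"
```

Run it from the host where the Traefik container will live, so that the same network path (and the same UDP-versus-TCP behaviour) is exercised that lego will use. A `NOTAUTH` answer usually means the key name or algorithm does not match the server-side definition; `REFUSED` usually means the zone's update policy does not grant this key write access.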
### Dashboard

- `traefik_enable_dashboard`: expose the Traefik dashboard.
- `traefik_dashboard_domain`: when set, publish the dashboard on this Host rule instead of the insecure port.
## Dependencies

- The Traefik network (`traefik_network`, default `proxy`) must be created by the `base` role or by hand before this role runs.
- In `dmz` mode, the proxied backend services advertise themselves via the `traefik_services` host_var on each backend host.
## Example playbook

Backend mode (one app server per host, docker provider):

```yaml
- hosts: app_servers
  roles:
    - role: digitalboard.core.traefik
      vars:
        traefik_mode: backend
        traefik_cert_mode: acme
        traefik_ssl_email: ops@example.com
        traefik_acme_dns_zone: "_acme.example.com."
        traefik_acme_dns_nameserver: "10.0.0.53:53"
        traefik_acme_tsig_key: "acme-key"
        traefik_acme_tsig_secret: "{{ vault_traefik_tsig_secret }}"
```
DMZ mode (aggregates services from `backend_servers`):

```yaml
- hosts: dmz_servers
  roles:
    - role: digitalboard.core.traefik
      vars:
        traefik_mode: dmz
        traefik_cert_mode: acme
        traefik_backend_servers_to_proxy:
          - app01
          - app02
        traefik_extra_hosts:
          - "auth.example.com:172.16.19.101"
```
## License

MIT-0