Each of the five roles touched in this branch now ships:

* meta/argument_specs.yml: typed schema for every variable in defaults/main.yml plus the optional inputs surfaced via this branch (traefik_extra_hosts, authentik_host_rewrite_domains, authentik_proxy_apps.mode / .allowed_groups, drawio_extra_domains, drawio_authentik_forward_auth*, garage_webui_authentik_forward_auth*). All five specs load cleanly through ansible-core's ArgumentSpecValidator.
* README.md: replaces the ansible-galaxy boilerplate (where it was still in place) with a focused write-up — service vars, required secrets, ForwardAuth/idempotency notes, dependencies, and a working example playbook. authentik and garage READMEs are rewritten to cover the new knobs while preserving their existing content.
# Traefik

Ansible role to deploy Traefik v3 as a reverse proxy via Docker Compose, either as a public-facing DMZ proxy (file provider) or as a backend application proxy (docker provider).

## Requirements

- Docker and Docker Compose installed on the target host
- Ansible collection: `community.docker`
- For ACME DNS-01: an RFC2136-capable nameserver with a delegated zone for `_acme-challenge` records and a TSIG key

## Role variables

Full list with types and defaults: `meta/argument_specs.yml`. The most common overrides:

### Deployment mode

- `traefik_mode`: `dmz` (file provider, routes to external backends) or `backend` (docker provider, discovers local containers). Default `backend`.
- `traefik_backend_servers_to_proxy`: in `dmz` mode, restrict which inventory hosts the DMZ aggregates services from. Empty = all members of `backend_servers`.

### Networking

- `traefik_network`: docker network connecting traefik to its containers (default `proxy`).
- `traefik_extra_hosts`: list of `host:ip` entries injected as the container's `extra_hosts`. Use when a downstream middleware (e.g. ForwardAuth to authentik on a sibling LAN) must resolve a public FQDN to an internal IP because the DMZ does not hairpin the public address back inside.

### Certificates

- `traefik_cert_mode`: `acme` (Let's Encrypt via DNS-01) or `selfsigned` (local wildcard). Default `selfsigned`.
- `traefik_acme_dns_zone`, `traefik_acme_dns_nameserver`, `traefik_acme_tsig_key`, `traefik_acme_tsig_secret`: RFC2136 / TSIG configuration for the ACME DNS-01 challenge.
- `traefik_acme_tcp_only`: force lego's DNS lookups onto TCP/53 when the container cannot reach the nameserver over UDP.
- `traefik_acme_disable_ans_checks`: skip the authoritative-NS propagation check when the SOA-listed NS resolves to an unreachable IP.

### Dashboard

- `traefik_enable_dashboard`: expose the traefik dashboard.
- `traefik_dashboard_domain`: when set, publish the dashboard on this Host rule instead of the insecure port.

## Dependencies

- The Traefik network (`traefik_network`, default `proxy`) must be created by the `base` role or by hand before this role runs.
- In `dmz` mode, the proxied backend services advertise themselves via the `traefik_services` host_var on each backend host.
## Example playbook

Backend mode (one app server per host, docker provider):

```yaml
- hosts: app_servers
  roles:
    - role: digitalboard.core.traefik
      vars:
        traefik_mode: backend
        traefik_cert_mode: acme
        traefik_ssl_email: ops@example.com
        traefik_acme_dns_zone: "_acme.example.com."
        traefik_acme_dns_nameserver: "10.0.0.53:53"
        traefik_acme_tsig_key: "acme-key"
        traefik_acme_tsig_secret: "{{ vault_traefik_tsig_secret }}"
```
DMZ mode (aggregates services from `backend_servers`):

```yaml
- hosts: dmz_servers
  roles:
    - role: digitalboard.core.traefik
      vars:
        traefik_mode: dmz
        traefik_cert_mode: acme
        traefik_backend_servers_to_proxy:
          - app01
          - app02
        traefik_extra_hosts:
          - "auth.example.com:172.16.19.101"
```
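A pre-flight lint for the vars used in the two playbooks above, added here as an example and not part of the role itself. It checks the mode/cert-mode enums, that `traefik_backend_servers_to_proxy` is only set in `dmz` mode, that each `traefik_extra_hosts` entry is a well-formed `host:ip` pointing at an internal address (a public IP there defeats the purpose described under Networking), and, for `acme`, that the ACME keys are present; the set of required ACME keys and the `host:port` shape for the nameserver are assumptions taken from the example playbook, not from the role's argument spec.

```python
import ipaddress
import re

VALID_MODES = {"dmz", "backend"}
VALID_CERT_MODES = {"acme", "selfsigned"}
# Assumed mandatory for ACME DNS-01, copied from the backend-mode example playbook.
ACME_REQUIRED = ("traefik_ssl_email", "traefik_acme_dns_zone",
                 "traefik_acme_dns_nameserver", "traefik_acme_tsig_key",
                 "traefik_acme_tsig_secret")


def check_extra_host(entry):
    """Return a problem for one traefik_extra_hosts entry, or None if it is fine."""
    # Hostnames never contain ':', so the first colon splits host from IP
    # and raw IPv6 addresses ("name:fd00::1") survive the split.
    host, sep, ip = entry.partition(":")
    if not sep or not host or not ip:
        return f"traefik_extra_hosts entry {entry!r} is not host:ip"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"traefik_extra_hosts entry {entry!r}: {ip!r} is not an IP address"
    # The override exists to point a public FQDN at an internal address;
    # a public IP here usually means the wrong side of the NAT was copied.
    if not addr.is_private:
        return f"traefik_extra_hosts entry {entry!r} maps to a public IP"
    return None


def validate_traefik_vars(v):
    """Lint a dict of role vars before the play runs; returns a list of problems."""
    problems = []
    mode = v.get("traefik_mode", "backend")
    if mode not in VALID_MODES:
        problems.append(f"traefik_mode must be dmz or backend, got {mode!r}")
    if mode != "dmz" and v.get("traefik_backend_servers_to_proxy"):
        problems.append("traefik_backend_servers_to_proxy only applies in dmz mode")
    cert = v.get("traefik_cert_mode", "selfsigned")
    if cert not in VALID_CERT_MODES:
        problems.append(f"traefik_cert_mode must be acme or selfsigned, got {cert!r}")
    if cert == "acme":
        for key in ACME_REQUIRED:
            if not v.get(key):
                problems.append(f"{key} is required when traefik_cert_mode is acme")
        ns = v.get("traefik_acme_dns_nameserver", "")
        if ns and not re.fullmatch(r"[^:\s]+:\d{1,5}", ns):
            problems.append("traefik_acme_dns_nameserver must be host:port")
    # Every extra_hosts entry is checked; None results (clean entries) are dropped.
    problems += [p for p in map(check_extra_host, v.get("traefik_extra_hosts") or []) if p]
    return problems
```

Run it against the vars of a play (for example the dict loaded from `group_vars`) before `ansible-playbook`; an empty list means nothing in these checks objected.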
## License

MIT-0