commit 3fcebb77a67babeef413efdb6e8bb32969f505bc
Author: Olivier Navas
Date: Tue Nov 12 12:05:12 2024 +0100

Commit initial

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..eb0dc2c
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,12 @@
+# **Change Log** 📜📝
+
+Les changements notables apportés au projet sont notés ici.
+
+Document au format basé sur [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+Le projet suit les préconisations de [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+## [**v0.1.0**] - 2024-11-12
+
+* Première version - séparation des roles host et traefik
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..37c6c6a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,18 @@
+Copyright (c) Libretic
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+The Software is provided "as is", without warranty of any kind, express or
+implied, including but not limited to the warranties of merchantability, fitness
+for a particular purpose and noninfringement. In no event shall the authors or
+copyright holders be liable for any claim, damages or other liability, whether
+in an action of contract, tort or otherwise, arising from, out of or in
+connection with the Software or the use or other dealings in the Software.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dcff93a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,72 @@
+Role : docker_traefik
+=====================
+
+Configure un conteneur traefik sur un serveur préparé avec docker_host prêt à servir de reverse proxy local pour les applications web.
+
+
+Prérequis et dépendances
+------------------------
+
+- Rôle : docker_host
+
+
+Variables
+---------
+
+Le rôle nécessite que soit fourni le paramètre suivant :
+
+```yaml
+# Chaine user + mdp chiffré pour l'accès à l'interface de traefik sur le port 8443
+docker_traefik_admin: "admin:$$apr1$$HWiac5ae$$fBaMfNze1G96R2d5ntiID/"
+```
+
+Les autres variables utilisables sont précisées ci-dessous (cf. defaults/main.yml) :
+
+```yaml
+# Liste des reverse proxy de confiance pour traefik, pour la récupération des entêtes http
+docker_traefik_trusted_ips: []
+# Chemin d'installation
+docker_traefik_install_dir: /opt/traefik/
+# Interface d'écoute pour les flux entrants
+docker_traefik_listen_ip: "0.0.0.0"
+# Interface d'écoute pour l'administration de traefik
+docker_traefik_admin_listen_ip: "{{ docker_traefik_listen_ip }}"
+# Port d'écoute pour les flux http
+docker_traefik_web_port: 80
+# Port d'écoute pour les flux https
+docker_traefik_websecure_port: 443
+# Port d'écoute pour l'interface d'administration'
+docker_traefik_admin_port: 8443
+```
+
+Par exemple :
+```yaml
+docker_host_traefik_admin: "admin:$$apr1$$HWiac5ae$$fBaMfNze1G96R2d5ntiID/"
+docker_host_traefik_trusted_ips: [ 10.1.2.3 ]
+```
+
+A noter : la valeur de docker_host_traefik_admin pour un compte d'accès "admin" avec mot de passe "4dm1n" s'obtient par :
+```sh
+echo $(htpasswd -nb admin 4dm1n) | sed -e s/\\$/\\$\\$/g
+```
+
+Exemple de Playbook
+-------------------
+
+Le rôle peut s'utiliser sans paramètre particulier sur un serveur préparé avec docker_host.
+
+```yaml
+- hosts: servers
+ vars:
+ docker_host_traefik_admin: "admin:$$apr1$$HWiac5ae$$fBaMfNze1G96R2d5ntiID/"
+
+ roles:
+ - docker_host
+ - docker_traefik
+```
+
+
+License
+-------
+
+MIT
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..6d9914d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,8 @@
+docker_traefik_trusted_ips: []
+docker_traefik_listen_ip: "0.0.0.0"
+docker_traefik_install_dir: /opt/traefik/
+docker_traefik_admin_listen_ip: "{{ docker_traefik_listen_ip }}"
+
+docker_traefik_web_port: 80
+docker_traefik_websecure_port: 443
+docker_traefik_admin_port: 8443
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b0cad1e
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Docker-compose-up # noqa: no-changed-when
+ ansible.builtin.command: docker compose up -d
+ args:
+ chdir: /opt/{{ docker_traefik_install_dir }}/
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..0a8effb
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,6 @@
+galaxy_info:
+ author: Olivier Navas
+ description: Prepare traefik sur un serveur avec docker_host
+ license: MIT
+ min_ansible_version: 2.9
+ galaxy_tags: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7c2fae0
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Traefik network
+ community.docker.docker_network:
+ name: traefik
+
+- name: Traefik dir
+ ansible.builtin.file:
+ path: "{{ docker_traefik_install_dir }}"
+ state: directory
+ mode: u=rwx,g=rx,o=
+
+- name: Traefik compose
+ ansible.builtin.template:
+ src: traefik-docker-compose.yml.j2
+ dest: "{{ docker_traefik_install_dir }}/docker-compose.yml"
+ mode: u=rw,g=r,o=r
+ notify: Docker-compose-up
diff --git a/templates/traefik-docker-compose.yml.j2 b/templates/traefik-docker-compose.yml.j2
new file mode 100644
index 0000000..ae60e86
--- /dev/null
+++ b/templates/traefik-docker-compose.yml.j2
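Review bot: `docker_traefik_admin_listen_ip` defaults to `docker_traefik_listen_ip`, which is `"0.0.0.0"`, so the basic-auth-protected dashboard/API entrypoint is published on every host interface unless the caller overrides it; a safer default for an administrative endpoint is loopback, `docker_traefik_admin_listen_ip: "127.0.0.1"`, with the README telling operators to widen it deliberately. The required `docker_traefik_admin` credential has no entry in this file, so an undefined-variable error at template time is the only signal that it was forgotten; a comment such as `# docker_traefik_admin: required ("user:htpasswd-hash"), deliberately no default` would document that contract next to the other variables.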
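Review bot: The `chdir` on the last line of handlers/main.yml prefixes `/opt/` to `docker_traefik_install_dir`, which already defaults to `/opt/traefik/` in defaults/main.yml, so the handler changes into `/opt//opt/traefik//` and `docker compose up -d` fails (or, if such a directory happens to exist, starts the wrong stack) for the default install path; it should be `chdir: "{{ docker_traefik_install_dir }}"`. Quoting the Jinja expression also keeps the value a plain string for yamllint and ansible-lint regardless of what the variable is set to.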
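Review bot: `min_ansible_version: 2.9` in meta/main.yml is an unquoted float, so YAML loaders see the number `2.9` rather than a version string (and `2.10` would collapse to `2.1`); write `min_ansible_version: "2.9"`. The README lists the docker_host role as a prerequisite, yet this file declares no `dependencies:` key at all; either list it under `dependencies:` as `- role: docker_host` or add `dependencies: []` so the omission is explicit — I can't tell from here which is intended.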
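Review bot: The `Traefik compose` task in tasks/main.yml writes the rendered docker-compose.yml with `mode: u=rw,g=r,o=r`, yet that file embeds the `docker_traefik_admin` htpasswd hash (see templates/traefik-docker-compose.yml.j2), so the credential hash is world-readable on the host; the directory's `o=` blocks traversal today, but the file's own permissions should protect it too. Use `mode: u=rw,g=r,o=` (or `u=rw,g=,o=`) on the template task. A short comment on the task, e.g. `# compose file contains the dashboard basic-auth hash — keep it unreadable to others`, would explain the tighter mode to the next maintainer.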
@@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+networks:
+ traefik:
+ external: true
+
+services:
+ traefik:
+ image: traefik:v3
+ restart: always
+ command:
+ - "--log.level=INFO"
+ - "--accesslog=true"
+ - "--accesslog.fields.names.StartUTC=drop"
+ - "--api=true"
+ - "--api.dashboard=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.web.address=:{{ docker_traefik_web_port }}"
+ - "--entryPoints.web.forwardedHeaders.trustedIPs={{ docker_traefik_trusted_ips }}"
+ - "--entrypoints.websecure.address=:{{ docker_traefik_websecure_port }}"
+ - "--entryPoints.websecure.forwardedHeaders.trustedIPs={{ docker_traefik_trusted_ips }}"
+ - "--entrypoints.api.address=:{{ docker_traefik_admin_port }}"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.port={{ docker_traefik_admin_port }}"
+ - "traefik.http.routers.api.entrypoints=api"
+ - "traefik.http.routers.api.rule=(PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+ - "traefik.http.routers.api.service=api@internal"
+ - "traefik.http.routers.api.middlewares=auth"
+ - "traefik.http.routers.api.tls"
+ - "traefik.http.middlewares.auth.basicauth.users={{ docker_traefik_admin }}"
+ ports:
+ - "{{ docker_traefik_listen_ip }}:{{ docker_traefik_web_port }}:{{ docker_traefik_web_port }}"
+ - "{{ docker_traefik_listen_ip }}:{{ docker_traefik_websecure_port }}:{{ docker_traefik_websecure_port }}"
+ - "{{ docker_traefik_admin_listen_ip }}:{{ docker_traefik_admin_port }}:{{ docker_traefik_admin_port }}"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ - TZ=Europe/Paris
+ networks:
+ - traefik
+ userns_mode: "host"
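Review bot: Both `forwardedHeaders.trustedIPs` command lines interpolate `docker_traefik_trusted_ips` as a raw Jinja list, so the default `[]` renders literally as `--entryPoints.web.forwardedHeaders.trustedIPs=[]` and a populated list renders Python-style as `['10.1.2.3']` rather than the comma-separated IP/CIDR list Traefik expects, which presumably makes Traefik reject the flag or trust nothing; render it with `{{ docker_traefik_trusted_ips | join(',') }}` and wrap the two flags in a `{% if docker_traefik_trusted_ips %}` guard so X-Forwarded-* headers are honoured only from the intended proxies. The README's examples name the credential `docker_host_traefik_admin` while this template reads `docker_traefik_admin`, so a user following the README gets an undefined-variable failure. The dashboard router carries a value-less `traefik.http.routers.api.tls` label (Traefik documents `=true`) and no certificate source, so the admin endpoint presumably serves Traefik's built-in default certificate — worth a comment or a `tls.certresolver` entry if that is not intended, and `traefik.port=...` looks like v1 label syntax that `api@internal` does not need. The container mounts `/var/run/docker.sock` (read-only, but still Docker API access) and sets `userns_mode: "host"`, which opts this container out of any user-namespace remapping on the host; a comment explaining why both are required would help reviewers. `image: traefik:v3` floats on a major tag, so a pinned minor/patch tag would keep upgrades deliberate.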