Awesome
Traefik reverse-proxy Ansible role
⚠️ WARNING: this role is now maintained in mother-of-all-self-hosting/ansible-role-traefik.
This is an Ansible role which installs Traefik to run as a Docker container wrapped in a systemd service.
This role implicitly depends on the com.devture.ansible.role.systemd_docker_base
role.
Usage
Example playbook:
- hosts: servers
roles:
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- role: galaxy/com.devture.ansible.role.traefik
- role: another_role
Example playbook configuration (group_vars/servers
or other):
devture_traefik_container_network: "{{ my_container_network }}"
devture_traefik_uid: "{{ my_uid }}"
devture_traefik_gid: "{{ my_gid }}"
Security hardening
To avoid the Traefik container from mounting and using the Docker UNIX socket (/var/run/docker.sock
) directly, you can also make it talk to the Docker API via TCP using Tecnativa/docker-socket-proxy. The Traefik container can then run with reduced privileges (non-root
user, dropped capabilities, etc).
To get this socket proxy installed, you can use the com.devture.ansible.role.container_socket_proxy
role.
Here's some example configuration (e.g. group_vars/servers
) which optionally wires them together:
#
# Container Socket Proxy role configuration
#
devture_container_socket_proxy_enabled: true
devture_container_socket_proxy_uid: "{{ my_uid }}"
devture_container_socket_proxy_gid: "{{ my_gid }}"
# Traefik requires read access to the containers APIs to do its job
devture_container_socket_proxy_api_containers_enabled: true
#
# Traefik role configuration
#
# Base Traefik configuration here (see above).
devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
devture_traefik_container_additional_networks: |
{{
([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
}}
devture_traefik_systemd_required_services_list: |
{{
(['docker.service'])
+
([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
}}