refactor(traefik): ensure consistent variable naming

netr0m · Oct 17, 2023 · 8b30d9e · 8b30d9e
1 parent 9f011a9
commit 8b30d9e
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 42 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -45,6 +45,8 @@ svc_packages_pip:
 ### Services ###
 # Default restart policy
 svc_restart_policy: 'always'
+# Whether to force pull container images
+svc_force_pull: false
 # Default logging options - see https://docs.docker.com/config/containers/logging/configure/
 svc_log_driver: local
 svc_log_options:
@@ -75,34 +77,31 @@ svc_traefik_debug: false
 svc_traefik_insecure: false
 # Whether to expose Docker containers by default
 svc_traefik_exposed_by_default: false
-# Whether to automatically retrieve TLS certificates. Requires 'svc_traefik_dns_challenge_provider' and 'svc_traefik_env_vars_acme'.
+# Whether to automatically retrieve TLS certificates. Requires 'svc_traefik_dns_challenge_provider' and 'svc_traefik_acme_settings'.
 svc_traefik_automatic_https: true
 
-# When svc_traefik_automatic_https is true
+# Challenge provider to use for automatic TLS certificate acquisition. See https://doc.traefik.io/traefik/https/acme/#providers
 svc_traefik_dns_challenge_provider: 'cloudflare'
 # Whether to use the staging servers (recommended for testing)
 svc_traefik_letsencrypt_staging: false
 # Environment variables for Traefik to automatically acquire TLS certificates
-svc_traefik_env_vars_acme:
-  TRAEFIK_CERTIFICATESRESOLVERS_cloudflare_ACME_EMAIL: ''
-  CF_API_EMAIL: "{{ lookup('env', 'CF_API_EMAIL') | default('[email protected]') }}"
+svc_traefik_acme_settings:
+  TRAEFIK_CERTIFICATESRESOLVERS_cloudflare_ACME_EMAIL: "{{ lookup('env', 'CF_API_EMAIL') | default('undefined') }}"
+  CF_API_EMAIL: "{{ lookup('env', 'CF_API_EMAIL') | default('undefined') }}"
   CF_API_KEY: "{{ lookup('env', 'CF_API_KEY') | default('undefined') }}"
-# Environment variables for the Traefik container
-svc_traefik_env_vars:
-  PUID: "{{ svc_user_uid }}"
-  PGID: "{{ svc_group_gid }}"
-  TZ: "{{ svc_tz | default('Etc/UTC') }}"
 
-# Traefik container settings
-svc_traefik_container:
-  hostname: traefik
-  image: traefik:latest
-  restart_policy: always
-  env_vars: "{{ svc_traefik_env_vars | combine(svc_traefik_env_vars_acme) }}"
-  ports:
-    http: 80
-    https: 443
-  memory: 1g
+# traefik container hostname
+svc_traefik_container_hostname: traefik
+# traefik version
+svc_traefik_version: latest
+# traefik container image
+svc_traefik_container_image: "traefik:{{ svc_traefik_version }}"
+# traefik container memory
+svc_traefik_container_memory: 1g
+# traefik container ports
+svc_traefik_container_ports:
+  http: 80
+  https: 443
 
 # Used as the 'average' parameter for the rate limiting middleware
 svc_traefik_middleware_rate_limit_average: 50
@@ -116,7 +115,6 @@ svc_traefik_extra_hosts: []
   #   protocol: https
   #   ip_addr: 10.10.10.10
   #   port: 8080
-
 # Extra middlewares for Traefik. See templates/etc/traefik/config/http.yml
 svc_traefik_middlewares: {}
   # example-mwr:
@@ -126,6 +124,7 @@ svc_traefik_middlewares: {}
   #       X-Forwarded-Proto: 'https'
 
 # Extra certificates for Traefik. See templates/etc/traefik/traefik.yml
+# First entry in the list will be used as the default, if any
 svc_traefik_certificates: []
   # - crt: /etc/traefik/tls/domain.tld.crt
   #   key: /etc/traefik/tls/domain.tld.key

diff --git a/tasks/deploy_traefik.yml b/tasks/deploy_traefik.yml
@@ -62,27 +62,28 @@
 
 - name: Deploy traefik service
   community.docker.docker_container:
-    image: "{{ svc_traefik_container.image }}"
-    name: "{{ svc_traefik_container.hostname }}"
-    hostname: "{{ svc_traefik_container.hostname }}"
-    restart_policy: "{{ svc_traefik_container.restart_policy | default(svc_restart_policy) }}"
+    image: "{{ svc_traefik_container_image }}"
+    pull: "{{ svc_force_pull or svc_traefik_version == 'latest' }}"
+    name: "{{ svc_traefik_container_hostname }}"
+    hostname: "{{ svc_traefik_container_hostname }}"
+    restart_policy: "{{ svc_traefik_restart_policy | default(svc_restart_policy) }}"
     volumes:
       - "{{ svc_traefik_directories.cfg.path }}/traefik.yml:/etc/traefik/traefik.yml:ro"
       - "{{ svc_traefik_directories.cfg.path }}/config:/etc/traefik/config:ro"
       - "{{ svc_traefik_directories.cfg.path }}/letsencrypt/acme.json:/etc/traefik/letsencrypt/acme.json:rw"
       - "{{ svc_traefik_directories.log.path }}:/var/log/traefik:rw"
       - /var/run/docker.sock:/var/run/docker.sock
     ports:
-      - "{{ svc_traefik_container.ports.http | default('80') }}:80"
-      - "{{ svc_traefik_container.ports.https | default('443') }}:443"
-    env: "{{ svc_traefik_container.env_vars }}"
-    memory: "{{ svc_traefik_container.memory | default('1g') }}"
+      - "{{ svc_traefik_container_ports.http | default('80') }}:80"
+      - "{{ svc_traefik_container_ports.https | default('443') }}:443"
+    env: "{{ svc_traefik_env_vars | combine(svc_traefik_acme_settings) }}"
+    memory: "{{ svc_traefik_container_memory | default('1g') }}"
     log_driver: "{{ svc_log_driver }}"
     log_options: "{{ svc_log_options }}"
     recreate: true
     labels:
       traefik.enable: 'true'
-      traefik.http.routers.traefik-dash-rtr.rule: "Host(\"{{ svc_traefik_container.hostname }}.{{ svc_domain }}\")"
+      traefik.http.routers.traefik-dash-rtr.rule: "Host(\"{{ svc_traefik_container_hostname }}.{{ svc_domain }}\")"
       traefik.http.routers.traefik-dash-rtr.entrypoints: webSecure
       traefik.http.routers.traefik-dash-rtr.service: api@internal
     networks:
@@ -92,9 +93,10 @@
 - name: Deploy traefik whoami service (debug)
   community.docker.docker_container:
     image: traefik/whoami
+    pull: "{{ svc_force_pull or svc_traefik_version == 'latest' }}"
     name: whoami
     hostname: whoami
-    restart_policy: "{{ svc_traefik_container.restart_policy | default(svc_restart_policy) }}"
+    restart_policy: "{{ svc_traefik_restart_policy | default(svc_restart_policy) }}"
     labels:
       traefik.enable: 'true'
       traefik.http.routers.whoami-rtr.rule: "Host(\"whoami.{{ svc_domain }}\")"

diff --git a/templates/etc/traefik/traefik.yml.j2 b/templates/etc/traefik/traefik.yml.j2
@@ -24,6 +24,7 @@ entryPoints:
           to: webSecure
           scheme: https
           permanent: true
+
   webSecure:
     address: :443
     forwardedHeaders:
@@ -41,16 +42,10 @@ entryPoints:
             sans:
               - "*.{{ svc_domain }}"
 {% endif %}
-  dns:
-    address: :53
-  dnsUdp:
-    address: :53/udp
-  dnsTls:
-    address: :853
-  dlna:
-    address: :1900/udp
-  ssdp:
-    address: :7359/udp
+{% for entrypoint in svc_traefik_extra_entrypoints %} 
+  {{ entrypoint.name }}:
+    address: :{{ entrypoint.port }}
+{% endfor %}
 
 providers:
   docker:
@@ -69,7 +64,7 @@ certificatesResolvers:
   {{ svc_traefik_dns_challenge_provider }}:
     acme:
 {% if svc_traefik_letsencrypt_staging | bool %}
-      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      caServer: {{ svc_traefik_letsencrypt_staging_server }}
 {% endif %}
       storage: /etc/traefik/letsencrypt/acme.json
       dnsChallenge:

diff --git a/vars/main.yml b/vars/main.yml
@@ -1,6 +1,10 @@
 ---
 svc_docker_network_name: "svc_net"
 
+# Staging CA server for letsencrypt
+svc_traefik_letsencrypt_staging_server: https://acme-staging-v02.api.letsencrypt.org/directory
+
+# Default middlewares for traefik
 svc_traefik_middlewares_default:
   lan-mwr:
     ipWhiteList:
@@ -18,4 +22,10 @@ svc_traefik_middlewares_default:
     redirectScheme:
       scheme: https
       permanent: true
+
+# Environment variables for the Traefik container
+svc_traefik_env_vars:
+  PUID: "{{ svc_user_uid }}"
+  PGID: "{{ svc_group_gid }}"
+  TZ: "{{ svc_tz | default('Etc/UTC') }}"
 ...