Ansible role to install and configure Traefik reverse proxy.
Building and improving this Ansible role has been sponsored by my current and previous employers like Cloudpunks GmbH and Proact Deutschland GmbH.
- Requirements
- Default Variables
  - traefik_accesslog_buffer
  - traefik_accesslog_format
  - traefik_additional_entrypoints
  - traefik_additional_middlewares
  - traefik_additional_ports
  - traefik_api_dashboard
  - traefik_api_debug
  - traefik_api_enabled
  - traefik_api_insecure
  - traefik_cert_resolvers
  - traefik_check_new_version
  - traefik_dashboard_cert_resolver
  - traefik_dashboard_host_rule
  - traefik_dashboard_http_entrypoint
  - traefik_dashboard_https_entrypoint
  - traefik_dashboard_middlewares
  - traefik_dashboard_users
  - traefik_docker_bind_port_ip
  - traefik_docker_default_rule
  - traefik_docker_exposed_by_default
  - traefik_docker_network_name
  - traefik_environment_variables
  - traefik_force_restart
  - traefik_forwarding_dial_timeout
  - traefik_forwarding_idle_timeout
  - traefik_forwarding_response_timeout
  - traefik_hostresolver_cname_flattening
  - traefik_hostresolver_resolv_config
  - traefik_hostresolver_resolv_depth
  - traefik_image
  - traefik_insecure_skip_verify
  - traefik_log_format
  - traefik_log_level
  - traefik_max_idle_conns
  - traefik_ping_entrypoint
  - traefik_prometheus_buckets
  - traefik_prometheus_enabled
  - traefik_prometheus_entrypoint
  - traefik_prometheus_entrypoint_labels
  - traefik_prometheus_service_labels
  - traefik_provider_throttle_duration
  - traefik_proxy_dashboard
  - traefik_proxy_metrics
  - traefik_pull_image
  - traefik_root_certificates
  - traefik_send_anonymous_usage
  - traefik_standard_entrypoints
  - traefik_standard_middlewares
  - traefik_standard_ports
  - traefik_tls_additional_certificates
  - traefik_tls_cipher_suites
  - traefik_tls_default_certificate
  - traefik_tls_min_version
  - traefik_tls_standard_certificates
  - traefik_tracing_128bit_spans
  - traefik_tracing_collector_endpoint
  - traefik_tracing_collector_password
  - traefik_tracing_collector_user
  - traefik_tracing_enabled
  - traefik_tracing_header_name
  - traefik_tracing_local_agent
  - traefik_tracing_name_limit
  - traefik_tracing_propagation_format
  - traefik_tracing_sampling_param
  - traefik_tracing_sampling_server
  - traefik_tracing_sampling_type
  - traefik_tracing_service_name
  - traefik_version
- Discovered Tags
- Dependencies
- License
- Author
- Minimum Ansible version: 2.10
Access log buffering size
traefik_accesslog_buffer: 0
Access log format
traefik_accesslog_format: common
Additional available entrypoints
traefik_additional_entrypoints: []
Additional available middlewares
traefik_additional_middlewares: []
Additional available ports
traefik_additional_ports: []
Enable dashboard API
traefik_api_dashboard: true
Enable debug mode within API
traefik_api_debug: false
Enable API endpoints
traefik_api_enabled: true
Enable insecure access for API
traefik_api_insecure: false
List of certificate resolvers
traefik_cert_resolvers: []
Example:
traefik_cert_resolvers:
  - name: default-dns
    email: [email protected]
    dns_challenge:
      provider: cloudflare
  - name: default-http
    email: [email protected]
    http_challenge:
      entrypoint: http
  - name: default-tls
    email: [email protected]
    tls_challenge: True
Check for a new version online
traefik_check_new_version: false
Cert resolver for the dashboard
traefik_dashboard_cert_resolver:
Host rule for the dashboard
traefik_dashboard_host_rule: '{{ ansible_fqdn }}'
Insecure entrypoint for the dashboard
traefik_dashboard_http_entrypoint: http
Secure entrypoint for the dashboard
traefik_dashboard_https_entrypoint: https
Middlewares used for the dashboard
traefik_dashboard_middlewares:
- traefik@file
Users used for the dashboard
traefik_dashboard_users: []
Use bind port ip for docker provider
traefik_docker_bind_port_ip: false
Default rule for docker provider
traefik_docker_default_rule: !unsafe 'Host(`{{ normalize .Name }}`)'
Expose service by default for docker provider
traefik_docker_exposed_by_default: false
Docker network used by docker provider
traefik_docker_network_name:
Example:
traefik_docker_network_name: traefik
List of available environment variables
traefik_environment_variables: []
Example:
traefik_environment_variables:
  - key: CF_API_EMAIL
    value: [email protected]
  - key: CF_API_KEY
    value: as0oiGu2Chier3aepaeceeG7oiY2aezawe5te
Force a restart of the service
traefik_force_restart: false
Server transport forwarding dial timeout
traefik_forwarding_dial_timeout: 30
Server transport forwarding idle connection timeout
traefik_forwarding_idle_timeout: 90
Server transport forwarding response timeout
traefik_forwarding_response_timeout: 0
Enable cname flattening for resolver
traefik_hostresolver_cname_flattening: false
Path to host resolv config
traefik_hostresolver_resolv_config: /etc/resolv.conf
Max resolv depth for the host resolver
traefik_hostresolver_resolv_depth: 5
Docker image to use
traefik_image: library/traefik:{{ traefik_version }}
Server transport insecure skip verify
traefik_insecure_skip_verify: true
General log format
traefik_log_format: common
General log level
traefik_log_level: ERROR
Server transport max idle connections per host
traefik_max_idle_conns: 100
Entrypoint used for ping
traefik_ping_entrypoint:
List of buckets for prometheus metrics
traefik_prometheus_buckets:
- 0.1
- 0.3
- 1.2
- 5.0
Enable prometheus exporter
traefik_prometheus_enabled: true
Entrypoint used for prometheus metrics
traefik_prometheus_entrypoint: metrics
Add entrypoint labels for prometheus metrics
traefik_prometheus_entrypoint_labels: true
Add service labels for prometheus metrics
traefik_prometheus_service_labels: true
Provider throttle duration
traefik_provider_throttle_duration: 0
Enable builtin rules for dashboard
traefik_proxy_dashboard: true
Enable builtin rules for metrics
traefik_proxy_metrics: true
Pull image as part of the tasks
traefik_pull_image: true
List of available root certificates
traefik_root_certificates: []
Example:
traefik_root_certificates:
  - /path/to/root1.crt
  - /path/to/root2.crt
  - /path/to/root3.crt
Send anonymous usage information to authors
traefik_send_anonymous_usage: true
General available entrypoints
traefik_standard_entrypoints:
  - name: metrics
    address: :8082
  - name: traefik
    address: :8080
  - name: http
    address: :80
  - name: https
    address: :443
General available middlewares
traefik_standard_middlewares:
  - name: traefik
    kind: basicAuth
    attrs:
      users: '{{ traefik_dashboard_users }}'
      realm: Traefik
  - name: https
    kind: redirectScheme
    attrs:
      scheme: https
      permanent: true
  - name: secure
    kind: headers
    attrs:
      forceSTSHeader: true
      stsIncludeSubdomains: false
      stsPreload: true
      stsSeconds: 315360000
      sslRedirect: true
      customFrameOptionsValue: SAMEORIGIN
      contentTypeNosniff: true
      browserXssFilter: true
      referrerPolicy: strict-origin-when-cross-origin
General available ports
traefik_standard_ports:
- 80:80
- 443:443
Additional available certificates
traefik_tls_additional_certificates: []
Example:
traefik_tls_additional_certificates:
  - crt: /etc/ssl/certs/wildcard.example.com.crt
    key: /etc/ssl/private/wildcard.example.com.key
  - crt: /etc/ssl/certs/wildcard.foo.com.crt
    key: /etc/ssl/private/wildcard.foo.com.key
  - crt: /etc/ssl/certs/wildcard.bar.com.crt
    key: /etc/ssl/private/wildcard.bar.com.key
Cipher suites to enable for TLS
traefik_tls_cipher_suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Default certificate used for any request without a matching router
traefik_tls_default_certificate:
Example:
traefik_tls_default_certificate:
  crt: /etc/ssl/certs/wildcard.example.com.crt
  key: /etc/ssl/private/wildcard.example.com.key
  generated:
    resolver: default
    domain:
      main: example.com
      sans:
        - dummy.example.com
Minimal version used for TLS
traefik_tls_min_version: VersionTLS12
General available certificates
traefik_tls_standard_certificates: []
Example:
traefik_tls_standard_certificates:
  - crt: /etc/ssl/certs/wildcard.example.com.crt
    key: /etc/ssl/private/wildcard.example.com.key
  - crt: /etc/ssl/certs/wildcard.foo.com.crt
    key: /etc/ssl/private/wildcard.foo.com.key
  - crt: /etc/ssl/certs/wildcard.bar.com.crt
    key: /etc/ssl/private/wildcard.bar.com.key
Jaeger tracing gen 128bit spans
traefik_tracing_128bit_spans: false
Jaeger tracing collector endpoint
traefik_tracing_collector_endpoint:
Jaeger tracing collector password
traefik_tracing_collector_password:
Jaeger tracing collector user
traefik_tracing_collector_user:
Enable distributed tracing
traefik_tracing_enabled: false
Jaeger tracing context header name
traefik_tracing_header_name: uber-trace-id
Jaeger tracing local agent host and port
traefik_tracing_local_agent:
Tracing span name limit
traefik_tracing_name_limit: 0
Jaeger tracing propagation format
traefik_tracing_propagation_format: jaeger
Jaeger tracing sampling rate
traefik_tracing_sampling_param: 1.0
Jaeger tracing sampling server url
traefik_tracing_sampling_server:
Jaeger tracing sampling type
traefik_tracing_sampling_type: const
Tracing service name to send
traefik_tracing_service_name: traefik
Version of the Docker image
traefik_version: v3.3.2
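Several of the defaults listed above are permissive (backend certificate verification off, CBC cipher suites enabled, usage reporting on, no dashboard users). The following variable overrides tighten them; this is an added example, not part of the role, and the CA path, the dashboard user entry and the `vault_*` variable names are placeholders or assumptions.

```yaml
# Example overrides, e.g. in group_vars (added example; placeholder values).

# The role default is true, which makes Traefik skip verification of
# backend TLS certificates. Turn verification back on.
traefik_insecure_skip_verify: false
# Assumption: backends are signed by an internal CA; the path is a placeholder.
traefik_root_certificates:
  - /etc/ssl/certs/internal-ca.crt

# Keep the API off the insecure entrypoint and debug endpoints disabled
# (both already the role defaults, pinned here so they cannot drift).
traefik_api_insecure: false
traefik_api_debug: false

# The built-in "traefik" basicAuth middleware reads this list. Traefik's
# basicAuth expects htpasswd-style "user:hash" entries; the value below is
# a placeholder, generate a real one with: htpasswd -nB admin
traefik_dashboard_users:
  - 'admin:<bcrypt-hash-placeholder>'

# Same minimum version as the role default, but with the four CBC suites
# from the default list removed so only AEAD suites remain.
traefik_tls_min_version: VersionTLS12
traefik_tls_cipher_suites:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# Both are outbound calls from the proxy host; the first defaults to true.
traefik_send_anonymous_usage: false
traefik_check_new_version: false

# Provider credentials come from Ansible Vault instead of plain-text vars.
# vault_cf_api_email and vault_cf_api_key are hypothetical variable names.
traefik_environment_variables:
  - key: CF_API_EMAIL
    value: '{{ vault_cf_api_email }}'
  - key: CF_API_KEY
    value: '{{ vault_cf_api_key }}'
```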
traefik
Apache-2.0