From d5b1d991aedd0ab0b31448489e534b161babcd1d Mon Sep 17 00:00:00 2001 From: Simonas Kareiva Date: Wed, 6 May 2026 13:32:39 +0300 Subject: [PATCH 1/2] Socket activation - preserve src ip --- roles/infra/tasks/traefik.yml | 122 +++++++++++++++++++++++++--------- 1 file changed, 90 insertions(+), 32 deletions(-) diff --git a/roles/infra/tasks/traefik.yml b/roles/infra/tasks/traefik.yml index ce41119..6bfecaa 100644 --- a/roles/infra/tasks/traefik.yml +++ b/roles/infra/tasks/traefik.yml @@ -2,6 +2,18 @@ --- # tasks file for traefik +- name: Create systemd user directory + ansible.builtin.file: + path: ~/.config/systemd/user + state: directory + mode: "0755" + +- name: Create podman quadlet directory + ansible.builtin.file: + path: ~/.config/containers/systemd + state: directory + mode: "0755" + - name: Create acme file ansible.builtin.file: path: "~/{{ infra_acme.storage }}" 
@@ -15,40 +27,86 @@ enabled: true scope: user -- name: Create main traefik container - containers.podman.podman_container: - name: traefik - image: docker.io/library/traefik:latest - ports: - - "80:80" - - "443:443" - - "8080:8080" - network: - - podman - security_opt: - - "label=type:container_runtime_t" - volumes: - - "/run/user/1000/podman/podman.sock:/var/run/docker.sock:z" - - "/home/apps/acme.json:/acme.json:z" - command: >- - --api.dashboard=true - --api.insecure=true - --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} - --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} - --certificatesresolvers.lets-encrypt.acme.tlschallenge=true - --entrypoints.http.address=:80 - --entrypoints.http.http.redirections.entryPoint.to=https - --entrypoints.http.http.redirections.entryPoint.scheme=https - --entrypoints.https.address=:443 - --providers.docker=true - generate_systemd: - new: true - restart_policy: "always" - path: "~/.config/systemd/user/" - -- name: Activate traefik container service +- name: Stop legacy generated traefik service ansible.builtin.systemd_service: name: container-traefik.service + state: stopped + enabled: false + scope: user + failed_when: false + +- name: Remove legacy generated traefik service + ansible.builtin.file: + path: ~/.config/systemd/user/container-traefik.service + state: absent + +- name: Install traefik http socket + ansible.builtin.copy: + dest: ~/.config/systemd/user/http.socket + mode: "0644" + content: | + [Socket] + ListenStream=80 + FileDescriptorName=http + Service=traefik.service + + [Install] + WantedBy=sockets.target + +- name: Install traefik https socket + ansible.builtin.copy: + dest: ~/.config/systemd/user/https.socket + mode: "0644" + content: | + [Socket] + ListenStream=443 + FileDescriptorName=https + Service=traefik.service + + [Install] + WantedBy=sockets.target + +- name: Install traefik quadlet + ansible.builtin.copy: + dest: 
~/.config/containers/systemd/traefik.container + mode: "0644" + content: | + [Unit] + After=podman.socket http.socket https.socket + Requires=podman.socket http.socket https.socket + + [Service] + Sockets=http.socket https.socket + Restart=always + + [Container] + ContainerName=traefik + Image=docker.io/library/traefik:latest + Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true + Network=podman + Notify=true + PublishPort=8080:8080 + SecurityLabelDisable=true + Volume=%t/podman/podman.sock:/var/run/docker.sock + Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z + +- name: Reload systemd user units + ansible.builtin.systemd_service: + daemon_reload: true + scope: user + +- name: Activate traefik sockets + ansible.builtin.systemd_service: + name: "{{ item }}" state: started enabled: true scope: user + loop: + - http.socket + - https.socket + +- name: Activate traefik service + ansible.builtin.systemd_service: + name: traefik.service + state: started + scope: user From 228d9ea8a8a75066e4e6a667e561c2649bcbbc0b Mon Sep 17 00:00:00 2001 From: Simonas Kareiva Date: Wed, 6 May 2026 13:36:30 +0300 Subject: [PATCH 2/2] Move unit content to files/templates --- roles/infra/files/http.socket | 7 ++++ roles/infra/files/https.socket | 7 ++++ roles/infra/tasks/traefik.yml | 40 +++------------------- roles/infra/templates/traefik.container.j2 | 18 ++++++++++ 4 files changed, 36 insertions(+), 36 deletions(-) create mode 100644 roles/infra/files/http.socket create mode 100644 roles/infra/files/https.socket create mode 100644 roles/infra/templates/traefik.container.j2 
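Review bot: `SecurityLabelDisable=true` in the "Install traefik quadlet" task removes SELinux confinement from a container that is also handed the podman API socket via `Volume=%t/podman/podman.sock:/var/run/docker.sock`, whereas the removed podman_container definition used the narrower `label=type:container_runtime_t`; quadlet expresses the same thing as `SecurityLabelType=container_runtime_t`, which keeps socket access working without dropping the label altogether. The same line is carried into roles/infra/templates/traefik.container.j2 in PATCH 2/2. Separately, `--api.insecure=true` combined with `PublishPort=8080:8080` keeps the unauthenticated dashboard reachable on every host interface, as the old definition did; `PublishPort=127.0.0.1:8080:8080` limits it to the host, or drop `--api.insecure` and serve the dashboard through an authenticated router. I cannot tell from the hunk whether the `:z` relabel the old socket volume carried is still needed once a label type is set instead, so verify that on an SELinux-enforcing host.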
diff --git a/roles/infra/files/http.socket b/roles/infra/files/http.socket
new file mode 100644
index 0000000..0759995
--- /dev/null
+++ b/roles/infra/files/http.socket
@@ -0,0 +1,7 @@
+[Socket]
+ListenStream=80
+FileDescriptorName=http
+Service=traefik.service
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/infra/files/https.socket b/roles/infra/files/https.socket
new file mode 100644
index 0000000..032c137
--- /dev/null
+++ b/roles/infra/files/https.socket
@@ -0,0 +1,7 @@
+[Socket]
+ListenStream=443
+FileDescriptorName=https
+Service=traefik.service
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/infra/tasks/traefik.yml b/roles/infra/tasks/traefik.yml
index 6bfecaa..1ba091b 100644
--- a/roles/infra/tasks/traefik.yml
+++ b/roles/infra/tasks/traefik.yml
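Review bot: `ListenStream=80` here (and `ListenStream=443` in https.socket) is bound by the user-scope systemd manager, which as an unprivileged user can only take a port below 1024 if the host has lowered `net.ipv4.ip_unprivileged_port_start`; nothing in this series sets or checks that. The previous rootless `ports: "80:80"` publish had the same requirement, so the host is probably already configured, but the dependency is now invisible from the role. A sysctl task, or at least a comment `# requires net.ipv4.ip_unprivileged_port_start <= 80 on the host` above `[Socket]`, would make it explicit.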
@@ -42,53 +42,21 @@ - name: Install traefik http socket ansible.builtin.copy: + src: http.socket dest: ~/.config/systemd/user/http.socket mode: "0644" - content: | - [Socket] - ListenStream=80 - FileDescriptorName=http - Service=traefik.service - - [Install] - WantedBy=sockets.target - name: Install traefik https socket ansible.builtin.copy: + src: https.socket dest: ~/.config/systemd/user/https.socket mode: "0644" - content: | - [Socket] - ListenStream=443 - FileDescriptorName=https - Service=traefik.service - - [Install] - WantedBy=sockets.target - name: Install traefik quadlet - ansible.builtin.copy: + ansible.builtin.template: + src: traefik.container.j2 dest: ~/.config/containers/systemd/traefik.container mode: "0644" - content: | - [Unit] - After=podman.socket http.socket https.socket - Requires=podman.socket http.socket https.socket - - [Service] - Sockets=http.socket https.socket - Restart=always - - [Container] - ContainerName=traefik - Image=docker.io/library/traefik:latest - Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true - Network=podman - Notify=true - PublishPort=8080:8080 - SecurityLabelDisable=true - Volume=%t/podman/podman.sock:/var/run/docker.sock - Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z - name: Reload systemd user units ansible.builtin.systemd_service: diff --git a/roles/infra/templates/traefik.container.j2 b/roles/infra/templates/traefik.container.j2 new file mode 100644 index 0000000..80bcc24 --- /dev/null +++ b/roles/infra/templates/traefik.container.j2 
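Review bot: The copy and template tasks for http.socket, https.socket and traefik.container have no change handling, so an edited unit is written and picked up by the `daemon_reload` task but the already-running traefik.service (and the sockets) are never restarted; the later "Activate" tasks, which sit outside this hunk, only request `state: started`. Register the three results, for example `register: traefik_quadlet` on the template task, and either notify a restart handler or change the final service task to `state: "{{ 'restarted' if traefik_quadlet is changed else 'started' }}"`, with the same treatment for the two socket tasks. The inline `content: |` versions of these tasks in PATCH 1/2 had the same gap.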
@@ -0,0 +1,18 @@
+[Unit]
+After=podman.socket http.socket https.socket
+Requires=podman.socket http.socket https.socket
+
+[Service]
+Sockets=http.socket https.socket
+Restart=always
+
+[Container]
+ContainerName=traefik
+Image=docker.io/library/traefik:latest
+Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true
+Network=podman
+Notify=true
+PublishPort=8080:8080
+SecurityLabelDisable=true
+Volume=%t/podman/podman.sock:/var/run/docker.sock
+Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z