diff --git a/roles/infra/tasks/traefik.yml b/roles/infra/tasks/traefik.yml
index ce41119..6bfecaa 100644
--- a/roles/infra/tasks/traefik.yml
+++ b/roles/infra/tasks/traefik.yml
@@ -2,6 +2,18 @@
 ---
 # tasks file for traefik
 
+- name: Create systemd user directory
+  ansible.builtin.file:
+    path: ~/.config/systemd/user
+    state: directory
+    mode: "0755"
+
+- name: Create podman quadlet directory
+  ansible.builtin.file:
+    path: ~/.config/containers/systemd
+    state: directory
+    mode: "0755"
+
 - name: Create acme file
   ansible.builtin.file:
     path: "~/{{ infra_acme.storage }}"
@@ -15,40 +27,86 @@
     enabled: true
     scope: user
 
-- name: Create main traefik container
-  containers.podman.podman_container:
-    name: traefik
-    image: docker.io/library/traefik:latest
-    ports:
-      - "80:80"
-      - "443:443"
-      - "8080:8080"
-    network:
-      - podman
-    security_opt:
-      - "label=type:container_runtime_t"
-    volumes:
-      - "/run/user/1000/podman/podman.sock:/var/run/docker.sock:z"
-      - "/home/apps/acme.json:/acme.json:z"
-    command: >-
-      --api.dashboard=true
-      --api.insecure=true
-      --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }}
-      --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }}
-      --certificatesresolvers.lets-encrypt.acme.tlschallenge=true
-      --entrypoints.http.address=:80
-      --entrypoints.http.http.redirections.entryPoint.to=https
-      --entrypoints.http.http.redirections.entryPoint.scheme=https
-      --entrypoints.https.address=:443
-      --providers.docker=true
-    generate_systemd:
-      new: true
-      restart_policy: "always"
-      path: "~/.config/systemd/user/"
-
-- name: Activate traefik container service
+- name: Stop legacy generated traefik service
   ansible.builtin.systemd_service:
     name: container-traefik.service
+    state: stopped
+    enabled: false
+    scope: user
+  failed_when: false
+
+- name: Remove legacy generated traefik service
+  ansible.builtin.file:
+    path: ~/.config/systemd/user/container-traefik.service
+    state: absent
+
+- name: Install traefik http socket
+  ansible.builtin.copy:
+    dest: ~/.config/systemd/user/http.socket
+    mode: "0644"
+    content: |
+      [Socket]
+      ListenStream=80
+      FileDescriptorName=http
+      Service=traefik.service
+
+      [Install]
+      WantedBy=sockets.target
+
+- name: Install traefik https socket
+  ansible.builtin.copy:
+    dest: ~/.config/systemd/user/https.socket
+    mode: "0644"
+    content: |
+      [Socket]
+      ListenStream=443
+      FileDescriptorName=https
+      Service=traefik.service
+
+      [Install]
+      WantedBy=sockets.target
+
+- name: Install traefik quadlet
+  ansible.builtin.copy:
+    dest: ~/.config/containers/systemd/traefik.container
+    mode: "0644"
+    content: |
+      [Unit]
+      After=podman.socket http.socket https.socket
+      Requires=podman.socket http.socket https.socket
+
+      [Service]
+      Sockets=http.socket https.socket
+      Restart=always
+
+      [Container]
+      ContainerName=traefik
+      Image=docker.io/library/traefik:latest
+      Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true
+      Network=podman
+      Notify=true
+      PublishPort=8080:8080
+      SecurityLabelDisable=true
+      Volume=%t/podman/podman.sock:/var/run/docker.sock
+      Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z
+
+- name: Reload systemd user units
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    scope: user
+
+- name: Activate traefik sockets
+  ansible.builtin.systemd_service:
+    name: "{{ item }}"
     state: started
     enabled: true
     scope: user
+  loop:
+    - http.socket
+    - https.socket
+
+- name: Activate traefik service
+  ansible.builtin.systemd_service:
+    name: traefik.service
+    state: started
+    scope: user
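Review bot: `SecurityLabelDisable=true` in the quadlet's `[Container]` section switches SELinux labeling off for the whole container (it is the quadlet form of `--security-opt label=disable`), whereas the removed podman_container task only pinned a type with `label=type:container_runtime_t`; since this container is also handed the rootless podman API socket and the ACME storage file, it now runs with less confinement than before, and the `:Z` on the acme volume has nothing to relabel against. Quadlet carries the same knob, so `SecurityLabelType=container_runtime_t` is the like-for-like replacement for that line. Separately, `--api.insecure=true` together with `PublishPort=8080:8080` is carried over from the old task and serves the unauthenticated dashboard/API on every interface; if it is only for local inspection, `PublishPort=127.0.0.1:8080:8080` (or dropping `--api.insecure=true` and exposing the dashboard through an authenticated router) limits that. The `--entrypoints.http` / `--entrypoints.https` flags with no address presumably rely on Traefik picking up the activated sockets by `FileDescriptorName=`, which only works on a Traefik release that supports it, so pinning `Image=` to a known version instead of `latest` would make the unit reproducible and avoid a silent behaviour change on the next pull.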