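---
# Fix Traefik ACME JSON Permissions
# Checks and corrects the permissions of the acme.json file.
#
# acme.json is Traefik's ACME store (account key plus issued certificates and
# their private keys). Traefik expects it to be mode 0600; anything wider than
# that exposes the private keys to every other local user on the host.
# The play runs without privilege escalation (become: false), so chown can only
# succeed when the target owner is the connecting user itself.
- name: Fix Traefik ACME JSON Permissions
  hosts: production
  gather_facts: true
  become: false

  vars:
    # Resolved once here so every task agrees on the same path and owner.
    # traefik_stack_path and ansible_user can still be set by the inventory
    # or with -e; these names only alias them.
    traefik_dir: "{{ traefik_stack_path | default('/home/deploy/deployment/stacks/traefik') }}"
    acme_json_path: "{{ traefik_dir }}/acme.json"
    acme_owner: "{{ ansible_user | default('deploy') }}"

  tasks:
    - name: Check if Traefik stack directory exists
      ansible.builtin.stat:
        path: "{{ traefik_dir }}"
      register: traefik_stack_exists

    - name: Fail if Traefik stack directory does not exist
      ansible.builtin.fail:
        msg: "Traefik stack directory not found at {{ traefik_dir }}"
      when: not traefik_stack_exists.stat.exists

    - name: Check if acme.json exists
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_exists

    # state=touch creates the missing file; state=file would fail on a
    # non-existent path. Creating it with mode 0600 from the start means the
    # file is never world-readable, not even briefly.
    - name: Create acme.json if it doesn't exist
      ansible.builtin.file:
        path: "{{ acme_json_path }}"
        state: touch
        mode: '0600'
        owner: "{{ acme_owner }}"
        group: "{{ acme_owner }}"
      when: not acme_json_exists.stat.exists

    - name: Get current acme.json permissions
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_stat

    # The regex strips the leading "0"/"0o" so the mode prints as e.g. "600".
    - name: Display current acme.json permissions
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Aktuelle acme.json Berechtigungen:
          ================================================================================
          Path: {{ acme_json_stat.stat.path }}
          Owner: {{ acme_json_stat.stat.pw_name }} (UID: {{ acme_json_stat.stat.uid }})
          Group: {{ acme_json_stat.stat.gr_name }} (GID: {{ acme_json_stat.stat.gid }})
          Mode: {{ acme_json_stat.stat.mode | string | regex_replace('^0o?', '') }}
          Size: {{ acme_json_stat.stat.size }} bytes
          ================================================================================

    # Idempotent: the file module only reports "changed" when mode or
    # ownership actually differed.
    - name: Fix acme.json permissions (chmod 600)
      ansible.builtin.file:
        path: "{{ acme_json_path }}"
        mode: '0600'
        owner: "{{ acme_owner }}"
        group: "{{ acme_owner }}"
      register: acme_json_permissions_fixed

    - name: Verify acme.json permissions after fix
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_stat_after

    - name: Display fixed acme.json permissions
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Korrigierte acme.json Berechtigungen:
          ================================================================================
          Path: {{ acme_json_stat_after.stat.path }}
          Owner: {{ acme_json_stat_after.stat.pw_name }} (UID: {{ acme_json_stat_after.stat.uid }})
          Group: {{ acme_json_stat_after.stat.gr_name }} (GID: {{ acme_json_stat_after.stat.gid }})
          Mode: {{ acme_json_stat_after.stat.mode | string | regex_replace('^0o?', '') }}
          Size: {{ acme_json_stat_after.stat.size }} bytes
          ================================================================================
          ✅ acme.json hat jetzt chmod 600 (nur Owner kann lesen/schreiben)
          ================================================================================

    # Pure diagnostic: never changes anything and never fails the play.
    # "test -w" answers for the user the container process runs as, so a
    # WRITABLE result here does not say anything about host-side ownership.
    # The stack path is shell-quoted in case it contains spaces or specials.
    - name: Check Traefik container can write to acme.json
      ansible.builtin.shell: |
        cd {{ traefik_dir | quote }}
        docker compose exec -T traefik sh -c "test -w /acme.json && echo 'WRITABLE' || echo 'NOT_WRITABLE'" 2>&1 || echo "CONTAINER_CHECK_FAILED"
      register: acme_json_writable_check
      changed_when: false
      failed_when: false

    # NOT_WRITABLE is tested first: 'WRITABLE' is a substring of
    # 'NOT_WRITABLE', so testing WRITABLE first would misreport a read-only
    # mount as writable.
    - name: Display acme.json writable check
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Traefik Container Schreibzugriff auf acme.json:
          ================================================================================
          {% if 'NOT_WRITABLE' in acme_json_writable_check.stdout %}
          ⚠️ Traefik Container kann NICHT auf acme.json schreiben
          {% elif 'WRITABLE' in acme_json_writable_check.stdout %}
          ✅ Traefik Container kann auf acme.json schreiben
          {% else %}
          ⚠️ Konnte Container-Zugriff nicht prüfen: {{ acme_json_writable_check.stdout }}
          {% endif %}
          ================================================================================

    # Diagnostic only. Assumes the container is literally named "traefik"
    # and that jq is installed on the host; either missing falls through to
    # the echo. The '{{ '{{' }}' dance emits literal Go-template braces
    # without Jinja interpreting them.
    - name: Check Docker volume mount for acme.json
      ansible.builtin.shell: |
        docker inspect traefik --format '{{ '{{' }}json .Mounts{{ '}}' }}' 2>/dev/null | jq '.[] | select(.Destination=="/acme.json")' || echo "Could not check volume mount"
      register: acme_json_mount
      changed_when: false
      failed_when: false

    - name: Display acme.json volume mount
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Docker Volume Mount für acme.json:
          ================================================================================
          {{ acme_json_mount.stdout }}
          ================================================================================

    - name: Summary
      ansible.builtin.debug:
        msg: |
          ================================================================================
          ZUSAMMENFASSUNG - acme.json Berechtigungen:
          ================================================================================
          ✅ acme.json Berechtigungen auf chmod 600 gesetzt
          ✅ Owner/Group auf {{ acme_owner }} gesetzt

          Wichtig:
          - acme.json muss beschreibbar sein für Traefik Container
          - Port 80/443 müssen vom Host auf Traefik zeigen
          - Traefik muss stabil laufen (keine häufigen Restarts)

          Nächste Schritte:
          - Stelle sicher, dass Traefik stabil läuft
          - Warte 5-10 Minuten auf ACME-Challenge-Abschluss
          - Prüfe Traefik-Logs auf ACME-Fehler
          ================================================================================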