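---
# Rewrites the Traefik static configuration on the production host, validates the
# YAML, recreates the container so the new file is actually loaded, and waits for
# the /ping endpoint before reporting status.
- name: Fix Traefik Configuration
  hosts: production
  gather_facts: false
  become: false
  vars:
    # Single source of truth for the stack directory (expanded on the remote host).
    traefik_dir: ~/deployment/stacks/traefik
  tasks:
    - name: Backup current traefik.yml
      # Timestamped copy so the previous configuration can be restored by hand.
      ansible.builtin.shell: |
        cp traefik.yml "traefik.yml.backup.$(date +%Y%m%d_%H%M%S)"
      args:
        chdir: "{{ traefik_dir }}"
        executable: /bin/bash

    - name: Create correct traefik.yml
      ansible.builtin.copy:
        dest: "{{ traefik_dir }}/traefik.yml"
        mode: "0644"
        content: |
          # Static Configuration for Traefik (read once at container start)

          # Global Configuration
          global:
            checkNewVersion: true
            sendAnonymousUsage: false

          # API and Dashboard
          # insecure: false keeps the API off the plain-HTTP :8080 listener; it is only
          # reachable through a router on websecure. That router must carry an auth
          # middleware in the dynamic configuration (/dynamic, not part of this file),
          # otherwise anyone who can resolve the dashboard hostname can read it.
          api:
            dashboard: true
            insecure: false

          # Entry Points
          entryPoints:
            web:
              address: ":80"
              # No global redirect - ACME HTTP-01 challenges need plain HTTP access.
              # Redirects are handled per-router via middleware.
              # forwardedHeaders is a per-entry-point option (a top-level
              # forwardedHeaders key is not a Traefik setting and fails to load).
              # X-Forwarded-* headers are honoured only from these sources and stripped
              # from everyone else, so external clients cannot spoof their IP.
              forwardedHeaders:
                insecure: false
                trustedIPs:
                  - "10.8.0.0/24"    # WireGuard VPN network
                  - "127.0.0.1/32"   # Localhost
                  - "172.17.0.0/16"  # Docker bridge network
                  - "172.18.0.0/16"  # Docker user-defined networks
              # NOTE(review): the two 172.x/16 ranges trust every container on those
              # bridges; narrow them if no reverse proxy actually runs there.
            websecure:
              address: ":443"
              forwardedHeaders:
                insecure: false
                trustedIPs:
                  - "10.8.0.0/24"
                  - "127.0.0.1/32"
                  - "172.17.0.0/16"
                  - "172.18.0.0/16"
              http:
                tls:
                  certResolver: letsencrypt
                  domains:
                    - main: michaelschiemer.de
            # Dedicated listener for Prometheus so /metrics is not served on the
            # internet-facing ports. Loopback bind is a constructed address - change it
            # to the WireGuard interface address if the scraper lives on the VPN.
            metrics:
              address: "127.0.0.1:8082"

          # Certificate Resolvers
          certificatesResolvers:
            letsencrypt:
              acme:
                email: kontakt@michaelschiemer.de
                storage: /acme.json
                caServer: https://acme-v02.api.letsencrypt.org/directory
                # HTTP-01 challenge (requires port 80 reachable from the internet).
                # HTTP-01 cannot issue wildcard certificates, so the former
                # "*.michaelschiemer.de" SAN could never be obtained and Traefik fell
                # back to its self-signed default certificate. Per-host certificates are
                # requested automatically for each router on websecure; enable the
                # DNS challenge below if a wildcard is really required.
                httpChallenge:
                  entryPoint: web
                # dnsChallenge:
                #   provider: cloudflare
                #   delayBeforeCheck: 30

          # Providers
          providers:
            docker:
              # The socket grants control over the Docker daemon; keep this file and
              # the dynamic configuration readable only by the deploy user.
              endpoint: "unix:///var/run/docker.sock"
              # Only containers that opt in with the traefik.enable=true label are exposed.
              exposedByDefault: false
              # Network mode is 'host', so no network is specified here;
              # Traefik reaches containers directly via their IPs.
              watch: true
            file:
              directory: /dynamic
              watch: true

          # Logging
          log:
            level: INFO
            filePath: /logs/traefik.log
            format: json

          # Access Logs (only 4xx/5xx are kept; drop the filter to log every request)
          accessLog:
            filePath: /logs/access.log
            format: json
            bufferingSize: 100
            filters:
              statusCodes:
                - "400-499"
                - "500-599"

          # Metrics - served on the dedicated loopback entry point defined above.
          # Without an explicit entryPoint Traefik falls back to the auto-created
          # "traefik" entry point on :8080, which in host network mode is open on
          # every host interface.
          metrics:
            prometheus:
              entryPoint: metrics
              addEntryPointsLabels: true
              addRoutersLabels: true
              addServicesLabels: true

          # Ping - /ping on the web entry point; used below as a readiness probe.
          ping:
            entryPoint: web

    - name: Validate YAML syntax
      # Catches indentation/quoting mistakes only; Traefik's own schema (unknown or
      # misplaced keys) is checked by the restart below.
      ansible.builtin.command: python3 -c "import yaml; yaml.safe_load(open('traefik.yml')); print('YAML valid')"
      args:
        chdir: "{{ traefik_dir }}"
      changed_when: false

    - name: Restart Traefik
      # Static configuration is read only at startup. Plain `up -d` leaves a running
      # container untouched when its compose definition is unchanged (a bind-mounted
      # traefik.yml does not count), so force recreation to load the new file.
      ansible.builtin.command: docker compose up -d --force-recreate traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_restart

    - name: Wait for Traefik to answer on /ping
      # Polls the readiness endpoint instead of a fixed sleep; the container uses
      # host networking, so port 80 is reachable on the host's loopback.
      ansible.builtin.uri:
        url: http://127.0.0.1/ping
        status_code: 200
      register: traefik_ping
      until: traefik_ping.status == 200
      retries: 12
      delay: 5

    - name: Check Traefik status
      ansible.builtin.command: docker compose ps traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_status
      changed_when: false

    - name: Display Traefik status
      ansible.builtin.debug:
        msg: "{{ traefik_status.stdout_lines }}"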