Michael Schiemer
edcf509a4f
- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni) - Update deployment configurations (Wireguard, Traefik, Monitoring) - Add DNS stack and Ansible role - Add deployment debugging playbooks - Update framework components (FilePath, RedisConnectionPool) - Update .gitignore and documentation
143 lines
4.3 KiB
YAML
143 lines
4.3 KiB
YAML
---
|
|
- name: Fix Traefik Configuration
|
|
hosts: production
|
|
gather_facts: no
|
|
become: no
|
|
|
|
tasks:
|
|
- name: Backup current traefik.yml
|
|
shell: |
|
|
cd ~/deployment/stacks/traefik
|
|
cp traefik.yml traefik.yml.backup.$(date +%Y%m%d_%H%M%S)
|
|
args:
|
|
executable: /bin/bash
|
|
|
|
- name: Create correct traefik.yml
|
|
copy:
|
|
content: |
|
|
# Static Configuration for Traefik
|
|
|
|
# Global Configuration
|
|
global:
|
|
checkNewVersion: true
|
|
sendAnonymousUsage: false
|
|
|
|
# API and Dashboard
|
|
# Note: insecure: false means API is only accessible via HTTPS (through Traefik itself)
|
|
# No port 8080 needed - dashboard accessible via HTTPS at traefik.michaelschiemer.de
|
|
api:
|
|
dashboard: true
|
|
insecure: false
|
|
# Dashboard accessible via HTTPS router (no separate HTTP listener needed)
|
|
|
|
# Entry Points
|
|
entryPoints:
|
|
web:
|
|
address: ":80"
|
|
# No global redirect - ACME challenges need HTTP access
|
|
# Redirects are handled per-router via middleware
|
|
|
|
websecure:
|
|
address: ":443"
|
|
http:
|
|
tls:
|
|
certResolver: letsencrypt
|
|
domains:
|
|
- main: michaelschiemer.de
|
|
sans:
|
|
- "*.michaelschiemer.de"
|
|
|
|
# Certificate Resolvers
|
|
certificatesResolvers:
|
|
letsencrypt:
|
|
acme:
|
|
email: kontakt@michaelschiemer.de
|
|
storage: /acme.json
|
|
caServer: https://acme-v02.api.letsencrypt.org/directory
|
|
# Use HTTP-01 challenge (requires port 80 accessible)
|
|
httpChallenge:
|
|
entryPoint: web
|
|
# Uncomment for DNS challenge (requires DNS provider)
|
|
# dnsChallenge:
|
|
# provider: cloudflare
|
|
# delayBeforeCheck: 30
|
|
|
|
# Providers
|
|
providers:
|
|
docker:
|
|
endpoint: "unix:///var/run/docker.sock"
|
|
exposedByDefault: false
|
|
# Network mode is 'host', so we don't specify a network here
|
|
# Traefik can reach containers directly via their IPs in host network mode
|
|
watch: true
|
|
|
|
file:
|
|
directory: /dynamic
|
|
watch: true
|
|
|
|
# Forwarded Headers Configuration
|
|
# This ensures Traefik correctly identifies the real client IP
|
|
# Important for VPN access where requests come from WireGuard interface
|
|
forwardedHeaders:
|
|
trustedIPs:
|
|
- "10.8.0.0/24" # WireGuard VPN network
|
|
- "127.0.0.1/32" # Localhost
|
|
- "172.17.0.0/16" # Docker bridge network
|
|
- "172.18.0.0/16" # Docker user-defined networks
|
|
insecure: false
|
|
|
|
# Logging
|
|
log:
|
|
level: INFO
|
|
filePath: /logs/traefik.log
|
|
format: json
|
|
|
|
# Access Logs
|
|
accessLog:
|
|
filePath: /logs/access.log
|
|
format: json
|
|
bufferingSize: 100
|
|
filters:
|
|
statusCodes:
|
|
- "400-499"
|
|
- "500-599"
|
|
|
|
# Metrics
|
|
metrics:
|
|
prometheus:
|
|
addEntryPointsLabels: true
|
|
addRoutersLabels: true
|
|
addServicesLabels: true
|
|
|
|
# Ping
|
|
ping:
|
|
entryPoint: web
|
|
dest: ~/deployment/stacks/traefik/traefik.yml
|
|
mode: '0644'
|
|
|
|
- name: Validate YAML syntax
|
|
command: python3 -c "import yaml; yaml.safe_load(open('traefik.yml')); print('YAML valid')"
|
|
args:
|
|
chdir: ~/deployment/stacks/traefik
|
|
changed_when: false
|
|
|
|
- name: Restart Traefik
|
|
command: docker compose up -d traefik
|
|
args:
|
|
chdir: ~/deployment/stacks/traefik
|
|
register: traefik_restart
|
|
|
|
- name: Wait for Traefik to start
|
|
pause:
|
|
seconds: 5
|
|
|
|
- name: Check Traefik status
|
|
command: docker compose ps traefik
|
|
args:
|
|
chdir: ~/deployment/stacks/traefik
|
|
register: traefik_status
|
|
|
|
- name: Display Traefik status
|
|
debug:
|
|
msg: "{{ traefik_status.stdout_lines }}"
|