From 12e9c7cc704c6ac782c246080f58d6f2556caaf7 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Mon, 30 Jun 2025 19:07:11 +0200
Subject: kv24 traefik server
---
ansible/host_vars/kjell-ct-102/traefik-server.yml | 0
ansible/host_vars/kjell-ct-102/users.yml | 5 +
ansible/plays/kjell-ct-102.yml | 49 ++++++++
ansible/plays/templates/traefik-proxy.toml.j2 | 126 +++++++++++++++++++++
ansible/roles/traefik-server/handlers/main.yml | 5 +
ansible/roles/traefik-server/tasks/main.yml | 56 +++++++++
.../traefik-server/templates/traefik.service.j2 | 52 +++++++++
7 files changed, 293 insertions(+)
create mode 100644 ansible/host_vars/kjell-ct-102/traefik-server.yml
create mode 100644 ansible/host_vars/kjell-ct-102/users.yml
create mode 100644 ansible/plays/kjell-ct-102.yml
create mode 100644 ansible/plays/templates/traefik-proxy.toml.j2
create mode 100644 ansible/roles/traefik-server/handlers/main.yml
create mode 100644 ansible/roles/traefik-server/tasks/main.yml
create mode 100644 ansible/roles/traefik-server/templates/traefik.service.j2
diff --git a/ansible/host_vars/kjell-ct-102/traefik-server.yml b/ansible/host_vars/kjell-ct-102/traefik-server.yml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/host_vars/kjell-ct-102/users.yml b/ansible/host_vars/kjell-ct-102/users.yml
new file mode 100644
index 0000000..d0d4852
--- /dev/null
+++ b/ansible/host_vars/kjell-ct-102/users.yml
@@ -0,0 +1,5 @@
+lusers:
+ - trygvis
+
+superusers:
+ - trygvis
diff --git a/ansible/plays/kjell-ct-102.yml b/ansible/plays/kjell-ct-102.yml
new file mode 100644
index 0000000..87b9459
--- /dev/null
+++ b/ansible/plays/kjell-ct-102.yml
@@ -0,0 +1,49 @@
+- hosts:
+ - kjell-ct-102
+ vars:
+ traefik_version: 3.4.1
+ traefik_checksum: md5:f299230ea9f247a672b187a79f2e76e6719ccbee
+ traefik_template: traefik-proxy.toml.j2
+ tasks:
+ - become: yes
+ apt:
+ name:
+ - etckeeper
+ - sudo
+ tags: packages,never
+
+ - import_role:
+ name: timezone
+ tags: timezone,never
+
+ - name: Load values from sops.yml
+ community.sops.load_vars:
+ name: env
+ file: ../../sops.yml
+ tags: traefik-server,never
+
+ - import_role:
+ name: traefik-server
+ vars:
+ traefik_environment:
+ LINODE_TOKEN: "{{ env.linode_token }}"
+ tags: traefik-server,never
+
+ - name: /etc/systemd/services/traefik.service
+ become: true
+ template:
+ src: "{{ traefik_template }}"
+ dest: /etc/traefik/traefik.toml
+ owner: root
+ group: root
+ mode: 0644
+ register: template
+
+ - name: systemctl restart traefik
+ become: true
+ systemd:
+ daemon_reload: true
+ unit: traefik
+ enabled: true
+ state: restarted
+ when: template.changed
diff --git a/ansible/plays/templates/traefik-proxy.toml.j2 b/ansible/plays/templates/traefik-proxy.toml.j2
new file mode 100644
index 0000000..d538664
--- /dev/null
+++ b/ansible/plays/templates/traefik-proxy.toml.j2
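Review bot: `traefik_checksum` defined in `vars` is never consumed: the role's get_url task (tasks/main.yml hunk) reads `traefik_download|default('')`, so the binary copied to `/usr/local/bin` is installed with no integrity check, and the value itself is labelled `md5:` while its 40 hex digits are SHA-1 length, so the comparison could never match if it were wired up. Take the digest from the upstream release's checksum file in one algorithm and use one variable name at both ends, e.g. `traefik_checksum: sha256:<digest from the upstream release — placeholder>` here and `checksum: "{{ traefik_checksum }}"` in the role. Nit: the task named `/etc/systemd/services/traefik.service` writes `/etc/traefik/traefik.toml`; `name: /etc/traefik/traefik.toml` would make the play output say what it touches.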
@@ -0,0 +1,126 @@
+[global]
+ checkNewVersion = true
+ sendAnonymousUsage = false
+
+################################################################
+# Entrypoints configuration
+################################################################
+
+[entryPoints]
+# [entryPoints.web]
+# address = ":80"
+
+ [entryPoints.websecure]
+ address = ":443"
+
+ [entryPoints.websecure.http.tls]
+ certResolver = "linode"
+
+[log]
+
+ # Log level
+ #
+ # Optional
+ # Default: "ERROR"
+ #
+ level = "DEBUG"
+
+ # Sets the filepath for the traefik log. If not specified, stdout will be used.
+ # Intermediate directories are created if necessary.
+ #
+ # Optional
+ # Default: os.Stdout
+ #
+ # filePath = "log/traefik.log"
+
+ # Format is either "json" or "common".
+ #
+ # Optional
+ # Default: "common"
+ #
+ # format = "json"
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# [accessLog]
+
+ # Sets the file path for the access log. If not specified, stdout will be used.
+ # Intermediate directories are created if necessary.
+ #
+ # Optional
+ # Default: os.Stdout
+ #
+ # filePath = "/path/to/log/log.txt"
+
+ # Format is either "json" or "common".
+ #
+ # Optional
+ # Default: "common"
+ #
+ # format = "json"
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+[api]
+
+ # Enable the API in insecure mode
+ #
+ # Optional
+ # Default: false
+ #
+ # insecure = true
+
+ # Enabled Dashboard
+ #
+ # Optional
+ # Default: true
+ #
+ # dashboard = false
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+[ping]
+
+ # Name of the related entry point
+ #
+ # Optional
+ # Default: "traefik"
+ #
+ # entryPoint = "traefik"
+
+
+[certificatesResolvers.linode.acme]
+ email = "root@trygvis.io"
+ storage = "acme.json"
+ [certificatesResolvers.linode.acme.dnsChallenge]
+ provider = "linode"
+ delayBeforeCheck = 1
+
+[http]
+[http.routers]
+ [http.routers.junk]
+ rule = "Host(`junk.dn42.trygvis.io`)"
+ service = "netbox"
+
+ [http.routers.junk.tls]
+ certResolver = "linode"
+
+ [http.services]
+ # Define how to reach an existing service on our infrastructure
+ [http.services.netbox.loadBalancer]
+ [[http.services.netbox.loadBalancer.servers]]
+ url = "http://[fdb1:4242:3538:2005:be24:11ff:febb:5c7f]:8080"
diff --git a/ansible/roles/traefik-server/handlers/main.yml b/ansible/roles/traefik-server/handlers/main.yml
new file mode 100644
index 0000000..6e34db4
--- /dev/null
+++ b/ansible/roles/traefik-server/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: systemctl restart traefik
+ systemd:
+ daemon_reload: true
+ unit: traefik
+ state: restarted
diff --git a/ansible/roles/traefik-server/tasks/main.yml b/ansible/roles/traefik-server/tasks/main.yml
new file mode 100644
index 0000000..98d45e5
--- /dev/null
+++ b/ansible/roles/traefik-server/tasks/main.yml
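Review bot: `storage = "acme.json"` under `[certificatesResolvers.linode.acme]` is a relative path, and the unit file in this commit sets no `WorkingDirectory=`, so the ACME account key and the issued private keys are written wherever the service process happens to start rather than into the `/etc/traefik/acme` directory the role creates; with the unit's `ProtectSystem=full` in effect and its `#ReadWriteDirectories=/etc/traefik/acme` line still commented out, that directory would not be writable even if the path pointed there. Use an absolute path, `storage = "/etc/traefik/acme/acme.json"`, and pair it with `ReadWritePaths=/etc/traefik/acme` in the service hunk; Traefik expects that file to be mode 0600. `level = "DEBUG"` is also unusually verbose for a proxy logging to the journal, so `"INFO"` is the sensible steady-state value once the setup is verified.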
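Review bot: This `systemctl restart traefik` handler is never notified: the unit template task and the binary install task in tasks/main.yml carry no `notify:`, so a changed unit file is only picked up when the play-level restart task in plays/kjell-ct-102.yml fires, and that one is gated on the traefik.toml template alone. It also lacks the `become: true` every task in the role has, so once wired up it would run `systemctl restart` unprivileged. Add `become: true` here, `notify: systemctl restart traefik` to the unit and install tasks, and the duplicated restart task in the play can then go.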
@@ -0,0 +1,56 @@
+- name: Download traefik
+ become: true
+ ansible.builtin.get_url:
+ url: https://github.com/traefik/traefik/releases/download/v{{ traefik_version }}/traefik_v{{ traefik_version }}_linux_amd64.tar.gz
+ dest: /tmp/traefik-{{ traefik_version }}.tar.gz
+ checksum: "{{ traefik_download|default('') }}"
+ register: download
+
+- name: Download checksum
+ debug:
+ msg: download.checksum_src={{ download.checksum_src }}
+ when: download.status_code == 200
+
+- name: mkdir /tmp/traefik-x.y.z
+ become: true
+ file:
+ path: /tmp/traefik-{{ traefik_version }}
+ state: directory
+
+- name: Extract traefik
+ become: true
+ unarchive:
+ remote_src: true
+ src: /tmp/traefik-{{ traefik_version }}.tar.gz
+ dest: /tmp/traefik-{{ traefik_version }}
+
+- name: Install traefik
+ become: true
+ copy:
+ remote_src: true
+ src: /tmp/traefik-{{ traefik_version }}/traefik
+ dest: /usr/local/bin/traefik
+ owner: root
+ group: root
+ mode: 0750
+
+- name: /etc/systemd/services/traefik.service
+ become: true
+ template:
+ src: traefik.service.j2
+ dest: /etc/systemd/system/traefik.service
+ owner: root
+ group: root
+ mode: 0644
+
+- name: mkdir /etc/traefik
+ become: true
+ file:
+ path: /etc/traefik
+ state: directory
+
+- name: mkdir /etc/traefik/acme
+ become: true
+ file:
+ path: /etc/traefik/acme
+ state: directory
diff --git a/ansible/roles/traefik-server/templates/traefik.service.j2 b/ansible/roles/traefik-server/templates/traefik.service.j2
new file mode 100644
index 0000000..14bc403
--- /dev/null
+++ b/ansible/roles/traefik-server/templates/traefik.service.j2
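Review bot: The release is staged under the shared, predictable path `/tmp/traefik-{{ traefik_version }}.tar.gz` and then copied to `/usr/local/bin/traefik` as root; because get_url's `force` defaults to no, a file already present at that path is used as-is, and with `checksum` reading `traefik_download` (which nothing in this commit defines) nothing verifies what ends up installed. Stage into a root-owned directory from `ansible.builtin.tempfile` (or under `/usr/local/src`) and pass the release digest through `checksum`, which also lets get_url skip a re-download safely. The `Download checksum` task reads `download.status_code` and `download.checksum_src`, which I would expect to be absent when no transfer happened, so it likely errors on the second run; `when: download is changed` with `download.checksum_src|default('')` is the safer form. Nit: the task named `/etc/systemd/services/traefik.service` installs `/etc/systemd/system/traefik.service`.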
@@ -0,0 +1,52 @@
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+AssertFileIsExecutable=/usr/local/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+Restart=on-abnormal
+
+#User=traefik
+#Group=traefik
+
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+
+; Use a minimal /dev (May bring additional security if switched to 'true')
+PrivateDevices=true
+
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+; ... except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+#ReadWriteDirectories=/etc/traefik/acme
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+{% set env=traefik_environment.items()|default({}) %}
+{% if env %}
+
+{% for k, v in env %}
+Environment="{{ k }}={{ v }}"
+{% endfor %}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
-- 
cgit v1.2.3
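Review bot: `Environment="{{ k }}={{ v }}"` bakes the `LINODE_TOKEN` passed from the play into the unit file, which the tasks hunk installs as root:root `0644`, and a unit's environment is normally also readable by unprivileged users through `systemctl show traefik -p Environment`; the DNS API token that can obtain certificates for the domain is therefore exposed to every local account regardless of that mode. Keep secrets out of the unit: render them into a separate root-owned 0600 file (e.g. `/etc/traefik/traefik.env` — name is a suggestion) and reference it with `EnvironmentFile=/etc/traefik/traefik.env`, or hand the token over with `LoadCredential=` so only the service process sees it. `traefik_environment.items()|default({})` applies `default` after the method call, so an undefined `traefik_environment` errors before the filter runs; `{% set env = (traefik_environment|default({})).items() %}` is the working order. `AmbientCapabilities=` only has an effect for a non-root `User=`, which suggests the commented `#User=traefik`/`#Group=traefik` were meant to be active — the role would then need to create that account and make `/etc/traefik/acme` writable by it.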