iac_stack/ansible/roles/deploy_container_traefik_with_letsencrypt/README.md

# Role: deploy_container_traefik

## Purpose
This role deploys and configures a Traefik reverse proxy using Docker Compose.  
It supports TLS, host-specific certificates, and renders all configuration files using Jinja2 templates.  
The configuration includes a fallback router/service to ensure safe defaults.

## Variables

### Default Variables (`defaults/main.yml`)
```yaml

container_traefik_create_network: true
container_traefik_subnet: 192.168.222.0/24
container_traefik_gateway: 192.168.222.1

container_traefik_url: "traefik.example.com"
container_traefik_version: "latest"

# Create with: echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
container_traefik_basicuser: "admin"
container_traefik_basicpassword: "changeme"

container_traefik_http_port: 80
container_traefik_https_port: 443

# Dummy router/service to avoid template errors if nothing is defined
container_traefik_routers:
  dummy:
    entryPoints: ["https"]
    rule: "Host(`dummy.local`)"
    service: dummy
    tls: true

container_traefik_services:
  dummy:
    loadBalancer:
      servers:
        - url: "https://127.0.0.1:443"
      passHostHeader: true
```

### Static Variables (`vars/main.yml`)
```yaml
container_traefik_base_dir: /opt/docker/traefik
```

### Role Usage

```yaml
- name: Deploy Traefik container
  hosts: traefik
  roles:
    - role: container_traefik
      vars:
        container_traefik_url: "traefik.example.com"
        container_traefik_basicuser: "admin"
        container_traefik_basicpassword: "$2y$05$<bcrypt_hash>"
```

## Requirements

* Linux system (tested on Debian)
* Docker Engine
* Docker Compose v2 plugin (`docker compose` CLI)
* Ansible 2.11 or higher
* `community.docker` collection

Install the required collection:

```bash
ansible-galaxy collection install community.docker
```

Or via `requirements.yml`:

```yaml
collections:
  - name: community.docker
    version: ">=3.4.0"
```

## Host-Specific Certificates

Location: `host_files/<inventory_hostname>/certs/`

Required files:

* `wildcard.crt`
* `wildcard.key`

## Handlers

* `Stop traefik container`
* `Start traefik container`

## Rendered Templates

| Template File             | Description                        |
| ------------------------- | ---------------------------------- |
| `docker-compose.yml.j2`   | Docker Compose definition          |
| `.env.j2`                 | Environment variable file          |
| `traefik.yml.j2`          | Main Traefik config (static)       |
| `tls.yml.j2`              | TLS certificate reference          |
| `routers_services.yml.j2` | Static routers and services config |

## Authors

* Kevin Heyer
  📧 [kevin.heyer@wira-gmbh.de](mailto:kevin.heyer@wira-gmbh.de)

```
add new container 2025-08-13 17:43:37 +02:00			`# Role: deploy_container_traefik`

			`## Purpose`
			`This role deploys and configures a Traefik reverse proxy using Docker Compose.`
			`It supports TLS, host-specific certificates, and renders all configuration files using Jinja2 templates.`
			`The configuration includes a fallback router/service to ensure safe defaults.`

			`## Variables`

			### Default Variables (`defaults/main.yml`)
			```yaml

			`container_traefik_create_network: true`
			`container_traefik_subnet: 192.168.222.0/24`
			`container_traefik_gateway: 192.168.222.1`

			`container_traefik_url: "traefik.example.com"`
			`container_traefik_version: "latest"`

			`# Create with: echo $(htpasswd -nB user) \| sed -e s/\\$/\\$\\$/g`
			`container_traefik_basicuser: "admin"`
			`container_traefik_basicpassword: "changeme"`

			`container_traefik_http_port: 80`
			`container_traefik_https_port: 443`

			`# Dummy router/service to avoid template errors if nothing is defined`
			`container_traefik_routers:`
			`dummy:`
			`entryPoints: ["https"]`
			rule: "Host(`dummy.local`)"
			`service: dummy`
			`tls: true`

			`container_traefik_services:`
			`dummy:`
			`loadBalancer:`
			`servers:`
			`- url: "https://127.0.0.1:443"`
			`passHostHeader: true`
			```

			### Static Variables (`vars/main.yml`)
			```yaml
			`container_traefik_base_dir: /opt/docker/traefik`
			```

			`### Role Usage`

			```yaml
			`- name: Deploy Traefik container`
			`hosts: traefik`
			`roles:`
			`- role: container_traefik`
			`vars:`
			`container_traefik_url: "traefik.example.com"`
			`container_traefik_basicuser: "admin"`
			`container_traefik_basicpassword: "$2y$05$<bcrypt_hash>"`
			```

			`## Requirements`

			`* Linux system (tested on Debian)`
			`* Docker Engine`
			* Docker Compose v2 plugin (`docker compose` CLI)
			`* Ansible 2.11 or higher`
			* `community.docker` collection

			`Install the required collection:`

			```bash
			`ansible-galaxy collection install community.docker`
			```

			Or via `requirements.yml`:

			```yaml
			`collections:`
			`- name: community.docker`
			`version: ">=3.4.0"`
			```

			`## Host-Specific Certificates`

			Location: `host_files/<inventory_hostname>/certs/`

			`Required files:`

			* `wildcard.crt`
			* `wildcard.key`

			`## Handlers`

			* `Stop traefik container`
			* `Start traefik container`

			`## Rendered Templates`

			`\| Template File \| Description \|`
			`\| ------------------------- \| ---------------------------------- \|`
			\| `docker-compose.yml.j2` \| Docker Compose definition \|
			\| `.env.j2` \| Environment variable file \|
			\| `traefik.yml.j2` \| Main Traefik config (static) \|
			\| `tls.yml.j2` \| TLS certificate reference \|
			\| `routers_services.yml.j2` \| Static routers and services config \|

			`## Authors`

			`* Kevin Heyer`
			`📧 [kevin.heyer@wira-gmbh.de](mailto:kevin.heyer@wira-gmbh.de)`

			```