4 files + 32 − 24
roles/certificate/tasks/main.yml +22 −18
@@ -8,45 +8,49 @@ path: "/etc/ssl/certs" path: "/etc/ssl/certs" state: directory state: directory mode: "0644" mode: "0644" when: domain is defined when: certificates is defined - name: Create ssl private keys directory - name: Create ssl private keys directory ansible.builtin.file: ansible.builtin.file: path: "/etc/ssl/private" path: "/etc/ssl/private" state: directory state: directory mode: "0600" mode: "0600" when: domain is defined when: certificates is defined - name: Generate private key - name: Generate private key community.crypto.openssl_privatekey: community.crypto.openssl_privatekey: path: "/etc/ssl/private/{{ domain }}.key" path: "/etc/ssl/private/{{ item.domain }}.key" size: 2048 size: 2048 when: domain is defined loop: "{{ certificates }}" when: certificates is defined - name: Generate certificate signing request - name: Generate certificates signing request community.crypto.openssl_csr: community.crypto.openssl_csr: path: "/etc/ssl/certs/{{ domain }}.csr" path: "/etc/ssl/certs/{{ item.domain }}.csr" privatekey_path: "/etc/ssl/private/{{ domain }}.key" privatekey_path: "/etc/ssl/private/{{ item.domain }}.key" common_name: "{{ domain }}" common_name: "{{ item.domain }}" country_name: FR country_name: FR state_or_province_name: ESSONNE state_or_province_name: ESSONNE locality_name: SAINT AUBIN locality_name: SAINT AUBIN organization_name: SYNCHROTRON-SOLEIL organization_name: SYNCHROTRON-SOLEIL organizational_unit_name: ISAC organizational_unit_name: ISAC subject_alt_name: "{{ certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list }}" subject_alt_name: "{{ item.certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list if item.certificate_aliases is defined else omit }}" when: domain is defined loop: "{{ certificates }}" when: certificates is defined - name: Generate self-signed certificate - name: Generate self-signed certificate community.crypto.x509_certificate: community.crypto.x509_certificate: path: "/etc/ssl/certs/{{ 
domain }}.crt" path: "/etc/ssl/certs/{{ item.domain }}.crt" privatekey_path: "/etc/ssl/private/{{ domain }}.key" privatekey_path: "/etc/ssl/private/{{ item.domain }}.key" csr_path: "/etc/ssl/certs/{{ domain }}.csr" csr_path: "/etc/ssl/certs/{{ item.domain }}.csr" provider: selfsigned provider: selfsigned when: domain is defined and selfsigned is defined and selfsigned loop: "{{ certificates }}" when: certificates is defined and item.selfsigned is defined and item.selfsigned - name: Copy certificate - name: Copy certificates ansible.builtin.copy: ansible.builtin.copy: src: "{{ certificate_file }}" src: "{{ item.certificate_file }}" dest: "/etc/ssl/certs/{{ domain }}.crt" dest: "/etc/ssl/certs/{{ item.domain }}.crt" mode: "0644" mode: "0644" when: domain is defined and (selfsigned is not defined or not selfsigned) loop: "{{ certificates }}" when: certificates is defined and (item.selfsigned is not defined or not item.selfsigned) roles/portainer/templates/docker-compose.yml +1 −1 Original line number Original line Diff line number Diff line Loading 
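Review bot: In the new `Generate certificates signing request` task, `subject_alt_name` now falls back to `omit` when `item.certificate_aliases` is absent, so such a CSR (and the self-signed certificate built from it) carries no SAN extension and relies on the CN alone, which current browsers and most TLS clients no longer accept for hostname matching. Unless `certificate_aliases` is required by convention to repeat the domain, build the SAN list from the domain plus the optional aliases: `subject_alt_name: "{{ ([item.domain] + (item.certificate_aliases | default([]))) | map('regex_replace', '^(.*)$', 'DNS:\\1') | list }}"`. Separately, every looped task pairs `loop: "{{ certificates }}"` with `when: certificates is defined`; Ansible's documented behaviour is to evaluate the loop expression before the per-item `when`, so an undefined `certificates` fails the task instead of skipping it — `loop: "{{ certificates | default([]) }}"` is the way to get the skip. The `mode: "0644"` / `"0600"` on the two directory tasks are unchanged context lines, but they drop the execute bit on directories, so it is worth confirming nothing non-root needs to traverse `/etc/ssl/certs` or `/etc/ssl/private`.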
@@ -17,7 +17,7 @@ services: - traefik.docker.network=proxy - traefik.docker.network=proxy - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.tls=true - traefik.http.routers.portainer.tls=true - traefik.http.routers.portainer.rule=Host(`{{ domain }}`) && PathPrefix(`/portainer`) - traefik.http.routers.portainer.rule=Host(`{{ portainer_domain }}`) && PathPrefix(`/portainer`) # See https://community.containo.us/t/middleware-to-add-the-if-needed/1895/13 # See https://community.containo.us/t/middleware-to-add-the-if-needed/1895/13 - traefik.http.middlewares.strip-prefix.chain.middlewares=strip-prefix-1,strip-prefix-2 - traefik.http.middlewares.strip-prefix.chain.middlewares=strip-prefix-1,strip-prefix-2 - traefik.http.middlewares.strip-prefix-1.redirectregex.regex=^(https?://[^/]+/[a-z0-9_]+)$$ - traefik.http.middlewares.strip-prefix-1.redirectregex.regex=^(https?://[^/]+/[a-z0-9_]+)$$ Loading roles/traefik/templates/conf.yml +4 −2 Original line number Original line Diff line number Diff line Loading @@ -18,8 +18,10 @@ default-security-headers: stsSeconds: 63072000 stsSeconds: 63072000 tls: tls: certificates: certificates: - certFile: /ssl/{{ domain }}.crt {% for cert in certificates %} keyFile: /ssl/{{ domain }}.key - certFile: /ssl/{{ cert.domain }}.crt keyFile: /ssl/{{ cert.domain }}.key {% endfor %} options: options: default: default: minVersion: VersionTLS12 minVersion: VersionTLS12 Loading roles/traefik/templates/docker-compose.yml +5 −3 Original line number Original line Diff line number Diff line Loading 
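Review bot: The new `{% for cert in certificates %}` loop in the `tls.certificates` list aborts the template when `certificates` is undefined, even though the certificate role treats the variable as optional via `when: certificates is defined`; and when it is an empty list the rendered `certificates:` key is left bare, so Traefik would presumably fall back to its generated default certificate for every `websecure` router, turning a misconfiguration into untrusted-certificate warnings rather than a failed play. Guard the template the same way, `{% for cert in certificates | default([]) %}`, and consider an `ansible.builtin.assert` in the traefik role that `certificates | length > 0` before the template task. One more thing to check in the template source (indentation is lost on this page): Ansible renders with `trim_blocks` enabled but not `lstrip_blocks`, so if the `{% for %}` tag is indented, its leading spaces survive while the newline after it is removed and the first `- certFile:` line gains extra indentation — keep the tags at column 0 or set `lstrip_blocks: true` on the template task. The surrounding `tls:` / `options:` block continues outside the hunk.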
@@ -24,8 +24,10 @@ services: volumes: volumes: - "/etc/localtime:/etc/localtime:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ traefik_path }}/config/conf.yml:/config/conf.yml:ro" - "{{ traefik_path }}/config/conf.yml:/config/conf.yml:ro" - "/etc/ssl/private/{{ domain }}.key:/ssl/{{ domain }}.key:ro" {% for cert in certificates %} - "/etc/ssl/certs/{{ domain }}.crt:/ssl/{{ domain }}.crt:ro" - "/etc/ssl/private/{{ cert.domain }}.key:/ssl/{{ cert.domain }}.key:ro" - "/etc/ssl/certs/{{ cert.domain }}.crt:/ssl/{{ cert.domain }}.crt:ro" {% endfor %} - "/var/run/docker.sock:/var/run/docker.sock:ro" - "/var/run/docker.sock:/var/run/docker.sock:ro" - "{{ traefik_path }}/log:/var/log/traefik" - "{{ traefik_path }}/log:/var/log/traefik" labels: labels: Loading @@ -33,7 +35,7 @@ services: - traefik.docker.network=proxy - traefik.docker.network=proxy - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.tls=true - traefik.http.routers.traefik.tls=true - traefik.http.routers.traefik.rule=Host(`{{ domain }}`) && PathPrefix(`/traefik`) - traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`) && PathPrefix(`/traefik`) - traefik.http.routers.traefik.service=api@internal - traefik.http.routers.traefik.service=api@internal - traefik.http.services.traefik.loadbalancer.server.port=8080 - traefik.http.services.traefik.loadbalancer.server.port=8080 Loading
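Review bot: The looped bind mounts `/etc/ssl/private/{{ cert.domain }}.key:/ssl/{{ cert.domain }}.key:ro` and the matching `.crt` mounts assume both host files exist for every entry; Docker creates a missing host path as an empty root-owned directory, so a `certificates` entry whose key or certificate was never generated or copied (a domain typo, or a run where the certificate role was skipped) leaves an empty `/etc/ssl/private/<domain>.key` directory behind and Traefik fails to load that pair at runtime instead of the deploy failing early. An `ansible.builtin.stat` plus `ansible.builtin.assert` over each `cert.domain` pair before the compose service is started would turn this into a clear play failure. As in the conf template, `{% for cert in certificates %}` should read `certificates | default([])` if the variable is meant to be optional. The `traefik` router labels in the second hunk still route `api@internal` on `traefik_domain` with only `tls=true` visible here; if no auth middleware label exists outside the hunk, the dashboard is reachable by anyone who can reach that hostname, which is worth confirming.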
roles/certificate/tasks/main.yml +22 −18
@@ -8,45 +8,49 @@ path: "/etc/ssl/certs" path: "/etc/ssl/certs" state: directory state: directory mode: "0644" mode: "0644" when: domain is defined when: certificates is defined - name: Create ssl private keys directory - name: Create ssl private keys directory ansible.builtin.file: ansible.builtin.file: path: "/etc/ssl/private" path: "/etc/ssl/private" state: directory state: directory mode: "0600" mode: "0600" when: domain is defined when: certificates is defined - name: Generate private key - name: Generate private key community.crypto.openssl_privatekey: community.crypto.openssl_privatekey: path: "/etc/ssl/private/{{ domain }}.key" path: "/etc/ssl/private/{{ item.domain }}.key" size: 2048 size: 2048 when: domain is defined loop: "{{ certificates }}" when: certificates is defined - name: Generate certificate signing request - name: Generate certificates signing request community.crypto.openssl_csr: community.crypto.openssl_csr: path: "/etc/ssl/certs/{{ domain }}.csr" path: "/etc/ssl/certs/{{ item.domain }}.csr" privatekey_path: "/etc/ssl/private/{{ domain }}.key" privatekey_path: "/etc/ssl/private/{{ item.domain }}.key" common_name: "{{ domain }}" common_name: "{{ item.domain }}" country_name: FR country_name: FR state_or_province_name: ESSONNE state_or_province_name: ESSONNE locality_name: SAINT AUBIN locality_name: SAINT AUBIN organization_name: SYNCHROTRON-SOLEIL organization_name: SYNCHROTRON-SOLEIL organizational_unit_name: ISAC organizational_unit_name: ISAC subject_alt_name: "{{ certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list }}" subject_alt_name: "{{ item.certificate_aliases | map('regex_replace', '^(.*)$', 'DNS:\\1') | list if item.certificate_aliases is defined else omit }}" when: domain is defined loop: "{{ certificates }}" when: certificates is defined - name: Generate self-signed certificate - name: Generate self-signed certificate community.crypto.x509_certificate: community.crypto.x509_certificate: path: "/etc/ssl/certs/{{ 
domain }}.crt" path: "/etc/ssl/certs/{{ item.domain }}.crt" privatekey_path: "/etc/ssl/private/{{ domain }}.key" privatekey_path: "/etc/ssl/private/{{ item.domain }}.key" csr_path: "/etc/ssl/certs/{{ domain }}.csr" csr_path: "/etc/ssl/certs/{{ item.domain }}.csr" provider: selfsigned provider: selfsigned when: domain is defined and selfsigned is defined and selfsigned loop: "{{ certificates }}" when: certificates is defined and item.selfsigned is defined and item.selfsigned - name: Copy certificate - name: Copy certificates ansible.builtin.copy: ansible.builtin.copy: src: "{{ certificate_file }}" src: "{{ item.certificate_file }}" dest: "/etc/ssl/certs/{{ domain }}.crt" dest: "/etc/ssl/certs/{{ item.domain }}.crt" mode: "0644" mode: "0644" when: domain is defined and (selfsigned is not defined or not selfsigned) loop: "{{ certificates }}" when: certificates is defined and (item.selfsigned is not defined or not item.selfsigned)
roles/portainer/templates/docker-compose.yml +1 −1 Original line number Original line Diff line number Diff line Loading @@ -17,7 +17,7 @@ services: - traefik.docker.network=proxy - traefik.docker.network=proxy - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.tls=true - traefik.http.routers.portainer.tls=true - traefik.http.routers.portainer.rule=Host(`{{ domain }}`) && PathPrefix(`/portainer`) - traefik.http.routers.portainer.rule=Host(`{{ portainer_domain }}`) && PathPrefix(`/portainer`) # See https://community.containo.us/t/middleware-to-add-the-if-needed/1895/13 # See https://community.containo.us/t/middleware-to-add-the-if-needed/1895/13 - traefik.http.middlewares.strip-prefix.chain.middlewares=strip-prefix-1,strip-prefix-2 - traefik.http.middlewares.strip-prefix.chain.middlewares=strip-prefix-1,strip-prefix-2 - traefik.http.middlewares.strip-prefix-1.redirectregex.regex=^(https?://[^/]+/[a-z0-9_]+)$$ - traefik.http.middlewares.strip-prefix-1.redirectregex.regex=^(https?://[^/]+/[a-z0-9_]+)$$ Loading
roles/traefik/templates/conf.yml +4 −2 Original line number Original line Diff line number Diff line Loading @@ -18,8 +18,10 @@ default-security-headers: stsSeconds: 63072000 stsSeconds: 63072000 tls: tls: certificates: certificates: - certFile: /ssl/{{ domain }}.crt {% for cert in certificates %} keyFile: /ssl/{{ domain }}.key - certFile: /ssl/{{ cert.domain }}.crt keyFile: /ssl/{{ cert.domain }}.key {% endfor %} options: options: default: default: minVersion: VersionTLS12 minVersion: VersionTLS12 Loading
roles/traefik/templates/docker-compose.yml +5 −3 Original line number Original line Diff line number Diff line Loading @@ -24,8 +24,10 @@ services: volumes: volumes: - "/etc/localtime:/etc/localtime:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ traefik_path }}/config/conf.yml:/config/conf.yml:ro" - "{{ traefik_path }}/config/conf.yml:/config/conf.yml:ro" - "/etc/ssl/private/{{ domain }}.key:/ssl/{{ domain }}.key:ro" {% for cert in certificates %} - "/etc/ssl/certs/{{ domain }}.crt:/ssl/{{ domain }}.crt:ro" - "/etc/ssl/private/{{ cert.domain }}.key:/ssl/{{ cert.domain }}.key:ro" - "/etc/ssl/certs/{{ cert.domain }}.crt:/ssl/{{ cert.domain }}.crt:ro" {% endfor %} - "/var/run/docker.sock:/var/run/docker.sock:ro" - "/var/run/docker.sock:/var/run/docker.sock:ro" - "{{ traefik_path }}/log:/var/log/traefik" - "{{ traefik_path }}/log:/var/log/traefik" labels: labels: Loading @@ -33,7 +35,7 @@ services: - traefik.docker.network=proxy - traefik.docker.network=proxy - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.tls=true - traefik.http.routers.traefik.tls=true - traefik.http.routers.traefik.rule=Host(`{{ domain }}`) && PathPrefix(`/traefik`) - traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`) && PathPrefix(`/traefik`) - traefik.http.routers.traefik.service=api@internal - traefik.http.routers.traefik.service=api@internal - traefik.http.services.traefik.loadbalancer.server.port=8080 - traefik.http.services.traefik.loadbalancer.server.port=8080 Loading