mash-playbook/docs/services/traefik.md
2024-10-06 20:52:40 +00:00

99 lines
4.6 KiB
Markdown

# Traefik
[Traefik](https://doc.traefik.io/traefik/) is a container-aware reverse-proxy server.
Many of the services installed by this playbook need to be exposed to the web (HTTP/HTTPS). This is handled by Traefik, which is installed by default if you have used the [example `vars.yml` file](../../examples/vars.yml).
Enabling the Traefik service will automatically wire all other services to use it.
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# traefik #
# #
########################################################################
mash_playbook_reverse_proxy_type: playbook-managed-traefik
# The email address that Traefik will pass to Let's Encrypt when obtaining SSL certificates
traefik_config_certificatesResolvers_acme_email: your-email@example.com
# Or, if you'd like to install Traefik yourself:
#
# mash_playbook_reverse_proxy_type: other-traefik-container
# mash_playbook_reverse_proxyable_services_additional_network: traefik
########################################################################
# #
# /traefik #
# #
########################################################################
```
Enabling the Traefik service, as shown above, automatically installs a [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) service/container (powered by the [com.devture.ansible.role.container_socket_proxy](https://github.com/devture/com.devture.ansible.role.container_socket_proxy) Ansible role) to improve security by not mounting a Docker socket into the Traefik container.
This [Ansible role we use for Traefik](https://github.com/mother-of-all-self-hosting/ansible-role-traefik) supports various configuration options. Feel free to consult [its `default/main.yml` variables file](https://github.com/mother-of-all-self-hosting/ansible-role-traefik/blob/main/defaults/main.yml).
Below, you can find some guidance about common tweaks you may wish to do.
## Using another Traefik instance (not installing Traefik)
Sometimes you may already have a Traefik instance running on the server and you may wish to not have the playbook install Traefik.
To tell the playbook that you're running a Traefik instance and you'd still like all services installed by the playbook to be connected to that Traefik instance, you need the following configuration:
```yml
# Tell the playbook you're using Traefik installed in another way.
# It won't bother installing Traefik.
mash_playbook_reverse_proxy_type: other-traefik-container
# Tell the playbook to attach services which require reverse-proxying to an additional network by default (e.g. traefik)
# This needs to match your Traefik network.
mash_playbook_reverse_proxyable_services_additional_network: traefik
```
## Increase logging verbosity
```yaml
traefik_config_log_level: DEBUG
```
## Disable access logs
This will disable access logging.
```yaml
traefik_config_accessLog_enabled: false
```
## Enable Traefik Dashboard
This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://traefik.mash.example.com/dashboard/` (note the trailing `/`).
```yaml
traefik_dashboard_enabled: true
traefik_dashboard_hostname: traefik.mash.example.com
traefik_dashboard_basicauth_enabled: true
traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
```
**WARNING**: enabling the dashboard on a hostname you use for something else (like `mash.example.com` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems.
## Additional configuration
Use the `traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
```yaml
# This is a contrived example.
# You can enable and secure the Dashboard using dedicated variables. See above.
traefik_configuration_extension_yaml: |
api:
dashboard: true
```