benschubert.infrastructure.ingress role – Setup a reverse proxy using podman to expose services using Traefik

Note

This role is part of the benschubert.infrastructure collection (version 0.0.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install benschubert.infrastructure.

To use it in a playbook, specify: benschubert.infrastructure.ingress.

Entry point finalize – Exposes the Traefik dashboard on the instance deployed via the main entry point and enables metrics monitoring

Synopsis

  • The service as created is protected by Authentik and requires authentication.

  • It therefore must run only once the Authentik service has been brought up.

Parameters

auth_authentik_hostname (string / required)
  The hostname at which the Authentik service is reachable.

auth_authentik_token (string / required)
  The token to use to connect to Authentik.

ingress_custom_ca_cert (string)
  The path on disk to a custom CA certificate with which to validate TLS certificates when Ansible makes requests, for the case where the issuer is not among the root certificate authorities.

ingress_https_port (integer)
  The port under which Traefik is exposed to the outside world. This is used to be able to show the icon of Traefik on
  Default: 443

ingress_monitor_agent_alloy_image (string)
  The container image path and tag to use for Alloy.
  Default: "See I(monitoring_agent_alloy_image) from the Monitoring role"

ingress_monitor_agent_config_path (string / required)
  The path on disk where the monitoring agent’s configuration is stored.

ingress_monitor_agent_data_path (string / required)
  The path on disk where the monitoring agent’s data is stored.

ingress_monitor_agent_user_group (string)
  A group name to which to add the user that is created for monitoring Traefik.
  This is useful if you restrict applications per user, so that the monitoring user can still publish its metrics correctly.

ingress_traefik_allowlisted_groups (list / elements=string)
  A list of groups to restrict the Traefik dashboard to.
  Users not in any of the specified groups won’t be able to see or log in to the dashboard.
  null or [] does not restrict access.

ingress_traefik_certificates_resolvers (dictionary)
  The configuration for the certificate resolvers.
  It expects at least a ‘default’ entry, which is used for all services that don’t specify an explicit resolver in their configuration.
  ‘storage’ MUST be set to /etc/traefik/acme.json.
  See Traefik’s documentation for more information.
  Default: {}

ingress_traefik_dashboard_hostname (string / required)
  The hostname under which to expose the Traefik dashboard.

ingress_traefik_image (string)
  The container image path and tag to use for Traefik.
  Default: "docker.io/traefik:latest"

ingress_validate_certs (boolean)
  Whether the TLS certificate should be verified when Ansible makes API calls.
  Choices:
    • false
    • true ← (default)

monitoring_grafana_config_path (string / required)
  The path to where the Grafana configuration is kept.
  This is used to install a basic dashboard for viewing metrics.

template_warning (string / required)
  A warning that this role adds to the top of each file it creates, so users know it is managed by an automated process.

Entry point main – Setup a reverse proxy using podman to expose services using Traefik

Synopsis

  • This sets up a Traefik webserver to act as a reverse proxy and gateway to expose the rest of the services in this collection.

Parameters

ingress_http_port (integer)
  The port that Traefik should use to expose its HTTP interface on the host.

ingress_https_port (integer)
  The port that Traefik should use to expose its HTTPS interface on the host.

ingress_networks (list / elements=string / required)
  The list of podman networks that the Traefik pod should attach to.
  This lets Traefik act as a reverse proxy for other services hosted in podman without exposing them anywhere else.

ingress_traefik_certificates_resolvers (dictionary)
  The configuration for the certificate resolvers.
  It expects at least a ‘default’ entry, which is used for all services that don’t specify an explicit resolver in their configuration.
  See Traefik’s documentation for more information.
  Default: {}

ingress_traefik_configuration_files_path (string / required)
  The directory in which the configuration files for Traefik are stored.

ingress_traefik_environment_variables (dictionary)
  A mapping of environment variables to set for Traefik, as key: value pairs.
  This can be used, e.g., to configure the certificate resolver.
  For secrets, use ingress_traefik_secrets instead.
  Default: {}

ingress_traefik_secrets (dictionary)
  A mapping of secrets to inject into the Traefik container, as key: value pairs.
  The key of each secret is set as an environment variable pointing to the secret containing the value.
  Default: {}

template_warning (string / required)
  A warning that this role adds to the top of each file it creates, so users know it is managed by an automated process.
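The following play invokes the main entry point with the parameters listed above. It is an added example, not taken from the collection's own documentation. The host group, hostnames, paths, network names, the vaulted variable and the nesting of the resolver dictionary are assumptions: the dictionary is assumed to be passed through unchanged as Traefik's certificatesResolvers block, and the DNS-challenge credential is assumed to be read from a _FILE-suffixed variable, as the lego-based providers in Traefik do. The storage path is the one this page requires.

```yaml
# Added example: deploy the Traefik ingress with the role's "main" entry point.
# All host names, paths, network names and the vaulted variable are assumed.
- name: Deploy the Traefik ingress with podman
  hosts: ingress            # assumed inventory group
  tasks:
    - name: Run the main entry point of benschubert.infrastructure.ingress
      ansible.builtin.include_role:
        name: benschubert.infrastructure.ingress
        # tasks_from is left at its default, which selects the "main" entry point
      vars:
        ingress_http_port: 80
        ingress_https_port: 443
        # Traefik joins these podman networks so it can reach the backends;
        # the backends themselves publish no ports on the host.
        ingress_networks:
          - auth-net        # assumed network name
          - monitoring-net  # assumed network name
        ingress_traefik_configuration_files_path: /srv/traefik/conf.d  # assumed
        # Assumed to be handed to Traefik as its certificatesResolvers block.
        # "default" is mandatory and "storage" must be /etc/traefik/acme.json.
        ingress_traefik_certificates_resolvers:
          default:
            acme:
              email: admin@example.internal   # constructed
              storage: /etc/traefik/acme.json
              dnsChallenge:
                provider: cloudflare
        # Non-sensitive settings go in plain environment variables ...
        ingress_traefik_environment_variables:
          TRAEFIK_LOG_LEVEL: INFO
        # ... while credentials go through ingress_traefik_secrets, so the
        # value never appears in the container's environment. The key becomes
        # an environment variable holding the path to the mounted secret, which
        # is why the _FILE-suffixed variable name is used here (assumption:
        # the consumer accepts a path via that suffix, as lego does).
        ingress_traefik_secrets:
          CF_DNS_API_TOKEN_FILE: "{{ vault_cf_dns_api_token }}"  # assumed vaulted var
        template_warning: >-
          Managed by Ansible (benschubert.infrastructure.ingress);
          manual edits will be overwritten.
```

Keep the value in an Ansible Vault file rather than in the play; the role only needs the rendered string at run time.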

Entry point provider – Configures a new provider to expose a service on the ingress

Synopsis

  • This sets up a configuration fragment on Traefik to expose a new service.

  • See the Traefik documentation for more information.

  • This entry point also ensures that the service is reachable afterwards, so the service must already be configured and running before it is called.

Parameters

expected_status_code (integer)
  The status code that the service is expected to return when reached at /.
  Used when validating that the service is indeed reachable.
  Default: true

hostname (string / required)
  The hostname at which the service should be exposed.
  This is used to ensure that the service is now available.

ingress_custom_ca_cert (string)
  The path on disk to a custom CA certificate with which to validate TLS certificates, for the case where the issuer is not among the root certificate authorities.

ingress_https_port (integer)
  The port at which the service is exposed via the ingress, so that API calls can be made to the service.
  Default: 443

ingress_name (string / required)
  The name to give to the configuration file that the template is rendered as.

ingress_traefik_configuration_files_path (string / required)
  The path on disk where all the configurations are stored.

ingress_validate_certs (boolean)
  Whether the TLS certificate used to access the service should be validated.
  Choices:
    • false
    • true ← (default)

template_file (string / required)
  The Ansible template to render for generating the configuration.
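The play below runs the finalize entry point once Authentik is up and then uses the provider entry point to publish one backend through the ingress, followed by the template that the provider task renders. It is an added example, not part of the collection. The host group, hostnames, paths, group name, vaulted variable, backend name and port, the expected status code and the Traefik entry point name are assumptions; that the rendered template is a Traefik file-provider fragment is inferred from the description of ingress_name and ingress_traefik_configuration_files_path, and the availability of hostname inside the template assumes role vars are in scope when it is rendered.

```yaml
# Added example: playbooks/ingress-publish.yml (all values assumed)
- name: Expose the Traefik dashboard and publish a service through the ingress
  hosts: ingress            # assumed inventory group
  tasks:
    # finalize must run only after the Authentik service has been brought up,
    # because the dashboard it creates is protected by Authentik.
    - name: Finalize the ingress (dashboard behind Authentik, metrics agent)
      ansible.builtin.include_role:
        name: benschubert.infrastructure.ingress
        tasks_from: finalize
      vars:
        auth_authentik_hostname: auth.example.internal
        auth_authentik_token: "{{ vault_authentik_token }}"   # assumed vaulted var
        ingress_traefik_dashboard_hostname: traefik.example.internal
        # Only members of this group can see or log in to the dashboard;
        # null or [] would leave it open to every authenticated user.
        ingress_traefik_allowlisted_groups:
          - infra-admins
        # Keep certificate validation on; point at the internal CA instead of
        # disabling it when the issuer is not in the system trust store.
        ingress_validate_certs: true
        ingress_custom_ca_cert: /etc/pki/tls/certs/internal-ca.pem
        ingress_monitor_agent_config_path: /srv/monitoring/traefik-agent/config
        ingress_monitor_agent_data_path: /srv/monitoring/traefik-agent/data
        monitoring_grafana_config_path: /srv/grafana/config
        template_warning: "Managed by Ansible; manual edits will be overwritten."

    # provider renders template_file into the configuration directory as
    # <ingress_name> and then checks https://<hostname>:<ingress_https_port>/
    - name: Expose Grafana through the ingress
      ansible.builtin.include_role:
        name: benschubert.infrastructure.ingress
        tasks_from: provider
      vars:
        ingress_name: grafana
        hostname: grafana.example.internal
        expected_status_code: 302   # assumed: Grafana redirects / to /login
        template_file: "{{ playbook_dir }}/templates/traefik-grafana.yml.j2"
        ingress_traefik_configuration_files_path: /srv/traefik/conf.d
        ingress_validate_certs: true
        ingress_custom_ca_cert: /etc/pki/tls/certs/internal-ca.pem

---
# Added example: templates/traefik-grafana.yml.j2, a Traefik file-provider
# fragment rendered by the provider entry point (entry point name assumed).
http:
  routers:
    grafana:
      rule: "Host(`{{ hostname }}`)"
      entryPoints:
        - websecure             # assumed entry point name
      service: grafana
      tls:
        certResolver: default   # the mandatory resolver from the main entry point
  services:
    grafana:
      loadBalancer:
        servers:
          # Reachable only over the shared podman network; the backend
          # publishes no host port, so Traefik is the only way in.
          - url: "http://grafana:3000"
```

The backend URL uses the container name on the shared podman network; because the network is listed in ingress_networks on the main entry point, Traefik can reach it while nothing else on the host can.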