Switch traefik/traefik-certs-dumper Ansible role sources and adjust variable names (devture_traefik_ -> traefik_)

2024-09-27 10:14:29 +03:00
parent 8445843562
commit f93101f791
13 changed files with 260 additions and 238 deletions
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -227,20 +227,20 @@ To make Traefik reverse-proxy to these additional JVBs (living on other hosts),
 # Traefik proxying for additional JVBs. These can't be configured using Docker
 # labels, like the first JVB is, because they run on different hosts, so we add
 # the necessary configuration to the file provider.
-devture_traefik_provider_configuration_extension_yaml: |
+traefik_provider_configuration_extension_yaml: |
  http:
   routers:
     {% for host in groups['jitsi_jvb_servers'] %}

     additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-router:
       entryPoints:
-         - "{{ devture_traefik_entrypoint_primary }}"
+         - "{{ traefik_entrypoint_primary }}"
       rule: "Host(`{{ jitsi_hostname }}`) && PathPrefix(`/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/`)"
       service: additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service
-       {% if devture_traefik_entrypoint_primary != 'web' %}
+       {% if traefik_entrypoint_primary != 'web' %}

       tls:
-         certResolver: "{{ devture_traefik_certResolver_primary }}"
+         certResolver: "{{ traefik_certResolver_primary }}"

       {% endif %}

--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -21,7 +21,7 @@ To have the playbook install and use Traefik, use configuration like this (as se
 ```yaml
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik

-devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
+traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
 ```

 Traefik will manage SSL certificates for all services seamlessly.
@ -38,7 +38,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 # Adjust to point to your Traefik container
 matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container

-devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
+traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"

 # Uncomment and tweak the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).
@ -148,18 +148,18 @@ matrix_playbook_ssl_enabled: true
 # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
 # This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
 # (by toggling `matrix_federation_traefik_entrypoint_tls`).
-devture_traefik_config_entrypoint_web_secure_enabled: false
+traefik_config_entrypoint_web_secure_enabled: false

 # If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
-devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
+traefik_container_web_host_bind_port: '127.0.0.1:81'

 # We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
 # a reverse-proxy running on the local machine is safe enough.
-# If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
-# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
-# - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
-devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
-# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
+# If you're publishing the port (`traefik_container_web_host_bind_port` above) to a public network interface:
+# - remove the `traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
+# - uncomment and adjust the `traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
+traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+# traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']

 # Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
 #
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@ -12,7 +12,7 @@ For testing purposes, you may wish to use staging certificates provide by Let's
 You can do this with the following configuration:

 ```yaml
-devture_traefik_config_certificatesResolvers_acme_use_staging: true
+traefik_config_certificatesResolvers_acme_use_staging: true
 ```


@ -23,7 +23,7 @@ For testing or other purposes, you may wish to install services without SSL term
 You can do this with the following configuration:

 ```yaml
-devture_traefik_config_entrypoint_web_secure_enabled: false
+traefik_config_entrypoint_web_secure_enabled: false
 ```


@ -46,16 +46,16 @@ To use your own SSL certificates with Traefik, you need to:

 ```yaml
 # Disable ACME / Let's Encrypt support.
-devture_traefik_config_certificatesResolvers_acme_enabled: false
+traefik_config_certificatesResolvers_acme_enabled: false

 # Disabling ACME support (above) automatically disables the creation of the SSL directory.
 # Force-enable it here, because we'll add our certificate files there.
-devture_traefik_ssl_dir_enabled: true
+traefik_ssl_dir_enabled: true

 # Tell Traefik to load our custom configuration file (certificates.yml).
 # The file is created below, in `aux_file_definitions`.
 # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
@ -66,7 +66,7 @@ devture_traefik_configuration_extension_yaml: |
 aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
-  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
+  - dest: "{{ traefik_ssl_dir_path }}/privkey.pem"
    src: /path/on/your/Ansible/computer/to/privkey.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
@ -76,7 +76,7 @@ aux_file_definitions:

  # Create the cert.pem file on the server
  # uploading a file from the computer where Ansible is running.
-  - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
+  - dest: "{{ traefik_ssl_dir_path }}/cert.pem"
    src: /path/on/your/Ansible/computer/to/cert.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
@ -86,7 +86,7 @@ aux_file_definitions:

  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
-  - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
+  - dest: "{{ traefik_config_dir_path }}/certificates.yml"
    content: |
      tls:
        certificates:
@ -109,12 +109,12 @@ You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt
 This is an example for how to edit the `vars.yml` file if you're using Cloudflare:

 ```yaml
-devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true
-devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "cloudflare"
-devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 60
-devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers:
+traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true
+traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "cloudflare"
+traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 60
+traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers:
  - "1.1.1.1:53"
-devture_traefik_environment_variables_additional_variables: |
+traefik_environment_variables_additional_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
--- a/docs/configuring-playbook-traefik.md
+++ b/docs/configuring-playbook-traefik.md
@ -12,7 +12,7 @@ See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl
 ## Increase logging verbosity

 ```yaml
-devture_traefik_config_log_level: DEBUG
+traefik_config_log_level: DEBUG
 ```

 ## Disable access logs
@ -20,7 +20,7 @@ devture_traefik_config_log_level: DEBUG
 This will disable access logging.

 ```yaml
-devture_traefik_config_accessLog_enabled: false
+traefik_config_accessLog_enabled: false
 ```

 ## Enable Traefik Dashboard
@ -28,23 +28,23 @@ devture_traefik_config_accessLog_enabled: false
 This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`).

 ```yaml
-devture_traefik_dashboard_enabled: true
-devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
-devture_traefik_dashboard_basicauth_enabled: true
-devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
-devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
+traefik_dashboard_enabled: true
+traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
+traefik_dashboard_basicauth_enabled: true
+traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
+traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
 ```

 **WARNING**: Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts.

 ## Additional configuration

-Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
+Use the `traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.

 ```yaml
 # This is a contrived example.
 # You can enable and secure the Dashboard using dedicated variables. See above.
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  api:
    dashboard: true
 ```
@ -66,8 +66,8 @@ First, we have to adjust the static configuration of Traefik, so that we can add
 ```yaml
 # We enable all config files in the /config/ folder to be loaded.
 # `/config` is the path as it appears in the Traefik container.
-# On the host, it's actually `/matrix/traefik/config` (as defined in `devture_traefik_config_dir_path`).
-devture_traefik_configuration_extension_yaml: |
+# On the host, it's actually `/matrix/traefik/config` (as defined in `traefik_config_dir_path`).
+traefik_configuration_extension_yaml: |
  providers:
    file:
      directory: /config/
@ -79,7 +79,7 @@ If you are using a self-signed certificate on your webserver, you can tell Traef

 ```yaml
 # We enable all config files in the /config/ folder to be loaded and
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  providers:
    file:
      directory: /config/
@ -90,11 +90,11 @@ devture_traefik_configuration_extension_yaml: |
 ```


-Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates. 
+Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates.

 ```yaml
 aux_file_definitions:
-  - dest: "{{ devture_traefik_config_dir_path }}/provider_my_fancy_website.yml"
+  - dest: "{{ traefik_config_dir_path }}/provider_my_fancy_website.yml"
    content: |
      http:
        routers:
@ -117,7 +117,7 @@ If you do not want to terminate SSL at the Traefik instance (for example, becaus

 ```yaml
 aux_file_definitions:
-  - dest: "{{ devture_traefik_config_dir_path }}/providers_my_fancy_website.yml"
+  - dest: "{{ traefik_config_dir_path }}/providers_my_fancy_website.yml"
    content: |
      tcp:
        routers:
@ -134,9 +134,9 @@ aux_file_definitions:
 ```
 Changing the `url` to one with an `http://` prefix would allow to connect to the server via HTTP.

-With these changes, all TCP traffic will be reverse-proxied to the target system. 
+With these changes, all TCP traffic will be reverse-proxied to the target system.

-**WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```. 
+**WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```.


 ## Traefik behind a `proxy_protocol` reverse-proxy
@ -144,7 +144,7 @@ With these changes, all TCP traffic will be reverse-proxied to the target system
 If you run a reverse-proxy which speaks `proxy_protocol`, add the following to your configuration file:

 ```yaml
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  entryPoints:
    web-secure:
      proxyProtocol:
--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@ -58,29 +58,29 @@ We cannot just disable the default resolver as that would disable SSL in quite a

 ```yaml
 # 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  certificatesResolvers:
    dns:
      acme:
        # To use a staging endpoint for testing purposes, uncomment the line below.
        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
-        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
+        email: {{ traefik_config_certificatesResolvers_acme_email | to_json }}
        dnsChallenge:
          provider: cloudflare
          resolvers:
            - "1.1.1.1:53"
            - "8.8.8.8:53"
-        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
+        storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }}

 # 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
-devture_traefik_environment_variables: |
+traefik_environment_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
  LEGO_DISABLE_CNAME_SUPPORT=true

 # 3. Instruct the playbook to use the new ACME configuration
-devture_traefik_certResolver_primary: dns
+traefik_certResolver_primary: dns
 ```

 ## Adjust Coturn's configuration
@ -105,16 +105,16 @@ matrix_coturn_container_additional_volumes: |
    (
      [
       {
-         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
-         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
-      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}
 ```
@ -124,7 +124,7 @@ matrix_coturn_container_additional_volumes: |
 ```yaml
 # Choosing the reverse proxy implementation
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
-devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
+traefik_config_certificatesResolvers_acme_email: redacted@example.com

 # To serve the federation from any domain, as long as the path matches
 matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
@ -135,25 +135,25 @@ matrix_synapse_container_labels_additional_labels: |
  traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"

 # Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
-devture_traefik_configuration_extension_yaml: |
+traefik_configuration_extension_yaml: |
  certificatesResolvers:
    dns:
      acme:
        # To use a staging endpoint for testing purposes, uncomment the line below.
        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
-        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
+        email: {{ traefik_config_certificatesResolvers_acme_email | to_json }}
        dnsChallenge:
          provider: cloudflare
          resolvers:
            - "1.1.1.1:53"
            - "8.8.8.8:53"
-        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
+        storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }}

 # Instruct thep laybook to use the new ACME configuration
-devture_traefik_certResolver_primary: "dns"
+traefik_certResolver_primary: "dns"

 # Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
-devture_traefik_environment_variables: |
+traefik_environment_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
@ -168,16 +168,16 @@ matrix_coturn_container_additional_volumes: |
    (
      [
       {
-         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
-         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
-      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}
 ```