ansible playbook and roles

ansible/gitlab_server.yml

@@ -0,0 +1,7 @@
+---
+- hosts: gitlab_servers
+  roles:
+    - {role: 'docker', tags: ['docker'], become: true}
+    - {role: 'traefik', tags: ['traefik'], become: true}
+    - {role: 'gitlab_server', tags: ['gitlab_server'], become: true}
+

ansible/roles/docker/defaults/main.yml

@@ -0,0 +1,67 @@
+---
+# docker_log_driver: 'json-file'
+# docker_live_restore: true
+# docker_json_max_size: '300M'
+# docker_json_max_file: '3'
+# docker_json_compress: 'true'
+# docker_apt_package: 'docker.io'
+# vm_max_map_count: false
+# use docker default shutdown timeout by default
+# docker_shutdown_timeout:
+
+# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
+docker_edition: 'ce'
+docker_packages:
+  - "docker-{{ docker_edition }}"
+  - "docker-{{ docker_edition }}-cli"
+  - "docker-{{ docker_edition }}-rootless-extras"
+  - "containerd.io"
+docker_packages_state: present
+
+# Service options.
+docker_service_manage: true
+docker_service_state: started
+docker_service_enabled: true
+docker_restart_handler_state: restarted
+
+# Docker Compose Plugin options.
+docker_install_compose_plugin: false
+docker_compose_package: docker-compose-plugin
+docker_compose_package_state: present
+
+# Docker Compose options.
+docker_install_compose: true
+docker_compose_version: "v2.11.1"
+docker_compose_arch: "{{ ansible_architecture }}"
+docker_compose_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-{{ docker_compose_arch }}"
+docker_compose_path: /usr/local/bin/docker-compose
+
+# Docker repo URL.
+docker_repo_url: https://download.docker.com/linux
+
+# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
+docker_apt_release_channel: stable
+docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
+docker_apt_ignore_key_error: true
+docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
+
+# Used only for RedHat/CentOS/Fedora.
+docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo"
+docker_yum_repo_enable_nightly: '0'
+docker_yum_repo_enable_test: '0'
+docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg"
+
+# A list of users who will be added to the docker group.
+docker_users: [vagrant]
+
+# Docker daemon options as a dict
+docker_daemon_options: {
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "300m",
+    "max-file": "3",
+    "compress": "true"
+  },
+  "live-restore": true
+}

ansible/roles/docker/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: restart docker
+  service:
+    name: docker
+    state: "{{ docker_restart_handler_state }}"
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: docker_service_manage | bool

ansible/roles/docker/tasks/docker-users.yml

@@ -0,0 +1,7 @@
+---
+- name: Ensure docker users are added to the docker group.
+  user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  with_items: "{{ docker_users }}"

ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+- include_tasks: setup-RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- include_tasks: setup-Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: Install Docker packages.
+  package:
+    name: "{{ docker_packages }}"
+    state: "{{ docker_packages_state }}"
+  notify: restart docker
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: "ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian']"
+
+- name: Install Docker packages (with downgrade option).
+  package:
+    name: "{{ docker_packages }}"
+    state: "{{ docker_packages_state }}"
+    allow_downgrade: true
+  notify: restart docker
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: "ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']"
+
+- name: Ensure /etc/docker/ directory exists.
+  file:
+    path: /etc/docker
+    state: directory
+    mode: 0755
+  when: docker_daemon_options.keys() | length > 0
+
+- name: Configure Docker daemon options.
+  copy:
+    content: "{{ docker_daemon_options | to_nice_json }}"
+    dest: /etc/docker/daemon.json
+    mode: 0644
+  when: docker_daemon_options.keys() | length > 0
+  notify: restart docker
+
+- name: Ensure Docker is started and enabled at boot.
+  service:
+    name: docker
+    state: "{{ docker_service_state }}"
+    enabled: "{{ docker_service_enabled }}"
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: docker_service_manage | bool
+
+- name: Ensure handlers are notified now to avoid firewall conflicts.
+  meta: flush_handlers
+
+# On récupère les utilisateurs membres du groupe docker si on a passé des users dans la variable docker_users
+- name: Get docker group info using getent.
+  getent:
+    database: group
+    key: docker
+    split: ':'
+  when: docker_users | length > 0
+
+# On vérifie si les users n'exsistent pas. Si c'est le cas on créé une nouvelle variable
+- name: Check if there are any users to add to the docker group.
+  set_fact:
+    at_least_one_user_to_modify: true
+  when:
+    - docker_users | length > 0
+    - item not in ansible_facts.getent_group["docker"][2] # Permet de récupérer une liste des utilisateurs renseignée dans le troisième champs.
+  with_items: "{{ docker_users }}"
+
+# Si la nouvelle variable a été définie on exécute la task
+- include_tasks: docker-users.yml
+  when: at_least_one_user_to_modify is defined

ansible/roles/docker/tasks/setup-Debian.yml

@@ -0,0 +1,55 @@
+---
+- name: Ensure old versions of Docker are not installed.
+  ansible.builtin.package:
+    name:
+      - docker
+      - docker-engine
+      - docker.io
+    state: absent
+
+- name: Ensure dependencies are installed.
+  ansible.builtin.apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+    state: present
+
+- name: Ensure additional dependencies are installed (on Ubuntu < 20.04 and any other systems).
+  ansible.builtin.apt:
+    name: gnupg2
+    state: present
+  when: ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('20.04', '<')
+
+- name: Ensure additional dependencies are installed (on Ubuntu >= 20.04).
+  ansible.builtin.apt:
+    name: gnupg
+    state: present
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
+
+- name: Add Docker apt key.
+  ansible.builtin.get_url:
+    url: "{{ docker_apt_gpg_key }}"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: '0644'
+    force: true
+  register: add_repository_key
+  ignore_errors: "{{ docker_apt_ignore_key_error }}"
+
+- name: Ensure curl is present (on older systems without SNI).
+  ansible.builtin.package: 
+    name: curl
+    state: present
+  when: add_repository_key is failed
+
+- name: Add Docker apt key (alternative for older systems without SNI).
+  shell: >
+    curl -sSL {{ docker_apt_gpg_key }} | apt-key add -
+  args:
+    warn: false
+  when: add_repository_key is failed
+
+- name: Add Docker repository.
+  apt_repository:
+    repo: "{{ docker_apt_repository }}"
+    state: present
+    update_cache: true

ansible/roles/docker/tasks/setup-RedHat.yml

@@ -0,0 +1,34 @@
+---
+- name: Ensure old versions of Docker are not installed.
+  package:
+    name:
+      - docker
+      - docker-common
+      - docker-engine
+    state: absent
+
+- name: Add Docker GPG key.
+  rpm_key:
+    key: "{{ docker_yum_gpg_key }}"
+    state: present
+
+- name: Add Docker repository.
+  get_url:
+    url: "{{ docker_yum_repo_url }}"
+    dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Configure containerd on RHEL 8.
+  block:
+    - name: Ensure container-selinux is installed.
+      package:
+        name: container-selinux
+        state: present
+
+    - name: Ensure containerd.io is installed.
+      package:
+        name: containerd.io
+        state: present
+  when: ansible_distribution_major_version | int == 8

ansible/roles/gitlab_server/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+gitlab_image_tag: latest
+gitlab_server_name:
+gitlab_pages_server_name:
+gitlab_services: []
+gitlab_base_dir: /opt/gitlab
+gitlab_data_dir: '{{ gitlab_base_dir }}/data'
+gitlab_backup_dir: '{{ gitlab_data_dir }}/backups'
+gitlab_logs_dir: '{{ gitlab_base_dir }}/logs'
+gitlab_conf_dir: '{{ gitlab_base_dir }}/conf'
+gitlab_bin_dir: '{{ gitlab_base_dir }}/bin'
+traefik_network: docker.local.fr
+
+# --- puma dir ---
+puma_conf_dir: /opt/gitlab/var/puma
+puma_conf_pid: '{{ puma_conf_dir}}/puma.pid'

ansible/roles/gitlab_server/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart gitlab
+  command: docker exec gitlab gitlab-ctl restart
+
+- name: reconfigure gitlab
+  command: docker exec gitlab gitlab-ctl reconfigure

ansible/roles/gitlab_server/tasks/main.yml

@@ -0,0 +1,75 @@
+---
+- name: Install packages
+  ansible.builtin.apt:
+    name:
+      - jq
+    state: present
+
+- name: Create directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    owner: '{{ item.owner | default("root") }}'
+    group: '{{ item.group | default("root") }}'
+    mode: '{{ item.mode  | default("0755") }}'
+    state: directory
+  loop:
+    - path: '{{ gitlab_base_dir }}'
+      mode: '0700'
+    - path: '{{ gitlab_data_dir }}'
+    - path: '{{ gitlab_conf_dir }}'
+      mode: '0775'
+    - path: '{{ gitlab_logs_dir }}'
+    - path: '{{ gitlab_bin_dir }}'
+
+- name: Gitlab - Container up
+  community.docker.docker_container:
+    name: gitlab
+    image: 'gitlab/gitlab-ce:{{ gitlab_image_tag }}'
+    state: started
+    restart_policy: unless-stopped
+    volumes:
+      - '{{ gitlab_conf_dir }}:/etc/gitlab'
+      - '{{ gitlab_logs_dir }}:/var/log/gitlab'
+      - '{{ gitlab_data_dir }}:/var/opt/gitlab'
+    network_mode: '{{ traefik_network }}'
+    networks:
+      - name: '{{ traefik_network }}'
+    labels:
+      traefik.enable: 'true'
+      traefik.http.routers.gitlab.rule: 'Host(`gitlab.local.fr`)'
+      traefik.http.routers.gitlab.entrypoints: 'websecure'
+      traefik.http.services.gitlab.loadbalancer.server.port: '80'
+      traefik.http.routers.gitlab.tls: 'true'
+
+- name: Deploy gitlab config file
+  ansible.builtin.template:
+    src: gitlab.rb.j2
+    dest: '{{ gitlab_conf_dir }}/gitlab.rb'
+    owner: root
+    group: root
+    mode: '0400'
+  notify: reconfigure gitlab
+
+- name: Modify sysctl values
+  ansible.builtin.sysctl:
+    name: '{{ item.name }}'
+    value: '{{ item.value }}'
+    state: present
+  loop:
+    - name: net.core.somaxconn
+      value: 1024
+    - name: net.ipv4.tcp_max_syn_backlog
+      value: 1024
+    - name: vm.overcommit_memory
+      value: 1
+
+- name: Get initial root password for gitlab authent
+  ansible.builtin.command: docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password
+  register: _password
+  until: "_password is not failed"
+  retries: 3
+  delay: 10
+
+- name: Print password
+  ansible.builtin.debug:
+    msg: "{{ _password.stdout }}"

ansible/roles/gitlab_server/templates/gitlab.rb.j2

@@ -0,0 +1,47 @@
+{{ ansible_managed | comment }}
+
+external_url 'https://gitlab.local.fr'
+nginx['listen_port'] = 80
+nginx['listen_https'] = false
+nginx['redirect_http_to_https'] = false
+nginx['http2_enabled'] = false
+nginx['proxy_set_headers'] = {
+  "Host" => "$http_host",
+  "X-Real-IP" => "$remote_addr",
+  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
+  "X-Forwarded-Proto" => "https",
+  "X-Forwarded-Ssl" => "on"
+}
+nginx['real_ip_trusted_addresses'] = ['172.18.0.0/16']
+nginx['real_ip_header'] = 'X-Real-IP'
+nginx['real_ip_recursive'] = 'on'
+nginx['custom_gitlab_server_config'] = "\nlocation =/robots.txt { alias /etc/gitlab/robots.txt; }\n"
+
+letsencrypt['enable'] = false
+prometheus_monitoring['enable'] = false
+
+gitlab_rails['smtp_enable'] = false
+
+# gitlab_rails['gitlab_shell_ssh_port'] = 22222
+
+
+
+# --- Misc ---
+grafana['enable'] = false
+
+# --- Puma ---
+puma['enable'] = true
+puma['worker_processes'] = 2 # Nb core-1
+puma['worker_timeout'] = 60
+
+# Valeur par défaut conseiller 4
+puma['min_threads'] = 4 
+puma['max_threads'] = 4
+
+puma['per_worker_max_memory_mb'] = 1024
+
+puma['pidfile'] = '{{ puma_conf_pid }}'
+gitlab_rails['env'] = {
+   'GITLAB_RAILS_RACK_TIMEOUT' => 600
+ }
+

ansible/roles/gitlab_server/templates/robots.txt.j2

@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow: /

ansible/roles/traefik/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+traefik_dev_version: 'v2.5'
+traefik_user: 'vagrant'  # user
+traefik_dev_network:
+  - docker.local.fr

ansible/roles/traefik/files/config/dynamic_conf.toml

@@ -0,0 +1,9 @@
+[[tls.certificates]]
+  certFile = "/etc/certs/local.fr.crt"
+  keyFile = "/etc/certs/local.fr.key"
+
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "/etc/certs/local.fr.crt"
+      keyFile  = "/etc/certs/local.fr.key"

ansible/roles/traefik/files/config/middlewares.yml

@@ -0,0 +1,7 @@
+---
+http:
+  middlewares:
+    StagingHeader:
+      headers:
+        customRequestHeaders:
+          X-Is-Secure: "true"

ansible/roles/traefik/files/etc/certs/local.fr.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEvjCCAqagAwIBAgIUA3+jwHAAm1FF+hMbkjpEtp7r5vkwDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCRlIxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMjEwMDgxNTA5MTNaFw0yMzEwMDgx
+NTA5MTNaMH0xCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZGcmFuY2UxETAPBgNVBAcM
+CFRvdWxvdXNlMREwDwYDVQQKDAhsb2NhbC5mcjEOMAwGA1UECwwFbG9jYWwxDjAM
+BgNVBAMMBWxvY2FsMRcwFQYJKoZIhvcNAQkBFghsb2NhbC5mcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANY0jBXHVKKkxCac0+mFit+VcE/KbnfwXuBx
+cyS0DEQwPTPA0yuzomfmWs/EWoNZKyg4e42HWVoEq1gCXSeDzfg3cvfBNcx5nbhs
+uVMOLesIcMohmhKCrbeqBRuF1X6KM9qbJUDU0/hwQN0nyUW/yDDH4BqPY8yVYyTD
+Vjp8s/lDMhiXnKyRT5KonXqwFLxvpiiHbZu8bh6agSj+RDiPJGzidw6HqL1GavBj
+zwuzjmkJdnQKxqivwTv5BMDaWveX7+WCaTYXY3Dt/JRixlFjn7vXj+huRuOHu9GM
+vT5a0Zkm524rw2O2hbFK2Gk9upSvo5j5IPJQaH1TuCs2ChShNDMCAwEAAaNxMG8w
+HwYDVR0jBBgwFoAUZEj1ZQDuf7yPxxLCp0JqiSOM7oUwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwFQYDVR0RBA4wDIIKKi5sb2NhbC5mcjAdBgNVHQ4EFgQUx1Tra1AD
+cKbECcIyyGSy5/6dadkwDQYJKoZIhvcNAQELBQADggIBAHoVo7EDCo++aGu8RsB+
+Tbufc2nGyLOv9vc+syG00SFE/K0ic0JTuOHQcGnXbsfqaq2b7mtz8UL/bbBq/hmn
+7xDkbUIigbrTQgRAhXIrv+wfUp0U8Wq6g2uCKFpak29mSfmnNdzYCQxywREwdKwS
+OzlUZbmxmjNjX3YRJHL1mO/d2Y/5QD/rgZJB3aYnE05v5pVayx+FwHx0nu5OPUFS
+sJBNjn15As1DREA6jaKYV6AYKy1kyPeo+/YuNPWndX3nlkgq3zvWvAFgwes0Oold
+TSPH1TZlFpGexUPqJ8ZKUy6nQz6gUkPr4+F7ZvuNJ4djmrm36Osc2nqTdSPapX0c
+zsI+1J82JnEVzqp4mHAIOF8MX2BZgrKNA6Uc5ftsSMQZ5irqSuNC+U2Mwsz22OBx
+pcuciW7tAPJf3MBp9yGc35pHFG5F0DcEZhHaELCx6h8+dZ+8ZwRK6Do6HSBpi98W
+2CuWePV5q9AecYv/gKXGA+N2nH3dh+eDqqPW6dNWLSfQCsoueJthRawBe249XrIG
+CUREUTr7/nn95DtYpWD4ytxHxeU+6hGHzcv2EPfQkKYSkcayhGWMwN2c6c0B1SFg
+CcwYB6OXy5mzDMUgWlioW5pdILhLyxLFB5XI4N3KjowgATJc9xgAfA7kR88tKAmM
+JxD+DMTwrvDbAkQ5iEV9GDRM
+-----END CERTIFICATE-----

ansible/roles/traefik/files/etc/certs/local.fr.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICwjCCAaoCAQAwfTELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTERMA8G
+A1UEBwwIVG91bG91c2UxETAPBgNVBAoMCGxvY2FsLmZyMQ4wDAYDVQQLDAVsb2Nh
+bDEOMAwGA1UEAwwFbG9jYWwxFzAVBgkqhkiG9w0BCQEWCGxvY2FsLmZyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jSMFcdUoqTEJpzT6YWK35VwT8pu
+d/Be4HFzJLQMRDA9M8DTK7OiZ+Zaz8Rag1krKDh7jYdZWgSrWAJdJ4PN+Ddy98E1
+zHmduGy5Uw4t6whwyiGaEoKtt6oFG4XVfooz2pslQNTT+HBA3SfJRb/IMMfgGo9j
+zJVjJMNWOnyz+UMyGJecrJFPkqiderAUvG+mKIdtm7xuHpqBKP5EOI8kbOJ3Doeo
+vUZq8GPPC7OOaQl2dArGqK/BO/kEwNpa95fv5YJpNhdjcO38lGLGUWOfu9eP6G5G
+44e70Yy9PlrRmSbnbivDY7aFsUrYaT26lK+jmPkg8lBofVO4KzYKFKE0MwIDAQAB
+oAAwDQYJKoZIhvcNAQELBQADggEBAKKp6AadSiP9tXHckhADHtzGFUpeq+CEC0Nk
+AoaVMllkZHgEppdOzoj2FfCHdb7wfSOsA1ZjIE5oooEoZjUfb+xM/GnvJcpJT+Tr
+rLT26DwXnPrsIxvzqIvMx6XsnfPcrr+3bHfW50W/jdNNDtzyeyq6kXCMMbxYat8p
+flG+SMLeiMWFK6poTNrWh+X4ZzHbmDc+ckNdwilVXAVFgr0alzd6qo4Kc6WHRiQS
+BTPjPQn9lgkq42S7kojLUXclcVfsvrHSmXTdUHtLFyj5H+7ppgs9wDWLSksOaBg2
+We9LcIGyuucaJBgbBuJ48WgtJDko0L2bpDFHRDipyQQeUCRkdRk=
+-----END CERTIFICATE REQUEST-----

ansible/roles/traefik/files/etc/certs/local.fr.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDWNIwVx1SipMQm
+nNPphYrflXBPym538F7gcXMktAxEMD0zwNMrs6Jn5lrPxFqDWSsoOHuNh1laBKtY
+Al0ng834N3L3wTXMeZ24bLlTDi3rCHDKIZoSgq23qgUbhdV+ijPamyVA1NP4cEDd
+J8lFv8gwx+Aaj2PMlWMkw1Y6fLP5QzIYl5yskU+SqJ16sBS8b6Yoh22bvG4emoEo
+/kQ4jyRs4ncOh6i9RmrwY88Ls45pCXZ0Csaor8E7+QTA2lr3l+/lgmk2F2Nw7fyU
+YsZRY5+714/obkbjh7vRjL0+WtGZJuduK8NjtoWxSthpPbqUr6OY+SDyUGh9U7gr
+NgoUoTQzAgMBAAECggEADmsUZYA4ptynBLUDC/GckBbZASXucE2ntT0ts5zC7pwT
+TTZ/gFjjvPv5GjRspfFh7Ep7q+JzwJFr5Hf+7o1QAeiJk+UCIAoCScsCYSAlNcV9
+rL1nnN4Fn2/m+XFKwO0V4chrpi+CjR3RNTxbr0GM0hZsyUeO6ihsDKocAG0rGBiu
+0ucbdCJfxl33QsEXWcFjCoX9eAobPhmM4RPAOK0yXRYrz6wBgbHfFY5A9JhT31zZ
+xzZh/Wq881FYaBsrUB/mvsBVqCwO4GL76poA574TcHrmjb1ygKwgq6+zRpzEdlej
+vY8RD2savLlkIOO0EhaCx+t+rBJ95lr3mj6AclPiAQKBgQD/tcJrx/KOaAs/pIf4
+q+3sRwduKxObJNQL63Aj+UzPIcK5pf7OwlsKmpZyz1ci/2XVF998hFLI2DKYVDNk
+w85t4MZht+cnjjlRbWux3jzesdsZa/zYCfT0MX38OZsS28nOjJ2mbijtvPbmON+n
+jw3eqEYfDlRFkYLrYcGpQKBnswKBgQDWcrzV3W8idok7SOyZ3j8i2OPaQkwDmEYI
+my7M2WNZ62q+MPNAysnni4o04Rkw5TTC0lov9jRdcK4G+h73tqM7wvDGvPUOtemx
+SfuOwg6fE8Er0cAmQ4rjBvxIVPJ6+Iz9CItyRvt1iCXvWTF9CjO6bkPmLR2QjZkh
+SgJwpGXBgQKBgCJy3R9iD3ZJ5AIN61d/6gyjwQeBfCGxg3Oboz7lbgiVlsMl7r7y
+BgvWqaAL+MQ5PgHINo5y0ShHoAFPjqDrlBrPZkpx2Q1GJsimghSzSOYDde3l02lT
+ZhGjvUJGjHKs83IFFZP/UTo989EuJktPhWHSr6etaYL5yHZndAyWLUXrAoGAfq6b
+JQ/Bhi9WFEKZGrByxagwug+uDfWXcaASvoqxKT5r+Vy7ZowlR/Zjt6c+FWdhirFu
++6RK/OQCujZpstYeicA4Mn8PmRgXrFbTF1tF/e1SkQtAopoF4uWOhUBBWimYSCYT
+EngiNiUum70qAf7T3g8jZ0dBjtJHIqYw2NAVGIECgYAtJsZZcuqeT4v0SrF3aGuq
+8TSaNFICQAPuRSeV7RN3Yq/ZzCxG0pt0N6U8/SZmOH+bx98yekRMLgY3A68XdlRi
+uiyl+RZJIhaU83dhDnfv1/F0y0MmA8mEmUoPQSZkDrwg+IwvD38ob9DQUvaBcn5G
+QBvZMa2+bHkceOnYRVfgzw==
+-----END PRIVATE KEY-----

ansible/roles/traefik/files/traefik.toml

@@ -0,0 +1,33 @@
+[accessLog]
+  filePath = "/dev/stdout"
+
+[log]
+  level = "ERROR"
+
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+  watch = true
+  exposedByDefault = false
+
+[providers.file]
+  directory = "/etc/traefik/config"
+  watch = true
+
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8090"
+  [entryPoints.websecure]
+    address = ":443"
+  [entryPoints.web]
+    address = ":80"
+  [entryPoints.web.http.redirections]
+    [entryPoints.web.http.redirections.entryPoint]
+      to = "websecure"
+      scheme = "https"
+      permanent = "true"
+
+[api]
+  dashboard = true
+
+[metrics]
+  [metrics.prometheus]

ansible/roles/traefik/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: reload docker via systemd
+  # reload : set things like "live-restore"
+  ansible.builtin.systemd:
+    name: docker
+    state: reloaded
+  listen: reload docker
+
+- name: restart service docker
+  # then restart :
+  # - won't be disruptive with "live-restore"
+  # - necessary when changing "log-driver"
+  ansible.builtin.service:
+    name: docker
+    state: restarted
+  when: docker_live_restore
+  listen: reload docker

ansible/roles/traefik/tasks/main.yml

@@ -0,0 +1,77 @@
+---
+- name: '{{ traefik_user }} | Create user'
+  ansible.builtin.user:
+    name: '{{ traefik_user }}'
+    password: "{{ traefik_user.hash_password | default('!') }}"
+    shell: '/bin/bash'
+    append: true
+    state: present
+  no_log: true
+  
+- name: Ensure /etc/certs exist
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: '{{ item.state }}'
+    owner: '{{ traefik_user }}'
+    group: '{{ traefik_user }}'
+    mode: '0755'
+  loop:
+    - {path: '/home/{{ traefik_user }}/config/traefik/etc/certs', state: directory}
+    - {path: '/home/{{ traefik_user }}/config/traefik/config', state: directory}
+
+- name: 'Copy cert on {{ inventory_hostname }}.'
+  ansible.builtin.copy:
+    src: 'files/{{ item }}'
+    dest: '/home/{{ traefik_user }}/config/traefik/{{ item }}'
+    owner: '{{ traefik_user }}'
+    group: '{{ traefik_user }}'
+    mode: '0740'
+  loop:
+    - etc/certs/local.fr.crt
+    - etc/certs/local.fr.key
+    - config/dynamic_conf.toml
+    - config/middlewares.yml
+    - traefik.toml
+
+- name: "Add network for container"
+  community.docker.docker_network:
+    name: "{{ item }}"
+    internal: no
+    ipam_config:
+      - subnet: 172.18.0.0/16
+        gateway: 172.18.0.1
+  loop: "{{ traefik_dev_network }}"
+
+- name: Create traefik container
+  community.docker.docker_container:
+    name: 'traefik'
+    image: 'traefik:{{ traefik_dev_version }}'
+    state: started
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    purge_networks: yes
+    networks_cli_compatible: false
+    networks:
+      - name: "{{ traefik_dev_network[0] }}"
+        ipv4_address: 172.18.0.2
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - '/home/{{ traefik_user }}/config/traefik/etc/certs/:/etc/certs:ro'
+      - '/home/{{ traefik_user }}/config/traefik/config:/etc/traefik/config:ro'
+      - '/home/{{ traefik_user }}/config/traefik/traefik.toml:/traefik.toml:ro'
+    labels:
+      traefik.http.routers.api.rule: 'Host(`traefik.local.fr`)'
+      traefik.http.routers.api.service: 'api@internal'
+      traefik.http.middlewares.auth.basicauth.users: 'admin:$apr1$YNIut6CR$IAtMZlvNBBMXe7cRNXDG0.'
+      traefik.http.routers.api.entrypoints: 'websecure'
+      traefik.http.routers.api.tls: 'true'
+      traefik.enable: 'true'
+    ports:
+      - '443:443'
+      - '8090:8090'
+      - '80:80'
+    log_driver: 'json-file'
+    log_opt:
+      max-size: '1m'
+      max-file: '10'