prepare for ipv6 deployment

roles/common/tasks/main.yml

@@ -1,3 +1,12 @@
+- name: Install Debian packages
+  become: yes
+  ansible.builtin.apt:
+    name:
+     - docker-ce
+     - docker-compose-plugin
+     - ufw
+    state: latest
+
 - name: Upgrade Debian packages
   become: yes
   ansible.builtin.apt:
@@ -8,6 +17,26 @@
     state: latest
   register: apt_upgrades
 
+- name: Allow SSH
+  become: yes
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: Allow Web
+  become: yes
+  ufw:
+    rule: allow
+    name: WWW Full
+
+- name: Enable Firewall
+  become: yes
+  ufw:
+    state: enabled
+    policy: reject
+    direction: incoming
+    logging: on
+
 - name: Reboot if needed
   become: yes
   ansible.builtin.reboot:

roles/docker_host/tasks/main.yml

@@ -3,3 +3,31 @@
     state: directory
     path: "{{ my_svc_path }}"
     mode: "700"
+
+- name: Get IPv6 subnet for Docker
+  set_fact:
+    docker_ipv6_subnet: "{{ \
+      ansible_default_ipv6.address \
+      | ansible.utils.ipsubnet(64) \
+      | ansible.utils.ipsubnet(72, docker_ipv6_index) \
+    }}"
+
+- debug:
+    var: docker_ipv6_subnet
+
+- name: Configure Docker daemon
+  become: yes
+  template:
+    src: "daemon.json.j2"
+    dest: "/etc/docker/daemon.json"
+    owner: root
+    group: root
+    mode: "0644"
+  register: docker_daemon_config
+
+- name: Restart Docker daemon
+  become: yes
+  service:
+    name: docker
+    state: restarted
+  when: docker_daemon_config.changed

roles/docker_host/templates/daemon.json.j2

@@ -0,0 +1,4 @@
+{
+    "ipv6": true,
+    "fixed-cidr-v6": "{{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 0) }}"
+}

roles/traefik/templates/docker-compose.yml.j2

@@ -1,35 +1,37 @@
-{% from "contrib/compose_helpers.j2" import traefik_labels with context %}
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
 {##}
-version: "3.7"
+version: "3.9"
 
 networks:
-  default:
   traefik:
     internal: true
+    enable_ipv6: true
     ipam:
       config:
         - subnet: {{ traefik_ip }}/24
+        - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 255) }}
 
 services:
   traefik:
     image: traefik:v2.9
     container_name: traefik
-    labels:
-      - {{ traefik_labels("traefik", service="api@internal") | indent(6) }}
     restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
-      - "8080:8080"
     env_file:
       - .env.traefik
-    networks:
-      default:
-      traefik:
-        ipv4_address: {{ traefik_ip }}
+    network_mode: host
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/etc/traefik/traefik.yml:ro
-      - {{ base_volume_path }}/traefik/rules:/rules:ro
+      - ./rules:/rules:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - {{ base_volume_path }}/traefik/rules:/rules/extra:ro
       - {{ base_volume_path }}/traefik/logs:/logs
       - {{ base_volume_path }}/traefik/acme:/acme
+
+  # This is mostly just so that the traefik network gets created
+  whoami:
+    image: containous/whoami
+    container_name: whoami
+    labels:
+      - {{ helpers.traefik_labels('whoami', port=80) | indent(6) }}
+    networks:
+      - traefik

roles/traefik/templates/rules/traefik-dash.yml.j2

@@ -0,0 +1,25 @@
+http:
+  routers:
+    traefik-dash:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - web
+      service: traefik-dash
+
+    traefik-dash-tls:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - websecure
+      service: traefik-dash
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: "{{ domain }}"
+            sans:
+              - "*.{{ domain }}"
+
+  services:
+    traefik-dash:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:8080"

roles/traefik/templates/traefik.yml.j2

@@ -11,9 +11,7 @@ accessLog:
 entryPoints:
   web:
     address: ":80"
-    forwardedHeaders:
-      trustedIPs:
-        - "172.16.0.0/12"
+
   websecure:
     address: ":443"