Puppet profile for Traefik reverse proxy in TLS offloading with automatic Let's Encrypt support

traefik.pp

# Installs and configures the Traefik.io reverse proxy, for TLS-offloading and
# automatic Let's Encrypt SSL management.
#
# Requirements:
#   - Module https://forge.puppet.com/praekeltfoundation/traefik and dependencies
#   - gem 'toml-rb' installed on Puppet Master
class profiles::traefik {
  file { '/var/lib/traefik/':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  } ->
  file { '/var/log/traefik/':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  } ->
  class { '::traefik':
    version     => '1.0.3',
    config_hash => {
      'accessLogsFile'     => '/var/log/traefik/access.log',
      'traefikLogsFile'    => '/var/log/traefik/daemon.log',
      'defaultEntryPoints' => ['http', 'https'],
      'logLevel'           => 'INFO',
    },
  }
  traefik::config::section { 'web':
    description => 'Enable the statistics UI',
    order       => '60',
    hash        => {
      'address'  => ':8081',
      'readonly' => true,
    },
  }
  traefik::config::section { 'acme':
    description => "Let's Encrypt",
    order       => '40',
    hash        => {
      'email'       => '[email protected]',
      'storageFile' => '/var/lib/traefik/acme.json',
      'entryPoint'  => 'https',
      'onDemand'    => true,
    }
  }
  traefik::config::section { 'entryPoints':
    description => 'Entrypoint definitions',
    order       => '20',
    hash        => {
      'http'  => {
        'address'   => ':80',
      },
      'https' => {
        'address' => ':443',
        'tls'     => {},
      }
    }
  }
  traefik::config::file_rule { 'tlsproxy':
    description => 'Proxy to Varnish',
    order       => '30',
    frontend    => {
      'passHostHeader' => true,
    },
    backend     => {
      'servers' => {
        'server1' => {
          'url'    => 'http://127.0.0.1:6081',
        },
      }
    }
  }
}