templates/traefik-service.j2

# {{ ansible_managed }}
[Unit]
Description=Traefik
Documentation=https://doc.traefik.io/traefik/
#After=network-online.target
AssertFileIsExecutable={{ traefik_opt }}/traefik
AssertPathExists={{ traefik_etc }}/traefik.yml

[Service]
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
User=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE
ReadOnlyDirectories=/

# configure service behavior
Type=notify
ExecStart={{ traefik_opt }}/traefik --configFile={{ traefik_etc }}/traefik.yml
Restart=always
WatchdogSec=1s

# allow writing of acme.json
#ReadWritePaths=/var/traefik/acme.json
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too

# limit number of processes in this unit
#LimitNPROC=1

[Install]
WantedBy=multi-user.target
minor: add basic proxy role (#2) Reviewed-on: https://gianet.us/engineering/ansible_role_proxy/pulls/2 Co-authored-by: Luciano Giacchetta <luciano@gianet.us> Co-committed-by: Luciano Giacchetta <luciano@gianet.us> 2026-01-19 21:09:04 +00:00			`# {{ ansible_managed }}`
			`[Unit]`
			`Description=Traefik`
			`Documentation=https://doc.traefik.io/traefik/`
			`#After=network-online.target`
			`AssertFileIsExecutable={{ traefik_opt }}/traefik`
			`AssertPathExists={{ traefik_etc }}/traefik.yml`

			`[Service]`
			`# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)`
			`User=traefik`
			`AmbientCapabilities=CAP_NET_BIND_SERVICE`
			`ReadOnlyDirectories=/`

			`# configure service behavior`
			`Type=notify`
			`ExecStart={{ traefik_opt }}/traefik --configFile={{ traefik_etc }}/traefik.yml`
			`Restart=always`
			`WatchdogSec=1s`

			`# allow writing of acme.json`
			`#ReadWritePaths=/var/traefik/acme.json`
			`# depending on log and entrypoint configuration, you may need to allow writing to other paths, too`

			`# limit number of processes in this unit`
			`#LimitNPROC=1`

			`[Install]`
			`WantedBy=multi-user.target`