Traefik directories are not automatically created

[gridhead]

Describe the bug Traefik directories are not automatically created when the "Using your own SSL certificates" path is chosen.

To Reproduce My vars.yml file looks like this:

---
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: apexaltruism.net

# The Matrix homeserver software to install.
# See:
#  - `roles/custom/matrix-base/defaults/main.yml` for valid options
# - the `docs/configuring-playbook-IMPLEMENTATION_NAME.md` documentation page, if one is available for your implementation choice
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'sasasasasasasasasasasasasasasasasasasasasasasasa'

# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
matrix_playbook_reverse_proxy_type: playbook-managed-traefik

# Ensure that public urls use https
matrix_playbook_ssl_enabled: true

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
devture_traefik_config_certificatesResolvers_acme_email: ''

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: 'P455W0RD'

# For testing or other purposes, you may wish to install services without SSL termination and 
# have services exposed to http:// instead of https://.
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
# (by toggling `matrix_federation_traefik_entrypoint_tls`).
devture_traefik_config_entrypoint_web_secure_enabled: false

# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
# If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
# - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']

# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false

# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true

# Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
#
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
#
# If your reverse-proxy runs on another machine, consider:
# - using `0.0.0.0:8449`, just `8449` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:8449` below
# - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs`
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.0.1:8449'

# Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above,
# this may need to be reconfigured. See the comments above.
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
  forwardedHeaders:
    insecure: true
    trustedIPs: ['192.168.192.100']

# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
      watch: true

# Use the aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
    src: /home/fedohide-origin/data/apexaltruism.net/privkey.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # content: |
    #   FILE CONTENT
    #   HERE

  # Create the cert.pem file on the server
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
    src: /home/fedohide-origin/data/apexaltruism.net/cert.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # content: |
    #   FILE CONTENT
    #   HERE

  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
  - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
    content: |
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem

# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.
#
# If `ansible_host` is not the server's external IP address, you have 2 choices:
# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below)
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''

# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
#
# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
#
# If you're running this Ansible playbook on the same server as the one you're installing to,
# consider adding an additional `ansible_connection=local` argument to the host line below.
#
# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04).
# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3`
# to the host line below.

[matrix_servers]
matrix.apexaltruism.net ansible_host=192.168.0.211 ansible_ssh_user=centvirt-slva become=true become_user=root

Command used

ansible-playbook --key-file=/home/fedohide-origin/.ssh/frontier -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start

Expected behavior I expect the directories to be created automatically and then the files to be moved into them.

What happens instead

TASK [galaxy/auxiliary : Ensure AUX files are created] ************************************************************************************************************************************************************************************************************************
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/ssl/privkey.pem) => changed=false 
  ansible_loop_var: item
  checksum: 12e54d7930e615dea175797b9792638b3e1048bb
  item:
    dest: /matrix/traefik/ssl/privkey.pem
    src: /home/fedohide-origin/data/apexaltruism.net/privkey.pem
  msg: Destination directory /matrix/traefik/ssl does not exist
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/ssl/cert.pem) => changed=false 
  ansible_loop_var: item
  checksum: 4ff171b003c0c9d5f37158c99f522a7590ad2d56
  item:
    dest: /matrix/traefik/ssl/cert.pem
    src: /home/fedohide-origin/data/apexaltruism.net/cert.pem
  msg: Destination directory /matrix/traefik/ssl does not exist
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/config/certificates.yml) => changed=false 
  ansible_loop_var: item
  checksum: 50550a5ace0de7a63f286a5da5bbd00a9cea5d2c
  item:
    content: |-
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem
    dest: /matrix/traefik/config/certificates.yml
  msg: Destination directory /matrix/traefik/config does not exist

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************************************
matrix.apexaltruism.net    : ok=148  changed=51   unreachable=0    failed=1    skipped=300  rescued=0    ignored=0   

TASK [galaxy/auxiliary : Ensure AUX files are created] *******************************************************************************************************************************************************************************************************************************************************************************************************************
changed: [matrix.apexaltruism.net] => (item=/matrix/traefik/ssl/privkey.pem)
changed: [matrix.apexaltruism.net] => (item=/matrix/traefik/ssl/cert.pem)
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/config/certificates.yml) => changed=false 
  ansible_loop_var: item
  checksum: 50550a5ace0de7a63f286a5da5bbd00a9cea5d2c
  item:
    content: |-
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem
    dest: /matrix/traefik/config/certificates.yml
  msg: Destination directory /matrix/traefik/config does not exist

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
matrix.apexaltruism.net    : ok=150  changed=4    unreachable=0    failed=1    skipped=297  rescued=0    ignored=0   

Manual mitigation attempted

1. Execute the following commands in the server on which Matrix is to be deployed.

   sudo mkdir -p /matrix/traefik/config

   sudo mkdir -p /matrix/traefik/ssl

   sudo chown -R matrix:matrix /matrix/

2. Restart the playbook execution.

Matrix Server:

 Static hostname: centvirt-slva.apexaltruism.net
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: NOPE
         Boot ID: NOPE
  Virtualization: kvm
Operating System: CentOS Stream 9                 
     CPE OS Name: cpe:/o:centos:centos:9
          Kernel: Linux 5.14.0-432.el9.x86_64
    Architecture: x86-64
 Hardware Vendor: QEMU
  Hardware Model: Standard PC _Q35 + ICH9, 2009_
Firmware Version: Arch Linux 1.16.3-1-1

Ansible: If your problem appears to be with Ansible, tell us:

• where you run Ansible -- e.g. on the Matrix server itself; on another computer (which OS? distro? standard installation or containerized Ansible?)

     Static hostname: fedohide-origin.apexaltruism.net
           Icon name: computer-vm
             Chassis: vm 🖴
          Machine ID: NOPE
             Boot ID: NOPE
      Virtualization: kvm
    Operating System: Fedora Linux 41 (Cloud Edition Prerelease)              
         CPE OS Name: cpe:/o:fedoraproject:fedora:41
      OS Support End: Tue 2025-05-13
OS Support Remaining: 1y 1month 4d                                            
              Kernel: Linux 6.9.0-0.rc2.20240403git026e680b0a08.25.fc41.x86_64
        Architecture: x86-64
     Hardware Vendor: QEMU
      Hardware Model: Standard PC _Q35 + ICH9, 2009_
    Firmware Version: Arch Linux 1.16.3-1-1
       Firmware Date: Tue 2014-04-01
        Firmware Age: 10y 1w

The machine running Ansible is in the same network as the machine that is supposed to run Matrix.

• what version of Ansible you're running (see ansible --version)

ansible [core 2.16.5]
  config file = /home/fedohide-origin/projects/matrix-docker-ansible-deploy/ansible.cfg
  configured module search path = ['/home/fedohide-origin/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/fedohide-origin/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.2 (main, Mar 21 2024, 00:00:00) [GCC 14.0.1 20240316 (Red Hat 14.0.1-0)] (/usr/bin/python3)
  jinja version = 3.1.3
  libyaml = True

Additional context Add any other context about the problem here.

[xvsun]

I already issued it here #2688

It should still be same issue that the value devture_traefik_ssl_dir_enabled is not being used (no code except in the vars.yml). It's probably an easy fix.

[Keeberos]

I too have encountered this problem, but the solution is simple. Since this problem occurs only with a clean installation, I run the playbook without AUX for the first time, and in the second pass I set certificates and other settings, for this purpose I keep two configs prepared, so as not to comment and uncomment lines. Also in the second pass config for LDAP traefik authorization.