kemonine/lollipopcloud, lollipopcloud/services/traefik.md
This repository has been archived on 2022-08-05.
Web Service Proxy (Traefik)

Traefik is a small, efficient reverse proxy that terminates TLS for all of your services and obtains its certificates from Let's Encrypt automatically. Per-service configuration comes from labels on the containers it fronts, so services can be added and removed dynamically without editing a central config file.

Inspiration / Sources

Docker (AND OTHER!) Integration(s)

Traefik supports Docker out of the box, as well as Docker Swarm, Kubernetes and several similar orchestrators. This should help with remixes for users running clusters of small ARM boards.

Adjust firewall to allow web services on internal network(s)

The internal zone needs http and https added explicitly. The trusted zone already accepts every connection, so the second command is a harmless no-op.


firewall-cmd --permanent --zone=internal --add-service http --add-service https
firewall-cmd --permanent --zone=trusted --add-service http --add-service https
firewall-cmd --reload

Adjust firewall to allow web services on external network(s)

You can skip this if you won't be using web services from the internet. Once these ports are open on the public zone, every container Traefik discovers is reachable from the internet by default, so only give Traefik rules for the services you mean to publish.


firewall-cmd --permanent --zone=public --add-service http --add-service https
firewall-cmd --reload

Install / Update / Run Script

Set up a generic script that pulls the latest Traefik image and (re)launches the container. You only need to run it at first launch and whenever you want to update; it stops and replaces the running container, so expect a few seconds of downtime.


mkdir -p /var/traefik/acme
touch /var/traefik/acme/acme.json
chmod 600 /var/traefik/acme/acme.json

# The here-document delimiter is quoted so that nothing is expanded while the
# script is written; every $VAR below is evaluated when /root/traefik.sh runs.
cat > /root/traefik.sh << 'EOF'
#!/bin/bash

# Pick the image variant that matches the board's CPU.
ARCH=$(uname -m)
if [ "$ARCH" = "aarch64" ]; then
    ARCH="arm64v8"
else
    ARCH="arm32v7"
fi

docker pull "registry.lollipopcloud.solutions/$ARCH/traefik:latest"

# Replace any running instance; on the very first run there is nothing to stop.
docker stop traefik 2>/dev/null
docker rm traefik 2>/dev/null

##########
# Notes:
# - set ACME_DNS_PROVIDER to one of https://docs.traefik.io/configuration/acme/#provider if using
#   DNS ACME challenges, and add an -e option for each variable that provider needs (the CF_* ones
#   below are for Cloudflare); leave ACME_DNS_PROVIDER empty to use only the HTTP challenge
# - don't include the CF_API vars in the portainer template
# - /var/traefik/acme/acme.json must exist with 600 perms before the container runs (created above)
# - --logLevel=DEBUG is noisy; set it to ERROR once the setup works
# - label docs for templates: https://docs.traefik.io/configuration/backends/docker/#labels-overriding-default-behavior
##########

ACME_EMAIL="user@domain.tld"
ACME_DNS_PROVIDER="--acme.dnschallenge.provider=cloudflare"

# --network host is assumed here so that Traefik binds :80/:443 directly and the
# firewalld zones above govern access (ports published with -p bypass firewalld).
# $ACME_DNS_PROVIDER is left unquoted on purpose: empty means no DNS challenge flag.
docker run -d --name traefik --restart unless-stopped \
    --network host \
    -e TZ=UTC \
    -e DEBUG=1 \
    -e ACME_EMAIL="$ACME_EMAIL" \
    -e ACME_DNS_PROVIDER="$ACME_DNS_PROVIDER" \
    -e CF_API_EMAIL="user@domain.tld" \
    -e CF_API_KEY=big_string \
    -v /var/traefik:/etc/traefik \
    -v /var/run/docker.sock:/var/run/docker.sock \
    "registry.lollipopcloud.solutions/$ARCH/traefik:latest" \
    --api --docker --logLevel=DEBUG \
    --defaultentrypoints=http,https \
    --entrypoints="Name:http address::80 Redirect.EntryPoint:https" \
    --entrypoints="Name:https address::443 TLS" \
    --acme=true --acme.acmelogging=true \
    --acme.storage=/etc/traefik/acme/acme.json \
    --acme.tlsconfig=true --acme.entrypoint=https \
    --acme.httpchallenge=true --acme.httpchallenge.entrypoint=http \
    --acme.email="$ACME_EMAIL" --acme.onhostrule=true \
    $ACME_DNS_PROVIDER
EOF

chmod a+x /root/traefik.sh

Run Traefik

Execute /root/traefik.sh to update and (re)start Traefik. On the first run, watch docker logs -f traefik for ACME errors (a bad email address, port 80 not reachable for the HTTP challenge, missing DNS provider credentials) before adding services behind it.
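The script above only starts the proxy; the page leaves the other half of the workflow, putting a service behind it, to the label docs. The following is an added example and not code from the lollipop cloud repo: it checks the ACME store's permissions before anything is started, builds the Traefik 1.x container labels that route a hostname to a service (with an optional basic-auth label), and launches a container with them. The containous/whoami image, the hostname whoami.domain.tld, the default bridge network and the file name deploy_whoami.sh are assumptions.

```shell
#!/bin/bash
# Added example, not part of the lollipop cloud docs: front one service with
# the Traefik 1.x instance started by /root/traefik.sh.
# Assumptions: the service is the containous/whoami image, it sits on the
# default bridge network, and its hostname is whoami.domain.tld.

# acme.json holds the Let's Encrypt account key and every issued private key.
# Refuse to continue unless it is a regular file, mode 600 and owned by the
# expected uid (root by default). The first failed check goes to stderr.
check_acme_store() {
    local f="$1" expect_uid="${2:-0}" mode owner
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$mode" = "600" ] || { echo "$f: mode is $mode, expected 600" >&2; return 1; }
    [ "$owner" = "$expect_uid" ] || { echo "$f: owner uid is $owner, expected $expect_uid" >&2; return 1; }
    return 0
}

# docker run label flags that make Traefik 1.x route to a container: opt the
# container in explicitly (works whether or not exposedByDefault is on), route
# Host:<fqdn> to it, name the container port to forward to, and attach it to
# both entrypoints defined in the run script. With --acme.onhostrule=true the
# Host rule is also what triggers certificate issuance for that name.
traefik_labels() {
    local fqdn="$1" port="$2"
    printf -- '--label traefik.enable=true '
    printf -- '--label traefik.frontend.rule=Host:%s ' "$fqdn"
    printf -- '--label traefik.port=%s ' "$port"
    printf -- '--label traefik.frontend.entryPoints=http,https'
}

# Optional HTTP basic auth in front of the service. Traefik 1.x reads an
# htpasswd-style entry from traefik.frontend.auth.basic (1.7+ also accepts
# traefik.frontend.auth.basic.users); openssl produces the APR1-MD5 hash.
# The result of a $(...) substitution is never re-expanded, so the `$` signs
# in the hash survive being passed to docker run unquoted in main().
basic_auth_label() {
    local user="$1" password="$2" hash
    hash=$(openssl passwd -apr1 "$password") || return 1
    printf -- '--label traefik.frontend.auth.basic=%s:%s' "$user" "$hash"
}

# Usage: bash deploy_whoami.sh whoami.domain.tld [user password]
main() {
    local fqdn="$1" user="${2:-}" password="${3:-}" auth=""
    check_acme_store /var/traefik/acme/acme.json || exit 1
    if [ -n "$user" ]; then
        auth=$(basic_auth_label "$user" "$password") || exit 1
    fi
    command -v docker >/dev/null || { echo "docker not found" >&2; exit 1; }
    # The label flags are split on whitespace on purpose; none contain spaces.
    # shellcheck disable=SC2046,SC2086
    docker run -d --name whoami --restart unless-stopped \
        $(traefik_labels "$fqdn" 80) $auth \
        containous/whoami
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the hostname as the first argument (and a user and password if the service should sit behind basic auth); with no arguments it only defines the functions, which is convenient for sourcing the label helper into other deploy scripts. The explicit traefik.enable=true label is what lets you later switch the proxy to --docker.exposedbydefault=false without touching the services you intended to publish.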

Configuration (Optional)

See https://docs.traefik.io/ for additional details. You shouldn't need any additional configuration: most of Traefik is configured on the command line using the approach above. Note that the flags and labels on this page use the Traefik 1.x syntax (--docker, --entrypoints="Name:http ...", traefik.frontend.rule); Traefik 2.x renamed all of them, so check which major version the image you pull provides before reading the docs.

A few of the defaults are worth reviewing before you open the public zone. --api serves the dashboard and API on port 8080 with no authentication in 1.x, so never open that port on the public zone. With the Docker backend every container Traefik can see is exposed by default; passing --docker.exposedbydefault=false and adding traefik.enable=true only to the containers you mean to publish makes exposure opt-in. Mounting /var/run/docker.sock gives the Traefik container root-equivalent control of the host, so treat the image as trusted as the host itself and keep it updated. Finally, /var/traefik/acme/acme.json contains the ACME account key and every issued private key, which is why it must stay root-owned with mode 600.

Traefik is very powerful and flexible. If you're looking for more advanced options the documentation is a great start, but be warned: it's very technical and dense.