The original post: /r/homelab by /u/LordWurstbrot on 2024-05-03 07:59:21.

Need help with my traefik stack & letsencrypt dns challenge

Hello, I am trying to get letsencrypt certs for my traefik stack using the dns challenge. I can't figure out what I did wrong. I would really appreciate your help, thanks.

docker compose

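version: "3.8"  # ignored (with a warning) by Compose v2, harmless to keep

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /home/pi/src/core/authelia-data:/config
    networks:
      - proxy
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=proxy'
      - 'traefik.http.routers.authelia.rule=Host(`sub.domain.de`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      # rd= must be the bare portal URL; the "<...>" around it in the post is a
      # markdown auto-link artifact and would break the login redirect.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://sub.domain.de'
      # Safe only because Authelia is reachable solely via Traefik on the proxy network.
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    expose:
      - 9091
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
    healthcheck:
      disable: true

  traefik:
    image: "traefik:latest"  # pin a major/minor tag; a silent v2 -> v3 jump changes config semantics
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - authelia
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # ":ro" only protects the socket node; API calls through it still work.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik-data/traefik.yml:/traefik.yml:ro"
      # Holds the ACME account key and all private keys. Traefik refuses to use
      # it unless the host file is mode 0600.
      - "./traefik-data/acme.json:/acme.json"
      - "./traefik-data/configurations:/configurations"
      - "./traefik-data/logs:/logs"
    environment:
      # Credentials for lego's netcup DNS provider (read from the environment).
      # `NAME=` pins an EMPTY string; to inherit the value from the shell or a
      # .env file use `NAME` without "=" (or the `NAME:` mapping form).
      - NETCUP_CUSTOMER_NUMBER=
      - NETCUP_API_KEY=
      - NETCUP_API_PASSWORD=
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      # - traefik.http.routers.traefik-secure.rule=Host(`sub.domain.de`)
      # With the rule commented out the Docker provider falls back to its
      # default rule, Host(`traefik`) from the container name, and the
      # websecure entrypoint's certResolver will most likely try to obtain a
      # certificate for that bare name, which can never succeed - those
      # failures then show up in the debug log next to the real ones. With no
      # middleware the API is also reachable without Authelia. Restore the
      # rule and the middleware, or remove this router until it is needed.
      - traefik.http.routers.traefik-secure.service=api@internal
      # (router name here should be traefik-secure, not portainer-secure)
      # - traefik.http.routers.portainer-secure.middlewares=authelia@docker

  portainer:
    image: "portainer/portainer-ee:linux-arm"
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # Socket access is full Docker (root-equivalent) access regardless of ":ro".
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./portainer-data:/data"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.portainer-secure.entrypoints=websecure
      - traefik.http.routers.portainer-secure.rule=Host(`sub.domain.de`)
      - traefik.http.routers.portainer-secure.service=portainer
      - traefik.http.routers.portainer-secure.middlewares=authelia@docker
      - traefik.http.services.portainer.loadbalancer.server.port=9000

  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    depends_on:  # uncomment if running traefik in the same compose file
      - traefik
    volumes:
      - "/home/pi/src/core/crowdsec-data/config/:/etc/crowdsec/"
      - "/home/pi/src/core/crowdsec-data/crowdsec-db:/var/lib/crowdsec/data/"
      # The traefik collection parses this access log; whatever traefik.yml's
      # accessLog.filters drop never reaches CrowdSec.
      - "/home/pi/src/core/traefik-data/logs:/var/log/traefik/:ro"
    networks:
      - proxy
    restart: unless-stopped

  bouncer-traefik:
    image: "docker.io/fbonalair/traefik-crowdsec-bouncer:latest"
    container_name: bouncer-traefik
    environment:
      # A bare `KEY:` is null, which Compose resolves from the host environment
      # (e.g. a .env file); it is NOT an empty string.
      CROWDSEC_BOUNCER_API_KEY:
      CROWDSEC_AGENT_HOST:
    networks:
      - proxy  # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

  goaccess:
    image: 'xavierh/goaccess-for-nginxproxymanager:latest'
    container_name: goaccess
    restart: unless-stopped
    ports:
      # Published directly on the host: this UI bypasses Traefik, Authelia and
      # the CrowdSec bouncer entirely. Bind to 127.0.0.1 or route it through
      # Traefik if it should not be reachable from the LAN.
      - '7880:7880'
    environment:
      - TZ=Europe/Berlin
      - LOG_TYPE=TRAEFIK  # optional
    volumes:
      - "/home/pi/src/core/traefik-data/logs:/opt/log"
    labels:
      - traefik.enable=false  # redundant with exposedByDefault: false, but explicit

networks:
  proxy:
    external: true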

traefik.yml

# Static configuration (traefik.yml). The presence of the `api:` block enables
# the API service (api@internal); `dashboard: false` only hides the web UI.
api:
  dashboard: false
  # insecure: true  # would expose the API on :8080 without auth - keep off

# Debug logging is very verbose and records request details; drop to "info"
# once the ACME problem is solved.
log:
  level: debug
  filePath: /logs/traefik.log

Configuring Multiple Filters
============================

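accessLog:
  filePath: "/logs/access.log"
  # NOTE: these filters (copied from the Traefik docs example) keep only
  # 200/300-302, retried and slow requests. CrowdSec's traefik scenarios rely
  # largely on 4xx/5xx lines, so with this filter in place it most likely
  # never sees the events it is meant to detect. Remove `statusCodes` (or
  # the whole `filters` block) if CrowdSec is supposed to work.
  filters:
    statusCodes:
      - "200"
      - "300-302"
    retryAttempts: true
    minDuration: "10ms"
  # collect logs as in-memory buffer before writing into log file
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop  # drop all headers per default
      names:
        User-Agent: keep  # log user agent strings

entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: websecure  # scheme defaults to https

  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
        - crowdsec-bouncer@file
      # Default resolver for every TLS router on this entrypoint, so Traefik
      # requests a certificate for every Host() rule it sees here.
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # containers need traefik.enable=true to be routed
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: "<redacted-email>"  # PLACEHOLDER: the address was redacted in the post
      # Relative to the container's working directory; the compose file mounts
      # the file at /acme.json, so the absolute path is the safer spelling.
      # The file must be mode 0600 on the host.
      storage: acme.json
      keyType: EC256
      # Bare URL (the "<...>" in the post is a markdown artifact). While
      # debugging, point this at the staging CA
      # (https://acme-staging-v02.api.letsencrypt.org/directory) with its own
      # acme.json, so failed attempts do not hit production rate limits.
      caServer: https://acme-v02.api.letsencrypt.org/directory
      certificatesDuration: 2160  # hours; valid in v2, deprecated in v3
      dnsChallenge:
        provider: netcup  # reads NETCUP_CUSTOMER_NUMBER / NETCUP_API_KEY / NETCUP_API_PASSWORD
        delayBeforeCheck: 1200  # unitless = seconds: waits 20 min before the first TXT lookup
        # Nameservers used only for the pre-validation check; the first three
        # are netcup's authoritative servers.
        resolvers:
          - "root-dns.netcup.net:53"
          - "second-dns.netcup.net:53"
          - "third-dns.netcup.net:53"
          - "8.8.8.8:53"
          - "1.1.1.1:53"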

dynamic.yml

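# Dynamic configuration (file provider).
#
# `entryPoints` was removed from this file: it is STATIC configuration and
# already lives in traefik.yml. The file provider does not accept unknown
# top-level keys, so leaving it here most likely makes Traefik reject this
# whole file - and with it the secureHeaders@file and crowdsec-bouncer@file
# middlewares that the entrypoints reference, which in turn puts every router
# on websecure (and its certificate request) into an error state.

http:
  middlewares:
    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        # The bouncer only ever receives traffic from Traefik, which sets the
        # forwarded headers itself.
        trustForwardHeader: true

    nextcloud-redirectregex:
      redirectRegex:
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

    # HSTS only; contentTypeNosniff / frameDeny / referrerPolicy are common
    # additions here.
    secureHeaders:
      headers:
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    user-auth:
      basicAuth:
        users:
          - "xxxxxx"  # htpasswd entry, redacted in the post

  routers:
    # Hostnames are presumably redacted; if several routers really share one
    # Host() on the same entrypoint only one of them can win.
    nextcloud-secure:
      entryPoints:
        - websecure
      rule: Host(`sub.domain.de`)
      middlewares:
        - nextcloud-redirectregex
      service: nextcloud

    # No middlewares: not behind Authelia, relies on the upstream's own login.
    hass-secure:
      entryPoints:
        - websecure
      rule: Host(`sub.domain.de`)
      service: hass

  services:
    nextcloud:
      loadBalancer:
        servers:
          # Bare URL; the "<...>" in the post is a markdown artifact.
          - url: "http://192.168.178.72:80/"

    hass:
      loadBalancer:
        servers:
          - url: "http://192.168.178.23:8123/"

tls:
  options:
    # "default" applies to every TLS router that does not name its own options.
    default:
      # cipherSuites only affects TLS 1.2; TLS 1.3 suites are fixed by Go.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12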