I use the Traefik file provider for this.
https://doc.traefik.io/traefik/providers/file/
It picks up all my .yml configs in the watched folder which define the routers and services external to Docker.
this post was submitted on 08 Jul 2024
10 points (91.7% liked)
Selfhosted
40008 readers
1030 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Would the file provider configs live on the Traefik server, or would they need to be on the external service. Reading through this, and looking at the example configuration files doesn't really seem to point that out. Sorry for the noob questions.
Trying to understand this, but the way the documentation is written is different than I am used to.
Thank you!
No worries for the question. It's not terribly intuitive.
The configs live on the Traefik server. In my static traefik.yml config I have the following providers section, which adds the file provider in addition to the docker provider which you likely already have:
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
directory: /config
watch: true
And in the /config folder mapped into the Traefik container I have several files for services external to docker. You can combine them or keep them separate since the watch: true setting tells it to read in all files (and it's near instant when you create them, no need to restart Traefik).
Here is my homeassistant.yml in that folder (I have a separate VM running HASS outside of Docker/Traefik):
http:
routers:
homeassistant-rtr:
entryPoints:
- https
service: homeassistant-svc
rule: "Host(`home.example.com`)"
tls:
certResolver: examplecom-dns
services:
homeassistant-svc:
loadBalancer:
servers:
- url: "http://hass1.internal.local:8123"
Hope this helps!
so in my traefik.yml file I have cloudflare set as my certresolver as follows:
certificatesResolvers:
cloudflare:
acme:
email: [email protected]
storage: acme.json
caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
dnsChallenge:
provider: cloudflare
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all aut>
#delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
And I had to get the secret mounted via the docker-compose file.
So where you have:
tls:
certResolver: examplecom-dns
Do I have to redefine all of the same information I did in my Traefik yml but in this separate config.yml?
(I did set it up in my traefik.yml and docker-compose.yml to mount and use this config, which I had commented out for later use.
Thank you so much for the help!
Edit:
Essentially I am trying to get my PiHole which is hosted on another pi setup with an SSL cert for local use only:
So in looking at your config I tried using:
http:
routers:
pihole-rtr:
entryPoints:
- https
service: pihole-rtr
rule: "Host(`ph.local.domain.com`)"
tls:
certResolver: cloudflare
services:
pihole-svc:
loadBalancer:
servers:
- url: "http://<ip>/admin"
However when doing this error logs returned:
2024-07-08T15:04:27-04:00 ERR error="the service \"pihole-rtr@file\" does not exist" entryPointName=https routerName=pihole-rtr@file
2024-07-08T15:04:28-04:00 ERR error="the service \"pihole-rtr@file\" does not exist" entryPointName=https routerName=pihole-rtr@file
I am doing something very wrong... And feel a little lost.
I think you're close.
You need to change service: pihole-rtr to service: pihole-svc.
Do I have to redefine all of the same information I did in my Traefik yml but in this separate config.yml?
No, you just need to reference it like you have. Define once, reference many.
I hate to report back, but something isn't quite working for pihole behind Traefik.
running "docker logs traefik" returns no error, and yet no certificate was presented to my pihole.
Not sure what else I might be missing or that I might have wrong.
Can you see the router and service in the Traefik dashboard and do they show any errors there?
Shows in traefik, no errors there.
If you're sure you've got a DNS entry for the Pihole FQDN pointing at Traefik, open the dev panel in your browser (F12), switch it to the Network tab, and visit the pihole URL.
See if you get anything back and especially take note of the HTTP status codes.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| HASS | Home Assistant automation software |
| HTTP | Hypertext Transfer Protocol, the Web |
| PiHole | Network-wide ad-blocker (DNS sinkhole) |
| SSL | Secure Sockets Layer, for transparent encryption |
5 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #857 for this sub, first seen 8th Jul 2024, 19:35] [FAQ] [Full list] [Contact] [Source code]