Traefik
Reverse proxy and TLS termination.
Access
| Item | Value |
|---|---|
| Dashboard | http://10.100.161.102:8080 |
| Container | CT 102 |
| IP | 10.100.161.102 |
| Ports | 80, 443, 8080 |
Installation
```bash
# Create the container (nesting + keyctl for Let's Encrypt)
pct create 102 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
  --hostname traefik \
  --memory 512 --swap 256 \
  --cores 1 \
  --net0 name=eth0,bridge=vmbr0,tag=160,ip=10.100.161.102/23,gw=10.100.161.254 \
  --features nesting=1,keyctl=1 \
  --unprivileged 1 \
  --start 1

# Install Traefik
pct exec 102 -- bash -c '
apt update && apt install -y wget
# Download the binary
wget https://github.com/traefik/traefik/releases/download/v3.3.3/traefik_v3.3.3_linux_amd64.tar.gz
tar xzf traefik_*.tar.gz
mv traefik /usr/local/bin/
chmod +x /usr/local/bin/traefik
# Create directories; acme.json holds private keys, hence mode 600
mkdir -p /etc/traefik/conf.d /etc/traefik/ssl
touch /etc/traefik/ssl/acme.json
chmod 600 /etc/traefik/ssl/acme.json
'

# Main configuration
pct exec 102 -- tee /etc/traefik/traefik.yaml << 'YAML'
api:
  dashboard: true
  # insecure mode serves the dashboard and API on :8080 without authentication
  insecure: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  file:
    directory: /etc/traefik/conf.d
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      # address is obfuscated on this page; set your ACME account e-mail here
      email: "[email protected]"
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
YAML

# systemd service
pct exec 102 -- tee /etc/systemd/system/traefik.service << 'SERVICE'
[Unit]
Description=Traefik
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yaml
Restart=always

[Install]
WantedBy=multi-user.target
SERVICE

# Cloudflare token (for the DNS challenge); replace DEIN_CLOUDFLARE_TOKEN with the real token.
# The token is stored in clear text in this drop-in, and tee creates the file with default permissions.
pct exec 102 -- mkdir -p /etc/systemd/system/traefik.service.d
pct exec 102 -- tee /etc/systemd/system/traefik.service.d/cloudflare.conf << 'OVERRIDE'
[Service]
Environment="CF_DNS_API_TOKEN=DEIN_CLOUDFLARE_TOKEN"
OVERRIDE
pct exec 102 -- systemctl daemon-reload
pct exec 102 -- systemctl enable --now traefik
```
Cloudflare API Token
- “Create Token” → “Edit zone DNS” Template
- Zone: miskam.xyz
- Store the token in Vaultwarden
TLS / Let's Encrypt
- Provider: Let's Encrypt
- Challenge: DNS-01 via Cloudflare API
- Domain: *.home.miskam.xyz (Wildcard)
- Auto-renewal: Yes (Traefik)
- Validity: 90 days
Routes
Service URLs
| Service | Valid SSL (.home.miskam.xyz) | Internal (.srv.internal) |
|---|---|---|
| n8n | https://n8n.home.miskam.xyz | https://n8n.srv.internal |
| Vaultwarden | https://vault.home.miskam.xyz | https://vault.srv.internal |
| DokuWiki | https://wiki.home.miskam.xyz | https://wiki.srv.internal |
| Uptime Kuma | https://status.home.miskam.xyz | https://status.srv.internal |
| Checkmk | https://monitoring.home.miskam.xyz | https://monitoring.srv.internal |
| Proxmox | https://hv-04.home.miskam.xyz | https://hv-04.srv.internal:8006 |
Configuration
| File | Purpose |
|---|---|
| /etc/traefik/traefik.yaml | Main config |
| /etc/traefik/conf.d/ | Dynamic routes |
| /etc/traefik/ssl/acme.json | Certificates |
Adding a route
```yaml
# /etc/traefik/conf.d/myservice.yml
http:
  routers:
    myservice:
      rule: "Host(`myservice.home.miskam.xyz`) || Host(`myservice.srv.internal`)"
      service: myservice
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.home.miskam.xyz"
  services:
    myservice:
      loadBalancer:
        servers:
          - url: "http://10.100.161.XXX:PORT"
```
Traefik reloads changes automatically (file provider).
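Added example, not part of the original page: the static configuration in the installation step sets `api.insecure: true`, which serves the dashboard and API on port 8080 without authentication. The same route pattern can publish the dashboard through `websecure` behind basic auth and a source-IP allow list instead. The hostname `traefik.home.miskam.xyz`, the file name `dashboard.yml`, the middleware names, the `admin` user and the hash placeholder are assumptions; the `/23` range is derived from the container address shown in the installation step.

```yaml
# --- /etc/traefik/traefik.yaml (static config, only the api section changes) ---
api:
  dashboard: true
  # insecure: true   # weak setting: unauthenticated dashboard/API on :8080
  # With insecure unset, the dashboard is reachable only through a router
  # that points at the built-in service api@internal (defined below).
---
# --- /etc/traefik/conf.d/dashboard.yml (dynamic config, hypothetical file name) ---
http:
  routers:
    dashboard:
      rule: "Host(`traefik.home.miskam.xyz`)"   # assumed hostname under the wildcard
      service: api@internal                     # Traefik's internal API/dashboard service
      entryPoints:
        - websecure
      middlewares:
        - lan-only          # evaluated first: drop requests from outside the LAN
        - dashboard-auth    # then require credentials
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.home.miskam.xyz"
  middlewares:
    lan-only:
      ipAllowList:
        sourceRange:
          - "10.100.160.0/23"   # network of 10.100.161.102/23
    dashboard-auth:
      basicAuth:
        users:
          # placeholder: paste the output of `htpasswd -nB admin` here
          - "admin:REPLACE_WITH_HTPASSWD_HASH"
```

The `api` section is static configuration, so that change needs a Traefik restart; the router file is picked up by the file provider like any other route.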
Management
```bash
# Status
pct exec 102 -- systemctl status traefik

# Logs
pct exec 102 -- journalctl -u traefik -f

# Restart
pct exec 102 -- systemctl restart traefik

# Check the certificate
echo | openssl s_client -connect n8n.home.miskam.xyz:443 2>/dev/null | openssl x509 -noout -dates

# Stored certificates
pct exec 102 -- cat /etc/traefik/ssl/acme.json | jq '.letsencrypt.Certificates[].domain'
```
Related
- Network Overview - DNS setup
- Containers - CT 102 details
