bsherman/netmaker-traefik

Sample Traefik Config for Netmaker

This repository has been archived by the owner on Jun 16, 2023. It is now read-only.
netmaker-traefik

Notice: this has been archived due to a shortage of time to maintain and test.

This is a sample traefik configuration for running Netmaker. It's mostly based on the Netmaker Quick Start but using Traefik Proxy 2.9 instead of Caddy.

Version 0.17.1

This version of the config supports Netmaker 0.17.1. Please review the Netmaker upgrade documentation to determine whether your installation needs an upgrade procedure before moving to it.

Quick Start

Note you can mostly follow the instructions from the Netmaker Quick Start, with the few differences listed below.

Note: This example uses the community version of Netmaker

  1. Prerequisites - as instructed
  2. Prepare DNS - as instructed
  3. Install Dependencies - as instructed
  4. Open Firewall - as instructed (though this config does expect a firewall rule that permits access to the Traefik dashboard only from your private network, never from the Internet)
  5. Prepare MQ - as specified, but NOTE: our docker-compose.yml uses /PATHTO/ as a placeholder rather than assuming /root/, so you may want to skip the wget of mosquitto.conf and wait.sh until directed below.
  6. Install Netmaker - Instead of downloading and using sed commands to modify the docker-compose.yml, I suggest using the provided (in this repo) docker-compose.yml and sample.env file to store your private/config vars.
    • So, cp sample.env .env.
    • Get the SERVER_PUBLIC_IP with: ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'
    • Generate 2 unique values, one for MASTER_KEY and one for MQ_ADMIN_PASSWORD, by running this once per value: tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo ''
    • Modify this .env file similarly to how it is suggested by "Quick Start" step 5, but don't change anything in the docker-compose.yml file, and only change VALUES in the .env file, not the key/variable names themselves (the compose file references them by name).
    • Finally, ensure the /PATHTO values are modified in docker-compose.yml to be where you want to store the specified volume data and your acme.json (the file in which Traefik keeps its ACME account key and issued certificates).

Assuming you use /PATHTO, prepare the docker volumes and files like so:

mkdir -p /PATHTO/netmaker_sqldata
mkdir -p /PATHTO/netmaker_dnsconfig
mkdir -p /PATHTO/netmaker_mosquitto_data
mkdir -p /PATHTO/netmaker_mosquitto_logs
wget -O /PATHTO/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
wget -q -O /PATHTO/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/develop/docker/wait.sh
chmod +x /PATHTO/wait.sh
# acme.json holds the ACME account private key; Traefik refuses to use it unless it is mode 0600
touch /PATHTO/traefik_acme.json
chmod 600 /PATHTO/traefik_acme.json
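The .env and volume preparation above, wrapped in checkable shell functions, as an added example; this is not code from the netmaker-traefik repo. It assumes the base directory is passed as an argument in place of /PATHTO, that the .env keys are named MASTER_KEY, MQ_ADMIN_PASSWORD and SERVER_PUBLIC_IP as in the README, and that sed -i is GNU sed (Linux). The function names are my own.

```sh
#!/bin/sh
# Added example (not from the netmaker-traefik repo): Quick Start steps 5-6 as
# functions, so each result can be checked rather than typed and trusted.

# 30-character alphanumeric secret, the README's tr/urandom pipeline.
gen_secret() { tr -dc 'A-Za-z0-9' </dev/urandom | head -c 30; }

# Source address the kernel would use toward the Internet, as in the README.
public_ip() { ip route get 1 2>/dev/null | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'; }

# Replace the VALUE of KEY=... in an env file, leaving the key name intact.
# The key must already exist: a typo in the name fails loudly instead of
# silently adding a variable the compose file never reads.
# Values are expected to be alphanumeric (as gen_secret produces); '|' or '&'
# in a value would need escaping for sed.
set_env_value() {  # file key value
  grep -q "^$2=" "$1" || { echo "key $2 not present in $1" >&2; return 1; }
  sed -i "s|^$2=.*|$2=$3|" "$1"
}

# Create the bind-mount directories and the acme.json file; 0600 keeps other
# local users away from the ACME account key, and Traefik insists on it.
# touch (not >) so an existing acme.json with live certificates is never truncated.
prepare_volumes() {  # base directory (your /PATHTO)
  base=$1
  for d in netmaker_sqldata netmaker_dnsconfig netmaker_mosquitto_data netmaker_mosquitto_logs; do
    mkdir -p "$base/$d"
  done
  touch "$base/traefik_acme.json"
  chmod 600 "$base/traefik_acme.json"
}

# Octal mode of a file (GNU stat, BSD stat fallback), for verifying the chmod.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Typical use (PATHTO assumed to be /opt/netmaker here):
#   prepare_volumes /opt/netmaker
#   cp sample.env .env
#   set_env_value .env SERVER_PUBLIC_IP "$(public_ip)"
#   set_env_value .env MASTER_KEY "$(gen_secret)"
#   set_env_value .env MQ_ADMIN_PASSWORD "$(gen_secret)"
```

Because set_env_value edits values in place and refuses unknown keys, the two mistakes the README warns about (renaming a variable, or editing docker-compose.yml instead of .env) surface immediately instead of as a container that starts with an empty MASTER_KEY.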

Commentary

For your security, it is VERY IMPORTANT that your firewall (ufw in the Ubuntu/Debian case) ONLY allows inbound traffic on the ports desired, unless you know why you've allowed other ports.

As mentioned in "Quick Start" that is:

  • 80 (tcp): for LetsEncrypt certificate creation
  • 443 (tcp): for Dashboard and REST API
  • 51821-518XX (udp): for WireGuard

Note that although port 80 is open, the Traefik configuration redirects any plain-HTTP request to HTTPS. Port 80 is still required because Let's Encrypt's HTTP-01 challenge is answered on it during certificate issuance and renewal.
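To check that nothing beyond the three allowed port groups is reachable, here is a small audit script as an added example, not part of this repo. It compares listening sockets against the README's allowlist; the input is constructed ss-style output embedded in the script so it runs offline, and the WireGuard upper bound of 51830 is an assumption standing in for the README's 518XX. On a live host, feed it `ss -Hltun` instead.

```sh
#!/bin/sh
# Added example (not from the netmaker-traefik repo): flag listeners bound to a
# non-loopback address whose proto/port is outside the Quick Start allowlist.

# Ports that may be reachable from the Internet: "proto:port" or "proto:lo-hi".
# 51830 is an assumed upper bound for the README's 51821-518XX WireGuard range.
ALLOWED="tcp:80 tcp:443 udp:51821-51830"

# Return 0 if proto/port is covered by ALLOWED, 1 otherwise.
port_allowed() {
  proto=$1; port=$2
  for spec in $ALLOWED; do
    p=${spec%%:*}; range=${spec#*:}
    [ "$p" = "$proto" ] || continue
    case $range in
      *-*) lo=${range%-*}; hi=${range#*-}
           [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
      *)   [ "$port" -eq "$range" ] && return 0 ;;
    esac
  done
  return 1
}

# Read ss -Hltun style lines on stdin (Netid State Recv-Q Send-Q Local:Port Peer)
# and print one line per listener that is bound to something other than
# loopback and is not in the allowlist. Prints nothing when the host is clean.
find_exposed() {
  while read -r proto state _ _ local _; do
    [ -n "$proto" ] || continue
    port=${local##*:}
    addr=${local%:*}
    case $addr in 127.*|\[::1\]) continue ;; esac   # loopback-only is fine
    if ! port_allowed "$proto" "$port"; then
      printf 'EXPOSED %s %s\n' "$proto" "$local"
    fi
  done
}

# Constructed sample: the Traefik dashboard (8080) and a second mosquitto
# listener (1883) are bound to all interfaces, which a host firewall must block
# or the service must be bound privately; the 127.0.0.1:1883 line is fine.
SAMPLE='tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:1883 0.0.0.0:*
tcp LISTEN 0 4096 *:1883 *:*
udp UNCONN 0 0 0.0.0.0:51821 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51822 0.0.0.0:*'

# Run the audit over the constructed sample (use "ss -Hltun | find_exposed" live).
audit_sample() { printf '%s\n' "$SAMPLE" | find_exposed; }

audit_sample
```

The script reports what is listening, not what the firewall permits; run it alongside `ufw status` so that anything it flags is either covered by a deny rule or re-bound to the Docker network or loopback.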

Differences from Caddy Reference

This docker-compose.yml for Traefik differs from the reference docker-compose.caddy.yml in a few ways. This detail is provided for the curious.

  1. Traefik replaces Caddy and Traefik labels are added where appropriate, which Caddy does not use
  2. Traefik versions of the Caddyfile basic security headers are included in the docker-compose.yml as of version 0.11
  3. Docker definitions for sqldata, dnsconfig, and mosquitto volumes are fleshed out as local volume bind mounts
  4. All other changes are to support the use of .env instead of requiring edits to the docker-compose.yml file.
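For the curious, the Traefik 2.x pieces that take over what the Caddyfile did, as an added config fragment written for this page rather than copied from the repo's docker-compose.yml: a web entrypoint that redirects to websecure, an ACME resolver using the HTTP-01 challenge on port 80, and a headers middleware that mirrors the Caddyfile's basic security headers. The resolver name le, the middleware name secure-headers, the router name netmaker-ui, the NM_DOMAIN and ACME_EMAIL variables and the image tags are assumptions; the repo's real names may differ.

```yaml
# Added example config, not the repo's docker-compose.yml.
services:
  traefik:
    image: traefik:v2.9
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers get routed
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Every plain-HTTP request is redirected; port 80 exists only for ACME.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only does not make the socket safe: whoever talks to it is root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /PATHTO/traefik_acme.json:/acme.json   # must be mode 0600 on the host
  netmaker-ui:
    image: gravitl/netmaker-ui:v0.17.1   # tag assumed
    labels:
      - traefik.enable=true
      - traefik.http.routers.netmaker-ui.rule=Host(`dashboard.${NM_DOMAIN}`)
      - traefik.http.routers.netmaker-ui.entrypoints=websecure
      - traefik.http.routers.netmaker-ui.tls.certresolver=le
      - traefik.http.routers.netmaker-ui.middlewares=secure-headers
      # Traefik equivalents of the Caddyfile header block
      - traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.secure-headers.headers.browserXssFilter=true
      - traefik.http.middlewares.secure-headers.headers.customFrameOptionsValue=SAMEORIGIN
      - traefik.http.middlewares.secure-headers.headers.referrerPolicy=strict-origin-when-cross-origin
```

Two things to keep in mind with this shape: exposedbydefault=false means a container without traefik.enable=true is never published, so a forgotten label fails closed; and the Docker socket mount gives Traefik control of every container on the host, so the Traefik container deserves the same scrutiny as a root shell (a socket proxy that only permits read access to the containers API is the usual mitigation).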

Default Configuration Functionality

In this default configuration the netmaker server automatically registers itself as a client named netmaker-server-1 on each network created. However, instead of running a netclient process like typical clients, CLIENT_MODE: on means its client is embedded in the server. This allows simple automated behavior and enables both the UDP hole punching and egress gateway routing features, at the expense of being able to reach the host machine itself over a netmaker-managed network.