Diffstat (limited to 'content/blog')
-rw-r--r-- | content/blog/tailscale-docker-https.md | 120 |
1 files changed, 62 insertions, 58 deletions
diff --git a/content/blog/tailscale-docker-https.md b/content/blog/tailscale-docker-https.md index 9a836d9..5a40809 100644 --- a/content/blog/tailscale-docker-https.md +++ b/content/blog/tailscale-docker-https.md @@ -20,23 +20,25 @@ The public domain I'm using is managed through [Google Cloud Domain](https://clo For routing the traffic I use [traefik](https://traefik.io/). The configuration for traefik looks like this: - global: - sendAnonymousUsage: false - providers: - docker: - exposedByDefault: false - entryPoints: - http: - address: ":80" - https: - address: ":443" - certificatesResolvers: - dash: - acme: - email: franck@fcuny.net - storage: acme.json - dnsChallenge: - provider: gcloud +```yaml +global: + sendAnonymousUsage: false +providers: + docker: + exposedByDefault: false +entryPoints: + http: + address: ":80" + https: + address: ":443" +certificatesResolvers: + dash: + acme: + email: franck@fcuny.net + storage: acme.json + dnsChallenge: + provider: gcloud +``` The important bit here is the `certificatesResolvers` part. I'll be using the [dnsChallenge](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/) instead of the [httpChallenge](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/) to obtain the certificate from let's encrypt. For this to work, I need to specify the `provider` to be [gcloud](https://go-acme.github.io/lego/dns/gcloud/). I'll also need a service account (see [this doc](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application) to create it). I run `traefik` in a docker container, and the `systemd` unit file is below. The required bits for using the `dnsChallenge` with `gcloud` are: 
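Review bot: `storage: acme.json` in the `certificatesResolvers` block is a relative path, and this file holds the ACME account key plus the private keys of every certificate the resolver obtains; give it an absolute path on a mounted volume so it survives container recreation, and keep it mode 0600 (traefik checks the permissions of this file and complains when they are wider). The paragraph after the block says a service account is needed for the `gcloud` provider but not what it is allowed to do; state the minimum DNS permission on the zone that the challenge needs, since this key is mounted into the proxy container and readers will otherwise grant a project-wide role.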
@@ -44,7 +46,7 @@ The important bit here is the `certificatesResolvers` part. I'll be using the [d - the environment variable `GCP_PROJECT`: the name of the GCP project - mounting the service account file inside the container (I store it on the host under `/data/containers/traefik/config/sa.json`) -```systemd +```ini [Unit] Description=traefik proxy Documentation=https://doc.traefik.io/traefik/ 
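Review bot: the fence change from `systemd` to `ini` is fine for highlighters without a systemd grammar, but the bullet just above it about mounting the service-account key (`/data/containers/traefik/config/sa.json`) should also say to mount it read-only and to keep it readable only by the user traefik runs as; that key is what lets anything running in the container change DNS records for the domain, so it deserves the same handling as the ACME storage file.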
@@ -77,45 +79,47 @@ WantedBy=multi-user.target As an example, I run [grafana](https://grafana.com/) on my home network to view metrics from the various containers / hosts. Let's pretend I use `example.net` as my domain. I want to be able to access `grafana` via <https://dash.example.net>. Here's the `systemd` unit configuration I use for this: - [Unit] - Description=Grafana in a docker container - Documentation=https://grafana.com/docs/ - After=docker.service - Requires=docker.service - - [Service] - Restart=on-failure - RuntimeDirectory=grafana - ExecStartPre=-/usr/bin/docker kill grafana-server - ExecStartPre=-/usr/bin/docker rm grafana-server - ExecStartPre=-/usr/bin/docker pull grafana/grafana:latest - - ExecStart=/usr/bin/docker run \ - -p 3000:3000 \ - -e TZ='America/Los_Angeles' \ - --name grafana-server \ - -v /data/containers/grafana/etc/grafana:/etc/grafana \ - -v /data/containers/grafana/var/lib/grafana:/var/lib/grafana \ - -v /data/containers/grafana/var/log/grafana:/var/log/grafana \ - --user=grafana \ - --label traefik.enable=true \ - --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.scheme=https \ - --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.permanent=true \ - --label traefik.http.routers.grafana-http.rule=Host(`dash.example.net`) \ - --label traefik.http.routers.grafana-http.entrypoints=http \ - --label traefik.http.routers.grafana-http.service=grafana-svc \ - --label traefik.http.routers.grafana-http.middlewares=grafana-https-redirect \ - --label traefik.http.routers.grafana-https.rule=Host(`dash.example.net`) \ - --label traefik.http.routers.grafana-https.entrypoints=https \ - --label traefik.http.routers.grafana-https.tls=true \ - --label traefik.http.routers.grafana-https.tls.certresolver=dash \ - --label traefik.http.routers.grafana-https.service=grafana-svc \ - --label traefik.http.services.grafana-svc.loadbalancer.server.port=3000 \ - grafana/grafana:latest - - ExecStop=/usr/bin/docker stop 
unifi-controller - - [Install] - WantedBy=multi-user.target +```ini +[Unit] +Description=Grafana in a docker container +Documentation=https://grafana.com/docs/ +After=docker.service +Requires=docker.service + +[Service] +Restart=on-failure +RuntimeDirectory=grafana +ExecStartPre=-/usr/bin/docker kill grafana-server +ExecStartPre=-/usr/bin/docker rm grafana-server +ExecStartPre=-/usr/bin/docker pull grafana/grafana:latest + +ExecStart=/usr/bin/docker run \ + -p 3000:3000 \ + -e TZ='America/Los_Angeles' \ + --name grafana-server \ + -v /data/containers/grafana/etc/grafana:/etc/grafana \ + -v /data/containers/grafana/var/lib/grafana:/var/lib/grafana \ + -v /data/containers/grafana/var/log/grafana:/var/log/grafana \ + --user=grafana \ + --label traefik.enable=true \ + --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.scheme=https \ + --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.permanent=true \ + --label traefik.http.routers.grafana-http.rule=Host(`dash.example.net`) \ + --label traefik.http.routers.grafana-http.entrypoints=http \ + --label traefik.http.routers.grafana-http.service=grafana-svc \ + --label traefik.http.routers.grafana-http.middlewares=grafana-https-redirect \ + --label traefik.http.routers.grafana-https.rule=Host(`dash.example.net`) \ + --label traefik.http.routers.grafana-https.entrypoints=https \ + --label traefik.http.routers.grafana-https.tls=true \ + --label traefik.http.routers.grafana-https.tls.certresolver=dash \ + --label traefik.http.routers.grafana-https.service=grafana-svc \ + --label traefik.http.services.grafana-svc.loadbalancer.server.port=3000 \ + grafana/grafana:latest + +ExecStop=/usr/bin/docker stop unifi-controller + +[Install] +WantedBy=multi-user.target +``` Now I can access my grafana instance via HTTPS (and <http://dash.example.net> would redirect to HTTPS) while my tailscale interface is up on the machine I'm using (e.g. my desktop or my phone). |
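Review bot: `ExecStop=/usr/bin/docker stop unifi-controller` stops the wrong container; this unit starts `grafana-server`, so the line should read `ExecStop=/usr/bin/docker stop grafana-server`, otherwise `systemctl stop` leaves grafana running (the name looks copied from another unit). Separately, `-p 3000:3000` publishes grafana over plain HTTP on every host interface, which bypasses the TLS and HTTPS-redirect routers the labels configure; traefik reaches the container over the docker network via `traefik.http.services.grafana-svc.loadbalancer.server.port=3000`, so the `-p` can be dropped, or at least bound to loopback or the tailscale address. Pinning `grafana/grafana:latest` to a version or digest would also make the `docker pull` in `ExecStartPre` reproducible rather than pulling whatever the tag points at on each restart.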