Diffstat (limited to 'content')
-rw-r--r--content/blog/tailscale-docker-https.md120
1 files changed, 62 insertions, 58 deletions
diff --git a/content/blog/tailscale-docker-https.md b/content/blog/tailscale-docker-https.md
index 9a836d9..5a40809 100644
--- a/content/blog/tailscale-docker-https.md
+++ b/content/blog/tailscale-docker-https.md
@@ -20,23 +20,25 @@ The public domain I'm using is managed through [Google Cloud Domain](https://clo
 
 For routing the traffic I use [traefik](https://traefik.io/). The configuration for traefik looks like this:
 
-    global:
-      sendAnonymousUsage: false
-    providers:
-      docker:
-        exposedByDefault: false
-    entryPoints:
-      http:
-        address: ":80"
-      https:
-        address: ":443"
-    certificatesResolvers:
-      dash:
-        acme:
-          email: franck@fcuny.net
-          storage: acme.json
-          dnsChallenge:
-            provider: gcloud
+```yaml
+global:
+  sendAnonymousUsage: false
+providers:
+  docker:
+    exposedByDefault: false
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+certificatesResolvers:
+  dash:
+    acme:
+      email: franck@fcuny.net
+      storage: acme.json
+      dnsChallenge:
+        provider: gcloud
+```
 
 The important bit here is the `certificatesResolvers` part. I'll be using the [dnsChallenge](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/) instead of the [httpChallenge](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/) to obtain the certificate from let's encrypt. For this to work, I need to specify the `provider` to be [gcloud](https://go-acme.github.io/lego/dns/gcloud/). I'll also need a service account (see [this doc](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application) to create it). I run `traefik` in a docker container, and the `systemd` unit file is below. The required bits for using the `dnsChallenge` with `gcloud` are:
 
@@ -44,7 +46,7 @@ The important bit here is the `certificatesResolvers` part. I'll be using the [d
 - the environment variable `GCP_PROJECT`: the name of the GCP project
 - mounting the service account file inside the container (I store it on the host under `/data/containers/traefik/config/sa.json`)
 
-```systemd
+```ini
 [Unit]
 Description=traefik proxy
 Documentation=https://doc.traefik.io/traefik/
@@ -77,45 +79,47 @@ WantedBy=multi-user.target
 
 As an example, I run [grafana](https://grafana.com/) on my home network to view metrics from the various containers / hosts. Let's pretend I use `example.net` as my domain. I want to be able to access `grafana` via <https://dash.example.net>. Here's the `systemd` unit configuration I use for this:
 
-    [Unit]
-    Description=Grafana in a docker container
-    Documentation=https://grafana.com/docs/
-    After=docker.service
-    Requires=docker.service
-
-    [Service]
-    Restart=on-failure
-    RuntimeDirectory=grafana
-    ExecStartPre=-/usr/bin/docker kill grafana-server
-    ExecStartPre=-/usr/bin/docker rm grafana-server
-    ExecStartPre=-/usr/bin/docker pull grafana/grafana:latest
-
-    ExecStart=/usr/bin/docker run \
-      -p 3000:3000 \
-      -e TZ='America/Los_Angeles' \
-      --name grafana-server \
-      -v /data/containers/grafana/etc/grafana:/etc/grafana \
-      -v /data/containers/grafana/var/lib/grafana:/var/lib/grafana \
-      -v /data/containers/grafana/var/log/grafana:/var/log/grafana \
-      --user=grafana \
-      --label traefik.enable=true \
-      --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.scheme=https \
-      --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.permanent=true \
-      --label traefik.http.routers.grafana-http.rule=Host(`dash.example.net`) \
-      --label traefik.http.routers.grafana-http.entrypoints=http \
-      --label traefik.http.routers.grafana-http.service=grafana-svc \
-      --label traefik.http.routers.grafana-http.middlewares=grafana-https-redirect \
-      --label traefik.http.routers.grafana-https.rule=Host(`dash.example.net`) \
-      --label traefik.http.routers.grafana-https.entrypoints=https \
-      --label traefik.http.routers.grafana-https.tls=true \
-      --label traefik.http.routers.grafana-https.tls.certresolver=dash \
-      --label traefik.http.routers.grafana-https.service=grafana-svc \
-      --label traefik.http.services.grafana-svc.loadbalancer.server.port=3000 \
-      grafana/grafana:latest
-
-    ExecStop=/usr/bin/docker stop unifi-controller
-
-    [Install]
-    WantedBy=multi-user.target
+```ini
+[Unit]
+Description=Grafana in a docker container
+Documentation=https://grafana.com/docs/
+After=docker.service
+Requires=docker.service
+
+[Service]
+Restart=on-failure
+RuntimeDirectory=grafana
+ExecStartPre=-/usr/bin/docker kill grafana-server
+ExecStartPre=-/usr/bin/docker rm grafana-server
+ExecStartPre=-/usr/bin/docker pull grafana/grafana:latest
+
+ExecStart=/usr/bin/docker run \
+  -p 3000:3000 \
+  -e TZ='America/Los_Angeles' \
+  --name grafana-server \
+  -v /data/containers/grafana/etc/grafana:/etc/grafana \
+  -v /data/containers/grafana/var/lib/grafana:/var/lib/grafana \
+  -v /data/containers/grafana/var/log/grafana:/var/log/grafana \
+  --user=grafana \
+  --label traefik.enable=true \
+  --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.scheme=https \
+  --label traefik.http.middlewares.grafana-https-redirect.redirectscheme.permanent=true \
+  --label traefik.http.routers.grafana-http.rule=Host(`dash.example.net`) \
+  --label traefik.http.routers.grafana-http.entrypoints=http \
+  --label traefik.http.routers.grafana-http.service=grafana-svc \
+  --label traefik.http.routers.grafana-http.middlewares=grafana-https-redirect \
+  --label traefik.http.routers.grafana-https.rule=Host(`dash.example.net`) \
+  --label traefik.http.routers.grafana-https.entrypoints=https \
+  --label traefik.http.routers.grafana-https.tls=true \
+  --label traefik.http.routers.grafana-https.tls.certresolver=dash \
+  --label traefik.http.routers.grafana-https.service=grafana-svc \
+  --label traefik.http.services.grafana-svc.loadbalancer.server.port=3000 \
+  grafana/grafana:latest
+
+ExecStop=/usr/bin/docker stop unifi-controller
+
+[Install]
+WantedBy=multi-user.target
+```
 
 Now I can access my grafana instance via HTTPS (and <http://dash.example.net> would redirect to HTTPS) while my tailscale interface is up on the machine I'm using (e.g. my desktop or my phone).