Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- dienste:bytecluster0002:traefik [27.09.2020 21:52] – chaos
+++ dienste:bytecluster0002:traefik [12.12.2020 20:55] (aktuell) – mape2k
@@ Zeile 1: / Zeile 1: @@
-create CT
+====== Container 'traefik' ======
-Template Debian-10-bytecluster-with-users
+===== Ressourcen =====
-Root Disk: 16G
+  * 0.5 GB RAM
+  * 1 Cores
+  * 8 GB HDD (root-fs)
-Cpu: 1
+===== System =====
-mem: 512mb
+  * interne IPs
+    * 10.2.0.1, fd00:10:2:0::1
-Network
+===== Dienste =====
-eth0 static with 10.2.0.1/24
+  * Traefik (Loadbalancer, SSL-Terminierung)
-GW 10.2.0.254
+===== Betrieb =====
-DNS use host
+==== Routing für Domain anlegen ====
+  - DNS-Eintrag anlegen
+    * Name: **Subdomain** der entsprechenden Domain
+    * Typ: **CNAME**
+    * Wert: **bytecluster0002.bytespeicher.org**
+    * TTL: **3600**
+  - Konfiguration anlegen
+    - Beispiel für einfachen Webdienst auf einem anderen Port<file|/etc/traefik/conf/testwiki.conf>
+[http.services]
+  [http.services.testwiki.loadbalancer]
+    [[http.services.testwiki.loadbalancer.servers]]
+      # Internal Destination URL and port
+      url = "http://10.2.0.10:8088"
-Login:
+[http.routers]
-<code>
+  [http.routers.testwiki]
-wget https://github.com/traefik/traefik/releases/download/v2.3.0/traefik_v2.3.0_linux_amd64.tar.gz
+    entryPoints = [ "https"]
+    # Domain used for service
+    rule = "Host(`testwiki.technikkultur-erfurt.de`)"
+    # Servicename used in http.services.SERVICENAME.loadbalancer above
+    service = "testwiki"
+    [http.routers.wiki.tls]
+      # Use Let's Encrypt
+      certResolver = "letsencrypt"
+</file>
+===== Installation =====
-git clone https://github.com/Bytespeicher/traefik
+  * Standard-Template mit Benutzern
-cd traefik
+==== Traefik ====
-tar xfz traefik_v2.3.0_linux_amd64.tar.gz
+  - Traefik herunterladen
+    * **wget https://github.com/traefik/traefik/releases/download/v2.3.1/traefik_v2.3.1_linux_amd64.tar.gz**
+  - Verzeichnisse erstellen
+    * **sudo mkdir /opt/traefik**
+    * **sudo mkdir -p /etc/traefik/{acme,conf}**
+    * **sudo mkdir /var/log/traefik**
+  - Traefik-Archiv auspacken und entfernen
+    * **<nowiki>sudo tar -xvzf traefik_v2.3.1_linux_amd64.tar.gz --directory=/opt/traefik</nowiki>**
+    * **rm traefik_v2.3.1_linux_amd64.tar.gz**
+  - Benutzer und Gruppe anlegen
+    * **<nowiki>sudo groupadd --gid 321 traefik</nowiki>**
+    * **<nowiki>sudo useradd --gid traefik --no-user-group --home-dir /opt/traefik --no-create-home --shell /usr/sbin/nologin --system --uid 321 traefik</nowiki>**
+  - Konfiguration anlegen
+    * **TODO**
+  - Service Unit anlegen<file|/etc/systemd/system/traefik.service>
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
-rm traefik_v2.3.0_linux_amd64.tar.gz
+[Service]
+Restart=on-abnormal
-sudo cp /path/to/traefik /usr/local/bin
+; User and group the process will run as.
+User=traefik
+Group=traefik
-sudo chown root:root /usr/local/bin/traefik
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/opt/traefik/traefik --configfile=/etc/traefik/traefik.toml
-sudo chmod 755 /usr/local/bin/traefik
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
-sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; ... except /etc/traefik/acme, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/traefik/acme
-sudo groupadd -g 321 traefik
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
-sudo useradd   -g traefik --no-user-group --home-dir /var/www --no-create-home   --shell /usr/sbin/nologin   --system --uid 321 traefik
+[Install]
+WantedBy=multi-user.target
+</file>
+  - Berechtigungen setzen
+    * **sudo chown -R traefik:traefik /{opt,etc,var/log}/traefik**
+    * **sudo chmod 750 /opt/traefik/traefik**
+    * **sudo chmod 644 /etc/systemd/system/traefik.service**
+    * **sudo chown root:root /etc/systemd/system/traefik.service**
+    * **sudo chmod 644 /etc/logrotate.d/traefik**
+    * **sudo chown root:root /etc/logrotate.d/traefik**
+  - Traefik dauerhaft aktivieren und gleichzeitig starten
+    * **sudo systemctl daemon-reload**
+    * **sudo systemctl enable --now traefik.service**
-sudo mkdir /etc/traefik /var/lib/traefik /var/log/traefik
+==== Backup mit Borgmatic ====
-sudo mkdir /etc/traefik/acme
+  * siehe [[mariadb]]
-sudo chown -R root:root /etc/traefik
-sudo chown -R traefik:traefik /etc/traefik/acme
-sudo touch /var/log/traefik/traefik.log
-sudo chown traefik:traefik /var/log/traefik/traefik.log
-sudo mv *.toml /etc/traefik/
-sudo chown root:root /etc/traefik/*.toml
-sudo chmod 644 /etc/traefik/*.toml
-sudo mv traefik.service /etc/systemd/system/
-sudo chown root:root /etc/systemd/system/traefik.service
-sudo chmod 644 /etc/systemd/system/traefik.service
-sudo systemctl daemon-reload
-sudo systemctl start traefik.service
-sudo systemctl enable traefik.service
-</code>