This is a sample Traefik configuration for running Netmaker. It's mostly based on the Netmaker Quick Start but using Traefik Proxy 2.9 instead of Caddy.
This version of the config supports Netmaker 0.17.1. Please review the Netmaker upgrade documentation to determine any required upgrade process.
Note that you can mostly follow the instructions from the Netmaker Quick Start except for a few differences.
Note: This example uses the community version of Netmaker.
- Prerequisites - as instructed
- Prepare DNS - as instructed
- Install Dependencies - as instructed
- Open Firewall - as instructed (though this config does expect you'll have a firewall allowing private access to your Traefik dashboard)
- Prepare MQ - as specified, but NOTE: our `docker-compose.yml` uses `/PATHTO/` as a placeholder rather than assuming `/root/`, so you may want to skip the wget of mosquitto.conf and wait.sh until directed below.
- Install Netmaker - Instead of downloading and using `sed` commands to modify the `docker-compose.yml`, I suggest using the provided (in this repo) `docker-compose.yml` and `sample.env` file to store your private/config vars.
  - So, `cp sample.env .env`.
  - Get the SERVER_PUBLIC_IP: `ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'`
  - Generate 2 unique values for MASTER_KEY/MQ_ADMIN_PASSWORD: `tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo ''`
  - Modify this `.env` file similarly to how it is suggested by "Quick Start" step 5, though don't change anything in the `docker-compose.yml` file, and only change VALUES in the `.env` file, not the key/variable names themselves.
  - Finally, ensure the `/PATHTO` values are modified in `docker-compose.yml` to be where you want to store the specified volume data and your `acme.json` (the file Traefik uses to track certificate management).

So, assuming you use `/PATHTO`, prepare the docker volumes and files like so:

```shell
mkdir -p /PATHTO/netmaker_sqldata
mkdir -p /PATHTO/netmaker_dnsconfig
mkdir -p /PATHTO/netmaker_mosquitto_data
mkdir -p /PATHTO/netmaker_mosquitto_logs
wget -O /PATHTO/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
wget -q -O /PATHTO/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/develop/docker/wait.sh
# wait.sh was downloaded into /PATHTO, so make it executable there
chmod +x /PATHTO/wait.sh
# acme.json holds your LetsEncrypt account key and certificates: owner-only permissions
touch /PATHTO/traefik_acme.json
chmod 600 /PATHTO/traefik_acme.json
```
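The preparation above as a reusable POSIX shell script, added here as an example that is not part of this repo or of Netmaker. Beyond creating the directories it checks the two things that matter for security in this setup: `traefik_acme.json` stays owner-only, and the `.env` you write keeps exactly the key names from `sample.env` (values changed, keys untouched). The function names `prepare_dirs`, `check_acme_perms`, `write_env` and `env_keys_match` are the example's own; it assumes `sample.env` contains `MASTER_KEY=` and `MQ_ADMIN_PASSWORD=` lines and that the first argument is whatever you substitute for `/PATHTO`.

```shell
#!/bin/sh
# Added example, not part of this repo or Netmaker: prepares the /PATHTO layout
# described above and verifies the security-relevant details.
# Assumptions: $1 is your /PATHTO; sample.env has MASTER_KEY= and MQ_ADMIN_PASSWORD= lines.

# 30-character alphanumeric secret, the same recipe as the Quick Start command.
gen_secret() {
  tr -dc A-Za-z0-9 </dev/urandom | head -c 30
}

# Create the bind-mount directories and an empty acme.json readable only by its owner.
prepare_dirs() {
  base="$1"
  for d in netmaker_sqldata netmaker_dnsconfig netmaker_mosquitto_data netmaker_mosquitto_logs; do
    mkdir -p "$base/$d" || return 1
  done
  touch "$base/traefik_acme.json" && chmod 600 "$base/traefik_acme.json"
}

# Succeeds only when the file is mode 600 (ls output is portable across Linux and BSD).
check_acme_perms() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Copy sample.env to .env, filling in only the VALUES of the two secret keys.
# Key names are left untouched so docker-compose.yml keeps resolving them.
write_env() {
  sample="$1"; target="$2"
  mk=$(gen_secret); mq=$(gen_secret)
  sed -e "s|^MASTER_KEY=.*|MASTER_KEY=$mk|" \
      -e "s|^MQ_ADMIN_PASSWORD=.*|MQ_ADMIN_PASSWORD=$mq|" "$sample" >"$target"
  chmod 600 "$target"
}

# Succeeds when both files declare exactly the same set of variable names,
# i.e. you changed values only, not keys.
env_keys_match() {
  a=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort)
  b=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$2" | sort)
  [ "$a" = "$b" ]
}
```

Run `prepare_dirs /PATHTO && write_env sample.env .env && env_keys_match sample.env .env` before `docker-compose up`; a failing `env_keys_match` means a key name was edited, which is exactly the mistake the step above warns against.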
For your security, it is VERY IMPORTANT that your firewall (`ufw` in the Ubuntu/Debian case) ONLY allows inbound traffic on the ports desired, unless you know why you've allowed other ports.
As mentioned in "Quick Start" that is:
- 80 (tcp): for LetsEncrypt certificate creation
- 443 (tcp): for Dashboard and REST API
- 51821-518XX (udp): for WireGuard
Note that though port 80 is open, the Traefik configuration auto-redirects any non-secure HTTP requests to HTTPS. The port IS required, though, to enable LetsEncrypt certificate creation.
This `docker-compose.yml` for Traefik differs from the reference `docker-compose.caddy.yml` in a few ways. This detail is provided for the curious.
- Traefik replaces Caddy, and Traefik `labels` are added where appropriate, which Caddy does not use
- Traefik versions of the Caddyfile basic security headers are included in the docker-compose.yml as of version 0.11
- Docker definitions for `sqldata`, `dnsconfig`, and `mosquitto` volumes are fleshed out as local volume bind mounts
- All other changes are to support the use of `.env` instead of requiring edits to the `docker-compose.yml` file.
In this default configuration the `netmaker` server automatically registers itself as a client named `netmaker-server-1` for each network created. However, instead of running a `netclient` process like typical clients, `CLIENT_MODE: on` means its client is embedded in the server. This allows simple automated behavior and enables both the UDP hole punching and egress gateway routing features, at the expense of the ability to connect to the host machine via a `netmaker`-managed network.