Hello Selfhosted peeps!

So I just got Traefik v3 setup inside my docker environment, and successfully got SSL certs for my services hosted within docker. However, I have an external device hosting PiHole and Wireguard-UI. I am looking to use the docker instance of Traefik v3 to obtain SSL certs for the internal use only for PiHole and Wireguard-UI.

I am still new to Traefik, and have no idea if this is possible, or how I would go about doing this.

Any tips, suggestions, links to documentation; I am all ears.

Video

Notes for above video

These 2 resources I utilized to help further my understanding.

Thank you

  • IHawkMike@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    No worries for the question. It’s not terribly intuitive.

    The configs live on the Traefik server. In my static traefik.yml config I have the following providers section, which adds the file provider in addition to the docker provider which you likely already have:

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
      file:
        directory: /config
        watch: true
    

    And in the /config folder mapped into the Traefik container I have several files for services external to docker. You can combine them or keep them separate since the watch: true setting tells it to read in all files (and it’s near instant when you create them, no need to restart Traefik).

    Here is my homeassistant.yml in that folder (I have a separate VM running HASS outside of Docker/Traefik):

    http:
      routers:
        homeassistant-rtr:
          entryPoints:
          - https
          service: homeassistant-svc
          rule: "Host(`home.example.com`)"
          tls:
            certResolver: examplecom-dns
    
      services:
        homeassistant-svc:
          loadBalancer:
            servers:
              - url: "http://hass1.internal.local:8123"
    

    Hope this helps!

    • Hellmo_luciferrari@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      4 months ago

      so in my traefik.yml file I have cloudflare set as my certresolver as follows:

      certificatesResolvers:
        cloudflare:
          acme:
            email: [email protected]
            storage: acme.json
            caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
            # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
            dnsChallenge:
              provider: cloudflare
              #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all aut>
              #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
              resolvers:
                - "1.1.1.1:53"
                - "1.0.0.1:53"
      
      

      And I had to get the secret mounted via the docker-compose file.

      So where you have:

      tls:

              certResolver: examplecom-dns
      
      

      Do I have to redefine all of the same information I did in my Traefik yml but in this separate config.yml?

      (I did set it up in my traefik.yml and docker-compose.yml to mount and use this config, which I had commented out for later use.


      Thank you so much for the help!


      Edit:

      Essentially I am trying to get my PiHole which is hosted on another pi setup with an SSL cert for local use only:

      So in looking at your config I tried using:

      http:
        routers:
          pihole-rtr:
            entryPoints:
            - https
            service: pihole-rtr
            rule: "Host(`ph.local.domain.com`)"
            tls:
              certResolver: cloudflare
      
        services:
          pihole-svc:
            loadBalancer:
              servers:
                - url: "http://<ip>/admin"
      

      However when doing this error logs returned:

      
      2024-07-08T15:04:27-04:00 ERR error="the service \"pihole-rtr@file\" does not exist" entryPointName=https routerName=pihole-rtr@file
      2024-07-08T15:04:28-04:00 ERR error="the service \"pihole-rtr@file\" does not exist" entryPointName=https routerName=pihole-rtr@file
      

      I am doing something very wrong… And feel a little lost.

      • IHawkMike@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        I think you’re close.

        You need to change service: pihole-rtr to service: pihole-svc.

        Do I have to redefine all of the same information I did in my Traefik yml but in this separate config.yml?

        No, you just need to reference it like you have. Define once, reference many.

        • Hellmo_luciferrari@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          I hate to report back, but something isn’t quite working for pihole behind Traefik.

          running “docker logs traefik” returns no error, and yet no certificate was presented to my pihole.

          Not sure what else I might be missing or that I might have wrong.

          • IHawkMike@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            Can you see the router and service in the Traefik dashboard and do they show any errors there?

              • IHawkMike@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                4 months ago

                If you’re sure you’ve got a DNS entry for the Pihole FQDN pointing at Traefik, open the dev panel in your browser (F12), switch it to the Network tab, and visit the pihole URL.

                See if you get anything back and especially take note of the HTTP status codes.

                • Hellmo_luciferrari@lemm.eeOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  4 months ago

                  I will likely have to do some tinkering, and more reading up on this from the documentation I am thinking. I am getting HTTP 200 statuses basically across the board. When going to the FQDN it doesn’t redirect to the PiHole admin page like I was expecting. Again, likely some configuration that I have wrong.

        • Hellmo_luciferrari@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          I will give this a shot! Thank you for the help. I will report back, in hopes that between your knowledge and my fumbles that someone else too can learn from this!