This is a sample Traefik configuration for running Netmaker. It's mostly based on the Netmaker Quick Start but uses Traefik Proxy 2.9 instead of Caddy.
This version of the config supports Netmaker 0.17.1. Please review the Netmaker upgrade documentation to determine any required upgrade process.
Note you can mostly follow the instructions from the Netmaker Quick Start except for a few differences:
- This example uses the community version of Netmaker.
- `docker-compose.yml` uses `/PATHTO/` as a placeholder rather than assuming `/root/`, so you may want to skip the `wget` of `mosquitto.conf` and `wait.sh` until directed below.
- The Quick Start uses `sed` commands to modify `docker-compose.yml` in place. Instead, I suggest using the provided (in this repo) `docker-compose.yml` and `sample.env` file to store your private/config vars.
Copy the sample environment file and fill in your own values:

```
cp sample.env .env
```

To find the server's primary IP address (the Quick Start recipe):

```
ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'
```

To generate a random 30-character alphanumeric secret for the values the Quick Start tells you to randomize:

```
tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo ''
```

Edit the `.env` file similarly to how it is suggested by "Quick Start" step 5, though don't change anything in the `docker-compose.yml` file, and only change VALUES in the `.env` file, not the key/variable names themselves.

The `/PATHTO` values in `docker-compose.yml` are modified to be where you want to store the specified volume data and your `acme.json` (the file Traefik uses to track certificate management). Assuming you use `/PATHTO`, prepare the docker volumes and files like so:
```
mkdir -p /PATHTO/netmaker_sqldata
mkdir -p /PATHTO/netmaker_dnsconfig
mkdir -p /PATHTO/netmaker_mosquitto_data
mkdir -p /PATHTO/netmaker_mosquitto_logs
wget -O /PATHTO/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
wget -q -O /PATHTO/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/develop/docker/wait.sh
chmod +x /PATHTO/wait.sh
touch /PATHTO/traefik_acme.json
chmod 600 /PATHTO/traefik_acme.json
```

The `chmod 600` is not optional: `acme.json` holds the Let's Encrypt account key and the private keys of every issued certificate, and Traefik refuses to use the file if its permissions are broader than 0600.
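As an added example (not code from this repo or from Netmaker), the preparation steps above collected into one script: the base path is passed in instead of being hard-coded, `.env` values are replaced without ever adding or renaming a key, and a check confirms that `acme.json` has exactly mode 0600. The script name `prepare.sh`, the `prepare` subcommand, the function names and the `MASTER_KEY`/`OTHER` keys used for illustration are assumptions; the download URLs and the IP/secret recipes are the ones from this page.

```bash
#!/usr/bin/env bash
# Added example, not part of this repo: prepare the /PATHTO layout described
# above with the base path passed in as an argument, and fill .env values
# without touching key names. Network fetches live in their own function so
# everything else can be exercised offline. Runs under bash or POSIX sh.
set -eu

# 30-character alphanumeric secret, the same recipe as in the text above.
# LC_ALL=C keeps tr byte-oriented so it never trips over the locale.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 30
}

# Primary IPv4 address of the default route (the Quick Start recipe).
server_ip() {
  ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'
}

# Replace the VALUE of an existing KEY=... line in an env file. Refuses to add
# keys, matching the advice to change values only, never variable names.
# The value must not contain '|', '&' or '\' (sed delimiter/replacement specials).
set_env_value() {
  local key="$1" value="$2" file="$3" tmp
  grep -q "^${key}=" "$file" || { echo "no key '${key}' in ${file}" >&2; return 1; }
  tmp="${file}.tmp.$$"
  sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Create the bind-mount directories and an empty acme.json readable only by
# its owner. Traefik refuses an acme.json with permissions broader than 0600,
# so the umask makes a new file correct at creation and the chmod fixes an
# existing one.
prepare_layout() {
  local base="$1" d
  for d in netmaker_sqldata netmaker_dnsconfig netmaker_mosquitto_data netmaker_mosquitto_logs; do
    mkdir -p "$base/$d"
  done
  ( umask 077; touch "$base/traefik_acme.json" )
  chmod 600 "$base/traefik_acme.json"
}

# Download mosquitto.conf and wait.sh into the layout (needs network access).
fetch_configs() {
  local base="$1"
  wget -q -O "$base/mosquitto.conf" https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
  wget -q -O "$base/wait.sh" https://raw.githubusercontent.com/gravitl/netmaker/develop/docker/wait.sh
  chmod +x "$base/wait.sh"
}

# Returns 0 only if acme.json exists and its mode is exactly 0600.
check_acme_perms() {
  local f="$1/traefik_acme.json"
  [ -f "$f" ] && [ -n "$(find "$f" -prune -perm 600 -print)" ]
}

# Usage: ./prepare.sh prepare /PATHTO   (script name and subcommand are assumptions)
if [ "${1:-}" = "prepare" ] && [ -n "${2:-}" ]; then
  prepare_layout "$2"
  fetch_configs "$2"
  check_acme_perms "$2" && echo "layout ready under $2"
fi
```

`set_env_value` fails rather than silently appending when the key is absent, which catches a typo in a variable name before `docker compose` reads the file; `check_acme_perms` is useful after any restore from backup, where copying tools commonly widen the mode to 0644.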
For your security, it is VERY IMPORTANT that your firewall (`ufw` in the Ubuntu/Debian case) ONLY allows inbound traffic on the ports you actually need, unless you know why you've allowed other ports. The required ports are the ones listed in the "Quick Start". After applying the rules, confirm them with `ufw status verbose`.
Note that though port 80 is open, the Traefik configuration auto-redirects any non-secure HTTP requests to HTTPS. The port IS required, though, for Let's Encrypt's HTTP challenge during certificate creation.
This `docker-compose.yml` for Traefik differs from the reference `docker-compose.caddy.yml` in a few ways. This detail is provided for the curious.

- Traefik `labels` are added where appropriate, which Caddy does not use.
- The `sqldata`, `dnsconfig`, and `mosquitto` volumes are fleshed out as local bind mounts.
- Private/config values are read from `.env` instead of requiring edits to the `docker-compose.yml` file.
- In this default configuration the `netmaker` server automatically registers itself as a client named `netmaker-server-1` for each network created. However, instead of running a `netclient` process like typical clients, `CLIENT_MODE: on` means its client is embedded in the server. This allows simple automated behavior and enables both the UDP hole punching and egress gateway routing features, at the expense of the ability to connect to the host machine via a `netmaker`-managed network.