Open Aetherinox opened 1 month ago
thomiceli
commented
1 month ago For the first part i need to investigate a bit,
For the second it's a blunder from my side since the healthcheck URL is hardcoded to call Opengist on port 6157... it should be a variable instead
thomiceli
commented
4 weeks ago Do you mind sharing your traefik conf ? Never worked with it but my first guess would be it tries to connect to the SSH server via a password instead of a key
Aetherinox
commented
4 weeks ago Yeah, I'll drop them all here. I'll throw a quick set of instructions. Traefik can be sort of a time killer if you've never set it up before.
A side note, I opted to use port 2222 for SSH in general. So I switched Gitea's SSH port from 22 over to 2222 that way I only had to add one entry for Traefik.
docker network create --driver=bridge --subnet=172.18.0.0/16 --gateway=172.18.0.1 traefikHere are the list of dirs / files you need.
Traefik stores SSL certs inside acme.json, so create blank files and chmod 600 them. They will be populated when you start Traefik with certificates. They must be chmod 600 or Traefik won't work.
cd /path/to/container/home
sudo touch docker-compose.yml
sudo touch .env
sudo mkdir -p /config
sudo touch /config/traefik.yml
sudo mkdir -p /ssl/{cloudflare,letsencrypt}
sudo touch /ssl/cloudflare/acme.json
sudo touch /ssl/letsencrypt/acme.json
sudo chmod 600 ssl/cloudflare/acme.json
sudo chmod 600 ssl/letsencrypt/acme.jsonservices:
traefik:
container_name: traefik
image: traefik:latest
hostname: ${TRAEFIK_SUBDOMAIN}.${SERVER_DOMAIN}
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/localtime:/etc/localtime:ro
- ${PWD}/config/traefik.yml:/etc/traefik/traefik.yml:ro
- ${PWD}/config/dynamic.yml:/etc/traefik/dynamic.yml:ro
- ${PWD}/ssl/cloudflare/acme.json:/cloudflare/acme.json
- ${PWD}/ssl/letsencrypt/acme.json:/letsencrypt/acme.json
networks:
traefik:
ipv4_address: '${TRAEFIK_IP}'
environment:
- PUID=${UID}
- PGID=${GID}
- CF_API_EMAIL=${CF_DNS_EMAIL}
- CLOUDFLARE_DNS_API_TOKEN=${CF_API_TOKEN}
- CLOUDFLARE_ZONE_API_TOKEN=${CF_API_TOKEN}
ports:
- 80:80
- 443:443
- 8080:8080
# - 127.0.0.1:8080:8080
labels:
# ------------------------------------------------------------------------------------------------------
# General
# ------------------------------------------------------------------------------------------------------
- traefik.enable=true
- traefik.constraint-label=traefik
- traefik.docker.network=${SERVER_NETWORK}
# ------------------------------------------------------------------------------------------------------
# Scope > http
# ------------------------------------------------------------------------------------------------------
- traefik.http.routers.traefik-http.rule=Host(`${SERVER_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) || Host(`${TRAEFIK_SUBDOMAIN}.localhost`) || Host(`${TRAEFIK_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`www.${TRAEFIK_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`${TRAEFIK_IP}`)
- traefik.http.routers.traefik-http.service=api@internal
- traefik.http.routers.traefik-http.entrypoints=http
- traefik.http.routers.traefik-http.middlewares=https-redirect@file
# ------------------------------------------------------------------------------------------------------
# Scope > https
# ------------------------------------------------------------------------------------------------------
- traefik.http.routers.traefik-https.entrypoints=https
- traefik.http.routers.traefik-https.rule=Host(`${SERVER_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) || Host(`${TRAEFIK_SUBDOMAIN}.localhost`) || Host(`${TRAEFIK_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`www.${TRAEFIK_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`${TRAEFIK_IP}`)
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=cloudflare
- traefik.http.routers.traefik-https.tls.domains[0].main=${SERVER_DOMAIN}
- traefik.http.routers.traefik-https.tls.domains[0].sans=*.${SERVER_DOMAIN}
- traefik.http.routers.traefik-https.service=api@internal
# ------------------------------------------------------------------------------------------------------
# Services / Load Balancer
# ------------------------------------------------------------------------------------------------------
- traefik.http.services.traefik.loadbalancer.server.port=${TRAEFIK_PORT_MAIN}
- traefik.http.services.traefik.loadbalancer.server.scheme=${TRAEFIK_PROT_MAIN}
networks:
traefik:
name: ${SERVER_NETWORK}
external: true
# ------------------------------
# Domain Name
# ------------------------------
SERVER_DOMAIN=DOMAIN.COM
SERVER_IP=XX.XX.XX.XX
SERVER_NETWORK=traefik
# ------------------------------
# Group & User ID
# ------------------------------
UID=143
GID=997
# ------------------------------
# Services
# ------------------------------
TRAEFIK_SUBDOMAIN=traefik
TRAEFIK_IP=172.18.0.2
TRAEFIK_PORT_MAIN=8080
TRAEFIK_PROT_MAIN=http
# ------------------------------
# Cloudflare
# ------------------------------
CF_DNS_EMAIL=emailaddy@forcloudflare.com
CF_API_TOKEN=YOUR_API_TOKEN
This is the Traefik static file. Changes to this file require Traefik to be restarted.
global:
checkNewVersion: false
sendAnonymousUsage: false
log:
level: TRACE
format: "common"
api:
dashboard: true
insecure: true
entryPoints:
ssh:
address: :2222/tcp
traefik:
address: :8080
http:
address: :80
forwardedHeaders:
trustedIPs: &trustedIps
# Cloudlare Public IP List > Start > for HTTP requests, remove this if you don't use it; https://cloudflare.com/de-de/ips/
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 104.16.0.0/13
- 104.24.0.0/14
- 108.162.192.0/18
- 131.0.72.0/22
- 141.101.64.0/18
- 162.158.0.0/15
- 172.64.0.0/13
- 173.245.48.0/20
- 188.114.96.0/20
- 190.93.240.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: :443
forwardedHeaders:
trustedIPs: *trustedIps
http:
tls:
certResolver: cloudflare
domains:
- main: domain.com
sans:
- '*.domain.com'
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: traefik
watch: true
file:
filename: "/etc/traefik/dynamic.yml"
watch: true
certificatesResolvers:
cloudflare:
acme:
email: cloudflareemail@address.com
storage: /cloudflare/acme.json
dnsChallenge:
provider: cloudflare
delaybeforecheck: 10
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
myresolver:
acme:
email: cloudflareemail@address.com
storage: /letsencrypt/acme.json
httpChallenge:
entryPoint: httpThis is the Traefik dynamic file, basically forces http to https. You do not need to restart Traefik to make changes to this file and they automatically apply:
http:
middlewares:
https-redirect:
redirectScheme:
scheme: "https"
permanent: true
services:
opengist:
container_name: opengist
image: ghcr.io/thomiceli/opengist:1
hostname: ${SERVICE_SUBDOMAIN}.${SERVER_DOMAIN}
restart: always
volumes:
- ${PWD}/data:/opengist
ports:
- ${SERVICE_PORT_SSH}:2222
healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:80/healthcheck']
interval: 200s
timeout: 200s
retries: 5
environment:
UID: ${UID}
GID: ${GID}
OG_LOG_LEVEL: ${OG_LOG_LEVEL}
OG_GITEA_CLIENT_KEY: ${OG_GITEA_CLIENT_KEY}
OG_GITEA_SECRET: ${OG_GITEA_SECRET}
OG_GITEA_URL: ${OG_GITEA_URL}
OG_GITHUB_CLIENT_KEY: ${OG_GITHUB_CLIENT_KEY}
OG_GITHUB_SECRET: ${OG_GITHUB_SECRET}
OG_HTTP_PORT: ${SERVICE_PORT_MAIN}
networks:
traefik:
ipv4_address: '${SERVICE_IP}'
labels:
# ------------------------------------------------------------------------------------------------------
# General
# ------------------------------------------------------------------------------------------------------
- traefik.enable=true
- traefik.constraint-label=traefik
- traefik.docker.network=${SERVER_NETWORK}
# ------------------------------------------------------------------------------------------------------
# Scope > http
# ------------------------------------------------------------------------------------------------------
- traefik.http.routers.opengist-http.rule=Host(`${SERVICE_SUBDOMAIN}.localhost`) || Host(`${SERVICE_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`www.${SERVICE_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`${SERVICE_IP}`) || Host(`${SERVER_DOMAIN}`) && PathPrefix(`/${SERVICE_SUBDOMAIN}`)
- traefik.http.routers.opengist-http.service=opengist
- traefik.http.routers.opengist-http.entrypoints=http
- traefik.http.routers.opengist-http.middlewares=https-redirect@file
# ------------------------------------------------------------------------------------------------------
# Scope > https
# ------------------------------------------------------------------------------------------------------
- traefik.http.routers.opengist-https.rule=Host(`${SERVICE_SUBDOMAIN}.localhost`) || Host(`${SERVICE_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`www.${SERVICE_SUBDOMAIN}.${SERVER_DOMAIN}`) || Host(`${SERVICE_IP}`) || Host(`${SERVER_DOMAIN}`) && PathPrefix(`/${SERVICE_SUBDOMAIN}`)
- traefik.http.routers.opengist-https.service=opengist
- traefik.http.routers.opengist-https.entrypoints=https
- traefik.http.routers.opengist-https.tls=true
- traefik.http.routers.opengist-https.tls.certresolver=cloudflare
- traefik.http.routers.opengist-https.tls.domains[0].main=${SERVER_DOMAIN}
- traefik.http.routers.opengist-https.tls.domains[0].sans=*.${SERVER_DOMAIN}
# ------------------------------------------------------------------------------------------------------
# SSH
# ------------------------------------------------------------------------------------------------------
- traefik.tcp.routers.opengist-ssh.rule=HostSNI(`*`)
- traefik.tcp.routers.opengist-ssh.entrypoints=ssh
- traefik.tcp.routers.opengist-ssh.tls=true
- traefik.tcp.routers.opengist-ssh.service=opengist-ssh
- traefik.tcp.services.opengist-ssh.loadbalancer.server.port=${SERVICE_PORT_SSH}
# ------------------------------------------------------------------------------------------------------
# Load Balancer
# ------------------------------------------------------------------------------------------------------
- traefik.http.services.opengist.loadbalancer.server.port=${SERVICE_PORT_MAIN}
- traefik.http.services.opengist.loadbalancer.server.scheme=${SERVICE_PROT_MAIN}
- traefik.http.services.opengist.loadbalancer.healthcheck.path=/healthcheck
- traefik.http.services.opengist.loadbalancer.healthcheck.interval=200s
- traefik.http.services.opengist.loadbalancer.healthcheck.timeout=75ms
- traefik.http.services.opengist.loadbalancer.healthcheck.scheme=http
- traefik.http.services.opengist.loadbalancer.healthcheck.port=80
# ------------------------------------------------------------------------------------------------------
# Networks
# ------------------------------------------------------------------------------------------------------
networks:
traefik:
name: ${SERVER_NETWORK}
external: true
# ------------------------------------------------------------
# Domain Name
# ------------------------------------------------------------
SERVER_DOMAIN=domain.com
SERVER_IP=XX.XX.XX.XX
SERVER_NETWORK=traefik
# ------------------------------------------------------------
# Group & User ID
# ------------------------------------------------------------
UID=143
GID=997
# ------------------------------------------------------------
# Services
# ------------------------------------------------------------
SERVICE_SUBDOMAIN=gist
SERVICE_IP=172.18.0.19
SERVICE_PORT_MAIN=80
SERVICE_PROT_MAIN=http
SERVICE_PORT_SSH=2222
# ------------------------------------------------------------
# OpenGist Internal
# ------------------------------------------------------------
OG_LOG_LEVEL=info
OG_GITEA_CLIENT_KEY=
OG_GITEA_SECRET=
OG_GITEA_URL=https://git.domain.com
OG_GITHUB_CLIENT_KEY=
OG_GITHUB_SECRET=The only thing you should have to do is edit the .env files. Add whatever IP address the server will use, domain, and cloudflare API email / token.
This is sort of a two part question, I'm not sure if it's an Opengist issue, or Traefik.
First part, I get the following error, whether or not I use Traefik, so this is something with Opengist, that I may have not properly set up:
I looked through the documentation, and the only thing I could find was a few env variables for setting the SSH port / host IP. Not sure what I'm missing here, but I've ensured port 2222 is open.
Second question, when I set up Opengist to run on Traefik, I then edit my
docker-compose.ymlfile and I've changed the http port over to80.For some reason after that, Opengist fails the health check and portainer reports the container as
Unhealthy. Once I set Opengist back to use the default http port, it's fine.If I inspect the container, I notice this
Any direction on these would be awesome.
Edit: After doing some googling, I managed to solve the healthcheck issue with