This is a template to deploy a Traefik proxy protected by Crowdsec. I'm mainly using this as a quick way to configure and deploy a secure proxy in case I need it. It includes Prometheus and Grafana to collect and display a variety of information about your Traefik and Crowdsec containers.
I've mainly chosen Grafana here because of all the community-made dashboards for all kinds of services to help you monitor and observe your important containers.
If your services need to be accessible to the public, you'll need to own and configure a domain. Configuration is done through a DNS provider of your choosing. Example: You can use Cloudflare to configure your A record to point to your IP address and a CNAME record to point a subdomain (e.g. for the Grafana dashboard) to @ (root domain) or a completely separate IP. This is needed to route your domain to the right service and get valid certificates through Let's Encrypt.
Forward ports 80 and 443 to your host. This is done through your router and is different in every environment. Don't forget to put your host IP address on a static lease, so you don't lose your services all of a sudden.
Update the config file in prometheus/config and rename the Traefik host and crowdsec machine label to something that suits your environment.
Adjust the following in the traefik/traefik.yml file:
- Change the email to something you own. Let's Encrypt will send you email notifications when certificates are expiring.
- Update the grafana environment/labels to a (sub)domain you own, so that Traefik can request certificates for you and you can use your dashboard.
First, we'll need to register our bouncer with Crowdsec, so we can block unwanted guests. In the root directory of this repository, execute the following. Of course, you can rename traefik-bouncer to whatever you like:
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
Copy the key that is displayed and paste it into the compose file behind CROWDSEC_BOUNCER_API_KEY. Next, restart the Traefik bouncer with the following:
docker-compose restart bouncer
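The registration steps above can also be scripted; the following is an added example, not part of the original repository. The function names, the default compose file name and the two accepted ways of writing the variable in the compose file are assumptions.

```shell
#!/bin/sh
# Added example: scripts the bouncer registration procedure described above.
# Assumed (not taken from the repository): compose file name, and that the key
# is stored as "CROWDSEC_BOUNCER_API_KEY: <value>" or "- CROWDSEC_BOUNCER_API_KEY=<value>".

# Register a bouncer and print only its API key.
# -T: no pseudo-TTY, so the captured key carries no carriage return.
# -o raw: cscli prints the bare key instead of the human-readable message.
register_bouncer() {
    docker-compose exec -T crowdsec cscli bouncers add "${1:-traefik-bouncer}" -o raw
}

# Write KEY behind CROWDSEC_BOUNCER_API_KEY in FILE. Fails on an empty or
# malformed key, or when the variable is not present in the file.
set_bouncer_key() {
    file=$1 key=$2
    case $key in
        ''|*[!A-Za-z0-9+/=_-]*)
            echo "refusing empty or malformed key" >&2; return 1 ;;
    esac
    grep -q 'CROWDSEC_BOUNCER_API_KEY[:=]' "$file" || {
        echo "CROWDSEC_BOUNCER_API_KEY not found in $file" >&2; return 1; }
    # The file will hold a secret: create the new copy owner-readable only.
    ( umask 077
      sed "s|\(CROWDSEC_BOUNCER_API_KEY[:=] *\).*|\1${key}|" "$file" > "$file.new" ) &&
        mv -f "$file.new" "$file"
}

# Whole procedure: register, store the key, bring the bouncer up with it.
# "up -d" recreates the container; "restart" would keep its old environment.
apply_bouncer_key() {
    compose=${1:-docker-compose.yml}
    new_key=$(register_bouncer "${2:-traefik-bouncer}") || return 1
    set_bouncer_key "$compose" "$new_key" && docker-compose up -d bouncer
}
```

Source the file and run `apply_bouncer_key` from the repository root; after the rewrite the compose file is readable by its owner only.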
The stack should now run as expected. Please, let me know if there's anything wrong/missing.
This is basically everything you'll need to get started (with some extras). You'll still have to configure Grafana to get some nice visuals out of your metrics.
You can adjust some things here and there to suit your needs and add containers like Nextcloud, Gitlab, Bitwarden/Vaultwarden and whatever you'd like to host. You can use the grafana service as a reference for the basic labels you'll need to make Traefik proxy to your service and generate certificates for these services.
In case Prometheus and/or Grafana don't start correctly, it could be due to file permissions.
To fix this, you can use the following (as root) in the repository root:
chown 472:472 -R grafana && chown 1000:1000 -R prometheus
Check out the primary repositories/website for the awesome services created! Ordered as in the docker-compose:
Github repository:
- https://github.com/crowdsecurity/crowdsec
Primary website:
- https://crowdsec.net
Github repository:
- https://github.com/prometheus/prometheus
Primary website:
- https://prometheus.io/