traefik-crowdsec

This is a template to deploy a Traefik reverse proxy protected by Crowdsec. I mainly use it as a quick way to configure and deploy a secure proxy whenever I need one. It includes Prometheus and Grafana to collect and display a variety of metrics about your Traefik and Crowdsec containers.

I've mainly chosen Grafana here because of the many community-made dashboards for all kinds of services, which help you monitor and observe your important containers.

Preparations

Configure the DNS

If your services need to be reachable from the public internet, you'll need to own and configure a domain. Configuration is done at the DNS provider of your choosing. Example: with Cloudflare you can create an A record pointing to your public IP address and a CNAME record pointing a subdomain (e.g. the one for the Grafana dashboard) to @ (the root domain) or to a completely separate IP. This is needed both to route requests for your domain to the right service and to pass the Let's Encrypt challenge that issues a valid certificate. Check that the records actually resolve (e.g. with dig or nslookup) before you start the stack: every failed challenge counts against Let's Encrypt's rate limits, and a proxy with a misconfigured domain will keep retrying.

Port forward to your host

Forward ports 80 and 443 to your host. This is done on your router and differs in every environment. Forward only these two ports: Grafana and Prometheus should be reached through Traefik, not by exposing their own ports. Don't forget to give your host a static DHCP lease (or a static address), so you don't lose your services all of a sudden when the host gets a new IP.

Update the Prometheus configurations

Update the config file in prometheus/config and change the Traefik host and the Crowdsec machine label to values that match your environment, otherwise the scrape targets will not be found.

Update the Traefik configuration

Adjust the following in the traefik/traefik.yml file:

  • Change the email to an address you own. Let's Encrypt sends notifications to it when certificates are about to expire, which is your early warning if automatic renewal has silently stopped working.

Update the docker-compose

  • Update the Grafana environment variables and labels to a (sub)domain you own, so that Traefik can request a certificate for it and you can reach your dashboard. Since the dashboard will be reachable from the internet, also make sure the Grafana admin password is not left at its default.

Configuration

Register your bouncer

First, we'll need to register our bouncer with Crowdsec, so it can block unwanted guests. In the root directory of this repository, execute the following. Of course, you can rename traefik-bouncer to whatever you like:

  • docker-compose exec crowdsec cscli bouncers add traefik-bouncer
  • Copy the key that is printed and paste it into the compose file as the value of CROWDSEC_BOUNCER_API_KEY. Treat this key like a password: it authenticates the bouncer to the Crowdsec local API, so keep it out of any public copy of the repository.
  • Recreate the bouncer so it picks up the new variable: docker-compose up -d bouncer. Note that a plain docker-compose restart bouncer keeps the container's old environment and will not apply the new key.

The stack should now be running as expected. Please let me know if anything is wrong or missing.

What to do after?

This is basically everything you'll need to get started (with some extras). You'll still have to configure Grafana to get some nice visuals out of your metrics.

You can adjust things here and there to suit your needs and add containers like Nextcloud, GitLab, Bitwarden/Vaultwarden or whatever else you'd like to host. Use the grafana service as a reference for the basic labels you need so that Traefik proxies to your service and requests certificates for it. Services that go through Traefik do not need to publish ports of their own.

Other notes

Folder/file permissions

If Prometheus and/or Grafana doesn't start correctly, it could be due to file permissions on the bind-mounted directories: the containers run as UIDs 472 (Grafana) and 1000 (Prometheus) in this setup and cannot write to directories owned by root. To fix this, run the following (as root) in the repository root: chown 472:472 -R grafana && chown 1000:1000 -R prometheus

Credits

Check out the primary repositories/websites of the awesome services used here! Ordered as in the docker-compose:

  • Traefik. GitHub repository:
  • Traefik Certs Dumper. GitHub repository:
  • Crowdsec. GitHub repository:
  • Crowdsec Traefik bouncer. GitHub repository:
  • Prometheus. GitHub repository:
  • Grafana. GitHub repository: