Differences
This page shows the differences between two versions.
Next revision | Previous revision | ||
dienste:bytecluster0002:traefik [27.09.2020 19:29] – created hipposen | dienste:bytecluster0002:traefik [12.12.2020 21:55] (current) – mape2k | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | create CT | + | ====== Container ' |
- | Template Debian-10-bytecluster-with-users | + | ===== Ressourcen ===== |
- | Root Disk: 16G | + | * 0.5 GB RAM |
+ | * 1 Cores | ||
+ | * 8 GB HDD (root-fs) | ||
- | Cpu: 1 | + | ===== System ===== |
- | mem: 512mb | + | * interne IPs |
+ | * 10.2.0.1, fd00:10:2:0::1 | ||
- | Network | + | ===== Dienste ===== |
- | eth0 static with 10.2.0.1/24 | + | * Traefik (Loadbalancer, |
- | GW 10.2.0.254 | + | ===== Betrieb ===== |
- | DNS use host | + | ==== Routing für Domain anlegen ==== |
+ | - DNS-Eintrag anlegen | ||
+ | * Name: **Subdomain** der entsprechenden Domain | ||
+ | * Typ: **CNAME** | ||
+ | * Wert: **bytecluster0002.bytespeicher.org** | ||
+ | * TTL: **3600** | ||
+ | - Konfiguration anlegen | ||
+ | - Beispiel für einfachen Webdienst auf einem anderen Port< | ||
+ | [http.services] | ||
+ | [http.services.testwiki.loadbalancer] | ||
+ | [[http.services.testwiki.loadbalancer.servers]] | ||
+ | # Internal Destination URL and port | ||
+ | url = " | ||
- | Login: | + | [http.routers] |
+ | [http.routers.testwiki] | ||
+ | entryPoints = [ " | ||
+ | # Domain used for service | ||
+ | rule = " | ||
+ | # Servicename used in http.services.SERVICENAME.loadbalancer above | ||
+ | service = " | ||
+ | [http.routers.wiki.tls] | ||
+ | # Use Let's Encrypt | ||
+ | certResolver = " | ||
+ | </ | ||
+ | ===== Installation ===== | ||
- | wget https:// | + | * Standard-Template mit Benutzern |
- | git clone https:// | + | ==== Traefik ==== |
- | cd traefik | + | - Traefik herunterladen |
+ | * **wget https:// | ||
+ | - Verzeichnisse erstellen | ||
+ | * **sudo mkdir / | ||
+ | * **sudo mkdir -p / | ||
+ | * **sudo mkdir / | ||
+ | - Traefik-Archiv auspacken und entfernen | ||
+ | * **< | ||
+ | * **rm traefik_v2.3.1_linux_amd64.tar.gz** | ||
+ | - Benutzer und Gruppe anlegen | ||
+ | * **< | ||
+ | * **< | ||
+ | - Konfiguration anlegen | ||
+ | * **TODO** | ||
+ | - Service Unit anlegen< | ||
+ | [Unit] | ||
+ | Description=traefik proxy | ||
+ | After=network-online.target | ||
+ | Wants=network-online.target systemd-networkd-wait-online.service | ||
- | tar xfz traefik_v2.3.0_linux_amd64.tar.gz | + | [Service] |
+ | Restart=on-abnormal | ||
- | rm traefik_v2.3.0_linux_amd64.tar.gz | + | ; User and group the process will run as. |
+ | User=traefik | ||
+ | Group=traefik | ||
- | sudo cp /path/to/traefik /usr/local/bin | + | ; Always set " |
+ | ExecStart=/opt/traefik/ | ||
- | sudo chown root:root / | + | ; Limit the number of file descriptors; |
+ | LimitNOFILE=1048576 | ||
- | sudo chmod 755 /usr/local/bin/traefik | + | ; Use private /tmp and /var/tmp, which are discarded after traefik stops. |
+ | PrivateTmp=true | ||
+ | ; Use a minimal /dev (May bring additional security if switched to ' | ||
+ | PrivateDevices=false | ||
+ | ; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. | ||
+ | ProtectHome=true | ||
+ | ; Make /usr, /boot, /etc and possibly some more folders read-only. | ||
+ | ProtectSystem=full | ||
+ | ; ... except /etc/traefik/acme, because we want Letsencrypt-certificates there. | ||
+ | ; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! | ||
+ | ReadWriteDirectories=/ | ||
- | sudo setcap ' | + | ; The following additional security directives only work with systemd v229 or later. |
+ | ; They further restrict privileges that can be gained by traefik. Uncomment if you like. | ||
+ | ; Note that you may have to add capabilities required by any plugins in use. | ||
+ | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
+ | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
+ | NoNewPrivileges=true | ||
- | sudo groupadd | + | [Install] |
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | - Berechtigungen setzen | ||
+ | * **sudo chown -R traefik: | ||
+ | * **sudo chmod 750 / | ||
+ | * **sudo chmod 644 / | ||
+ | * **sudo chown root:root / | ||
+ | * **sudo chmod 644 / | ||
+ | * **sudo chown root:root / | ||
+ | - Traefik dauerhaft aktivieren und gleichzeitig starten | ||
+ | * **sudo systemctl daemon-reload** | ||
+ | * **sudo systemctl enable --now traefik.service** | ||
- | sudo useradd | + | ==== Backup mit Borgmatic ==== |
- | sudo mkdir / | + | * siehe [[mariadb]] |
- | sudo mkdir / | ||
- | |||
- | sudo chown -R root:root / | ||
- | |||
- | sudo chown -R traefik: | ||
- | |||
- | sudo touch / | ||
- | |||
- | sudo chown traefik: | ||
- | |||
- | |||
- | sudo mv *.toml / | ||
- | |||
- | sudo chown root:root / | ||
- | |||
- | sudo chmod 644 / | ||
- | |||
- | sudo mv traefik.service / | ||
- | |||
- | sudo chown root:root / | ||
- | |||
- | sudo chmod 644 / | ||
- | |||
- | sudo systemctl daemon-reload | ||
- | |||
- | sudo systemctl start traefik.service | ||
- | |||
- | sudo systemctl enable traefik.service |
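Review bot: the TLS section of the example dynamic configuration is attached to the wrong router. The router is declared as `[http.routers.testwiki]`, but the TLS block is `[http.routers.wiki.tls]`, so the `certResolver` would end up on a separate router named `wiki` and the `testwiki` router would be served without TLS; rename the block to `[http.routers.testwiki.tls]`. Two smaller points in the same hunk: the "Konfiguration anlegen" step under Installation is still `**TODO**`, so the static Traefik configuration (entrypoints, certificate resolver) that the routing example depends on is not documented yet; and the unit file sets `PrivateDevices=false` while its own comment says `true` would add security, so either switch it to `true` or add a line explaining why it is left off.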