Hello,
I do have a permission problem.
Running docker rootless mode with a new fresh install server+portainer.
Portainer is working.
Yesterday I have done the first fresh install still rootless + "portainer, diun, authentik etc." All were working find in rootless mode, except already Traefix (same error message).
2024-05-10T09:32:17.980103828Z zerolog: could not write event: can't make directories for new logfile: mkdir /home/user: read-only file system
2024-05-10T09:32:23.100453231Z zerolog: could not write event: can't make directories for new logfile: mkdir /home/user: read-only file system
services:
traefik:
image: traefik:v3.0.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
read_only: true
mem_limit: 2G
cpus: 0.75
depends_on:
- dockerproxy
networks:
- $MYNET
- socket-t
ports:
- 1180:80
- 11443:443
- 8087:8080
- 1181:1181
- 11444:11444
environment:
CF_API_EMAIL: $EMAIL
CF_DNS_API_TOKEN: $TOKEN
TZ: Europe/Helsinki (always cold, where is the sun ??)
GID: ${GID-1000}
volumes:
- /etc/localtime:/etc/localtime:ro
- $BASE/logs/crowdsec/:/var/log/crowdsec
- $BASE/traefik/data/traefik.yml:/traefik.yml:ro
- $BASE/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
- $BASE/letsencrypt:/letsencrypt
labels:
- "traefik.enable=true"
- "traefik.docker.network=$MYNET"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.$MYDOMAIN`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.$MYDOMAIN`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=$MYDOMAIN"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.$MYDOMAIN"
- "traefik.http.routers.traefik-secure.service=api@internal"
# middlewares
- "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
- "traefik.http.middlewares.traefik-auth.basicauth.users=login:xxxxxxxxxxxxxxxxxxxxxxxxxx"
# middlewares security headers
- "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
- "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.security-headers.headers.addvaryheader=true"
- "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host"
- "traefik.http.middlewares.security-headers.headers.sslredirect=true"
- "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.security-headers.headers.stsseconds=63072000"
- "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.security-headers.headers.stspreload=true"
- "traefik.http.middlewares.security-headers.headers.forcestsheader=true"
- "traefik.http.middlewares.security-headers.headers.framedeny=true"
- "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true"
- "traefik.http.middlewares.security-headers.headers.browserxssfilter=true"
- "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin"
- "traefik.http.middlewares.security-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
- "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
dockerproxy:
image: wollomatic/socket-proxy:1.3.1
container_name: t-docker-socket-proxy
command:
- '-loglevel=debug'
- '-allowfrom=0.0.0.0/0'
- '-listenip=0.0.0.0'
- '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
- '-watchdoginterval=3600'
- '-stoponwatchdog'
- '-shutdowngracetime=10'
restart: unless-stopped
read_only: true
mem_limit: 64M
cap_drop:
- ALL
security_opt:
- no-new-privileges
user: 1000:1000 # change gid from 998 to the gid of the docker group on your host
volumes:
#- /var/run/docker.sock:/var/run/docker.sock:ro
- /run/user/1000/docker.sock:/var/run/docker.sock:ro
networks:
- socket-t
networks:
dagga-boys:
name: $MYNET
external: true
socket-t:
driver: bridge
internal: true
attachable: false
http:
middlewares:
default-whitelist:
ipWhiteList:
sourceRange:
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
secured:
chain:
middlewares:
- default-whitelist
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
authentik:
forwardauth:
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
my-traefik-get-real-ip:
plugin:
traefik-get-real-ip:
Proxy:
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn1
realIP: X-Forwarded-For
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn2
realIP: Client-Ip
- overwriteXFF: "true"
proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn3
realIP: Cf-Connecting-Ip
- proxyHeadername: '*'
realIP: RemoteAddr
#region routers
routers:
proxmox-rtr:
rule: "Host(`pve.domain`)"
entryPoints:
- "http-external"
middlewares:
- https-redirectscheme
- authentik
tls: {}
service: proxmox-svc
secure-webserver:
entryPoints:
- "https-external"
rule: "Host(`www.domain`)"
middlewares:
- https-redirectscheme
tls: {}
service: secure-webserver
homeassistant:
entryPoints:
- "https-external"
rule: "Host(`haoss.domain`)"
middlewares:
- https-redirectscheme
- authentik
tls: {}
service: homeassistant
authentik:
entryPoints:
- "https-external"
rule: "Host(`authentik.domain`)"
middlewares:
- https-redirectscheme
- authentik
priority: 10
tls: {}
service: authentik:
#region services
services:
proxmox-svc:
loadBalancer:
servers:
- url: "https://ip:8006/"
passHostHeader: true
secure-webserver:
loadBalancer:
servers:
- url: "http://ip:80"
passHostHeader: true
homeassistant:
loadBalancer:
servers:
- url: "http://ip:8123"
passHostHeader: true
authentik:
loadBalancer:
servers:
- url: "http://authentik-server:9000/outpost.goauthentik.io"
passHostHeader: true
api:
dashboard: true
insecure: true
debug: true
entryPoints:
http:
address: ":80"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
http-external:
address: ":1181"
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entrypoint:
to: https-external
scheme: https
https-external:
address: ":11444"
http:
middlewares:
- crowdsec-bouncer@file
serversTransport:
insecureSkipVerify: true
providers:
docker:
network: mynet
endpoint: "tcp://t-docker-socket-proxy:2375"
exposedByDefault: false
file:
filename: /dynamic_conf.yml
watch: true
certificatesResolvers:
dns-cloudflare:
acme:
email: name@domain
storage: ./letsencrypt/acme.json
dnsChallenge:
provider: cloudflare
caServer: https://acme-v02.api.letsencrypt.org/directory
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
experimental:
plugins:
traefik-get-real-ip:
moduleName: "github.com/Paxxs/traefik-get-real-ip"
version: "v1.0.3"
log:
level: "DEBUG"
filePath: "/home/user/.local/share/docker/volumes/logs/crowdsec/traefik.log"
accessLog:
filePath: "/home/user/.local/share/docker/volumes/logs/crowdsec/access.log"
bufferingSize: 50