Greetings all,
What I am trying to do is setup both pihole and teslamate data logging on a Rasberry Pi 4 behind my residential broadband connection. I am fairly knowledgeable with networking but not with traefik. I want both of these services to be exposed via one dynamic external IP so that I can access remotely. Since they will be exposed both of them need Traefik and lets encrypt configs using different ports.
I have tried the setup from reading online but I am running into some problems with traefik. Both services display cert errors and then a 404 error when I try to access them on their respective ports.
Right now I am trying to use a .env file to call three seperate yml files for docker. What might be the problem is that it is trying to use two instances of traefik. I would like to expose the following ports for the following services:
https 443 - PiHole
http 80 - PiHole redirect to https
53 tcp/udp - PiHole DNS
853 - PiHole DNS TLS
8443 - Teslamate HTTPS (listening on port 4000)
8442 - Graphana HTTPS (Listening on port 3000)
Here are the config files I have started to work on so far. I am thinking I need to combine these two unless you folks think I should leave them seperate.
Traefik.yml:
version: "3.3"
services:
traefik:
image: "traefik:latest"
restart: unless-stopped
command:
- "--log.level=ERROR"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.dnsovertls.address=:853"
- "--entrypoints.dns.address=:53"
- "--entrypoints.udpdns.address=:53/udp"
- "--entrypoints.web.address=:80"
- "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
- "--certificatesresolvers.mytlschallenge.acme.email=user@gmail.com"
- "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
networks:
- traefik_default
ports:
- "LOCALIP:443:443"
- "LOCALIP:853:853"
- "LOCALIP:53:53"
- "LOCALIP:53:53/udp"
- "LOCALIP:80:80"
volumes:
- "letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
traefik_default:
external: true
volumes:
letsencrypt:
pihole.yml:
version: "3"
services:
pihole:
image: pihole/pihole:latest
networks:
- traefik_default
environment:
PUID: '1000'
PGID: '1000'
TZ: 'America/New_York'
WEBPASSWORD: 'password'
volumes:
- './etc-pihole/:/etc/pihole/'
- './etc-dnsmasq.d/:/etc/dnsmasq.d/'
dns:
- 8.8.8.8
- 1.1.1.1
restart: unless-stopped
labels:
- "traefik.enable=true"
# web interface
- "traefik.http.routers.pihole.rule=Host(`dynamicndshostname.com`)"
- "traefik.http.routers.pihole.entrypoints=websecure"
- "traefik.http.routers.pihole.tls.certresolver=mytlschallenge"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
# DNS-over-TLS
- "traefik.tcp.routers.dnsovertls.rule=HostSNI(`dynamicndshostname.com`)"
- "traefik.tcp.routers.dnsovertls.entrypoints=dnsovertls"
- "traefik.tcp.routers.dnsovertls.tls.certresolver=mytlschallenge"
- "traefik.tcp.routers.dnsovertls.service=pihole"
# Normal DNS coming in on 53 TCP, no TLS
- "traefik.tcp.routers.dns.rule=HostSNI(`dynamicndshostname.com`)"
- "traefik.tcp.routers.dns.entrypoints=dns"
- "traefik.tcp.routers.dns.service=pihole"
# recieves traffic from both the TLS and non-TLS traefik routers
- "traefik.tcp.services.pihole.loadbalancer.server.port=53"
# Normal DNS coming in on 53 UDP
- "traefik.udp.routers.udpdns.entrypoints=udpdns"
- "traefik.udp.routers.udpdns.service=pihole"
- "traefik.udp.services.pihole.loadbalancer.server.port=53"
networks:
traefik_default:
external: true
teslamate.yml:
version: '3'
services:
teslamate:
image: teslamate/teslamate:latest
restart: always
depends_on:
- database
environment:
- DATABASE_USER=${TM_DB_USER}
- DATABASE_PASS=${TM_DB_PASS}
- DATABASE_NAME=${TM_DB_NAME}
- DATABASE_HOST=database
- MQTT_HOST=mosquitto
- VIRTUAL_HOST=${FQDN_TM}
- CHECK_ORIGIN=true
- TZ=${TM_TZ}
volumes:
- ./import:/opt/app/import
labels:
- 'traefik.enable=true'
- 'traefik.port=4000'
- "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.auth.basicauth.usersfile=/auth/.htpasswd"
- "traefik.http.routers.teslamate-insecure.rule=Host(`${FQDN_TM}`)"
- "traefik.http.routers.teslamate-insecure.middlewares=redirect"
- "traefik.http.routers.teslamate.rule=Host(`${FQDN_TM}`)"
- "traefik.http.routers.teslamate.middlewares=auth"
- "traefik.http.routers.teslamate.entrypoints=websecure"
- "traefik.http.routers.teslamate.tls.certresolver=tmhttpchallenge"
database:
image: postgres:12
restart: always
environment:
- POSTGRES_USER=${TM_DB_USER}
- POSTGRES_PASSWORD=${TM_DB_PASS}
- POSTGRES_DB=${TM_DB_NAME}
volumes:
- teslamate-db:/var/lib/postgresql/data
grafana:
image: teslamate/grafana:latest
restart: always
environment:
- DATABASE_USER=${TM_DB_USER}
- DATABASE_PASS=${TM_DB_PASS}
- DATABASE_NAME=${TM_DB_NAME}
- DATABASE_HOST=database
- GRAFANA_PASSWD=${GRAFANA_PW}
- GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
- GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
- GF_AUTH_BASIC_ENABLED=true
- GF_AUTH_ANONYMOUS_ENABLED=false
- GF_SERVER_ROOT_URL=https://${FQDN_GRAFANA}
volumes:
- teslamate-grafana-data:/var/lib/grafana
labels:
- 'traefik.enable=true'
- 'traefik.port=3000'
- "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
- "traefik.http.routers.grafana-insecure.rule=Host(`${FQDN_GRAFANA}`)"
- "traefik.http.routers.grafana-insecure.middlewares=redirect"
- "traefik.http.routers.grafana.rule=Host(`${FQDN_GRAFANA}`)"
- "traefik.http.routers.grafana.entrypoints=websecure"
- "traefik.http.routers.grafana.tls.certresolver=tmhttpchallenge"
mosquitto:
image: eclipse-mosquitto:1.6
restart: always
ports:
- 127.0.0.1:1883:1883
volumes:
- mosquitto-conf:/mosquitto/config
- mosquitto-data:/mosquitto/data
proxy:
image: traefik:v2.1
restart: always
command:
- "--global.sendAnonymousUsage=false"
- "--providers.docker"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:8080"
- "--entrypoints.websecure.address=:8443"
- "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge=true"
- "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.tmhttpchallenge.acme.email=${LETSENCRYPT_EMAIL}"
- "--certificatesresolvers.tmhttpchallenge.acme.storage=/etc/acme/acme.json"
ports:
- 8080:8080
- 8443:8443
volumes:
- ./.htpasswd:/auth/.htpasswd
- ./acme/:/etc/acme/
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
teslamate-db:
teslamate-grafana-data:
mosquitto-conf:
mosquitto-data:
Hopefully this is possible. Thanks in advance.