From 39cf4ac288d93b9a577a60cd8fef14d8760ae24d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Sun, 7 Jun 2026 15:44:25 +0000
Subject: [PATCH] minor fixes

---
 cookbooks/ntfy/ntfy.container | 2 +-
 cookbooks/traefik/README.md | 86 +++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)

diff --git a/cookbooks/ntfy/ntfy.container b/cookbooks/ntfy/ntfy.container
index 3a8fa43..e88ec17 100644
--- a/cookbooks/ntfy/ntfy.container
+++ b/cookbooks/ntfy/ntfy.container
@@ -30,7 +30,7 @@ Volume=/etc/quadlets/ntfy/server.yml:/etc/ntfy/server.yml:ro,z
 Volume=/var/lib/virtiofs/data/ntfy:/var/cache/ntfy:Z
 
 # Health check
-HealthCmd=wget -q --tries=1 http://localhost:8080/v1/health -O - | grep -Eo '"healthy"\s*:\s*true' || exit 1
+HealthCmd=wget -q --tries=1 http://127.0.0.1:8080/v1/health -O - | grep -qEo '"healthy"\s*:\s*true'
 HealthInterval=60s
 HealthTimeout=10s
 HealthStartPeriod=40s
diff --git a/cookbooks/traefik/README.md b/cookbooks/traefik/README.md
index 49be33e..097be77 100644
--- a/cookbooks/traefik/README.md
+++ b/cookbooks/traefik/README.md
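Review bot: In the new HealthCmd line, `-o` is redundant once `-q` is set, since grep prints nothing in quiet mode; `grep -qE '"healthy"\s*:\s*true'` expresses the intent more directly. Dropping `|| exit 1` is safe here because, without pipefail, the pipeline's status is grep's exit code and grep -q already returns non-zero when the pattern is absent. The switch from localhost to 127.0.0.1 is not explained by the "minor fixes" subject; a one-line comment above the line, such as `# Probe 127.0.0.1 explicitly so the check does not depend on how localhost resolves inside the container`, would keep that rationale with the file. The probe still has no per-request timeout of its own and relies on HealthTimeout=10s below to bound a hung connection, which is acceptable but worth stating in the same comment.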
@@ -82,3 +82,89 @@ sudo make uninstall clean
 ```sh
 sudo make test
 ```
+
+## What if I want to use a TLS certificate provided by the "lego" cookbook?
+
+**/etc/containers/systemd/traefik.container.d/lego.conf**:
+
+```ini
+[Unit]
+# Now, Traefik depends on the lego target, which will ensure that the TLS certificates are generated and available before Traefik starts
+After=lego.target
+Wants=lego.target
+
+[Container]
+# Mount the directory containing the TLS certificates generated by lego into the Traefik container
+Volume=/run/quadlets/traefik/tls:/etc/traefik/tls:Z
+
+# Health check on HTTPS
+HealthCmd=wget -q -O /dev/null --no-check-certificate --header 'Host: ping' https://127.0.0.1/
+
+[Service]
+# Get the TLS certificates in place before starting traefik
+ExecStartPre=/bin/sh -c 'install -o 10001 -g 10000 -m 0600 -t /run/quadlets/traefik/tls /var/lib/quadlets/lego/certificates/*.crt /var/lib/quadlets/lego/certificates/*.key'
+```
+
+**/etc/quadlets/traefik/conf.d/tls.yaml**:
+
+```yaml
+tls:
+  certificates:
+    - certFile: /etc/traefik/tls/f.q.d.n.crt
+      keyFile: /etc/traefik/tls/f.q.d.n.key
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/f.q.d.n.crt
+        keyFile: /etc/traefik/tls/f.q.d.n.key
+
+http:
+  routers:
+    traefik-ping-tls:
+      rule: Host(`ping`)
+      entryPoints:
+        - https
+      service: "ping@internal"
+      tls: {}
+      middlewares:
+        - localhost-only
+  middlewares:
+    localhost-only:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+```
+
+**/etc/quadlets/traefik/traefik.yaml**:
+
+```yaml
+entryPoints:
+  # <-- no http entrypoint here
+  https:
+    address: ":443"
+```
+
+**/etc/tmpfiles.d/traefik-lego.conf**:
+
+```
+d /run/quadlets/traefik 0755 10001 10000 -
+d /run/quadlets/traefik/tls 0700 10001 10000 -
+```
+
+ **/etc/quadlets/traefik/conf.d/$yoursite.yaml**:
+
+```yaml
+http:
+  routers:
+    example:
+      rule: "Host(`service.example.test`)"
+      entryPoints:
+        - https
+      service: "example"
+      tls: {} # <-- this tells Traefik to enable TLS and find a matching certificate by SNI
+  services:
+    example:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:8080"
+```