systemd traefik.service

readme.md

systemd Service Unit for Traefik

Adapted from the forked gist and this blog. Adjusted to our own implementation.

The provided file should work with systemd version 219 or later. It might work with earlier versions. The easiest way to check your systemd version is to run systemctl --version.

Instructions

We will assume the following:

• that you want to run traefik as user traefik and group traefik, with UID and GID 321
• you are working from a non-root user account that can use 'sudo' to execute commands as root

Adjust as necessary or according to your preferences.

First, put the traefik binary in the system wide binary directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik /usr/local/bin
sudo chown root:root /usr/local/bin/traefik
sudo chmod 755 /usr/local/bin/traefik

Give the traefik binary the ability to bind to privileged ports (e.g. 80, 443) as a non-root user:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik

Set up the user, group, and directories that will be needed:

sudo groupadd -g 321 traefik
sudo useradd \
  -g traefik --no-user-group \
  --shell /usr/sbin/nologin \
  --system --uid 321 traefik

sudo mkdir /etc/traefik
sudo mkdir /etc/traefik/acme
sudo mkdir /etc/traefik/config
sudo chown -R root:root /etc/traefik
sudo chown -R root:root /etc/traefik/config
sudo chown -R traefik:traefik /etc/traefik/acme

Place your traefik configuration files ("traefik.yaml" and "service.yaml") in the proper directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik.yaml /etc/traefik/
sudo chown root:root /etc/traefik/traefik.yaml
sudo chmod 644 /etc/traefik/traefik.yaml
sudo cp /path/to/service.yaml /etc/traefik/config/
sudo chown root:root /etc/traefik/config/service.yaml
sudo chmod 644 /etc/traefik/config/service.yaml

Install the systemd service unit configuration file, reload the systemd daemon, and start traefik:

sudo cp /path/to/traefik.service /etc/systemd/system/
sudo chown root:root /etc/systemd/system/traefik.service
sudo chmod 644 /etc/systemd/system/traefik.service
sudo systemctl daemon-reload
sudo systemctl start traefik.service

Have the traefik service start automatically on boot if you like:

sudo systemctl enable traefik.service

If traefik doesn't seem to start properly you can view the log data to help figure out what the problem is:

journalctl --boot -u traefik.service

If your GNU/Linux distribution does not use journald with systemd then check any logfiles in /var/log.

If you want to follow the latest logs from traefik you can do so like this:

journalctl -f -u traefik.service

service.yaml

http:
  # Add the router
  routers:
    website:
      rule: "Host(`www.example.com`)"
      entryPoints:
      - web
      service: webservice
    secure-website:
      rule: "Host(`www.example.com`)"
      entryPoints:
      - ssl
      service: webservice
      tls:
        certResolver: letsencrypt

  # Add the service
  services:
    webservice:
      loadBalancer:
        servers:
        - url: "http://webservice.local:8001/"
        passHostHeader: false

traefik.service

[Unit]
Description=Traefik proxy
Documentation=https://docs.traefik.io
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/traefik
AssertPathExists=/etc/traefik
AssertPathExists=/etc/traefik/config

[Service]
; Traefik >2.x supports systemd notify when ready
Type=notify

; use yaml files but you can also use toml files. See Traefik documentation
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.yaml
Restart=always

; Traefik >2.x supports systemd watchdog
WatchdogSec=1s

; User and group the process will run as.
User=traefik
Group=traefik

; Limit the number of file descriptors (in this case enlarge...); see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576

; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true

; Prohibit access to physical devices (/dev/sda, /dev/mem, …)
PrivateDevices=true

; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true

; Make whole filesystem like /usr, /boot, /etc folders read-only.
ProtectSystem=strict

; except the static and dynamic config files
ReadOnlyPaths=/etc/traefik/traefik.yaml
ReadOnlyPaths=/etc/traefik/config

; and except /etc/ssl/traefik/acme, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/traefik/acme

; and some more security triggers
ProtectKernelTunables=true
ProtectControlGroups=true
LimitNPROC=1

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

traefik.yaml

sendAnonymousUsage: false

log:
  level: "INFO"  # DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  format: "common"

entryPoints:
  web:
    address: ":80"
  ssl:
    address: ":443"

api:
  # with this you enable the web UI
  insecure: true
  dashboard: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme/acme.json

      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

      # KeyType to use.
      # Optional
      # Default: "RSA4096"
      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
      keyType: RSA4096

      # Use a TLS-ALPN-01 ACME challenge.
      tlsChallenge: true

providers:
  file:
    directory: "/etc/traefik/config"
    watch: true