Run traefik as dockeruser, and without host networking

This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure!
2022-01-15 23:44:06 +00:00
parent 1348eb8b1c
commit d5c7d94ac8
17 changed files with 150 additions and 6 deletions
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -32,21 +32,22 @@ entryPoints:
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
  traefik:
-    address: "{{ private_ip }}:8080"
+    address: :8080

 ping: {}

 providers:
  docker:
-    endpoint: unix:///var/run/docker.sock
+    endpoint: tcp://docker_proxy:2375
    watch: true
    exposedByDefault: false
+    network: traefik
  file:
    directory: /etc/traefik/conf
 {% if with_traefik_pages %}
  http:
    endpoint:
-      - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider"
+      - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider"
 {% endif %}

 api: