This is an old revision of the document!
--- # step 0: # docker network create --driver=bridge --attachable --internal=false gateway version: "3" services: traefik: image: traefik:v2.5.3 container_name: traefik restart: unless-stopped ports: - "80:80" - "443:443" - "8080:8080" - "2222:2222" volumes: # Here is the mount of the local `ssl` directory - ./data/letsencrypt:/letsencrypt # The docker socket is mounted for auto-discovery of new services - /var/run/docker.sock:/var/run/docker.sock:ro # Globally Available User Creds - ./data/users_credentials:/users_credentials:ro # Mount config files directly - ./data/traefik-tls.toml:/traefik-tls.toml # traefik log file - /var/log/traefik:/var/log networks: - gateway command: - "--log.level=WARN" - "--accesslog=true" - "--accessLog.filePath=/var/log/access.log" #- "--accessLog.filters.statusCodes=400-499" #- "--pilot.dashboard=false" # Still being developed - "--api.dashboard=true" - "--api.insecure=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.useBindPortIP=true" - "--providers.docker.network=gateway" - "--providers.docker.watch=true" # provide a file where options can be provided # Default TLS certificates must be specified in a file :sadface: - "--providers.file.filename=/traefik-tls.toml" # Entry Points - "--entrypoints.web.address=0.0.0.0:80" - "--entrypoints.websecure.address=0.0.0.0:443" - "--entrypoints.giteassh.address=0.0.0.0:2222" # import tls options from file for the websecure entrypoint - "--entrypoints.websecure.http.tls.options=default@file" # Certificate Resolver - "--certificatesresolvers.le.acme.email=user@example.com" - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json" - "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # Staging. You'll want to replace the acme.json file. BACKUP this file!!! #- "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" - "--certificatesresolvers.le.acme.httpchallenge=true" - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web" labels: - traefik.enable=true # Priority: Highest number == first prio # https://doc.traefik.io/traefik/routing/routers/#priority # Route traffic for *.my.lan first - traefik.http.routers.mylan.rule=hostregexp(`.*\.my\.lan`) - traefik.http.routers.mylan.entrypoints=web - traefik.http.routers.mylan.priority=1000 # global redirect to https - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`) - traefik.http.routers.http-catchall.entrypoints=web - traefik.http.routers.http-catchall.middlewares=redirect-to-https - traefik.http.routers.http-catchall.priority=1 # middleware redirect - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https networks: gateway: external: true
/traefik-tls.toml
# due to Go limitations, it is highly recommended that you use an ECDSA # certificate, or you may experience compatibility issues #[[tls.certificates]] ##certFile = "/path/to/signed_cert_plus_intermediates" ##keyFile = "/path/to/private_key" # certFile = "/traefik/certs/default.crt" # keyFile = "/traefik/certs/default.crt" [tls.options] [tls.options.default] minVersion = "VersionTLS12" cipherSuites = [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" ]
Minimal object store server with S3 compatibility written in GO.
1. Run this on hypervisor:
curl -sfL https://get.k3s.io | sh -
2. Verify it worked:
k3s kubectl get node
Docs: https://rancher.com/docs/k3s/latest/en/cluster-access/
3. Copy /etc/rancher/k3s/k3s.yaml
on the hypervisor to your machine at ~/.kube/config
. Then replace “localhost” with the IP or name of your K3s server. kubectl
can now manage your K3s cluster.
Paste this into ~/.docker/config.json
:
{ "psFormat": "table {{.Names}}\\t{{.Image}}\\t{{.RunningFor}} ago\\t{{.Status}}\\t{{.Command}}", "imagesFormat": "table {{.Repository}}\\t{{.Tag}}\\t{{.ID}}\\t{{.Size}}" }
Seems to not require mapping UID and GIDs.
Ubuntu 20.10 supports podman install.
If on 20.04 you can add the repo: https://podman.io/getting-started/installation
apt-get install -y slirp4netns podman
$ echo “user.max_user_namespaces=28633” > /etc/sysctl.d/userns.conf $ sysctl -p /etc/sysctl.d/userns.conf