@ondrejsika
Forked from ubergesundheit/readme.md
Created March 19, 2019 19:42
systemd traefik.service

systemd Service Unit for Traefik

Adapted from traefik systemd Service Unit

The provided file should work with systemd version 219 or later. It might work with earlier versions. The easiest way to check your systemd version is to run systemctl --version.

Instructions

We will assume the following:

  • that you want to run traefik as user traefik and group traefik, with UID and GID 321
  • you are working from a non-root user account that can use 'sudo' to execute commands as root

Adjust as necessary or according to your preferences.

First, put the traefik binary in the system wide binary directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik /usr/local/bin
sudo chown root:root /usr/local/bin/traefik
sudo chmod 755 /usr/local/bin/traefik

Give the traefik binary the ability to bind to privileged ports (e.g. 80, 443) as a non-root user:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik

Set up the user, group, and directories that will be needed:

sudo groupadd -g 321 traefik
sudo useradd \
  -g traefik --no-user-group \
  --home-dir /var/www --no-create-home \
  --shell /usr/sbin/nologin \
  --system --uid 321 traefik

# Only needed if you use the Docker provider. Membership in the docker group
# grants access to the Docker socket, which is equivalent to root on the host.
sudo usermod -aG docker traefik

sudo mkdir /etc/traefik
sudo mkdir /etc/traefik/acme
sudo chown -R root:root /etc/traefik
# acme/ will hold the ACME account key and issued certificates, so traefik
# owns only that subdirectory and the rest of /etc/traefik stays root-owned.
sudo chown -R traefik:traefik /etc/traefik/acme

Place your traefik configuration file ("traefik.toml") in the proper directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik.toml /etc/traefik/
sudo chown root:root /etc/traefik/traefik.toml
sudo chmod 644 /etc/traefik/traefik.toml

Install the systemd service unit configuration file, reload the systemd daemon, and start traefik:

sudo cp /path/to/traefik.service /etc/systemd/system/
sudo chown root:root /etc/systemd/system/traefik.service
sudo chmod 644 /etc/systemd/system/traefik.service
sudo systemctl daemon-reload
sudo systemctl start traefik.service

Have the traefik service start automatically on boot if you like:

sudo systemctl enable traefik.service

If traefik doesn't seem to start properly you can view the log data to help figure out what the problem is:

journalctl --boot -u traefik.service

If your GNU/Linux distribution does not use journald with systemd then check any logfiles in /var/log.

If you want to follow the latest logs from traefik you can do so like this:

journalctl -f -u traefik.service
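The steps above leave several things to verify by hand: the systemd version, the ownership and mode of the binary and config, the file capability on the binary, and the service account's UID, GID and shell. The script below is an added example (not part of the gist) that checks all of them. Each check_* function takes the output of one command as a string, so the parsing can be tested offline with constructed input; verify_all gathers the real output when the script is run with --run. The expected mode 755 on /etc/traefik/acme assumes the mkdir above ran with the default umask of 022.

```shell
#!/bin/sh
# verify_traefik_install.sh: post-install checks for the procedure above.
# Added example, not part of the original gist.

# $1: first line of `systemctl --version`, e.g. "systemd 245 (245.4-4ubuntu3)"
# $2: minimum major version (219 for this unit, 229 for the capability directives)
systemd_version_ge() {
    major=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ "$major" -ge "$2" ]
}

# $1: output of `stat -c '%U:%G %a' FILE`; $2: expected owner:group; $3: expected mode
check_owner_mode() {
    [ "$1" = "$2 $3" ]
}

# $1: output of `getcap /usr/local/bin/traefik`. Older libcap prints
# "FILE = cap_net_bind_service+ep", newer libcap prints "FILE cap_net_bind_service=ep".
check_bind_cap() {
    case "$1" in
        *cap_net_bind_service+ep*|*cap_net_bind_service=ep*) return 0 ;;
    esac
    return 1
}

# $1: line from `getent passwd traefik`; $2: expected uid; $3: expected gid.
# Also requires a non-interactive shell so nobody can log in as the service user.
check_service_user() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ "$uid" = "$2" ] || return 1
    [ "$gid" = "$3" ] || return 1
    case "$shell" in
        */nologin|*/false) return 0 ;;
    esac
    return 1
}

# $1: label, rest: a check to run. Prints PASS/FAIL and records failure in rc.
run_check() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; rc=1; fi
}

# Run every check against the live system (requires the paths used above).
verify_all() {
    rc=0
    run_check "systemd >= 219" \
        systemd_version_ge "$(systemctl --version | head -n 1)" 219
    run_check "binary root:root 755" \
        check_owner_mode "$(stat -c '%U:%G %a' /usr/local/bin/traefik)" root:root 755
    run_check "config root:root 644" \
        check_owner_mode "$(stat -c '%U:%G %a' /etc/traefik/traefik.toml)" root:root 644
    run_check "acme dir traefik:traefik 755 (assumes umask 022 at mkdir time)" \
        check_owner_mode "$(stat -c '%U:%G %a' /etc/traefik/acme)" traefik:traefik 755
    run_check "cap_net_bind_service on binary" \
        check_bind_cap "$(getcap /usr/local/bin/traefik)"
    run_check "traefik user 321:321 with no login shell" \
        check_service_user "$(getent passwd traefik)" 321 321
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    verify_all    # usage: sudo sh verify_traefik_install.sh --run
fi
```

Any FAIL line points at the step above that needs redoing; a missing file capability is the usual cause of traefik failing to bind port 80 or 443 when started as the traefik user.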

traefik.service

[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal
; User and group the process will run as.
User=traefik
Group=traefik
; Always pass the configuration file explicitly instead of relying on traefik's default search paths.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (may bring additional security if switched to 'true', but it may not work on Raspberry Pis or other devices, so it has been disabled here).
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; ... except /etc/traefik/acme, because traefik writes its Let's Encrypt certificates there.
; This merely retains r/w access rights, it does not add any new ones. The directory must still be writable by the traefik user on the host!
; (ReadWriteDirectories= is the pre-v231 name of ReadWritePaths=; the old name is still accepted.)
ReadWriteDirectories=/etc/traefik/acme
; The following additional security directives only work with systemd v229 or later.
; They further restrict the privileges traefik can gain; comment them out on older systemd.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
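The value of this unit is in its [Service] hardening, and those directives are easy to lose when the file is later edited or copied for another service. The script below is an added example (not the gist's own code) that parses a unit file and checks that the hardening directives above are still present with the expected values, including the rule that a read-only /etc needs /etc/traefik/acme re-enabled for writing. The sample unit written by write_sample_unit is constructed here for testing and mirrors the unit above.

```shell
#!/bin/sh
# audit_unit.sh: check that a systemd unit keeps the hardening directives
# used in traefik.service above. Added example, not part of the original gist.

# Print the value of directive $2 in section $1 of unit file $3.
# Comment lines (; or #) are skipped and, as in systemd, the last assignment wins.
unit_get() {
    awk -F= -v sect="[$1]" -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^\[/         { in_sect = ($0 == sect); next }
        in_sect && $1 == key { val = substr($0, length(key) + 2) }
        END { if (val != "") print val }
    ' "$3"
}

# [Service] directives that must be present with exactly these values.
EXPECTED="User=traefik Group=traefik NoNewPrivileges=true PrivateTmp=true ProtectHome=true CapabilityBoundingSet=CAP_NET_BIND_SERVICE"

# $1: unit file. Prints one line per problem; returns 1 if any were found.
audit_unit() {
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(unit_get Service "$key" "$1")
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $exp)"; rc=1
        elif [ "$got" != "$exp" ]; then
            echo "MISMATCH $key=$got (expected $exp)"; rc=1
        fi
    done
    # ProtectSystem=full makes /usr, /boot and /etc read-only; strict makes the whole tree read-only.
    case "$(unit_get Service ProtectSystem "$1")" in
        full|strict) ;;
        *) echo "MISSING  ProtectSystem (expected full or strict)"; rc=1 ;;
    esac
    # With /etc read-only, the ACME directory must be re-enabled for writing via
    # ReadWritePaths= (or its pre-v231 name ReadWriteDirectories=).
    rw="$(unit_get Service ReadWritePaths "$1") $(unit_get Service ReadWriteDirectories "$1")"
    case " $rw " in
        *" /etc/traefik/acme "*) ;;
        *) echo "MISSING  /etc/traefik/acme in ReadWritePaths=/ReadWriteDirectories="; rc=1 ;;
    esac
    return $rc
}

# Writes a constructed copy of the hardened unit to $1 (test input only).
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=traefik proxy
After=network-online.target

[Service]
Restart=on-abnormal
; comment lines are ignored by the parser
User=traefik
Group=traefik
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/etc/traefik/acme
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

if [ $# -gt 0 ]; then
    audit_unit "$1"    # usage: sh audit_unit.sh /etc/systemd/system/traefik.service
fi
```

On systemd 240 and later, `systemd-analyze security traefik.service` gives a broader exposure score for the same unit; this script only checks that the specific directives chosen above have not been dropped.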