@francoism90
Last active June 27, 2024 12:28
Cockpit + Traefik

Tested on CentOS Stream 9 with Cockpit and traefik v3.

A full working Podman Quadlet example can be seen here: https://github.com/foxws/foxws/tree/main/podman

Override the service

You need to override the Cockpit web service so that it does not use TLS. In this example TLS is provided by traefik.

Open an override file for the unit:

sudo systemctl edit cockpit.service

Enter the following override:

[Service]
ExecStart=
ExecStart=/usr/libexec/cockpit-tls --no-tls

Create /etc/cockpit/cockpit.conf:

[WebService]
Origins = https://cockpit.example.com
ProtocolHeader = X-Forwarded-Proto
ForwardedForHeader = X-Forwarded-For
AllowUnencrypted = true
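
As an added example (not part of the original gist), this Python script lints the two Cockpit-side files above: it checks that the drop-in resets `ExecStart=` before redefining it, and that a `cockpit.conf` accepting plain HTTP also names an https origin and the proxy headers. The function names and finding strings are assumptions of this example; the inputs are the page's own snippets embedded as constructed samples.

```python
import configparser

# Constructed samples: the drop-in and cockpit.conf as shown on this page.
DROPIN = "[Service]\nExecStart=\nExecStart=/usr/libexec/cockpit-tls --no-tls\n"
CONF = """[WebService]
Origins = https://cockpit.example.com
ProtocolHeader = X-Forwarded-Proto
ForwardedForHeader = X-Forwarded-For
AllowUnencrypted = true
"""

def audit_dropin(text):
    """ExecStart must be cleared with an empty assignment before it is redefined."""
    values = [line.split("=", 1)[1].strip() for line in text.splitlines()
              if line.strip().startswith("ExecStart=")]
    findings = []
    if not values or values[0] != "":
        # Without the reset systemd appends to the packaged ExecStart list.
        findings.append("drop-in: no empty 'ExecStart=' before the new command")
    if sum(1 for v in values if v) != 1:
        findings.append("drop-in: expected exactly one ExecStart command")
    return findings

def audit_conf(text):
    """Check a cockpit.conf for Cockpit serving plain HTTP behind a TLS proxy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("WebService"):
        return ["conf: missing [WebService] section"]
    ws = cp["WebService"]  # option names are matched case-insensitively
    findings = []
    origins = ws.get("Origins", "").split()  # space-separated list
    if not origins:
        findings.append("conf: Origins is empty")
    findings += [f"conf: origin {o} is not https" for o in origins
                 if not o.startswith("https://")]
    if ws.getboolean("AllowUnencrypted", fallback=False) and not ws.get("ProtocolHeader"):
        # Plain HTTP is accepted but Cockpit cannot tell the client used TLS.
        findings.append("conf: AllowUnencrypted without ProtocolHeader")
    if not ws.get("ForwardedForHeader"):
        findings.append("conf: ForwardedForHeader unset")
    return findings

if __name__ == "__main__":
    for finding in audit_dropin(DROPIN) + audit_conf(CONF):
        print(finding)
```

Both samples from this page produce no findings, so the script prints nothing for them.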

Traefik dynamic configuration (traefik/dynamic.yml), defining the cockpit service:

http:
  services:
    cockpit:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:9090"

Quadlet container unit for the traefik proxy:

[Unit]
Description=Proxy container
Requires=podman.socket
After=podman.socket
[Service]
EnvironmentFile=%h/.config/containers/systemd/traefik/proxy.env
Restart=always
[Container]
Image=docker.io/library/traefik:latest
AutoUpdate=registry
Volume=${PODMAN_SOCKET}:/var/run/docker.sock:ro,z
Volume=./traefik/traefik.yml:/etc/traefik/traefik.yml:ro,Z
Volume=./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro,Z
Volume=./traefik/acme:/etc/traefik/acme:rw,Z
SecurityLabelType=container_runtime_t
Network=traefik.network
PublishPort=80:80
PublishPort=443:443
Label=traefik.enable=true
Label=traefik.http.routers.mydashboard.entrypoints=websecure
Label=traefik.http.routers.mydashboard.rule="Host(`traefik.example.com`)"
Label=traefik.http.routers.mydashboard.tls=true
Label=traefik.http.routers.mydashboard.tls.certresolver=myresolver
Label=traefik.http.routers.mydashboard.service=api@internal
Label=traefik.http.routers.mydashboard.middlewares=myauth
Label=traefik.http.routers.cockpit.entrypoints=websecure
Label=traefik.http.routers.cockpit.rule="Host(`cockpit.example.com`)"
Label=traefik.http.routers.cockpit.tls=true
Label=traefik.http.routers.cockpit.tls.certresolver=myresolver
Label=traefik.http.routers.cockpit.priority=1000
Label=traefik.http.routers.cockpit.service=cockpit@file
Label=traefik.http.middlewares.myauth.basicauth.users=<see-htpasswd-command>
[Install]
WantedBy=multi-user.target default.target