@hadim
Created February 4, 2024 15:21
RustDesk and Traefik Docker Compose Configuration
# A minimal configuration to host a RustDesk server with Traefik v3 (also works with Traefik v2).
#
# This configuration is based on a single Rustdesk container hosting the two hbbr and hbbs services
# instead of running two separate containers as in the official documentation.
# See https://rustdesk.com/docs/en/self-host/rustdesk-server-oss/docker/ for more information.
#
# This configuration is adapted from https://gist.github.com/FracKenA/5015150a6057afe9a22bf2e4b9d5f2b6.
#
# Pay attention to the comments in the file and adapt the configuration to your needs.
# Once deployed you must configure the Rustdesk client in the Network tab to use the domain
# name of the relay server and the port 21117.
# ID server: DOMAIN_NAME:21116
# Relay server: DOMAIN_NAME:21117
# Key: THE_PUBLIC_KEY
version: "3"
services:
  # Traefik proxy
  #
  # This traefik configuration is the strict minimum to make Rustdesk work without any other services
  # such as Traefik dashboard. Adapt it to your needs.
  traefik:
    container_name: traefik
    image: traefik:v3.0
    ports:
      # Rustdesk ports
      # Those MUST be open on your router and firewall and forwarded to the host running
      # this docker-compose file.
      - 21115:21115/tcp
      - 21116:21116/tcp
      - 21117:21117/tcp
      - 21118:21118/tcp
      - 21119:21119/tcp
      - 21116:21116/udp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    command:
      - --global.checkNewVersion=false
      - --global.sendAnonymousUsage=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      - --accesslog.filters.statuscodes=400-499
      # Rustdesk entrypoints
      - --entrypoints.rd5-tcp.address=:21115/tcp # ID Server - NAT type test
      - --entrypoints.rd6-tcp.address=:21116/tcp # ID Server - TCP hole punching
      - --entrypoints.rd6-udp.address=:21116/udp # ID Server - ID registration and heartbeat
      - --entrypoints.rd8-tcp.address=:21118/tcp # ID Server - Web client
      - --entrypoints.rd7-tcp.address=:21117/tcp # Relay Server - Relay services
      - --entrypoints.rd9-tcp.address=:21119/tcp # Relay Server - Web client
  # RustDesk ID/Rendezvous server and Relay server
  #
  # This container uses rustdesk-server-s6 instead of rustdesk-server. The difference is that
  # rustdesk-server-s6 is based on s6-overlay which runs the two services hbbr and hbbs in the same
  # container.
  rustdesk:
    container_name: rustdesk
    image: rustdesk/rustdesk-server-s6:latest
    volumes:
      - LOCAL_DIR_TO_HOST_THE_DATABASE:/db
      - LOCAL_DIR_TO_HOST_THE_KEYS:/data
    restart: unless-stopped
    environment:
      - RELAY=DOMAIN_NAME:21117
      - ENCRYPTED_ONLY=1
      - DB_URL=/db/db_v2.sqlite3
      # The private and public keys must be generated with the following commands:
      # Generate the private key: `openssl genpkey -algorithm Ed25519 -out private.key`
      # Generate the public key: `openssl pkey -in private.key -pubout -out public.key`
      # Display both keys and copy them below: `cat private.key public.key`
      # openssl rsa -in private.pem -pubout -out public.pem
      - KEY_PRIV=THE_PRIVATE_KEY
      - KEY_PUB=THE_PUBLIC_KEY
      - RUST_LOG=debug
    labels:
      - traefik.enable=true
      # 21115/tcp
      - traefik.tcp.routers.rustdesk-rd5.entrypoints=rd5-tcp
      - traefik.tcp.routers.rustdesk-rd5.rule=HostSNI(`*`)
      - traefik.tcp.routers.rustdesk-rd5.service=rustdesk-rd5
      - traefik.tcp.services.rustdesk-rd5.loadbalancer.server.port=21115
      - traefik.tcp.routers.rustdesk-rd5.tls=false
      - traefik.tcp.routers.rustdesk-rd5.tls.passthrough=true
      # 21116/tcp
      - traefik.tcp.routers.rustdesk-rd6.entrypoints=rd6-tcp
      - traefik.tcp.routers.rustdesk-rd6.rule=HostSNI(`*`)
      - traefik.tcp.routers.rustdesk-rd6.service=rustdesk-rd6
      - traefik.tcp.services.rustdesk-rd6.loadbalancer.server.port=21116
      - traefik.tcp.routers.rustdesk-rd6.tls=false
      - traefik.tcp.routers.rustdesk-rd6.tls.passthrough=true
      # 21118/tcp
      - traefik.tcp.routers.rustdesk-rd8.entrypoints=rd8-tcp
      - traefik.tcp.routers.rustdesk-rd8.rule=HostSNI(`*`)
      - traefik.tcp.routers.rustdesk-rd8.service=rustdesk-rd8
      - traefik.tcp.services.rustdesk-rd8.loadbalancer.server.port=21118
      - traefik.tcp.routers.rustdesk-rd8.tls=false
      - traefik.tcp.routers.rustdesk-rd8.tls.passthrough=true
      # 21116/udp
      - traefik.udp.routers.rustdesk-rd6.entrypoints=rd6-udp
      - traefik.udp.routers.rustdesk-rd6.service=rustdesk-rd6
      - traefik.udp.services.rustdesk-rd6.loadbalancer.server.port=21116
      # 21117/tcp
      - traefik.tcp.routers.rustdesk-rd7.entrypoints=rd7-tcp
      - traefik.tcp.routers.rustdesk-rd7.rule=HostSNI(`*`)
      - traefik.tcp.routers.rustdesk-rd7.service=rustdesk-rd7
      - traefik.tcp.services.rustdesk-rd7.loadbalancer.server.port=21117
      - traefik.tcp.routers.rustdesk-rd7.tls=false
      - traefik.tcp.routers.rustdesk-rd7.tls.passthrough=true
      # 21119/tcp
      - traefik.tcp.routers.rustdesk-rd9.entrypoints=rd9-tcp
      - traefik.tcp.routers.rustdesk-rd9.rule=HostSNI(`*`)
      - traefik.tcp.routers.rustdesk-rd9.service=rustdesk-rd9
      - traefik.tcp.services.rustdesk-rd9.loadbalancer.server.port=21119
      - traefik.tcp.routers.rustdesk-rd9.tls=false
      - traefik.tcp.routers.rustdesk-rd9.tls.passthrough=true

prov3it commented Mar 6, 2024

Hi,

Could you help me out? I'm following your instructions to the letter but I get an error (docker logs):

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service key-secret: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
**Invalid Secret key
Key pair not valid**
s6-rc: warning: unable to start service key-secret: command exited 1
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I tried multiple things:

  1. Created the ed25519 keys and put them straight into the data-folder, including:
-----BEGIN PRIVATE KEY-----
KEY_HERE
-----END PRIVATE KEY-----
  2. Add key to docker-compose.yml:
version: "3"
services:
  rustdesk-server:
    image: rustdesk/rustdesk-server-s6:latest
    hostname: rustdesk-server
    container_name: rustdesk-server
    restart: unless-stopped
    environment:
      - RELAY=rustdesk.domain.tld:21117
      - ENCRYPTED_ONLY=1
      - KEY_PRIV="MC4CAQAwBQYDK2VwBCIEIPmqsNFAy48dn9HkRq0TIMUfEAtJGQVR4vBnkzVL0yqp"
      - KEY_PUB="MCowBQYDK2VwAyEAcYSptRi+SbMAimuN3vW7bsf84BwP0ILxEWYuRdKIYEo="
      - DB_URL=/db/db_v2.sqlite3
      - RUST_LOG=debug
    volumes:
      - /some/path/data/rustdesk/db:/db
      - /some/path/data/rustdesk/data:/data
    networks:
      - network
    labels:  # other labels are in file and not the issue
      - traefik.enable=true
    
networks:
  network:
    external: true

Also, what do I need to do with: "openssl rsa -in private.pem -pubout -out public.pem"? Doesn't seem to be connected with the commands above.


Axolord commented Mar 14, 2024

As per official documentation, the keys can be generated using `docker run --rm --entrypoint /usr/bin/rustdesk-utils rustdesk/rustdesk-server-s6:latest genkeypair`. This worked for me; the gist should be updated with this command.
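
Added example (not part of the gist or of either comment): a stdlib-only Python check that tells the DER-wrapped keys OpenSSL writes apart from raw base64 keys, before they are pasted into `KEY_PRIV` / `KEY_PUB`. It assumes the server wants libsodium-style Ed25519 keys (32-byte public key, 64-byte secret key whose second half is the public key); the function names and sample values are constructed for illustration.

```python
import base64
import binascii

# DER headers OpenSSL puts in front of the 32 raw bytes of an Ed25519 key.
PKCS8_ED25519 = bytes.fromhex("302e020100300506032b657004220420")  # private key
SPKI_ED25519 = bytes.fromhex("302a300506032b6570032100")           # public key


def classify(value: str) -> str:
    """Return the encoding of one KEY_PRIV / KEY_PUB value."""
    text = value.strip()
    if text.startswith("-----BEGIN"):
        return "pem"
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"  # also catches literal quote characters in the value
    if len(raw) == 48 and raw.startswith(PKCS8_ED25519):
        return "openssl-pkcs8-private"
    if len(raw) == 44 and raw.startswith(SPKI_ED25519):
        return "openssl-spki-public"
    raw_kinds = {64: "raw-secret-64", 32: "raw-public-32"}
    return raw_kinds.get(len(raw), f"unknown-{len(raw)}-bytes")


def check_pair(key_pub: str, key_priv: str) -> list[str]:
    """List the problems found in a key pair; an empty list means it looks usable."""
    problems = []
    pub_kind, priv_kind = classify(key_pub), classify(key_priv)
    if pub_kind != "raw-public-32":
        problems.append(f"KEY_PUB is {pub_kind}, expected raw-public-32")
    if priv_kind != "raw-secret-64":
        problems.append(f"KEY_PRIV is {priv_kind}, expected raw-secret-64")
    if not problems:
        # Structural check only (no signature test): secret key = seed || public key.
        secret = base64.b64decode(key_priv.strip())
        if secret[32:] != base64.b64decode(key_pub.strip()):
            problems.append("KEY_PRIV does not embed KEY_PUB: keys are not a pair")
    return problems


# Constructed sample values (not real keys): all-zero seed, all-0x01 public key.
SEED, PUB = bytes(32), bytes([1]) * 32
OPENSSL_PRIV = base64.b64encode(PKCS8_ED25519 + SEED).decode()
OPENSSL_PUB = base64.b64encode(SPKI_ED25519 + PUB).decode()
SODIUM_PRIV = base64.b64encode(SEED + PUB).decode()
SODIUM_PUB = base64.b64encode(PUB).decode()
```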
