This repository was archived by the owner on Nov 23, 2022. It is now read-only.

@anbraten commented Mar 11, 2020

Add possibility to adjust traefik settings with config file.

Issue: Supply Traefik config file exoframejs/exoframe#139

Standard way:

  • exoframe creates traefik.yml
  • user adds settings to traefik.yml
  • on next start exoframe merges settings with old / current traefik.yml

Disabled config generation:

This can be done by setting: traefikDisableGeneratedConfig: false in server.config.yml

  • exoframe starts traefik, but does not touch traefik.yml

TODO / Current problems

  • exoframe specific config like letsencrypt will not be removed after being once added
  • update docs
  • won't be possible to use toml config (doesn't sound like a real problem to me)

coveralls commented Mar 11, 2020

Coverage decreased (-0.4%) to 87.788% when pulling ddc0565 on anbraten:feature/traefik-config into a5ae767 on exoframejs:develop.

@anbraten
Contributor Author

@yamalight
Custom traefik config should be working now. I am basically writing a generated yml-config to .exoframe/.internal/traefik/traefik.yml merged from the old config part and the user defined config file. You are free to overwrite everything in the custom config, but it also works without a custom config file at all.

Currently config changes for traefik aren't watched at all. If this is needed I would suggest using some kind of nodemon script to restart the complete server. Extending the current config reload mechanism would be quite complicated.

@yamalight
Contributor

@anbraten thanks for your work! I'll try to have a look in the next few days

@yamalight
Contributor

Alright, had a look.
Here's my current thoughts:

  • I think we shouldn't allow replacing config completely as not having some defaults might break some things (if you want completely custom config - you can just roll your own instance)
  • I think using file based config discovery would likely be a nicer solution - i.e. we have base config that cannot be changed, it includes directory that is written to volume where user can put custom subconfigs for traefik (this'll also allow dynamically updating config)

Thoughts?

@anbraten
Contributor Author

Traefik has two parts of config. Static file traefik.yml and dynamic configuration to define services and their settings. Docs
Using suggested file based config discovery would only work for service definitions.

But I would like to be able to use dnschallenge instead of the normal httpChallenge.

Example:

server.config.yml:

debug: false
letsencrypt: true
letsencryptEmail: [email protected]
compress: true
baseDomain: exoframe.example.org
cors: false
updateChannel: stable
traefikImage: 'traefik:latest'
traefikName: exoframe-traefik
traefikArgs: {}
exoframeNetwork: exoframe
publicKeysPath: /root/.ssh
plugins:
  install: []

Generated traefik.yml (without custom config file)

In this PR Exoframe would generate a config at ~/.exoframe/.internal/traefik/traefik.yml by the above settings looking like this:

log:
  level: warning
  filePath: /var/traefik/traefik.log
entryPoints:
  websecure:
    address: ':443'
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
certificatesResolvers:
  exoframeChallenge:
    acme:
      httpChallenge:
        entryPoint: web
      email: [email protected]
      storage: /var/traefik/acme.json

Set custom settings

To change ssl-challenge to dnschallenge I would create a file at ~/.exoframe/traefik/traefik.yml

certificatesResolvers:
  dnschallenge:
    acme:
      email: "[email protected]"
      storage: "/var/traefik/acme.json"
      dnsChallenge:
        provider: "httpreq"

Final traefik.yml

Exoframe will save the merged config at ~/.exoframe/.internal/traefik/traefik.yml:

log:
  level: warning
  filePath: /var/traefik/traefik.log
entryPoints:
  websecure:
    address: ':443'
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
certificatesResolvers:
  exoframeChallenge:
    acme:
      email: [email protected]
      storage: /var/traefik/acme.json
      dnsChallenge:
        provider: httpreq

@yamalight
Contributor

Hmm, that's fair enough 🤔
I guess we'll need a note in the docs saying you gotta be very careful about modifying that config then 😅
Anyway, thanks for all the work - I'll merge this 👍

@yamalight yamalight merged commit 6ca51bf into exoframejs:develop Mar 19, 2020
@anbraten
Contributor Author

> Hmm, that's fair enough 🤔
> I guess we'll need a note in the docs saying you gotta be very careful about modifying that config then 😅
> Anyway, thanks for all the work - I'll merge this 👍

Thanks for accepting new features.

PS: Please be careful with the merging before WIP tag / title is removed. 😉

@yamalight
Contributor

@anbraten whoops, I assumed you have finished with it - or am I wrong here? 😅

GavinRay97 commented Oct 7, 2020

Hey, just a friendly heads-up: it appears as though this has been merged and the docs haven't caught up with it yet. I was so confused for a while because traefikArgs was not getting set and it kept telling me api not enabled.

The only clue I got was that there was a traefikDisableGeneratedConfig option auto-generated in server.config.yml that had no documentation on it.

I did a grep on the output of the server's dist/index.js for traefik and found this PR was present in exoframe/server:latest.

Did manage to finally get this working locally though with the following in ~/exoframe-server/traefik/traefik.yml (I use this name to separate it from ~/.exoframe for CLI):

api:
    insecure: true
    dashboard: true

And the following start command:

#!/bin/bash

EXOFRAME_SUBDOMAIN="exoframe"
DOMAIN="mysite.localhost"

docker run -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v ~/exoframe-server:/root/.exoframe \
  -v ~/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
  -e EXO_PRIVATE_KEY=my-private-key \
  --label traefik.enable=true \
  --label "traefik.http.routers.api.rule=Host(\`traefik.${EXOFRAME_SUBDOMAIN}.${DOMAIN}\`)" \
  --label traefik.http.routers.api.service=api@internal \
  --label "traefik.http.routers.exoframe-server.rule=Host(\`${EXOFRAME_SUBDOMAIN}.${DOMAIN}\`)" \
  --restart always \
  --name exoframe-server \
  exoframe/server

The dashboard should now be available at http://traefik.exoframe.mysite.localhost

I'm not entirely sure why it has a websecure for 443 when trying to access it via HTTPS fails due to not being set up properly, but I also don't understand networking well to be honest.

It's worth noting that these two lines can both be set in the traefik.yml, and the api@internal is enabled by default when api is set at all in the config file:

  --label "traefik.http.routers.api.rule=Host(\`traefik.${EXOFRAME_SUBDOMAIN}.${DOMAIN}\`)" \
  --label traefik.http.routers.api.service=api@internal \
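
Because the user file discussed in this thread can override any generated default, an operator may want to see which defaults were replaced and whether the merged result enables anything risky before Traefik starts. The following is an added example, not part of the original thread and not Exoframe's code; the plain recursive merge, the names `mergeWithReport`, `audit` and `RISKY`, and the sample objects (built from the YAML shown above) are assumptions.

```javascript
// Added example, not Exoframe's code. Assumption: plain recursive merge, user values win.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Merge without mutating inputs; record each dotted path where a generated default is replaced.
function mergeWithReport(base, override, path = '', overridden = []) {
  const merged = { ...base };
  for (const [key, value] of Object.entries(override)) {
    if (key === '__proto__') continue; // never let a config key touch the prototype
    const here = path ? `${path}.${key}` : key;
    if (isObj(value) && isObj(base[key])) {
      merged[key] = mergeWithReport(base[key], value, here, overridden).merged;
    } else {
      if (key in base && JSON.stringify(base[key]) !== JSON.stringify(value)) overridden.push(here);
      merged[key] = value;
    }
  }
  return { merged, overridden };
}

// Settings that deserve review before Traefik starts: [path, risky value, reason].
const RISKY = [
  ['api.insecure', true, 'API and dashboard are served without authentication'],
  ['providers.docker.exposedByDefault', true, 'containers are routed without opting in'],
];

const get = (obj, dotted) => dotted.split('.').reduce((o, k) => (isObj(o) ? o[k] : undefined), obj);

function audit(config) {
  return RISKY.filter(([p, bad]) => get(config, p) === bad).map(([p, , why]) => `${p}: ${why}`);
}

// Generated defaults as shown earlier in the thread, written as a JS object.
const generated = {
  log: { level: 'warning', filePath: '/var/traefik/traefik.log' },
  entryPoints: { websecure: { address: ':443' } },
  providers: { docker: { endpoint: 'unix:///var/run/docker.sock', exposedByDefault: false } },
};

// Constructed user file: the api block from the thread plus one overridden default.
const custom = {
  api: { insecure: true, dashboard: true },
  providers: { docker: { exposedByDefault: true } },
};

const result = mergeWithReport(generated, custom);
console.log('overridden defaults:', result.overridden);
console.log('findings:', audit(result.merged));
```
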

@yamalight
Contributor

@GavinRay97 you are totally right! I somehow missed the docs updates.
Will add a ticket for that - PRs welcome though :)
