Part 1. The beginning
So, I've been running my homelab for a while now, running several services on it, some of which are exposed to the outside. I'd like to be able to access my media collection and photo library and things like that.
In order to make it happen, one could go with a bunch of various HomeLab Homepage software, but I'm quite hands on, so I decided to use Traefik.
Traefik is a proxy server in it's basic form, and unlike nginx it has a bunch of nifty features, such as dynamic runtime configuration, automatic certificate provisioning, built-in metric, etc. It does sacrifice the ability to do other things, though. Not sure if you can proxy directly to unix sockets, for instance. Or run php
. But as I wasn't having fun with certbot
and nginx
on my “production” machine, automatically dealing with certificates was a really nice thing to have.
I've created an lxc
container in my ProxMox instance, rolled out Alpine on it, and downloaded the traefik binary. After poking a bit with the documentation, I was able to create a directory with config files (I guess my nostalgia for nginx
's /etc/nginx/sites-available/
is ingrained too deeply). Once I put some yaml
files into that directory the server would automatically pick them up and reconfigure itself without having to do any restarts... Awesome.
Part 2. Keeping up to date
Some time after starting with my ProxMox journey, I've discovered the excellent VE Helper Scripts. It's a collection of small scripts that help you automatically provision various pieces of software (traefik being one of them). I've used it so far to provision Home Assistant for managing my smart home, iVentoy for iPXE booting, n8n and NodeRed for playing with various automation pipelines. It makes a quick work of these things and also allows you to update the main software for that VM or Container.
But the traefik container I've installed manually, so any time I wanted to do an update, I'd have to ssh into it, download new traefik binary, and do that whole song and dance, so I thought, why don't I migrate to a new container, provisioned with a helper script, so that I can keep it updated much easier.
Part 3. The new container
I got the container provisioned, but now I started feeling like manual configuration in yaml
files is suboptimal. I'm getting quite lazy with age, and having some kind of UI for some tasks certainly has its draws. I began looking and stumbled upon Mantrae, which provides a UI for configuring Traefik.
You see, Traefik can dynamically read its configuration from a URL. And Mantrae outputs a traefik-compatible JSON file. It can also connect to traefik's API to get a bunch of information from the existing instance.
I deployed it and started configuring the new instance. (All the traffic was still routed to the old traefik instance).
To create the configuration you can use the following command:
systemctl edit --force --full mantrae.service
and put in the following config
[Unit]
After=network.target
Description=Traefik Configuration Daemon
[Service]
EnvironmentFile=-/opt/mantrae/.env
Type=simple
ExecStart=/opt/mantrae/current/mantrae
[Install]
WantedBy=network.target
In my case I keep my software that I install from binaries under /opt/software-name/v1.2.3
and then I symlink /opt/software-name/current
to a most recent version. This way I can extract the tarball into the corresponding version, adjust the symlink and try it out. I can easily roll back to the previous version as well.
Make sure to generate secrets as the docs suggest and put them into the .env
file. I've also changed my admin username and password. You can find all the env vars in the documentation.
Part 4. Configuration
After downloading a binary and creating a quick systemd
launch configuration I was able to get to the Web UI.

This points to the traefik instance, and once it's created you should be able to see the stats

Now we can create a Router...
... and add a service

I couldn't get Mantrae to automatically detect my certificate resolver, but you can look it up in your traefik.yaml
, in my case it was predictably Let's Encrypt
certificatesResolvers:
letsencrypt:
So just type letsencrypt
in the “Resolver” field.
Part 5. Wiring up traefik and switchover
In order for traefik to use it, we have to add it to the main config. Originally I tried to put it into the dynamic folder, but that didn't work at all, so just put it into the main config, probably /etc/traefik/traefik.yaml
providers:
file:
directory: /etc/traefik/conf.d/
watch: true
http:
endpoint: http://localhost:3000/api/Default
In my case they both run on the same container, and the capitalization matters in the url.
After restarting traefik
I was able to see the http
provider in the dashboard

I've configured all my existing services, basically mirroring my original traefik instance via Mantrae, so that all of them were set up through it's UI. After comparing the two dashboards, to make sure everything is the same, there was one step left. I wanted to re-use my certificates that were already provisioned, so a quick
scp old-traefik:/opt/traefik/acme.json /etc/traefik/ssl/acme.json
and the cert storage was moved over.
Then I simply went to my router, and pointed it to the IP address of the new container, and that was done...
My Uptime Kuma has recorded a small blip of an outage, as my router was restarting, but that quickly got resolved.
I'll write about setting that up in another post
#homelab #traefik #mantrae #uptimekuma