Evening y’all
I’ll try to keep it brief, I need to move my reverse proxy (traefik) to another machine and I’m opting to utilize Docker Swarm for the first time this way I’m not exposing a bunch of ports on my main server over my network, so ideally I’d like to have almost everything listening on local host while traefik does it’s thing in the background
Now I gotta ask, is Docker Swarm the best way to go about this? I know very little about Kubernetes and from what I’ve read/watched it seems like Swarm was designed for this very purpose however, I could be entirely wrong here.
What are some key changes that differ typical Compose files from Swarm?
Snippet of my current compose file:
services:
homepage:
image: ghcr.io/gethomepage/homepage
hostname: homepage
container_name: homepage
networks:
main:
ipv4_address: 172.18.0.2
environment:
PUID: 0 # optional, your user id
PGID: 0 # optional, your group id
HOMEPAGE_ALLOWED_HOSTS: MY.DOMAIN,*
ports:
- '127.0.0.1:80:3000'
volumes:
- ./config/homepage:/app/config # Make sure your local config directory exists
- /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
- /home/user/Pictures:/app/public/icons
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.homepage.rule=Host(`MY.DOMAIN`)"
- "traefik.http.routers.homepage.entrypoints=https"
- "traefik.http.routers.homepage.tls=true"
- "traefik.http.services.homepage.loadbalancer.server.port=3000"
- "traefik.http.routers.homepage.middlewares=fail2ban@file"
traefik:
image: traefik:v3.2
container_name: traefik
hostname: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
main:
ipv4_address: 172.18.0.26
ports:
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
- target: 80
published: 55262
mode: host
# Listen on port 443, default for HTTPS
- target: 443
published: 57442
mode: host
environment:
CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
# CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
secrets:
- cf_api_token
env_file: .env # use .env
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/traefik/traefik.yml:/traefik.yml:ro
- ./config/traefik/acme.json:/acme.json
# - ./opt:/opt
#- ./config/traefik/config.yml:/config.yml:ro
- ./config/traefik/custom-yml:/custom
# - ./config/traefik/homebridge.yml:/homebridge.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.MY.DOMAIN`)"
#- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
#- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.MY.DOMAIN`)"
#- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=MY.DOMAIN"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.MY.DOMAIN"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.routers.traefik.middlewares=fail2ban@file"
networks:
main:
external: true
ipam:
config:
- subnet: 172.18.0.0/16
gateway: 172.18.0.1
I censored out my actual domain with MY.DOMAIN so if that confuses people i apologize.
You must log in or # to comment.
I run swarm in my homelab and have done for years, traefik runs on my manager and uses the docker swarm networks to get to services.
My traefik compose makes all the service networks, then each service compose has an external network that all the containers connect to.
This is my example config, this might help - https://github.com/mhzawadi/docker-stash/tree/master/swarm
I have used Docker Swarm in my homelab for years without big issues, you just have to be aware of its limitations. For example, I use SWAG for my reverse proxy and it works better as a compose deployment on an individual docker node because then it can identify incoming IPs. All of the backend communication runs on internal networks, which helps isolate them.
I like using Swarm at home because it is simple and easy while providing good scalability and security (yes, I know podman would be more secure, but I haven’t taken that plunge yet).
That being said, Docker Swarm isn’t used in the industry much. So if you are looking to expand on your IT skills, K8s is the way.
I’ve worked with Swarm in a startup setting. It was an absolute nightmare. We eventually gave up and moved to Kubernetes.
That said, your use case does sound simpler. As I recall, we had to set up service discovery (with Hashicorp Consul) and secret management (with Hashicorp Vault) ourselves. I believe we also used Traefik for load balancing. There were other components as well, but I don’t remember it all. This was over 5 years ago, though.
The difficulty wasn’t configuring each piece but getting them to work together. There was also the time burned learning all the different tools. Kubernetes is great because everything is meant to work together.
But if it’s just two machines with separate configuration, do you even need orchestration? Is there a lot of overhead to just manage them individually?
Unfortunately, it was too long ago to remember the details of differences between compose and swarm. I do remember it was a very trivial conversion.
