https://github.com/primus852/traefik-ddns

This repository provides configuration files and instructions for setting up a Cloudflare Dynamic DNS (DDNS) service and a Traefik reverse proxy with Let's Encrypt SSL/TLS support. It includes Docker Compose configurations, environment variable templates, and detailed usage instructions to automate DNS updates and manage SSL certificates.
https://github.com/primus852/traefik-ddns

cloudflare ddns docker docker-compose letsencrypt ssl-tls traefik

Last synced: 8 months ago
JSON representation

This repository provides configuration files and instructions for setting up a Cloudflare Dynamic DNS (DDNS) service and a Traefik reverse proxy with Let's Encrypt SSL/TLS support. It includes Docker Compose configurations, environment variable templates, and detailed usage instructions to automate DNS updates and manage SSL certificates.

• Host: GitHub
• URL: https://github.com/primus852/traefik-ddns
• Owner: primus852
• Created: 2025-01-03T07:53:31.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2025-05-18T17:44:44.000Z (9 months ago)
• Last Synced: 2025-05-18T18:35:55.843Z (9 months ago)
• Topics: cloudflare, ddns, docker, docker-compose, letsencrypt, ssl-tls, traefik
• Language: Makefile
• Homepage:
• Size: 410 KB
• Stars: 2
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          

# Cloudflare DDNS and Traefik Configuration

This repository contains configuration files and instructions for setting up a Cloudflare Dynamic DNS (DDNS) service and a Traefik reverse proxy with Let's Encrypt SSL/TLS support.

---

## Table of Contents

1. [Overview](#overview)

2. [Requirements](#requirements)

3. [Configuration Files](#configuration-files)

    - [config.ddns.json](#configddnsjson)

    - [compose.yml](#composeyml)

    - [.env.dist](#envdist)

    - [acme.json](#acmejson)

4. [Usage](#usage)

    - [Environment Variables](#environment-variables)

    - [Running the Services](#running-the-services)

5. [Dashboard Access](#dashboard-access)

6. [Updating Configuration](#updating-configuration)

7. [Troubleshooting](#troubleshooting)

8. [Makefile Usage](#makefile-usage)

8. [Maintenance and Updates](#maintenance-and-updates)

9. [Security Considerations](#security-considerations)

10. [Support](#support)

---

## Overview

This setup provides:

- **Dynamic DNS updates**: Automatically updates A and AAAA records in Cloudflare.

- **Reverse proxy management**: Handles routing and SSL/TLS certificates with Traefik.

- **Automatic SSL certificate renewal**: Uses Let's Encrypt with DNS-01 challenges.

---

## Requirements

- Docker and Docker Compose installed.

- A Cloudflare account with an API token that has DNS edit permissions.

- Domain names managed through Cloudflare.

---

## Configuration Files

### `config.ddns.json`

Configures the Cloudflare DDNS updater.

```json

{

  "cloudflare": [

    {

      "authentication": {

        "api_token": "your-cloudflare-api-token"

      },

      "zone_id": "your-cloudflare-zone-id",

      "subdomains": [

        {

          "name": "*.your-subdomain",

          "proxied": false

        }

      ]

    }

  ],

  "a": true,

  "aaaa": true,

  "purgeUnknownRecords": true,

  "ttl": 300

}

```

- **`zone_id`**: The Cloudflare zone identifier for your domain.

- **`subdomains`**: List of subdomains to update dynamically.

### `compose.yml`

Defines Docker Compose services for DDNS and Traefik.

```yaml

services:

  ddns:

    image: timothyjmiller/cloudflare-ddns:latest

    container_name: ddns

    network_mode: 'host'

    environment:

      - PUID=1000

      - PGID=1000

    volumes:

      - ./config.ddns.json:/config.json:ro

    restart: unless-stopped

  traefik:

    image: traefik:latest

    container_name: traefik

    ports:

      - "80:80"

      - "443:443"

    volumes:

      - /var/run/docker.sock:/var/run/docker.sock:ro

      - ./certs:/letsencrypt

    command:

      - "--api=true"

      - "--api.dashboard=true"

      - "--entrypoints.web.address=:80"

      - "--entrypoints.websecure.address=:443"

      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"

      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

      - "--certificatesResolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"

      - "--certificatesResolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"

    environment:

      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}

      - CERT_MAIL=${CERT_MAIL}

    restart: unless-stopped

```

### `.env.dist`

A template environment file for storing sensitive variables.

```env

# Cloudflare

CF_DNS_API_TOKEN=your-cloudflare-api-token

CERT_MAIL=your-email@example.com

# Let's Encrypt

MAIN_DOMAIN=your-main-domain.com

SANS_DOMAIN=*.your-main-domain.com

# Dashboard

DASHBOARD_DOMAIN=traefik.localhost

DASHBOARD_ENABLED=true

# WhoAmI Sample

WHOAMI_DOMAIN=whoami.localhost

```

- **`CF_DNS_API_TOKEN`**: Your Cloudflare API token with DNS permissions.

- **`CERT_MAIL`**: Email address for Let's Encrypt notifications.

- **`MAIN_DOMAIN`**: The primary domain for the SSL certificate.

- **`SANS_DOMAIN`**: Additional domains (wildcards) for the SSL certificate.

- **`DASHBOARD_ENABLED`**: Enable Traefik dashboard (default: `false`).

- **`DASHBOARD_DOMAIN`**: URL of the traefik dashboard, if `DASHBOARD_ENABLED=true`

- **`WHOAMI_DOMAIN`**: URL of the whoami service, for demo purposes

### `acme.json`

This file stores SSL/TLS certificates managed by Traefik. Will be created automatically. Ensure it has restricted permissions after creation:

```bash

chmod 600 acme.json

```

---

## Usage

### Environment Variables

1. Copy `.env.dist` to `.env`:

   ```bash

   cp .env.dist .env

   ```

2. Edit `.env` to provide the required values.

### Running the Services

1. Start the Docker Compose services:

   ```bash

   docker-compose up -d

   ```

2. Check if the services are running:

   ```bash

   docker ps

   ```

---

## Dashboard Access

1. Ensure Traefik's dashboard is enabled in the `compose.yml` file under the `command` section.

2. Visit the dashboard using your domain:

   ```

   https://your-domain/dashboard

   ```

---

## Updating Configuration

### For `config.ddns.json`

- Modify the subdomains or zone ID.

- Restart the DDNS service:

  ```bash

  docker-compose restart ddns

  ```

### For `compose.yml`

- Make necessary updates to the services or environment variables.

- Rebuild and restart:

  ```bash

  docker-compose up -d --build

  ```

---

## Troubleshooting

### DNS Updates Not Reflecting

- Verify the API token and `zone_id` in `config.ddns.json`.

- Check DDNS logs:

  ```bash

  docker logs ddns

  ```

### SSL Certificates Not Issued

- Ensure DNS records are correctly set up.

- Check Traefik logs:

  ```bash

  docker logs traefik

  ```

---

## Makefile Usage

The `Makefile` provides convenient commands to manage the Docker Compose services. Below are the available targets and their usage:  

### Targets

- `start-ddns`: Starts the Cloudflare DDNS service.

- `start-traefik`: Starts the Traefik service.

- `start`: Starts both the DDNS and Traefik services, including whoami sample.

- `start-dev`: Starts both the DDNS and Traefik services

- `stop`: Stops all running services.

- `down`: Stops and removes all services.

### Usage

To use the `Makefile` targets, run the following commands in your terminal:  

  

`make `, e.g., `make start` to start both services and the sample application.

### Production Usage

To start the services in production mode, use `ENV=prod make `

## Maintenance and Updates

### Updating Docker Images

1. Pull the latest images:

   ```bash

   docker-compose pull

   ```

2. Restart the services:

   ```bash

   docker-compose up -d

   ```

### Backing Up Configuration

- Backup important files:

  - `.env`

  - `config.ddns.json`

  - `acme.json`

  - `compose.yml`

---

## Security Considerations

- **File Permissions**: Restrict access to sensitive files like `.env`, `config.ddns.json`, and `acme.json`.

- **API Tokens**: Use scoped API tokens with minimal permissions.

- **Regular Updates**: Keep Docker images and configurations up-to-date.

---

## Support

For support:

- Open an issue on the repository.

- Refer to [Traefik Documentation](https://doc.traefik.io/traefik/).

- Refer to [Cloudflare API Documentation](https://developers.cloudflare.com/api/).

---

## Cloudflare Setup

### Sample config.ddns.json

```json

{

  "cloudflare": [

    {

      "authentication": {

        "api_token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

      },

      "zone_id": "XXXXXXXXXXXXXXXX",

      "subdomains": [

        {

          "name": "*.dev",

          "proxied": false

        }

      ]

    }

  ],

  "a": true,

  "aaaa": true,

  "purgeUnknownRecords": true,

  "ttl": 300

}

```

leading to the following DNS records:

![cf_setup.png](images/cf_setup.png)

### API Token

The Cloudflare API token can be obtained from the Cloudflare dashboard under `My Profile` -> `API Tokens` -> `Create Token`.

(https://dash.cloudflare.com/profile/api-tokens)

![cf_token.png](images/cf_token.png)

### Zone ID

The zone ID can be found in the Cloudflare dashboard under the domain's `Overview` tab.

![cf_zone_id.png](images/cf_zone_id.png)

Feel free to contribute or suggest improvements!