traefik/SETUP-INSTRUCTIONS.md

# Traefik Setup - Next Steps

## Current Status ✅

Traefik has been successfully installed and configured! Here's what's done:

- ✅ Traefik container running
- ✅ Mealie connected to Traefik network
- ✅ HTTP to HTTPS redirect working
- ✅ Automatic SSL with Let's Encrypt configured
- ✅ Gogs routing configured

## What You Need to Do

### 1. Configure DNS Records ⚠️ REQUIRED

Before SSL certificates can be obtained, you need to add DNS A records pointing to your server's **public IP address**:

```
Type    Name                            Value (Points to)
----    ----                            -----------------
A       recipes.pkartchner.com          YOUR_PUBLIC_IP
A       git.pkartchner.com              YOUR_PUBLIC_IP
A       traefik.pkartchner.com          YOUR_PUBLIC_IP  (optional - for dashboard)
```

**How to find your public IP:**
```bash
curl ifconfig.me
```

**Where to add DNS records:**
- Log in to your domain registrar (where you bought pkartchner.com)
- Go to DNS management
- Add the A records above
- Wait 5-60 minutes for DNS propagation

### 2. Configure EdgeRouter Port Forwarding

Forward ports 80 and 443 from your EdgeRouter to this server:

```
WAN Port    LAN IP              LAN Port    Protocol
--------    ------              --------    --------
80          YOUR_SERVER_IP      80          TCP
443         YOUR_SERVER_IP      443         TCP
```

**EdgeRouter CLI commands:**
```bash
configure
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward rule 1 description "HTTP to Traefik"
set port-forward rule 1 forward-to address YOUR_SERVER_IP
set port-forward rule 1 forward-to port 80
set port-forward rule 1 original-port 80
set port-forward rule 1 protocol tcp
set port-forward rule 2 description "HTTPS to Traefik"
set port-forward rule 2 forward-to address YOUR_SERVER_IP
set port-forward rule 2 forward-to port 443
set port-forward rule 2 original-port 443
set port-forward rule 2 protocol tcp
commit
save
exit
```

### 3. Verify SSL Certificates (After DNS Propagates)

Once DNS is configured and propagated:

```bash
# Check Traefik logs for SSL certificate generation
docker logs traefik -f

# You should see messages like:
# "Server responded with a certificate"
# "Certificate obtained for domain recipes.pkartchner.com"
```

### 4. Test Your Setup

After DNS propagation and SSL certificates are obtained:

**Test Mealie:**
```bash
# Should redirect to HTTPS and show valid certificate
curl -I https://recipes.pkartchner.com
```

**Test Gogs:**
```bash
# Should redirect to HTTPS and show valid certificate
curl -I https://git.pkartchner.com
```

**Access Traefik Dashboard:**
```
URL: https://traefik.pkartchner.com
Username: admin
Password: change-this-password
```

### 5. Change Traefik Dashboard Password

Generate a new password hash:
```bash
apt install apache2-utils
echo $(htpasswd -nb admin YourNewPassword) | sed -e s/\\$/\\$\\$/g
```

Update the password in `/srv/docker-compose/traefik/docker-compose.yml`:
```yaml
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$NEW_HASH"
```

Then restart Traefik:
```bash
cd /srv/docker-compose/traefik
docker compose restart
```

## Troubleshooting

### SSL Certificate Errors

If you see "DNS problem: NXDOMAIN" in logs:
- ✅ DNS records are not set up yet or haven't propagated
- ⏰ Wait for DNS propagation (can take up to 24 hours)
- 🔍 Check DNS with: `dig recipes.pkartchner.com` or `nslookup recipes.pkartchner.com`

### Can't Access Services

1. **Check if Traefik is running:**
   ```bash
   docker ps | grep traefik
   ```

2. **Check Traefik logs:**
   ```bash
   docker logs traefik --tail 50
   ```

3. **Verify containers are on Traefik network:**
   ```bash
   docker network inspect traefik
   ```

4. **Test local access:**
   ```bash
   curl -H "Host: recipes.pkartchner.com" http://localhost
   ```

### 503 Service Unavailable

- Check if Mealie/Gogs containers are running
- Verify they're on the Traefik network
- Check container logs

## Services Summary

| Service | Domain | Backend Port | Status |
|---------|--------|--------------|--------|
| Mealie | recipes.pkartchner.com | localhost:9091 | ✅ Configured |
| Gogs | git.pkartchner.com | gogs.pkartchner.com:3000 | ✅ Configured |
| Traefik | traefik.pkartchner.com | localhost:8080 | ✅ Configured |

## Important Security Notes

1. **Firewall**: Only ports 80, 443, and 22 (SSH) should be open to the internet
2. **Dashboard**: Change the default Traefik dashboard password immediately
3. **Backups**: acme.json contains your SSL certificates - back it up
4. **Updates**: Regularly update Traefik for security patches

## Quick Commands

```bash
# View Traefik dashboard locally
curl http://localhost:8080/dashboard/

# Check SSL certificates
docker exec traefik cat /acme.json | jq .

# Restart all services
cd /srv/docker-compose/traefik && docker compose restart
cd /srv/docker-compose/mealie && docker compose restart

# View logs
docker logs traefik -f
docker logs mealie -f
```

## When Everything is Working

You should be able to:
- ✅ Access Mealie at https://recipes.pkartchner.com (with valid SSL)
- ✅ Access Gogs at https://git.pkartchner.com (with valid SSL)
- ✅ Access Traefik dashboard at https://traefik.pkartchner.com
- ✅ HTTP automatically redirects to HTTPS
- ✅ All connections encrypted with Let's Encrypt certificates