Deploy PocketBase with Docker behind traefik
Deploy the PocketBase backend server on Docker with TLS certs behind the traefik reverse proxy
PocketBase is an open source backend with a REST API, shipped as a single binary that runs as a standalone application or as a library, with built-in authentication and a dashboard.
Prerequisites:
- Docker. Follow the official documentation to install Docker.
- traefik.
- A valid FQDN whose DNS is hosted at Cloudflare.
- A Cloudflare API token with Zone read/write permissions.
docker engine install
Follow the official documentation to install Docker, or use the one-liner:
curl -sSL https://get.docker.com/ | sh
traefik
traefik can be set up with the guide here.
Here's the certificates resolver setup for traefik:
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: [email protected]
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
Make sure to set the Cloudflare API token CF_API_TOKEN in the docker compose environment variables.
environment:
  - CF_API_TOKEN=
  #- [email protected]
  #- CF_API_KEY= # use either the API key or the API token, based on your use case
An API key in combination with the email can also be used, but it's not recommended.
For the full traefik setup, visit the repo https://github.com/kdpuvvadi/homelab/tree/main/traefik.
Setup
Directory structure
The recommended directory structure is as follows:
myapp/
  pb_data/
  pb_hooks/
  pb_public/
Setting Encryption.
PocketBase stores application settings in plain text format (JSON). To store your PocketBase settings encrypted, generate a 32-character random string and encrypt the settings with that key.
openssl rand -hex 16
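One way to carry out the key-generation step above without pasting the key into the compose file (an added example, not from the original post or the PocketBase project): it writes the key to an owner-only `.env` file and rejects a malformed value such as the `32charkey` placeholder. It assumes the compose entry is changed to `PB_ENCRYPTION_KEY: ${PB_ENCRYPTION_KEY}` so that Compose reads the value from `.env`; the function names, the `.env` path and the script name `pb-key.sh` are illustrative.

```shell
#!/bin/sh
# Added example (hypothetical pb-key.sh): create PB_ENCRYPTION_KEY once, keep it in .env.
set -eu

# Succeeds only for exactly 32 lowercase hex characters (what `openssl rand -hex 16` emits).
valid_pb_key() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Print a fresh key; falls back to /dev/urandom when openssl is not installed.
new_pb_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Ensure the env file (default ./.env) holds a valid key.
# An existing valid key is kept untouched: settings encrypted with it
# cannot be read with a different key. A malformed key is an error.
ensure_pb_key() {
  envfile="${1:-.env}"
  if [ -f "$envfile" ] && grep -q '^PB_ENCRYPTION_KEY=' "$envfile"; then
    current=$(sed -n 's/^PB_ENCRYPTION_KEY=//p' "$envfile" | head -n 1)
    if valid_pb_key "$current"; then
      return 0
    fi
    echo "PB_ENCRYPTION_KEY in $envfile is not 32 hex characters" >&2
    return 1
  fi
  key=$(new_pb_key)
  if ! valid_pb_key "$key"; then
    echo "key generation failed" >&2
    return 1
  fi
  ( umask 077; printf 'PB_ENCRYPTION_KEY=%s\n' "$key" >> "$envfile" )
  chmod 600 "$envfile"   # tighten permissions if the file already existed
}

# Only act when asked to, e.g. `sh pb-key.sh --write .env`.
if [ "${1:-}" = "--write" ]; then
  ensure_pb_key "${2:-.env}"
fi
```

Run it in the directory that holds the compose file before `docker compose up -d`, and keep `.env` out of version control and in your backups alongside `pb_data`.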
compose
The Docker compose file can be found at https://github.com/kdpuvvadi/pocketbase
---
services:
  pocketbase:
    image: ghcr.io/kdpuvvadi/pocketbase:latest
    container_name: pocketbase
    volumes:
      - ./pb_data:/usr/src/app/pb_data
      - ./pb_public:/usr/src/app/pb_public
      - ./pb_hooks:/usr/src/app/pb_hooks
    environment:
      PB_ENCRYPTION_KEY: 32charkey # replace it with the one generated by $ openssl rand -hex 16
    ports: # optional behind the proxy (publishes plain HTTP on the host, bypassing traefik); useful for debugging & health checks
      - 8090:8090
    command: --encryptionEnv=PB_ENCRYPTION_KEY
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy" # replace it based on your setup
      - "traefik.http.routers.pb.entrypoints=https"
      - "traefik.http.routers.pb.rule=Host(`pb.example.net`)" # change it to your FQDN
      - "traefik.http.routers.pb.middlewares=default-headers@file"
      - "traefik.http.routers.pb.tls=true"
      - "traefik.http.routers.pb.service=pb"
      - "traefik.http.services.pb.loadbalancer.server.scheme=http"
      - "traefik.http.services.pb.loadbalancer.server.port=8090"
    networks:
      - proxy # replace it with the network name used by the traefik proxy in your setup
    restart: unless-stopped
    healthcheck:
      test: curl --fail http://localhost:8090/api/health || exit 1
      interval: 30s
      retries: 5
      start_period: 10s
      timeout: 5s

networks:
  proxy: # replace it based on your setup
    external: true
DNS records should already point to your traefik host, not the PocketBase server. E.g. if the traefik host IP is 10.20.20.5, the A record for pb.example.net should point to 10.20.20.5.
Deploy the app with
docker compose up -d
Now, PocketBase should be available at https://pb.example.net with TLS certificates enabling HTTPS. The dashboard should be available at https://pb.example.net/_.
Conclusion
For more details and documentation, visit the docker repo and the official documentation. If you have any queries, feel free to drop a comment. Au revoir.