Skip to content

Instantly share code, notes, and snippets.

@ubergesundheit

ubergesundheit/readme.md

Last active October 15, 2025 18:11
Show Gist options
  • Save ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85 to your computer and use it in GitHub Desktop.
Save ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85 to your computer and use it in GitHub Desktop.
Download ZIP
systemd traefik.service
Raw
readme.md

systemd Service Unit for Traefik

Adapted from caddy systemd Service Unit

The provided file should work with systemd version 219 or later. It might work with earlier versions. The easiest way to check your systemd version is to run systemctl --version.

Instructions

We will assume the following:

  • that you want to run traefik as user traefik and group traefik, with UID and GID 321
  • you are working from a non-root user account that can use 'sudo' to execute commands as root

Adjust as necessary or according to your preferences.

First, put the traefik binary in the system wide binary directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik /usr/local/bin
sudo chown root:root /usr/local/bin/traefik
sudo chmod 755 /usr/local/bin/traefik

Give the traefik binary the ability to bind to privileged ports (e.g. 80, 443) as a non-root user:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik

Set up the user, group, and directories that will be needed:

sudo groupadd -g 321 traefik
sudo useradd \
  -g traefik --no-user-group \
  --home-dir /var/www --no-create-home \
  --shell /usr/sbin/nologin \
  --system --uid 321 traefik

sudo mkdir /etc/traefik
sudo mkdir /etc/traefik/acme
sudo chown -R root:root /etc/traefik
sudo chown -R traefik:traefik /etc/traefik/acme

Place your traefik configuration file ("traefik.toml") in the proper directory and give it appropriate ownership and permissions:

sudo cp /path/to/traefik.toml /etc/traefik/
sudo chown root:root /etc/traefik/traefik.toml
sudo chmod 644 /etc/traefik/traefik.toml

Install the systemd service unit configuration file, reload the systemd daemon, and start traefik:

sudo cp /path/to/traefik.service /etc/systemd/system/
sudo chown root:root /etc/systemd/system/traefik.service
sudo chmod 644 /etc/systemd/system/traefik.service
sudo systemctl daemon-reload
sudo systemctl start traefik.service

Have the traefik service start automatically on boot if you like:

sudo systemctl enable traefik.service

If traefik doesn't seem to start properly you can view the log data to help figure out what the problem is:

journalctl --boot -u traefik.service

If your GNU/Linux distribution does not use journald with systemd then check any logfiles in /var/log.

If you want to follow the latest logs from traefik you can do so like this:

journalctl -f -u traefik.service
Raw
traefik.service
[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=traefik
Group=traefik
; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/traefik/acme
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
@bendog
Copy link

bendog commented Feb 20, 2020

I also had to run this to allow traefik to have access to /var/run/docker.sock

sudo usermod -aG docker traefik

@Nokius
Copy link

Nokius commented Oct 31, 2020

If your system has SELinux enabled you need to

sudo restorecon -irv /usr/local/bin/traefik

@obsti8383
Copy link

Nice! Thanks a lot!

@ThaRising
Copy link

Thank you very much for this!

@hashilbasheer
Copy link

i have followed the same and getting failed while checking the systemctl status traefik.service. and no useful message in journalctl.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment