---
title: "Traefik + Technitium DNS + Docker Networking on Unraid: Circular Dependency Resolution"
authors:
  - "Makar Novozhilov (operator)"
  - "Claude (primary troubleshooting agent)"
year: 2026
venue: "Home Infrastructure / Ops"
doi: "internal:traefik-infrastructure-unraid"
ara_version: "1.0"
domain: "infrastructure/ops"
keywords:
  - traefik
  - docker
  - unraid
  - technitium
  - dns
  - letsencrypt
  - acme
  - reverse-proxy
  - docker-networking
  - circular-dependency
claims_summary:
  - "Technitium DNS running in host network mode is reachable from bridge containers via the docker0 gateway IP (172.17.0.1), not via the Unraid host LAN IP (192.168.1.50)"
  - "Setting Docker daemon DNS to 172.17.0.1 in /etc/docker/daemon.json eliminates 8-second DNS latency for all bridge-networked containers"
  - "The ACME/Let's Encrypt circular dependency (Traefik needs DNS to resolve Let's Encrypt endpoints, but Technitium DNS is behind Traefik) is broken by configuring Traefik with an explicit upstream DNS server bypassing Technitium"
  - "Static IP assignment via startup scripts in /boot/config/go persists Docker daemon and iptables configuration across Unraid reboots"
  - "Traefik in a bridge-networked Docker container cannot use 127.0.0.1 as a backend URL; it must use the host LAN IP or docker0 gateway IP"
abstract: >
  This ARA documents the infrastructure configuration, failure modes, dead ends, and working
  solutions for a Traefik reverse proxy + Technitium DNS + Docker networking setup on an Unraid
  home server (UM790 Pro). The central problem was a circular dependency: Traefik needed DNS to
  resolve Let's Encrypt ACME endpoints, but the DNS server (Technitium) was itself a Docker
  container exposed through Traefik. Secondary problems included 8-second DNS latency from
  containers caused by unreachable nameservers in resolv.conf, and a complementary issue where
  containers running in host network mode could not use the docker0 bridge gateway IP. Solutions
  required explicit DNS configuration in daemon.json, iptables DNAT rules, and startup script
  persistence in /boot/config/go. Several plausible-looking approaches (adding 1.1.1.1 to
  container DNS, host networking for all containers, editing resolv.conf directly) either failed
  or caused new problems.
---

# Traefik + Technitium DNS + Docker Networking on Unraid

## Overview

The wylab.me home server runs Traefik v2 as a reverse proxy in front of 20+ Docker containers on an Unraid server (UM790 Pro, 32GB RAM). Technitium DNS runs as a Docker container in host network mode, handling internal DNS for the wylab.me domain.

The infrastructure accumulated two interlocking problems:

  1. DNS latency: All bridge-networked Docker containers experienced ~8-second latency on every DNS query. Root cause: /etc/resolv.conf listed 192.168.1.50 (Technitium's LAN IP) first, but UDP responses from that IP were dropped by Docker's NAT/conntrack layer for bridge-networked containers.

  2. ACME circular dependency: Traefik could not obtain Let's Encrypt TLS certificates because it resolved ACME endpoints through Technitium DNS. If Technitium was unavailable or misconfigured, Traefik's certificate renewal would fail — and Technitium's own management UI (dns.wylab.me) was itself served by Traefik, creating a chicken-and-egg loop.

The solutions were: (a) set Docker daemon DNS to 172.17.0.1 (the docker0 bridge gateway, where Technitium listens in host mode), (b) add iptables DNAT rules for host-networked containers, and (c) persist both in /boot/config/go. The Traefik ACME resolver was configured to use an explicit public DNS server (bypassing Technitium) for certificate operations.
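As an added example (not the repository's own startup_config.sh), the persistence step behind (a) to (c) written as a script that /boot/config/go can source and then call `main` on: it rewrites daemon.json only when its content changes and appends the DNAT rules only when they are absent, so it is safe to run on every boot. The DNAT mapping of 172.17.0.1:53 to 192.168.1.50:53 and the rc.docker restart path are assumptions, not details taken from the page.

```shell
#!/bin/sh
# Added example, not the repository's startup_config.sh. Meant to be
# sourced from /boot/config/go, which then calls `main`.
# Assumptions (not stated on the page): Technitium answers on the host
# LAN IP, and host-mode containers are steered to it by DNAT-ing traffic
# for 172.17.0.1:53 to 192.168.1.50:53 in the nat OUTPUT chain.
DOCKER0_GW="172.17.0.1"
HOST_LAN_IP="192.168.1.50"
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Render daemon.json with the container resolver pinned to the docker0 gateway.
render_daemon_json() {
  printf '{\n  "dns": ["%s"]\n}' "$1"
}

# Write daemon.json only when its content differs; returns 0 if written,
# 1 if already up to date, so the caller restarts Docker only when needed.
write_daemon_json() {
  path="$1"
  new="$(render_daemon_json "$2")"
  if [ -f "$path" ] && [ "$(cat "$path")" = "$new" ]; then
    return 1
  fi
  mkdir -p "$(dirname "$path")"
  printf '%s\n' "$new" > "$path"
  return 0
}

# Rule spec (without table/chain) redirecting port 53 on the docker0 gateway
# to the LAN IP, so the same spec is checked with -C before being added with -A.
dnat_rule_args() {
  printf '%s' "-p $1 -d $DOCKER0_GW --dport 53 -j DNAT --to-destination $HOST_LAN_IP:53"
}

# Append the DNAT rule only if it is not already present (idempotent on reboot).
ensure_dnat_rule() {
  args="$(dnat_rule_args "$1")"
  # shellcheck disable=SC2086  # word splitting of $args is intended
  iptables -t nat -C OUTPUT $args 2>/dev/null || iptables -t nat -A OUTPUT $args
}

main() {
  if write_daemon_json "$DAEMON_JSON" "$DOCKER0_GW"; then
    /etc/rc.d/rc.docker restart   # Unraid's Docker init script (assumed path)
  fi
  ensure_dnat_rule udp
  ensure_dnat_rule tcp
}
```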

Several dead ends were attempted: directly editing /etc/resolv.conf inside containers (caused a self-inflicted outage), adding 1.1.1.1 to a single container's DNS (not persistent, no system-wide fix), and using host networking for Traefik (creates different routing problems).

## Layer Index

### Cognitive Layer (/logic)

| File | Description |
|---|---|
| problem.md | Observations → gaps → key insight |
| claims.md | 6 falsifiable claims (C01–C06) |
| concepts.md | 7 key infrastructure concepts |
| experiments.md | 4 verification experiments (E01–E04) |
| solution/architecture.md | Component graph: Traefik + Technitium + Docker |
| solution/algorithm.md | DNS resolution path + ACME flow |
| solution/constraints.md | Boundary conditions and limitations |
| solution/heuristics.md | 6 operational heuristics (H01–H06) |
| related_work.md | Upstream tools and known issues |

### Physical Layer (/src)

| File | Description | Claims |
|---|---|---|
| configs/traefik.md | Traefik static config with ACME | C03, C05 |
| configs/docker-daemon.md | Docker daemon DNS config | C01, C02 |
| execution/startup_config.sh | /boot/config/go persistence script | C04 |
| execution/dynamic_route.yml | Canonical Traefik dynamic config template | C05 |
| environment.md | System environment | |

### Exploration Graph (/trace)

| File | Description |
|---|---|
| exploration_tree.yaml | 12-node research DAG with 4 dead ends |

### Evidence (/evidence)

| File | Description |
|---|---|
| README.md | Full index: 4 tables |
| tables/dns_resolution_states.md | Before/after DNS latency measurements |
| tables/resolv_conf_original.md | Original broken resolv.conf content |
| tables/container_network_matrix.md | Container networking modes and DNS reachability |
| tables/traefik_config_timeline.md | Traefik config progression timeline |