
add traefik

Victor Noël 7 years ago
parent
commit
1d20b84bd5
8 changed files with 98 additions and 198 deletions
  1. 0 41
      cloud/nginx.conf
  2. 58 7
      docker-compose.yml
  3. 0 41
      git/nginx.conf
  4. 0 40
      homepage/nginx.conf
  5. 0 28
      nginx.conf
  6. 0 41
      pad/nginx.conf
  7. 8 0
      setup.sh
  8. 32 0
      traefik/traefik.toml

+ 0 - 41
cloud/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name cloud.oxyta.net www.cloud.oxyta.net;
-    return 301 https://cloud.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.cloud.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://cloud.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name cloud.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/cloud.log;
-    error_log  /var/log/nginx/cloud.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 58 - 7
docker-compose.yml

@@ -20,10 +20,18 @@ services:
   cloud_app:
     image: nextcloud
     restart: always
+    depends_on:
+      - cloud_db
+      - traefik
+    labels:
+      - "traefik.backend=nextcloud"
+      - "traefik.docker.network=oxyta_traefik"
+      - "traefik.frontend.rule=Host:cloud.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
     networks:
       - cloud
-    ports:
-      - "127.0.0.1:9000:80"
+      - traefik
     volumes:
       - ${CHATONS_ROOT_DIR}/nextcloud/app:/var/www/html
 
@@ -32,14 +40,22 @@ services:
   git_app:
     image: gitlab/gitlab-ce
     restart: always
+    depends_on:
+      - traefik
     environment:
       - GITLAB_OMNIBUS_CONFIG |
         external_url 'https://git.${CHATONS_DOMAIN}'
     hostname: 'git.${CHATONS_DOMAIN}' # required by gitlab
+    labels:
+      - "traefik.backend=gitlab"
+      - "traefik.docker.network=oxyta_traefik"
+      - "traefik.frontend.rule=Host:git.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
     networks:
       - git
+      - traefik
     ports:
-      - "127.0.0.1:9002:80"
       - "22:22"
     volumes:
       - ${CHATONS_ROOT_DIR}/gitlab/app/config:/etc/gitlab
@@ -51,10 +67,19 @@ services:
   homepage_app:
     build: homepage
     restart: always
+    depends_on:
+      - traefik
+    labels:
+      - "traefik.backend=homepage"
+      - "traefik.docker.network=oxyta_traefik"
+      # note: www must also be present because we need its certificate
+      # and it is required for traefik redirection to work too (in traefik.yml)
+      - "traefik.frontend.rule=Host:${CHATONS_DOMAIN},www.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
     networks:
       - homepage
-    ports:
-      - "127.0.0.1:8999:80"
+      - traefik
 
   ### SERVICE: pad
 
@@ -71,21 +96,47 @@ services:
   pad_app:
     build: pad
     restart: always
+    depends_on:
+      - pad_db
+      - traefik
     env_file:
       - pad/.env
     environment:
       - ETHERPAD_DB_HOST=pad_db
       - ETHERPAD_TITLE=Bloc Note
+    labels:
+      - "traefik.backend=etherpad"
+      - "traefik.docker.network=oxyta_traefik"
+      - "traefik.frontend.rule=Host:pad.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=9001"
     networks:
       - pad
-    ports:
-      - "127.0.0.1:9001:9001"
+      - traefik
     volumes:
       - ${CHATONS_ROOT_DIR}/etherpad/app:/opt/etherpad-lite/var
 
+### TRAEFIK
+
+  traefik:
+    image: traefik
+    command: --docker.domain=${CHATONS_DOMAIN} --acme.email=${CHATONS_MAIL}
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+      - 127.0.0.1:8080:8080
+    networks:
+      - traefik
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${CHATONS_ROOT_DIR}/traefik/acme.json:/acme.json
+      - ${CHATONS_ROOT_DIR}/traefik/traefik.toml:/traefik.toml
+
 ### NETWORKS
 
 networks:
+  traefik:
   cloud:
   git:
   homepage:
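Review bot: The new `traefik` service in the last hunk bind-mounts `/var/run/docker.sock` read-write, which hands the only container that is reachable from the Internet full control of the host Docker daemon (root-equivalent on the host) should it ever be compromised. Appending `:ro` to that volume line only protects the socket file, not the API behind it; the usual mitigation is to front the socket with a dedicated socket-proxy container that permits only the read-only container and event queries Traefik needs, and in any case a comment on that line should state the trust being granted, e.g. `# grants Traefik control of the host Docker daemon; restrict via a socket proxy`. Separately, the `traefik.docker.network=oxyta_traefik` label repeated in all four service hunks hard-codes the Compose project name while every other value is parameterised through `${CHATONS_DOMAIN}`; if the stack is started from a directory not named `oxyta` or with `-p`, the network gets a different name and Traefik cannot reach the backends, so pinning `COMPOSE_PROJECT_NAME=oxyta` in the generated `.env` (setup.sh) or documenting the dependency next to the first label would keep them in step. The new port entries `80:80` and `443:443` are also unquoted, unlike the existing `"22:22"` a few lines above; quoting them is harmless and consistent with the rest of the file.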

+ 0 - 41
git/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name git.oxyta.net www.git.oxyta.net;
-    return 301 https://git.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.git.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://git.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name git.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/git.log;
-    error_log  /var/log/nginx/git.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9002;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 0 - 40
homepage/nginx.conf

@@ -1,40 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name oxyta.net www.oxyta.net;
-    return 301 https://oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/log;
-    error_log  /var/log/nginx/err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:8999;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}

+ 0 - 28
nginx.conf

@@ -1,28 +0,0 @@
-worker_processes  1;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include           mime.types;
-    default_type      application/octet-stream;
-    keepalive_timeout 65;
-    sendfile          on;
-    gzip              on;
-    gzip_http_version 1.1;
-    gzip_comp_level   2;
-    gzip_types        text/plain text/css
-                      application/x-javascript text/xml
-                      application/xml application/xml+rss
-                      text/javascript;
-    include           /etc/nginx/sites-enabled/*;
-    server {
-        listen 80 default_server;
-        listen [::]:80;
-        server_name _;
-        location /.well-known {
-            alias /srv/letsencrypt/.well-known;
-        }
-    }
-}

+ 0 - 41
pad/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name pad.oxyta.net www.pad.oxyta.net;
-    return 301 https://pad.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.pad.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://pad.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name pad.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/pad.log;
-    error_log  /var/log/nginx/pad.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9001;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 8 - 0
setup.sh

@@ -20,8 +20,16 @@ echo "CHATONS_MAIL=$CHATONS_MAIL" >> .env
 
 # Export specific environment configuration
 
+mkdir -p cloud pad
+
 echo "MYSQL_PASSWORD=$CHATONS_MYSQL_PASSWORD" > cloud/.env
 echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> cloud/.env
 echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" > pad/.env
 echo "ETHERPAD_DB_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> pad/.env
 
+# Configure traefik
+
+mkdir -p "$CHATONS_ROOT_DIR/traefik"
+touch "$CHATONS_ROOT_DIR/traefik/acme.json"
+chmod 600 "$CHATONS_ROOT_DIR/traefik/acme.json"
+sed "s/###DOMAIN###/$CHATONS_DOMAIN/" traefik/traefik.toml > "$CHATONS_ROOT_DIR/traefik/traefik.toml"
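Review bot: The `sed "s/###DOMAIN###/$CHATONS_DOMAIN/"` line interpolates an environment value unescaped into a sed expression and, via the template, into a Traefik regex; a value containing `/`, `&` or `\` breaks or rewrites the substitution, and any `.` in the domain becomes an unescaped metacharacter in the generated `traefik.toml`. Validating the value before use, `case "$CHATONS_DOMAIN" in ""|*[!A-Za-z0-9.-]*) echo "CHATONS_DOMAIN must be a hostname" >&2; exit 1;; esac`, confines it to hostname characters and rules out the sed and regex specials in one place. The `touch`/`chmod 600` pair on `acme.json` is correct and safe to re-run, but deserves a comment such as `# acme.json holds the ACME account key and issued certificate private keys` so the mode is not loosened later. The script begins before this hunk, so whether `set -e` or a check that `CHATONS_ROOT_DIR` is non-empty precedes these lines is not visible here.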

+ 32 - 0
traefik/traefik.toml

@@ -0,0 +1,32 @@
+debug = false
+checkNewVersion = true
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[web]
+# web ui on 8080
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.redirect]
+    # For this to work, there must be a corresponding frontend rule
+    # See https://github.com/containous/traefik/issues/919#issuecomment-311033114
+    # TODO For now the setup script replace those placeholders
+    regex = "^https://www.###DOMAIN###/(.*)"
+    replacement = "https://###DOMAIN###/$1"
+  [entryPoints.https.tls]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+watch = true
+exposedbydefault = false
+
+[acme]
+storage = "acme.json"
+entryPoint = "https"
+OnHostRule = true
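Review bot: The bare `[web]` table enables the Traefik API and dashboard with no authentication, relying solely on the `127.0.0.1:8080:8080` binding in docker-compose.yml; any local user, or any container running with host networking, can then read the complete routing configuration (backends, hostnames, certificate state). Adding a `[web.auth.basic]` table with a `users = ["<HTPASSWD_ENTRY_PLACEHOLDER>"]` line closes that, and the `# web ui on 8080` comment should say that exposure is limited to loopback only by the compose port mapping. The deleted nginx vhosts each had `access_log`/`error_log`, but this file sets only `logLevel = "ERROR"` and no `[accessLog]` table, so per-request logging disappears with this change; Traefik 1.x accepts an `[accessLog]` table with a `filePath` to restore it. The `www.###DOMAIN###` redirect regex also leaves the `.` after `www` unescaped, so `regex = "^https://www\\.###DOMAIN###/(.*)"` is the intended pattern.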