From 32f16fee744ea2e0160d8292be209626948d9735 Mon Sep 17 00:00:00 2001
From: Fabio Tielen // Code Agency
Date: Wed, 10 Jan 2024 14:13:35 +0100
Subject: [PATCH 1/2] ADD: Traefik support - initial commit

---
 .env.example | 2 ++
 docker-compose.override.local.yml | 6 ++++
 docker-compose.override.production.yml | 6 ++++
 docker-compose.yml | 43 ++++++++++++++++++++++++++
 traefik/acme.json | 0
 5 files changed, 57 insertions(+)
 create mode 100644 traefik/acme.json

diff --git a/.env.example b/.env.example
index d29a6d1..8e51b2a 100644
--- a/.env.example
+++ b/.env.example
@@ -144,6 +144,7 @@ ODOO_PROFILES="odoo"
 POSTGRES_PROFILES="postgres"
 NGINX_PROFILES="nginx"
 NGINX_PROXY_PROFILES="proxy"
+TRAEFIK_PROFILES="traefik"
 ACME_COMPANION_PROFILES="acme"
 KEYDB_PROFILES="keydb"
 MINIO_PROFILES="minio"
@@ -156,6 +157,7 @@ KEYDB_TAG=latest
 MINIO_TAG=latest
 NGINX_TAG=1.25.3
 NGINX_PROXY_TAG=1.4.0
+TRAEFIK_TAG=2.11
 ACME_COMPANION_TAG=2.2.9
 PGADMIN_TAG=8.1
diff --git a/docker-compose.override.local.yml b/docker-compose.override.local.yml
index 690dc5c..e5bfcf8 100644
--- a/docker-compose.override.local.yml
+++ b/docker-compose.override.local.yml
@@ -21,6 +21,12 @@ services:
 - 80:80
 - 443:443
+ traefik:
+ restart: 'no'
+ ports:
+ - 80:80
+ - 443:443
+
 letsencrypt:
 restart: 'no'
diff --git a/docker-compose.override.production.yml b/docker-compose.override.production.yml
index 4aa221d..3054d5f 100644
--- a/docker-compose.override.production.yml
+++ b/docker-compose.override.production.yml
@@ -21,6 +21,12 @@ services:
 - 80:80
 - 443:443
+ traefik:
+ restart: 'unless-stopped'
+ ports:
+ - 80:80
+ - 443:443
+
 letsencrypt:
 restart: unless-stopped
diff --git a/docker-compose.yml b/docker-compose.yml
index 7a34114..48687ed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
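Review bot: The new `traefik` service in the docker-compose.override.local.yml hunk publishes `80:80` and `443:443` on every host interface, the same bindings the service directly above it (presumably the nginx proxy, given the `NGINX_PROXY_PROFILES` context) already uses. For a local override a host-scoped binding, `- "127.0.0.1:80:80"` and `- "127.0.0.1:443:443"`, keeps the development proxy off the LAN without touching the production override, which rightly keeps the unscoped form. Nothing in either file prevents the `proxy` and `traefik` profiles from being enabled together, in which case the second service fails on the port bind, so a one-line comment above `traefik:` such as `# mutually exclusive with the nginx proxy: both bind 80/443` would save someone a confusing startup error.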
@@ -117,6 +117,48 @@ services:
 - internal
 profiles: [$NGINX_PROXY_PROFILES]
+ traefik:
+ container_name: traefik
+ image: "traefik:${TRAEFIK_TAG}"
+ networks:
+ - internal
+ command:
+ - --api.dashboard=true
+ - --api.insecure=false
+ - --api.debug=true
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --providers.docker
+ - --log.level=INFO
+ - --accesslog.filepath=/var/log/traefik/access.log
+ - --certificatesresolvers.leresolver.acme.httpchallenge=true
+ - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
+ - --certificatesresolvers.leresolver.acme.email=xxxxxx@yourdomain.tld #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
+ - --certificatesresolvers.leresolver.acme.storage=/acme.json
+ # - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ - --serversTransport.insecureSkipVerify=true
+ tty: true
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "./acme.json:/acme.json"
+ - traefik_logs:/var/log/traefik
+ labels:
+ - "traefik.enable=true"
+
+ # Catch all HTTP trafic and redirect it to HTTPS
+ - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+ - "traefik.http.routers.http-catchall.entrypoints=web"
+ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+ # Traefik Dashboard route
+ - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.yourdomain.tld`)"
+ - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+ - "traefik.http.routers.traefik-dashboard.tls.certresolver=leresolver"
+ - "traefik.http.routers.traefik-dashboard.service=api@internal"
+ profiles: [$TRAEFIK_PROFILES]
+
+
 letsencrypt:
 image: nginxproxy/acme-companion:${ACME_COMPANION_TAG}
 depends_on:
@@ -216,6 +258,7 @@ volumes:
 vhost:
 certs:
 acme:
+ traefik_logs:
 networks:
 internal:
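Review bot: The ACME storage mount `./acme.json:/acme.json` in the docker-compose.yml hunk does not match the file this commit creates, `traefik/acme.json` (diffstat and `create mode 100644`), so unless an `acme.json` also exists next to docker-compose.yml, Docker creates the missing host path as an empty directory and the `leresolver` store is unusable; the file is also created with mode 0644, and Traefik refuses an ACME storage file that is not 0600. Either mount `- "./traefik/acme.json:/acme.json"` or move the file, and document the requirement above the volume, e.g. `# must exist as a file and be chmod 600 before first start`. The `traefik-dashboard` router serves `api@internal` over TLS with no authentication middleware, so anyone who can reach `traefik.yourdomain.tld` can read the full router and service configuration; attach an auth or allow-list middleware, e.g. `traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth` together with a `traefik.http.middlewares.dashboard-auth.basicauth.users=<placeholder-htpasswd-entry>` label. `--providers.docker` keeps Traefik's default `exposedByDefault=true`, so every container Traefik can reach on `internal` is published even without labels; adding `- --providers.docker.exposedbydefault=false` makes exposure opt-in and gives the explicit `traefik.enable=true` label a purpose. `--serversTransport.insecureSkipVerify=true` disables certificate verification for every TLS backend globally and deserves an inline comment naming the backend that needs it, or a per-service `serversTransport` instead.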
diff --git a/traefik/acme.json b/traefik/acme.json
new file mode 100644
index 0000000..e69de29

From 5620db94a104d334e69cefc92d6f23ab312081d6 Mon Sep 17 00:00:00 2001
From: Yhael S
Date: Sat, 20 Jan 2024 06:11:18 -0600
Subject: [PATCH 2/2] added environment variables

---
 .env.example | 34 ++++++++++++++++++++
 docker-compose.override.production.yml | 14 ++++++++-
 docker-compose.yml | 43 +++++++++----------------
 3 files changed, 62 insertions(+), 29 deletions(-)

diff --git a/.env.example b/.env.example
index 8e51b2a..e32aa46 100644
--- a/.env.example
+++ b/.env.example
@@ -315,6 +315,40 @@ POSTGRES_USER=${POSTGRES_MAIN_USER}
 POSTGRES_PASSWORD=${POSTGRES_MAIN_PASSWORD}
 PGDATA=/var/lib/postgresql/data/${PROJECT_NAME}
+#---------------#
+# Traefik #
+#---------------#
+# Volumes
+ACME_JSON=/acme.json
+TRAEFIK_LOGS=/var/log/traefik
+
+# Command
+API_DASHBOARD=true
+API_INSECURE=true
+API_DEBUG=false
+ENTRYPOINTS_WEB_ADDRESS=:80
+ENTRYPOINTS_WEBSECURE_ADDRESS=:443
+TRAEFIK_LOG_LEVEL=INFO
+ACCESSLOG_FILEPATH=${TRAEFIK_LOGS}/access.log
+ACME_HTTPCHALLENGE=true
+ACME_HTTPCHALLENGE_ENTRYPOINT=web
+ACME_EMAIL=mail@example.com
+ACME_STORAGE=${ACME_JSON}
+# For prod use: https://acme-v02.api.letsencrypt.org/directory
+ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
+INSERCURE_SKIP_VERIFY=true
+
+# Labels
+TRAEFIK_ENABLE=true
+HTTP_CATCHALL_ENTRYPOINTS=web
+HTTP_CATCHALL_MIDDLEWARES=redirect-to-https
+MIDDLEWARES_REDIRECT_SCHEME=https
+
+TRAEFIK_DASHBOARD_DOMAIN=traefik.odoocker.test
+TRAEFIK_DASHBOARD_ENTRYPOINTS=websecure
+TRAEFIK_DASHBOARD_TLS_CERTRESOLVER=leresolver
+TRAEFIK_DASHBOARD_SERVICE=api@internal
+
 #-------------#
 # Nginx #
 #-------------#
diff --git a/docker-compose.override.production.yml b/docker-compose.override.production.yml
index 3054d5f..eec5ef7 100644
--- a/docker-compose.override.production.yml
+++ b/docker-compose.override.production.yml
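Review bot: `API_INSECURE=true` in the .env.example hunk flips the dashboard from the `--api.insecure=false` the previous commit hard-coded to insecure mode, and the docker-compose.yml hunk feeds it straight into `--api.insecure=${API_INSECURE}`; in that mode Traefik also serves the API and dashboard without TLS or authentication on its own `traefik` entrypoint (port 8080), which any container sharing the `internal` network can reach even though the port is not published. The example should default to `API_INSECURE=false`, with a comment that the dashboard is already routed through `websecure` by the `traefik-dashboard` labels. `INSERCURE_SKIP_VERIFY` is misspelled; it works because docker-compose.yml uses the same name, but renaming it to `INSECURE_SKIP_VERIFY` in both files now is cheaper than after users have copied the example. The comment above `ACME_CASERVER` could also note that staging certificates are not browser-trusted, so the dashboard route shows a certificate warning until the production directory URL is set.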
@@ -22,10 +22,22 @@ services:
 - 443:443
 traefik:
- restart: 'unless-stopped'
+ restart: unless-stopped
 ports:
 - 80:80
 - 443:443
+ command:
+ - --entrypoints.websecure.address=${ENTRYPOINTS_WEBSECURE_ADDRESS}
+ - --certificatesresolvers.leresolver.acme.httpchallenge=${ACME_HTTPCHALLENGE}
+ - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=${ACME_HTTPCHALLENGE_ENTRYPOINT}
+ - --certificatesresolvers.leresolver.acme.email=${ACME_EMAIL}
+ - --certificatesresolvers.leresolver.acme.storage=${ACME_STORAGE}
+ - --certificatesresolvers.leresolver.acme.caserver=${ACME_CASERVER}
+ labels:
+ - traefik.http.routers.http-catchall.middlewares=${HTTP_CATCHALL_MIDDLEWARES}
+ - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=${MIDDLEWARES_REDIRECT_SCHEME}
+ - traefik.http.routers.traefik-dashboard.entrypoints=${TRAEFIK_DASHBOARD_ENTRYPOINTS}
+ - traefik.http.routers.traefik-dashboard.tls.certresolver=${TRAEFIK_DASHBOARD_TLS_CERTRESOLVER}
 letsencrypt:
 restart: unless-stopped
diff --git a/docker-compose.yml b/docker-compose.yml
index 48687ed..7e803ce 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
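Review bot: The `command:` list added to `traefik` in the production override replaces the base service's `command` rather than merging with it, because Compose treats `command` as a single-value option; only `labels` (and `ports`) are merged. In production Traefik would therefore start with just the six flags in this hunk and lose `--providers.docker`, `--entrypoints.web.address`, the `--api.*` and log settings from docker-compose.yml, and `httpchallenge.entrypoint=web` would then name an entrypoint that no longer exists. Keep the complete flag list in the base `command` and vary only the values through .env (the `${ACME_CASERVER}` flag can live there permanently since the example already defaults it to staging), or copy the full list into this override; the label part of the hunk layers correctly and can stay as it is.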
@@ -123,42 +123,29 @@ services:
 networks:
 - internal
 command:
- - --api.dashboard=true
- - --api.insecure=false
- - --api.debug=true
- - --entrypoints.web.address=:80
- - --entrypoints.websecure.address=:443
+ - --api.dashboard=${API_DASHBOARD}
+ - --api.insecure=${API_INSECURE}
+ - --api.debug=${API_DEBUG}
+ - --entrypoints.web.address=${ENTRYPOINTS_WEB_ADDRESS}
 - --providers.docker
- - --log.level=INFO
- - --accesslog.filepath=/var/log/traefik/access.log
- - --certificatesresolvers.leresolver.acme.httpchallenge=true
- - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
- - --certificatesresolvers.leresolver.acme.email=xxxxxx@yourdomain.tld #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
- - --certificatesresolvers.leresolver.acme.storage=/acme.json
- # - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- - --serversTransport.insecureSkipVerify=true
+ - --log.level=${TRAEFIK_LOG_LEVEL}
+ - --accesslog.filepath=${ACCESSLOG_FILEPATH}
+ - --serversTransport.insecureSkipVerify=${INSERCURE_SKIP_VERIFY}
 tty: true
 volumes:
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
- - "./acme.json:/acme.json"
- - traefik_logs:/var/log/traefik
+ - ${DOCKER_SOCK}:${DOCKER_SOCK}:ro
+ - ./acme.json:${ACME_JSON}
+ - traefik_logs:${TRAEFIK_LOGS}
 labels:
- - "traefik.enable=true"
-
+ - traefik.enable=${TRAEFIK_ENABLE}
 # Catch all HTTP trafic and redirect it to HTTPS
- - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- - "traefik.http.routers.http-catchall.entrypoints=web"
- - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
+ - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
+ - traefik.http.routers.http-catchall.entrypoints=${HTTP_CATCHALL_ENTRYPOINTS}
 # Traefik Dashboard route
- - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.yourdomain.tld`)"
- - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- - "traefik.http.routers.traefik-dashboard.tls.certresolver=leresolver"
- - "traefik.http.routers.traefik-dashboard.service=api@internal"
+ - traefik.http.routers.traefik-dashboard.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)
+ - traefik.http.routers.traefik-dashboard.service=${TRAEFIK_DASHBOARD_SERVICE}
 profiles: [$TRAEFIK_PROFILES]
-
 letsencrypt:
 image: nginxproxy/acme-companion:${ACME_COMPANION_TAG}
 depends_on:
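Review bot: The new volume line `${DOCKER_SOCK}:${DOCKER_SOCK}:ro` depends on a variable that this commit's .env.example hunk does not define; if `DOCKER_SOCK` is not set elsewhere in .env the entry expands to `::ro`, which Compose rejects, so it should either get a default, `- ${DOCKER_SOCK:-/var/run/docker.sock}:${DOCKER_SOCK:-/var/run/docker.sock}:ro`, or fail loudly with `${DOCKER_SOCK:?DOCKER_SOCK must point at the Docker socket}`. Moving `http-catchall.middlewares`, the dashboard `entrypoints` and `tls.certresolver` labels into the production override leaves the local stack, whose override this commit does not touch, with a catch-all router on `web` that has no redirect middleware and no service of its own, and a dashboard router bound to every entrypoint; it is worth verifying what Traefik does with that router locally, or keeping those labels in the base file with local-friendly values. Dropping the quotes around labels that contain backticks, braces and `${...}` is valid YAML today but fragile; keeping them quoted, as the previous commit did, costs nothing and protects against a future value that starts with a YAML indicator. A comment above `--serversTransport.insecureSkipVerify=${INSERCURE_SKIP_VERIFY}` should say which backend requires it, since the example now enables it by default.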