From 43e00d7045780ec23e3a3fbb201d9b59f05e32ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89lie=20Bouttier?= Date: Mon, 11 Sep 2023 17:17:35 +0000 Subject: [PATCH] traefik https --- .env.dev | 2 ++ .env.prod | 2 ++ .gitignore | 5 ++--- config/traefik/.gitkeep | 0 docker-compose.yml | 28 +++++++++++++++++++--------- 5 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 config/traefik/.gitkeep diff --git a/.env.dev b/.env.dev index 108f97d..74bbdd9 100644 --- a/.env.dev +++ b/.env.dev @@ -4,6 +4,8 @@ HOST="localhost" HTTP_PORT=8081 HTTPS_PORT=8083 +ACME_EMAIL="" + POSTGRES_USER="geonatadmin" POSTGRES_PASSWORD="geonatpasswd" POSTGRES_HOST="postgres" diff --git a/.env.prod b/.env.prod index aef0e2c..27fd395 100644 --- a/.env.prod +++ b/.env.prod @@ -4,6 +4,8 @@ HOST="example.com" HTTP_PORT=80 HTTPS_PORT=443 +ACME_EMAIL="" + POSTGRES_USER="geonatadmin" POSTGRES_PASSWORD="geonatpasswd" POSTGRES_HOST="postgres" diff --git a/.gitignore b/.gitignore index daa140d..70cfd53 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ .env -config/* -data/taxhub/static/* -data/geonature/media/* +/config/ +/data/ !data/**/.gitkeep !data/**/*.sample *.swp diff --git a/config/traefik/.gitkeep b/config/traefik/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml index ad13cdb..24ccba1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
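Review bot: `ACME_EMAIL` is added empty and without a comment in both `.env.dev` and `.env.prod`, so nothing tells an operator that it should be filled in before the ACME resolver in `docker-compose.yml` is used. I would add a line above it such as `# Contact address for the ACME (Let's Encrypt) account; set before deploying`. In `.env.dev`, `HOST` is `localhost` and `HTTPS_PORT` is 8083, for which a TLS challenge presumably cannot succeed. It is worth stating there that the dev stack is not expected to obtain a trusted certificate.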
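Review bot: The new `/config/` and `/data/` patterns exclude the directories themselves, and git does not re-include a file whose parent directory is excluded, so the `!data/**/.gitkeep` and `!data/**/*.sample` lines that follow no longer have any effect. The `config/traefik/.gitkeep` created by this commit also sits under an ignored path and has no negation at all, so later placeholders there would need `git add -f`. To keep placeholders tracked while keeping `data/traefik/certs/acme.json` (which will hold private keys) out of the repository, ignore contents rather than directories: `/data/**` followed by `!/data/**/` ahead of the existing negations. The same pair is needed for `/config/`, plus a `.gitkeep` negation for it.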
@@ -40,10 +40,16 @@ services: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web.address=:80" + - "--entrypoints.web.http.redirections.entrypoint.to=:${HTTPS_PORT}" # use binded port instead of websecure + - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--entrypoints.websecure.address=:443" + - "--certificatesResolvers.acme-resolver.acme.email=${ACME_EMAIL}" + - "--certificatesResolvers.acme-resolver.acme.storage=/etc/traefik/certs/acme.json" + - "--certificatesResolvers.acme-resolver.acme.tlsChallenge=true" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ./data/traefik/certs:/certs + - ./config/traefik:/etc/traefik/dynamic + - ./data/traefik/certs:/etc/traefik/certs ports: - ${HTTP_PORT:-80}:80 - ${HTTPS_PORT:-443}:443 @@ -93,8 +99,9 @@ services: - PYTHONPATH=/dist/config labels: - "traefik.enable=true" - - "traefik.http.routers.usershub.rule=Host(`${USERSHUB_DOMAIN}`) && PathPrefix(`${USERSHUB_PREFIX:-/usershub}`)" - - "traefik.http.routers.usershub.entrypoints=web" + - "traefik.http.routers.usershub.rule=Host(`${USERSHUB_DOMAIN}`) && PathPrefix(`${USERSHUB_PREFIX}`)" + - "traefik.http.routers.usershub.entrypoints=websecure" + - "traefik.http.routers.usershub.tls.certResolver=acme-resolver" taxhub: <<: *defaults @@ -112,8 +119,9 @@ services: - PYTHONPATH=/dist/config labels: - "traefik.enable=true" - - "traefik.http.routers.taxhub.rule=Host(`${TAXHUB_DOMAIN}`) && PathPrefix(`${TAXHUB_PREFIX:-/taxhub}`)" - - "traefik.http.routers.taxhub.entrypoints=web" + - "traefik.http.routers.taxhub.rule=Host(`${TAXHUB_DOMAIN}`) && PathPrefix(`${TAXHUB_PREFIX}`)" + - "traefik.http.routers.taxhub.entrypoints=websecure" + - "traefik.http.routers.taxhub.tls.certResolver=acme-resolver" geonature-worker: <<: *geonature-backend-defaults 
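Review bot: The redirect target `to=:${HTTPS_PORT}` has no fallback, while the port mapping a few lines below uses `${HTTPS_PORT:-443}`, so with the variable unset the flag renders as `to=:` and the HTTP-to-HTTPS redirect has no usable target. Writing `${HTTPS_PORT:-443}` in the flag keeps the two in step. The new `./config/traefik:/etc/traefik/dynamic` mount is writable and no `--providers.file.directory` flag is visible in this hunk, so as shown nothing reads it; if a file provider is intended, add the flag and mount the directory `:ro`. `acme.json` under `./data/traefik/certs` will contain the ACME account key and the certificate private keys, so the host directory should be readable only by the deploying user.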
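Review bot: Dropping the `:-/usershub` fallback means the usershub router's PathPrefix matcher receives an empty string whenever `USERSHUB_PREFIX` is unset, and no hunk in this patch adds the variable to `.env.dev` or `.env.prod`. Depending on the Traefik version, an empty prefix is either rejected or matches every path on the host; the latter would route requests meant for another service to this container. The same applies to the taxhub router in the next hunk and to the geonature-backend and geonature-frontend routers in the two hunks after it. If the defaults are meant to live only in the env files, make that explicit with Compose's required-variable form, `${USERSHUB_PREFIX:?USERSHUB_PREFIX must be set}`, so a missing value stops `docker compose up` instead of producing a catch-all rule.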
@@ -140,8 +148,9 @@ services: - ${GEONATURE_MEDIA_DIRECTORY:-./data/geonature/media}:/dist/media labels: - "traefik.enable=true" - - "traefik.http.routers.geonature-backend.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_BACKEND_PREFIX:-/geonature/api}`)" - - "traefik.http.routers.geonature-backend.entrypoints=web" + - "traefik.http.routers.geonature-backend.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_BACKEND_PREFIX}`)" + - "traefik.http.routers.geonature-backend.entrypoints=websecure" + - "traefik.http.routers.geonature-backend.tls.certResolver=acme-resolver" geonature-frontend: image: ${GEONATURE_FRONTEND_IMAGE} @@ -150,8 +159,9 @@ services: - API_ENDPOINT="${GEONATURE_BACKEND_PROTOCOL}://${GEONATURE_BACKEND_HOST}${GEONATURE_BACKEND_PREFIX}" labels: - "traefik.enable=true" - - "traefik.http.routers.geonature.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_FRONTEND_PREFIX:-/}`)" - - "traefik.http.routers.geonature.entrypoints=web" + - "traefik.http.routers.geonature.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_FRONTEND_PREFIX}`)" + - "traefik.http.routers.geonature.entrypoints=websecure" + - "traefik.http.routers.geonature.tls.certResolver=acme-resolver" volumes: redis:
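Review bot: `API_ENDPOINT` in the geonature-frontend service is still assembled from `${GEONATURE_BACKEND_PROTOCOL}` and a host with no port, while the backend router is now reachable only on `websecure`. No env change in this patch sets the protocol to `https`, so unless it already is, the frontend would call an `http://` URL and depend on the redirect, which browsers block as mixed content on an HTTPS page. A comment beside it would make the requirement visible, for example `# must be https, and include the published HTTPS port when it is not 443`.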