Verified Commit 40d3117d authored by Quentin Duchemin's avatar Quentin Duchemin

Upgrade all services for Traefik v2 ; clean Compose files ; update doc

parent ef5a6e85
......@@ -112,30 +112,37 @@ Il est suggéré d'éviter les volumes déclarés `external` :
## Reverse-proxy
Si le service est un service **HTTP(S)** (*i.e.* Web), on utilisera systématiquement le reverse-proxy [Traefik](https://wiki.picasoft.net/doku.php?id=technique:infrastructure:archi#traefik) et on bindera **pas** son port interne sur un port de l'hôte.
Si le service est un service **HTTP(S)** (*i.e.* Web), on utilisera systématiquement le reverse-proxy Traefik et on bindera **pas** son port interne sur un port de l'hôte.
En effet, Traefik permet de gérer tout pour nous : la redirection vers le bon conteneur et le bon port en fonction du nom de domaine, la création et le renouvellement des certificats, etc.
Il suffit pour ce faire d'ajouter les bons labels, et d'ajouter le conteneur au réseau par défaut de Traefik, qui s'appelle `docker_default`, et existe indépendamment de Docker Compose.
Il suffit pour ce faire d'ajouter les bons labels, et d'ajouter le conteneur au réseau par défaut de Traefik, qui s'appelle `proxy`, et existe indépendamment de Docker Compose.
Exemple à reprendre :
```yaml
networks:
docker_default:
proxy:
external: true
services:
exemple:
networks:
- docker_default
- proxy
labels:
# Traefik va prendre ce conteneur en compte
traefik.enable: true
# websecure correspond au port 443 de la machine (config Traefik)
# Remplacer <exemple> par le nom du conteneur
traefik.http.routers.<exemple>.entrypoints: websecure
# Il redirigera vers ce port, exposé par le conteneur
traefik.port: <port>
# Remplacer <exemple> par le nom du conteneur
# Remplacer app.picasoft.net par l'URL souhaitée
traefik.http.routers.<exemple>.rule: Host(`app.picasoft.net`)
# Lorsque l'utilisateur consulte cette URL
traefik.frontend.rule: <exemple>.picasoft.net
# Remplacer <exemple> par le nom du conteneur
# Remplacer 80 par le port du service
traefik.http.services.<exemple>.loadbalancer.server.port: 80
```
## Healthcheck
......@@ -182,7 +189,7 @@ Ce qui nous donnerait quelque chose comme :
networks:
# C'est le réseau dans lequel se trouve
# Traefik sur toutes les machines.
docker_default:
proxy:
external: true
# Ce réseau est créé uniquement pour
# ce fichier Compose.
......@@ -190,11 +197,11 @@ networks:
services:
exemple:
# On voit que le service est dans le réseau docker_default, pour être
# On voit que le service est dans le réseau proxy, pour être
# accessible depuis Traefik, mais aussi dans le réseau db, pour
# pouvoir parler à la base de données.
networks:
- docker_default
- proxy
- db
# La base de donnée n'est que dans son réseau, et n'est donc
# pas accessible depuis Internet.
......
......@@ -114,7 +114,7 @@ Si nécessaire. Certains services ne sont pas accessibles depuis Internet.
Remplacez les URL de production (`.picasoft.net`) par des URL de tests (`.test.picasoft.net`), sauf dans le nom de l'image :
* Si le service utilise Traefik, voir du côté de `traefik.frontend.rule` dans le fichier Compose
* Si le service utilise Traefik, voir du côté de `traefik.http.services.<service>.loadbalancer.server.port` dans le fichier Compose
* Si le service utilise des fichiers de configuration, remplacez les références aux URL...
### Créer les fichiers d'example
......
......@@ -2,16 +2,13 @@ version: "3.7"
networks:
etherpad_main:
name: "etherpad_main"
external: true
etherpad_week:
name: "etherpad_week"
external: true
plume:
name: plume
external: true
wekan:
name: "wekan"
docker_default:
external: true
name: "docker_default"
services:
db-backup:
......@@ -24,7 +21,6 @@ services:
env_file:
- ./secrets/db.secrets
networks:
- docker_default
- etherpad_main
- etherpad_week
- plume
......
version : "2.4"
version : "3.7"
volumes:
dokuwiki-app:
name: "dokuwiki-app"
networks:
docker_default:
proxy:
external: true
services:
......@@ -15,15 +15,11 @@ services:
container_name: dokuwiki-app
volumes:
- dokuwiki-app:/var/www/html
security_opt:
- no-new-privileges
mem_limit: "2048m"
cpus: "0.20"
pids_limit: 1024
labels:
- "traefik.frontend.rule=Host:wiki.picasoft.net"
- "traefik.port=80"
- "traefik.enable=true"
traefik.http.routers.dokuwiki-app.entrypoints: websecure
traefik.http.routers.dokuwiki-app.rule: Host(`wiki.picasoft.net`)
traefik.http.services.dokuwiki-app.loadbalancer.server.port: 80
traefik.enable: true
restart: unless-stopped
networks:
- docker_default
- proxy
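Review bot: Besides the label migration, the dokuwiki-app service loses `security_opt: - no-new-privileges`, `mem_limit`, `cpus` and `pids_limit`, and nothing replaces them (the hunk's 9 removed / 5 added lines only add up if those five lines are gone). Dropping `mem_limit`/`cpus`/`pids_limit` is forced by the move to the 3.7 file format (they are v2-only keys; the v3 equivalent `deploy.resources.limits` is only honoured by docker-compose in `--compatibility` mode), but `security_opt` is still valid in 3.x, is unrelated to the Traefik v2 change, and its removal is a hardening regression. Keep `security_opt:` / `  - no-new-privileges` on the service, and either run with `--compatibility` plus `deploy.resources.limits: {memory: 2048m, cpus: "0.20"}` or document that the wiki container is now unbounded. The service definition starts before this hunk.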
version : "2.4"
version : "3."
volumes:
etherpad-db:
......@@ -12,33 +12,26 @@ volumes:
networks:
standard:
name: "etherpad_main"
name: etherpad_main
week:
name: "etherpad_week"
docker_default:
name: etherpad_week
proxy:
external: true
name: "docker_default"
services:
etherpad-app:
image: registry.picasoft.net/pica-etherpad:1.8.4
build: .
container_name: etherpad-app
depends_on:
- etherpad-db
security_opt:
- no-new-privileges
mem_limit: "2048m"
cpus: 0.6
pids_limit: 1024
env_file: ./secrets/etherpad-app.secrets
volumes:
- ./settings.json:/opt/etherpad-lite/settings.json
- deleted-pads-standard:/opt/etherpad-lite/deleted_pads
labels:
traefik.http.routers.etherpad-app.entrypoints: websecure
traefik.http.routers.etherpad-app.rule: Host(`pad.picasoft.net`)
traefik.http.services.etherpad-app.loadbalancer.server.port: 8080
traefik.enable: true
traefik.frontend.rule: "Host:pad.picasoft.net"
traefik.port: 8080
environment:
DB_HOST: "etherpad-db"
LOGLEVEL: "INFO"
......@@ -47,45 +40,35 @@ services:
THEME: "colibris"
TITLE: "Picapad"
TRUST_PROXY: "true"
restart: unless-stopped
networks:
- docker_default
- proxy
- standard
depends_on:
- etherpad-db
restart: unless-stopped
etherpad-db:
image: postgres:12
container_name: etherpad-db
security_opt:
- no-new-privileges
mem_limit: "2048m"
cpus: "0.40"
pids_limit: 1024
volumes:
- etherpad-db:/var/lib/postgresql/data
env_file: ./secrets/etherpad-db.secrets
restart: unless-stopped
networks:
- standard
restart: unless-stopped
etherpad-week-app:
image: registry.picasoft.net/pica-etherpad:1.8.4
container_name: etherpad-week-app
build: .
depends_on:
- etherpad-week-db
security_opt:
- no-new-privileges
mem_limit: "2048m"
cpus: 0.6
pids_limit: 1024
env_file: ./secrets/etherpad-week-app.secrets
volumes:
- ./settings_week.json:/opt/etherpad-lite/settings.json
- deleted-pads-week:/opt/etherpad-lite/deleted_pads
labels:
traefik.enable: true
traefik.frontend.rule: "Host:week.pad.picasoft.net"
traefik.port: 8080
traefik.http.routers.etherpad-week-app.entrypoints: websecure
traefik.http.routers.etherpad-week-app.rule: Host(`week.pad.picasoft.net`)
traefik.http.services.etherpad-week-app.loadbalancer.server.port: 8080
environment:
DB_HOST: "etherpad-week-db"
LOGLEVEL: "INFO"
......@@ -94,19 +77,16 @@ services:
THEME: "colibris"
TITLE: "Picapad Hebdo"
TRUST_PROXY: "true"
restart: unless-stopped
depends_on:
- etherpad-week-db
networks:
- docker_default
- proxy
- week
restart: unless-stopped
etherpad-week-db:
image: postgres:12
container_name: etherpad-week-db
security_opt:
- no-new-privileges
mem_limit: "2048m"
cpus: "0.40"
pids_limit: 1024
volumes:
- weekpad-db:/var/lib/postgresql/data
env_file: ./secrets/etherpad-week-db.secrets
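Review bot: The new top line reads `version : "3."`; unless that is a rendering artefact, docker-compose rejects it as an unsupported version and the whole etherpad stack fails to load, whereas every other file in this commit uses `version: "3.7"`. The same hunks also strip `security_opt: - no-new-privileges`, `mem_limit`, `cpus` and `pids_limit` from all four services (etherpad-app, etherpad-db, etherpad-week-app, etherpad-week-db), so the two Postgres containers that were capped at 2048m/0.40 CPU are now unbounded and none of the containers blocks privilege escalation any more. The resource keys are v2-only and had to go (or move to `deploy.resources.limits` with `--compatibility`), but `security_opt` is valid in 3.x and should be kept under each service: `security_opt:` / `  - no-new-privileges`.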
......
......@@ -2,8 +2,8 @@ version: '3.7'
networks:
metrics:
docker_default:
name: docker_default
proxy:
external: true
volumes:
grafana:
......@@ -27,11 +27,12 @@ services:
- GF_AUTH_LDAP_ALLOW_SIGN_UP=false
env_file: ./secrets/grafana.secrets
labels:
- "traefik.frontend.rule=Host:grafana.picasoft.net"
- "traefik.port=3000"
- "traefik.enable=true"
traefik.http.routers.grafana.entrypoints: websecure
traefik.http.routers.grafana.rule: Host(`grafana.picasoft.net`)
traefik.http.services.grafana.loadbalancer.server.port: 3000
traefik.enable: true
networks:
- docker_default
- proxy
- metrics
restart: unless-stopped
......
......@@ -7,7 +7,7 @@
"url": "pica01.picasoft.net",
"port": 2376,
"exclude": [],
"default_network": "docker_default",
"default_network": "proxy",
"tls_config":
{
"ca_cert": "auth/pica01/ca.pem",
......@@ -20,7 +20,7 @@
"url": "pica02.picasoft.net",
"port": 2376,
"exclude": [],
"default_network": "docker_default",
"default_network": "proxy",
"tls_config":
{
"ca_cert": "auth/pica02/ca.pem",
......@@ -33,7 +33,7 @@
"url": "pica01-test.picasoft.net",
"port": 2376,
"exclude": [],
"default_network": "docker_default",
"default_network": "proxy",
"tls_config":
{
"ca_cert": "auth/pica01-test/ca.pem",
......@@ -44,7 +44,7 @@
{
"name": "monitoring",
"url": "localhost",
"default_network": "docker_default"
"default_network": "proxy"
}
],
"color_scheme": {
......
......@@ -6,7 +6,7 @@ volumes:
lufi-files:
networks:
docker_default:
proxy:
external: true
lufi:
......@@ -22,11 +22,12 @@ services:
- lufi-files:/lufi/files
- ./lufi.conf:/lufi/lufi.conf
networks:
- docker_default
- proxy
- lufi
labels:
traefik.frontend.rule: Host:drop.picasoft.net
traefik.port: 8081
traefik.http.routers.lufi.entrypoints: websecure
traefik.http.routers.lufi.rule: Host(`drop.picasoft.net`)
traefik.http.services.lufi.loadbalancer.server.port: 8081
traefik.enable: true
env_file:
- ./secrets/lufi.secrets
......
......@@ -3,7 +3,7 @@ version: "3.7"
networks:
mail:
name: pica-mail
docker_default:
proxy:
external: true
volumes:
......@@ -44,7 +44,7 @@ services:
- "587:587"
networks:
- mail
- docker_default
- proxy
volumes:
- mail-mta-log:/var/log
#doit contenir selecteur.domaine.rsa
......@@ -85,8 +85,7 @@ services:
#prefixe DKIM, utilise pour identifier la clef
DKIM_SELECTOR: janv2019
labels:
traefik.frontend.rule: Host:mail.picasoft.net
traefik.port: 80
traefik.http.routers.pica-mail-mta.rule: Host(`mail.picasoft.net`)
traefik.enable: true
tls-certs-monitor.enable: true
tls-certs-monitor.action: restart
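Review bot: The new pica-mail-mta labels set only the router rule; the `traefik.http.routers.pica-mail-mta.entrypoints` and `traefik.http.services.pica-mail-mta.loadbalancer.server.port` labels that every other service in this commit carries are missing, and the old `traefik.port: 80` is dropped without replacement. Traefik v2 only infers the backend port when the container exposes exactly one port, which an MTA publishing 587 (and presumably 25/465) does not, so the router will most likely be rejected at startup; without `entrypoints` it would also be attached to every entrypoint instead of `websecure` only. Add `traefik.http.routers.pica-mail-mta.entrypoints: websecure` and `traefik.http.services.pica-mail-mta.loadbalancer.server.port: 80` next to the rule. The service definition starts before this hunk.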
version : "2.4"
version : "3.7"
networks:
docker_default:
proxy:
external: true
name: "docker_default"
mattermost:
volumes:
mattermost-config:
......@@ -30,12 +30,13 @@ services:
- MM_SITEURL=https://team.picasoft.net
env_file: ./secrets/mattermost-db.secrets
labels:
- "traefik.frontend.rule=Host:team.picasoft.net"
- "traefik.port=8000"
- "traefik.frontend.passHostHeader=true"
- "traefik.enable=true"
traefik.http.routers.mattermost-app.entrypoints: websecure
traefik.http.routers.mattermost-app.rule: Host(`team.picasoft.net`)
traefik.http.services.mattermost-app.loadbalancer.server.port: 8000
traefik.enable: true
networks:
- docker_default
- proxy
- mattermost
depends_on:
- mattermost-db
restart: unless-stopped
......@@ -48,5 +49,5 @@ services:
- /etc/localtime:/etc/localtime:ro
env_file: ./secrets/mattermost-db.secrets
networks:
- docker_default
- mattermost
restart: unless-stopped
......@@ -5,7 +5,7 @@ volumes:
name: influxdb-services
networks:
docker_default:
proxy:
external: true
metrics:
......@@ -36,10 +36,11 @@ services:
- INFLUXDB_REPORTING_DISABLED=true
env_file: ./secrets/influxdb.secrets
labels:
traefik.frontend.rule: "Host:influxdb.picasoft.net"
traefik.port: 8086
traefik.enable: true
traefik.http.routers.influxdb-services.entrypoints: websecure
traefik.http.routers.influxdb-services.rule: Host(`influxdb.picasoft.net`)
traefik.http.services.influxdb-services.loadbalancer.server.port: 8086
traefik.enable: true
networks:
- metrics
- docker_default
- proxy
restart: always
version: "2.4"
version: "3.7"
networks:
docker_default:
proxy:
external: true
name: "docker_default"
services:
mumble-web:
......@@ -12,12 +11,12 @@ services:
environment:
MUMBLE_SERVER: "voice.picasoft.net:64738"
networks:
- docker_default
- proxy
volumes:
- ./config.json:/home/node/dist/config.local.js
labels:
- "traefik.frontend.rule=Host:voice.picasoft.net"
- "traefik.port=8080"
- "traefik.frontend.passHostHeader=true"
- "traefik.enable=true"
traefik.http.routers.mumble-web.entrypoints: websecure
traefik.http.routers.mumble-web.rule: Host(`voice.picasoft.net`)
traefik.http.services.mumble-web.loadbalancer.server.port: 8080
traefik.enable: true
restart: unless-stopped
version: "2.4"
version: "3.7"
networks:
docker_default:
proxy:
external: true
name: "docker_default"
volumes:
murmur-data:
......@@ -23,12 +22,13 @@ services:
- murmur-data:/data
- /DATA/docker/certs/voice.picasoft.net/:/certs
networks:
- docker_default
- proxy
labels:
- "traefik.enable=true"
- "traefik.port=8000"
- "traefik.frontend.rule=Host:voice.picasoft.net;Path:/metrics"
- "tls-certs-monitor.enable=true"
- "tls-certs-monitor.action=kill:SIGUSR1"
- "tls-certs-monitor.owner=103"
traefik.http.routers.murmur.entrypoints: websecure
traefik.http.routers.murmur.rule: Host(`voice.picasoft.net`) && Path('/metrics')
traefik.http.services.murmur.loadbalancer.server.port: 8000
traefik.enable: true
tls-certs-monitor.enable: true
tls-certs-monitor.action: kill:SIGUSR1
tls-certs-monitor.owner: 103
restart: unless-stopped
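Review bot: The new rule ``Host(`voice.picasoft.net`) && Path('/metrics')`` single-quotes the path, but Traefik v2 rule values must be delimited with backticks (or double quotes) and a single-quoted multi-character value does not parse, so the murmur router would be rejected and `voice.picasoft.net/metrics` would fall through to the mumble-web router that matches the same host. Write it as ``Host(`voice.picasoft.net`) && Path(`/metrics`)``; the website rule in this commit, ``Host(`www.picasoft.net`, 'picasoft.net')``, has the same mixed quoting and needs ``Host(`www.picasoft.net`, `picasoft.net`)``. Separately, and as before this change, the metrics path is published on the public `websecure` entrypoint with no middleware in front of the router, so unauthenticated access from the Internet appears to be intended — worth confirming, or adding an ipwhitelist/basicauth middleware here.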
......@@ -2,7 +2,7 @@ version: '3.7'
networks:
nextcloud_cet:
name: nextcloud_cet
docker_default:
proxy:
external: true
volumes:
......@@ -34,11 +34,17 @@ services:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
env_file: ./secrets/cloudcet.secrets
labels:
- "traefik.frontend.rule=Host:cloudcet.picasoft.net"
- "traefik.port=80"
- "traefik.enable=true"
traefik.http.routers.cloudcet.entrypoints: websecure
traefik.http.routers.cloudcet.rule: Host(`cloudcet.picasoft.net`)
traefik.http.services.cloudcet.loadbalancer.server.port: 80
traefik.enable: true
# https://docs.nextcloud.com/server/16/admin_manual/configuration_server/reverse_proxy_configuration.html
traefik.http.routers.cloudcet.middlewares: cloudcet@docker
traefik.http.middlewares.cloudcet.redirectregex.permanent: true
traefik.http.middlewares.cloudcet.redirectregex.regex: ^/.well-known/(card|cal)dav
traefik.http.middlewares.cloudcet.redirectregex.replacement: /remote.php/dav/
networks:
- docker_default
- proxy
- nextcloud_cet
depends_on:
- cloudcet
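Review bot: The new `redirectregex` middleware for cloudcet will not redirect anything: Traefik v2 applies the RedirectRegex pattern to the complete request URL (scheme, host and path), so a regex anchored with `^/` never matches `https://cloudcet.picasoft.net/.well-known/carddav`, and CalDAV/CardDAV clients keep hitting the unredirected `.well-known` URLs. Use the whole-URL form: `traefik.http.middlewares.cloudcet.redirectregex.regex: https://(.*)/.well-known/(card|cal)dav` and `traefik.http.middlewares.cloudcet.redirectregex.replacement: https://$${1}/remote.php/dav/` (doubled `$$` so Compose does not try to interpolate `${1}`). The service definition starts before this hunk.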
......
......@@ -8,8 +8,8 @@ volumes:
networks:
nextcloud:
docker_default:
name: docker_default
proxy:
external: true
services:
nextcloud-app:
......@@ -38,15 +38,17 @@ services:
- nextcloud-app
networks:
- nextcloud
- docker_default
- proxy
labels:
- "traefik.frontend.rule=Host:cloud.picasoft.net"
- "traefik.port=80"
- "traefik.enable=true"
traefik.http.routers.nextcloud-web.entrypoints: websecure
traefik.http.routers.nextcloud-web.rule: Host(`cloud.picasoft.net`)
traefik.http.services.nextcloud-web.loadbalancer.server.port: 80
traefik.enable: true
# https://docs.nextcloud.com/server/16/admin_manual/configuration_server/reverse_proxy_configuration.html
- "traefik.frontend.redirect.permanent=true"
- "traefik.frontend.redirect.regex=https://(.*)/.well-known/(card|cal)dav"
- "traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/"
traefik.http.routers.nextcloud-web.middlewares: nextcloud-web@docker
traefik.http.middlewares.nextcloud-web.redirectregex.permanent: true
traefik.http.middlewares.nextcloud-web.redirectregex.regex: ^/.well-known/(card|cal)dav
traefik.http.middlewares.nextcloud-web.redirectregex.replacement: /remote.php/dav/
restart: unless-stopped
nextcloud-db:
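Review bot: The new `redirectregex` labels replace the old whole-URL pattern `https://(.*)/.well-known/(card|cal)dav` with the anchored path `^/.well-known/(card|cal)dav`, but Traefik v2's RedirectRegex matches against the complete URL (scheme, host and path), so the new pattern never matches and the CalDAV/CardDAV discovery redirect silently stops working. Keep the whole-URL form: `traefik.http.middlewares.nextcloud-web.redirectregex.regex: https://(.*)/.well-known/(card|cal)dav` and `traefik.http.middlewares.nextcloud-web.redirectregex.replacement: https://$${1}/remote.php/dav/` (`$$` keeps Compose from interpolating `${1}`, as the previous `$$1` did). The nextcloud-web service starts before this hunk.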
......
......@@ -33,13 +33,14 @@ mon_site:
volumes:
- mon_site:/var/www/html
labels:
traefik.frontend.rule: Host:mon_site.picasoft.net
traefik.port: 80
traefik.http.routers.mon_site.entrypoints: websecure
traefik.http.routers.mon_site.rule: Host(`mon_site.picasoft.net`)
traefik.http.services.mon_site.loadbalancer.server.port: 80
traefik.enable: true
environment:
AUTOINDEX: true
networks:
- docker_default
- proxy
restart: unless-stopped
```
......
......@@ -15,7 +15,7 @@ volumes:
name: stiegler
networks:
docker_default:
proxy:
external: true
x-image-name: &NGINX_IMAGE
......@@ -29,11 +29,12 @@ services:
volumes:
- website:/var/www/html
labels:
traefik.frontend.rule: Host:www.picasoft.net,picasoft.net
traefik.port: 80
traefik.http.routers.website.entrypoints: websecure
traefik.http.routers.website.rule: Host(`www.picasoft.net`, 'picasoft.net')
traefik.http.services.website.loadbalancer.server.port: 80
traefik.enable: true
networks:
- docker_default
- proxy
restart: unless-stopped
doc:
......@@ -43,11 +44,12 @@ services:
volumes:
- doc:/var/www/html
labels:
traefik.frontend.rule: Host:doc.picasoft.net
traefik.port: 80
traefik.http.routers.doc.entrypoints: websecure
traefik.http.routers.doc.rule: Host(`doc.picasoft.net`)
traefik.http.services.doc.loadbalancer.server.port: 80
traefik.enable: true
networks:
- docker_default
- proxy