Upgrade all services for Traefik v2 ; clean Compose files ; update doc

doc/guide_bonnes_pratiques.md

@@ -112,30 +112,37 @@ Il est suggéré d'éviter les volumes déclarés `external` :
 
 ## Reverse-proxy
 
-Si le service est un service **HTTP(S)** (*i.e.* Web), on utilisera systématiquement le reverse-proxy [Traefik](https://wiki.picasoft.net/doku.php?id=technique:infrastructure:archi#traefik) et on bindera **pas** son port interne sur un port de l'hôte.
+Si le service est un service **HTTP(S)** (*i.e.* Web), on utilisera systématiquement le reverse-proxy Traefik et on bindera **pas** son port interne sur un port de l'hôte.
 
 En effet, Traefik permet de gérer tout pour nous : la redirection vers le bon conteneur et le bon port en fonction du nom de domaine, la création et le renouvellement des certificats, etc.
 
-Il suffit pour ce faire d'ajouter les bons labels, et d'ajouter le conteneur au réseau par défaut de Traefik, qui s'appelle `docker_default`, et existe indépendamment de Docker Compose.
+Il suffit pour ce faire d'ajouter les bons labels, et d'ajouter le conteneur au réseau par défaut de Traefik, qui s'appelle `proxy`, et existe indépendamment de Docker Compose.
 
 Exemple à reprendre :
 
 ```yaml
 networks:
-  docker_default:
+  proxy:
     external: true
 
 services:
   exemple:
     networks:
-      - docker_default
+      - proxy
     labels:
       # Traefik va prendre ce conteneur en compte
       traefik.enable: true
+      # websecure correspond au port 443 de la machine (config Traefik)
+      # Remplacer <exemple> par le nom du conteneur
+      traefik.http.routers.<exemple>.entrypoints: websecure
       # Il redirigera vers ce port, exposé par le conteneur
-      traefik.port: <port>
+      # Remplacer <exemple> par le nom du conteneur
+      # Remplacer app.picasoft.net par l'URL souhaitée
+      traefik.http.routers.<exemple>.rule: Host(`app.picasoft.net`)
       # Lorsque l'utilisateur consulte cette URL
-      traefik.frontend.rule: <exemple>.picasoft.net
+      # Remplacer <exemple> par le nom du conteneur
+      # Remplacer 80 par le port du service
+      traefik.http.services.<exemple>.loadbalancer.server.port: 80
 ```
 
 ## Healthcheck
@@ -182,7 +189,7 @@ Ce qui nous donnerait quelque chose comme :
 networks:
   # C'est le réseau dans lequel se trouve
   # Traefik sur toutes les machines.
-  docker_default:
+  proxy:
     external: true
   # Ce réseau est créé uniquement pour
   # ce fichier Compose.
@@ -190,11 +197,11 @@ networks:
 
 services:
   exemple:
-    # On voit que le service est dans le réseau docker_default, pour être
+    # On voit que le service est dans le réseau proxy, pour être
     # accessible depuis Traefik, mais aussi dans le réseau db, pour
     # pouvoir parler à la base de données.
     networks:
-      - docker_default
+      - proxy
       - db
   # La base de donnée n'est que dans son réseau, et n'est donc
   # pas accessible depuis Internet.

doc/update_and_test.md

@@ -114,7 +114,7 @@ Si nécessaire. Certains services ne sont pas accessibles depuis Internet.
 
 Remplacez les URL de production (`.picasoft.net`) par des URL de tests (`.test.picasoft.net`), sauf dans le nom de l'image :
 
-* Si le service utilise Traefik, voir du côté de `traefik.frontend.rule` dans le fichier Compose
+* Si le service utilise Traefik, voir du côté de `traefik.http.services.<service>.loadbalancer.server.port` dans le fichier Compose
 * Si le service utilise des fichiers de configuration, remplacez les références aux URL...
 
 ### Créer les fichiers d'example

pica-db-backup/docker-compose.yml

@@ -2,16 +2,13 @@ version: "3.7"
 
 networks:
   etherpad_main:
-    name: "etherpad_main"
+    external: true
   etherpad_week:
-    name: "etherpad_week"
+    external: true
   plume:
-    name: plume
+    external: true
   wekan:
-    name: "wekan"
-  docker_default:
     external: true
-    name: "docker_default"
 
 services:
   db-backup:
@@ -24,7 +21,6 @@ services:
     env_file:
       - ./secrets/db.secrets
     networks:
-      - docker_default
       - etherpad_main
       - etherpad_week
       - plume

pica-dokuwiki/docker-compose.yml

-version : "2.4"
+version : "3.7"
 
 volumes:
   dokuwiki-app:
     name: "dokuwiki-app"
 
 networks:
-  docker_default:
+  proxy:
     external: true
 
 services:
@@ -15,15 +15,11 @@ services:
     container_name: dokuwiki-app
     volumes:
       - dokuwiki-app:/var/www/html
-    security_opt:
-      - no-new-privileges
-    mem_limit: "2048m"
-    cpus: "0.20"
-    pids_limit: 1024
     labels:
-      - "traefik.frontend.rule=Host:wiki.picasoft.net"
-      - "traefik.port=80"
-      - "traefik.enable=true"
+      traefik.http.routers.dokuwiki-app.entrypoints: websecure
+      traefik.http.routers.dokuwiki-app.rule: Host(`wiki.picasoft.net`)
+      traefik.http.services.dokuwiki-app.loadbalancer.server.port: 80
+      traefik.enable: true
     restart: unless-stopped
     networks:
-      - docker_default
+      - proxy

pica-etherpad/docker-compose.yml

-version : "2.4"
+version : "3."
 
 volumes:
   etherpad-db:
@@ -12,33 +12,26 @@ volumes:
 
 networks:
   standard:
-    name: "etherpad_main"
+    name: etherpad_main
   week:
-    name: "etherpad_week"
-  docker_default:
+    name: etherpad_week
+  proxy:
     external: true
-    name: "docker_default"
 
 services:
   etherpad-app:
     image: registry.picasoft.net/pica-etherpad:1.8.4
     build: .
     container_name: etherpad-app
-    depends_on:
-      - etherpad-db
-    security_opt:
-      - no-new-privileges
-    mem_limit: "2048m"
-    cpus: 0.6
-    pids_limit: 1024
     env_file: ./secrets/etherpad-app.secrets
     volumes:
       - ./settings.json:/opt/etherpad-lite/settings.json
       - deleted-pads-standard:/opt/etherpad-lite/deleted_pads
     labels:
+      traefik.http.routers.etherpad-app.entrypoints: websecure
+      traefik.http.routers.etherpad-app.rule: Host(`pad.picasoft.net`)
+      traefik.http.services.etherpad-app.loadbalancer.server.port: 8080
       traefik.enable: true
-      traefik.frontend.rule: "Host:pad.picasoft.net"
-      traefik.port: 8080
     environment:
       DB_HOST: "etherpad-db"
       LOGLEVEL: "INFO"
@@ -47,45 +40,35 @@ services:
       THEME: "colibris"
       TITLE: "Picapad"
       TRUST_PROXY: "true"
-    restart: unless-stopped
     networks:
-      - docker_default
+      - proxy
       - standard
+    depends_on:
+      - etherpad-db
+    restart: unless-stopped
 
   etherpad-db:
     image: postgres:12
     container_name: etherpad-db
-    security_opt:
-      - no-new-privileges
-    mem_limit: "2048m"
-    cpus: "0.40"
-    pids_limit: 1024
     volumes:
       - etherpad-db:/var/lib/postgresql/data
     env_file: ./secrets/etherpad-db.secrets
-    restart: unless-stopped
     networks:
       - standard
+    restart: unless-stopped
 
   etherpad-week-app:
     image: registry.picasoft.net/pica-etherpad:1.8.4
     container_name: etherpad-week-app
     build: .
-    depends_on:
-      - etherpad-week-db
-    security_opt:
-      - no-new-privileges
-    mem_limit: "2048m"
-    cpus: 0.6
-    pids_limit: 1024
     env_file: ./secrets/etherpad-week-app.secrets
     volumes:
       - ./settings_week.json:/opt/etherpad-lite/settings.json
       - deleted-pads-week:/opt/etherpad-lite/deleted_pads
     labels:
-      traefik.enable: true
-      traefik.frontend.rule: "Host:week.pad.picasoft.net"
-      traefik.port: 8080
+      traefik.http.routers.etherpad-week-app.entrypoints: websecure
+      traefik.http.routers.etherpad-week-app.rule: Host(`week.pad.picasoft.net`)
+      traefik.http.services.etherpad-week-app.loadbalancer.server.port: 8080
     environment:
       DB_HOST: "etherpad-week-db"
       LOGLEVEL: "INFO"
@@ -94,19 +77,16 @@ services:
       THEME: "colibris"
       TITLE: "Picapad Hebdo"
       TRUST_PROXY: "true"
-    restart: unless-stopped
+    depends_on:
+      - etherpad-week-db
     networks:
-      - docker_default
+      - proxy
       - week
+    restart: unless-stopped
 
   etherpad-week-db:
     image: postgres:12
     container_name: etherpad-week-db
-    security_opt:
-      - no-new-privileges
-    mem_limit: "2048m"
-    cpus: "0.40"
-    pids_limit: 1024
     volumes:
       - weekpad-db:/var/lib/postgresql/data
     env_file: ./secrets/etherpad-week-db.secrets

pica-grafana-prom/docker-compose.yml

@@ -2,8 +2,8 @@ version: '3.7'
 
 networks:
   metrics:
-  docker_default:
-    name: docker_default
+  proxy:
+    external: true
 
 volumes:
   grafana:
@@ -27,11 +27,12 @@ services:
       - GF_AUTH_LDAP_ALLOW_SIGN_UP=false
     env_file: ./secrets/grafana.secrets
     labels:
-      - "traefik.frontend.rule=Host:grafana.picasoft.net"
-      - "traefik.port=3000"
-      - "traefik.enable=true"
+      traefik.http.routers.grafana.entrypoints: websecure
+      traefik.http.routers.grafana.rule: Host(`grafana.picasoft.net`)
+      traefik.http.services.grafana.loadbalancer.server.port: 3000
+      traefik.enable: true
     networks:
-      - docker_default
+      - proxy
       - metrics
     restart: unless-stopped
 

pica-graphbot/config.json

@@ -7,7 +7,7 @@
 			"url": "pica01.picasoft.net",
 			"port": 2376,
 			"exclude": [],
-			"default_network": "docker_default",
+			"default_network": "proxy",
 			"tls_config":
 			{
 				"ca_cert": "auth/pica01/ca.pem",
@@ -20,7 +20,7 @@
 			"url": "pica02.picasoft.net",
 			"port": 2376,
 			"exclude": [],
-			"default_network": "docker_default",
+			"default_network": "proxy",
 			"tls_config":
 			{
 				"ca_cert": "auth/pica02/ca.pem",
@@ -33,7 +33,7 @@
 			"url": "pica01-test.picasoft.net",
 			"port": 2376,
 			"exclude": [],
-			"default_network": "docker_default",
+			"default_network": "proxy",
 			"tls_config":
 			{
 				"ca_cert": "auth/pica01-test/ca.pem",
@@ -44,7 +44,7 @@
 		{
 			"name": "monitoring",
 			"url": "localhost",
-			"default_network": "docker_default"
+			"default_network": "proxy"
 		}
 	],
   "color_scheme": {

pica-lufi/docker-compose.yml

@@ -6,7 +6,7 @@ volumes:
   lufi-files:
 
 networks:
-  docker_default:
+  proxy:
     external: true
   lufi:
 
@@ -22,11 +22,12 @@ services:
       - lufi-files:/lufi/files
       - ./lufi.conf:/lufi/lufi.conf
     networks:
-      - docker_default
+      - proxy
       - lufi
     labels:
-      traefik.frontend.rule: Host:drop.picasoft.net
-      traefik.port: 8081
+      traefik.http.routers.lufi.entrypoints: websecure
+      traefik.http.routers.lufi.rule: Host(`drop.picasoft.net`)
+      traefik.http.services.lufi.loadbalancer.server.port: 8081
       traefik.enable: true
     env_file:
       - ./secrets/lufi.secrets

pica-mail/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.7"
 networks:
   mail:
     name: pica-mail
-  docker_default:
+  proxy:
     external: true
 
 volumes:
@@ -44,7 +44,7 @@ services:
       - "587:587"
     networks:
       - mail
-      - docker_default
+      - proxy
     volumes:
       - mail-mta-log:/var/log
       #doit contenir selecteur.domaine.rsa
@@ -85,8 +85,7 @@ services:
       #prefixe DKIM, utilise pour identifier la clef
       DKIM_SELECTOR: janv2019
     labels:
-      traefik.frontend.rule: Host:mail.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.pica-mail-mta.rule: Host(`mail.picasoft.net`)
       traefik.enable: true
       tls-certs-monitor.enable: true
       tls-certs-monitor.action: restart

pica-mattermost/docker-compose.yml

-version : "2.4"
+version : "3.7"
 networks:
-  docker_default:
+  proxy:
     external: true
-    name: "docker_default"
+  mattermost:
 
 volumes:
   mattermost-config:
@@ -30,12 +30,13 @@ services:
       - MM_SITEURL=https://team.picasoft.net
     env_file: ./secrets/mattermost-db.secrets
     labels:
-      - "traefik.frontend.rule=Host:team.picasoft.net"
-      - "traefik.port=8000"
-      - "traefik.frontend.passHostHeader=true"
-      - "traefik.enable=true"
+      traefik.http.routers.mattermost-app.entrypoints: websecure
+      traefik.http.routers.mattermost-app.rule: Host(`team.picasoft.net`)
+      traefik.http.services.mattermost-app.loadbalancer.server.port: 8000
+      traefik.enable: true
     networks:
-      - docker_default
+      - proxy
+      - mattermost
     depends_on:
       - mattermost-db
     restart: unless-stopped
@@ -48,5 +49,5 @@ services:
       - /etc/localtime:/etc/localtime:ro
     env_file: ./secrets/mattermost-db.secrets
     networks:
-      - docker_default
+      - mattermost
     restart: unless-stopped

pica-metrics-bot/docker-compose.yml

@@ -5,7 +5,7 @@ volumes:
     name: influxdb-services
 
 networks:
-  docker_default:
+  proxy:
     external: true
   metrics:
 
@@ -36,10 +36,11 @@ services:
         - INFLUXDB_REPORTING_DISABLED=true
       env_file: ./secrets/influxdb.secrets
       labels:
-        traefik.frontend.rule: "Host:influxdb.picasoft.net"
-        traefik.port: 8086
-        traefik.enable: true
+      traefik.http.routers.influxdb-services.entrypoints: websecure
+      traefik.http.routers.influxdb-services.rule: Host(`influxdb.picasoft.net`)
+      traefik.http.services.influxdb-services.loadbalancer.server.port: 8086
+      traefik.enable: true
       networks:
         - metrics
-        - docker_default
+        - proxy
       restart: always

pica-mumble-web/docker-compose.yml

-version: "2.4"
+version: "3.7"
 networks:
-  docker_default:
+  proxy:
     external: true
-    name: "docker_default"
 
 services:
   mumble-web:
@@ -12,12 +11,12 @@ services:
     environment:
       MUMBLE_SERVER: "voice.picasoft.net:64738"
     networks:
-      - docker_default
+      - proxy
     volumes:
       - ./config.json:/home/node/dist/config.local.js
     labels:
-      - "traefik.frontend.rule=Host:voice.picasoft.net"
-      - "traefik.port=8080"
-      - "traefik.frontend.passHostHeader=true"
-      - "traefik.enable=true"
+      traefik.http.routers.mumble-web.entrypoints: websecure
+      traefik.http.routers.mumble-web.rule: Host(`voice.picasoft.net`)
+      traefik.http.services.mumble-web.loadbalancer.server.port: 8080
+      traefik.enable: true
     restart: unless-stopped

pica-murmur/docker-compose.yml

-version: "2.4"
+version: "3.7"
 networks:
-  docker_default:
+  proxy:
     external: true
-    name: "docker_default"
 
 volumes:
   murmur-data:
@@ -23,12 +22,13 @@ services:
       - murmur-data:/data
       - /DATA/docker/certs/voice.picasoft.net/:/certs
     networks:
-      - docker_default
+      - proxy
     labels:
-      - "traefik.enable=true"
-      - "traefik.port=8000"
-      - "traefik.frontend.rule=Host:voice.picasoft.net;Path:/metrics"
-      - "tls-certs-monitor.enable=true"
-      - "tls-certs-monitor.action=kill:SIGUSR1"
-      - "tls-certs-monitor.owner=103"
+      traefik.http.routers.murmur.entrypoints: websecure
+      traefik.http.routers.murmur.rule: Host(`voice.picasoft.net`) && Path('/metrics')
+      traefik.http.services.murmur.loadbalancer.server.port: 8000
+      traefik.enable: true
+      tls-certs-monitor.enable: true
+      tls-certs-monitor.action: kill:SIGUSR1
+      tls-certs-monitor.owner: 103
     restart: unless-stopped

pica-nextcloud/cet/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.7'
 networks:
   nextcloud_cet:
     name: nextcloud_cet
-  docker_default:
+  proxy:
     external: true
 
 volumes:
@@ -34,11 +34,17 @@ services:
       - ./nginx.conf:/etc/nginx/nginx.conf:ro
     env_file: ./secrets/cloudcet.secrets
     labels:
-      - "traefik.frontend.rule=Host:cloudcet.picasoft.net"
-      - "traefik.port=80"
-      - "traefik.enable=true"
+      traefik.http.routers.cloudcet.entrypoints: websecure
+      traefik.http.routers.cloudcet.rule: Host(`cloudcet.picasoft.net`)
+      traefik.http.services.cloudcet.loadbalancer.server.port: 80
+      traefik.enable: true
+      # https://docs.nextcloud.com/server/16/admin_manual/configuration_server/reverse_proxy_configuration.html
+      traefik.http.routers.cloudcet.middlewares: cloudcet@docker
+      traefik.http.middlewares.cloudcet.redirectregex.permanent: true
+      traefik.http.middlewares.cloudcet.redirectregex.regex: ^/.well-known/(card|cal)dav
+      traefik.http.middlewares.cloudcet.redirectregex.replacement: /remote.php/dav/
     networks:
-      - docker_default
+      - proxy
       - nextcloud_cet
     depends_on:
       - cloudcet

pica-nextcloud/pica/docker-compose.yml

@@ -8,8 +8,8 @@ volumes:
 
 networks:
   nextcloud:
-  docker_default:
-    name: docker_default
+  proxy:
+    external: true
 
 services:
   nextcloud-app:
@@ -38,15 +38,17 @@ services:
       - nextcloud-app
     networks:
       - nextcloud
-      - docker_default
+      - proxy
     labels:
-      - "traefik.frontend.rule=Host:cloud.picasoft.net"
-      - "traefik.port=80"
-      - "traefik.enable=true"
+      traefik.http.routers.nextcloud-web.entrypoints: websecure
+      traefik.http.routers.nextcloud-web.rule: Host(`cloud.picasoft.net`)
+      traefik.http.services.nextcloud-web.loadbalancer.server.port: 80
+      traefik.enable: true
       # https://docs.nextcloud.com/server/16/admin_manual/configuration_server/reverse_proxy_configuration.html
-      - "traefik.frontend.redirect.permanent=true"
-      - "traefik.frontend.redirect.regex=https://(.*)/.well-known/(card|cal)dav"
-      - "traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/"
+      traefik.http.routers.nextcloud-web.middlewares: nextcloud-web@docker
+      traefik.http.middlewares.nextcloud-web.redirectregex.permanent: true
+      traefik.http.middlewares.nextcloud-web.redirectregex.regex: ^/.well-known/(card|cal)dav
+      traefik.http.middlewares.nextcloud-web.redirectregex.replacement: /remote.php/dav/
     restart: unless-stopped
 
   nextcloud-db:

pica-nginx/README.md

@@ -33,13 +33,14 @@ mon_site:
   volumes:
     - mon_site:/var/www/html
   labels:
-    traefik.frontend.rule: Host:mon_site.picasoft.net
-    traefik.port: 80
+    traefik.http.routers.mon_site.entrypoints: websecure
+    traefik.http.routers.mon_site.rule: Host(`mon_site.picasoft.net`)
+    traefik.http.services.mon_site.loadbalancer.server.port: 80
     traefik.enable: true
   environment:
     AUTOINDEX: true
   networks:
-    - docker_default
+    - proxy
   restart: unless-stopped
 ```
 

pica-nginx/docker-compose.yml

@@ -15,7 +15,7 @@ volumes:
     name: stiegler
 
 networks:
-  docker_default:
+  proxy:
     external: true
 
 x-image-name: &NGINX_IMAGE
@@ -29,11 +29,12 @@ services:
     volumes:
       - website:/var/www/html
     labels:
-      traefik.frontend.rule: Host:www.picasoft.net,picasoft.net
-      traefik.port: 80
+      traefik.http.routers.website.entrypoints: websecure
+      traefik.http.routers.website.rule: Host(`www.picasoft.net`, 'picasoft.net')
+      traefik.http.services.website.loadbalancer.server.port: 80
       traefik.enable: true
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped
 
   doc:
@@ -43,11 +44,12 @@ services:
     volumes:
       - doc:/var/www/html
     labels:
-      traefik.frontend.rule: Host:doc.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.doc.entrypoints: websecure
+      traefik.http.routers.doc.rule: Host(`doc.picasoft.net`)
+      traefik.http.services.doc.loadbalancer.server.port: 80
       traefik.enable: true
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped
 
   school:
@@ -57,11 +59,12 @@ services:
     volumes:
       - school:/var/www/html
     labels:
-      traefik.frontend.rule: Host:school.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.school.entrypoints: websecure
+      traefik.http.routers.school.rule: Host(`school.picasoft.net`)
+      traefik.http.services.school.loadbalancer.server.port: 80
       traefik.enable: true
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped
 
   radio:
@@ -71,13 +74,14 @@ services:
     volumes:
       - radio:/var/www/html
     labels:
-      traefik.frontend.rule: Host:radio.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.radio.entrypoints: websecure
+      traefik.http.routers.radio.rule: Host(`radio.picasoft.net`)
+      traefik.http.services.radio.loadbalancer.server.port: 80
       traefik.enable: true
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped
-    
+
   culture:
     container_name: culture
     image: *NGINX_IMAGE
@@ -85,13 +89,14 @@ services:
     volumes:
       - culture:/var/www/html
     labels:
-      traefik.frontend.rule: Host:culture.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.culture.entrypoints: websecure
+      traefik.http.routers.culture.rule: Host(`culture.picasoft.net`)
+      traefik.http.services.culture.loadbalancer.server.port: 80
       traefik.enable: true
     environment:
       AUTOINDEX: "true"
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped
 
   stiegler:
@@ -101,9 +106,10 @@ services:
     volumes:
       - stiegler:/var/www/html
     labels:
-      traefik.frontend.rule: Host:stiegler.picasoft.net
-      traefik.port: 80
+      traefik.http.routers.stiegler.entrypoints: websecure
+      traefik.http.routers.stiegler.rule: Host(`stiegler.picasoft.net`)
+      traefik.http.services.stiegler.loadbalancer.server.port: 80
       traefik.enable: true
     networks:
-      - docker_default
+      - proxy
     restart: unless-stopped

pica-openldap/docker-compose.yml

@@ -16,7 +16,7 @@ services:
     env_file:
       - ./secrets/pica-openldap.secrets
     labels:
-      traefik.frontend.rule: "Host:ldap.picasoft.net"
+      traefik.http.routers.ldap.rule: Host(`ldap.picasoft.net`)
       traefik.enable: true
       tls-certs-monitor.enable: true
       tls-certs-monitor.action: "restart"

pica-plume/docker-compose.yml

@@ -11,7 +11,7 @@ volumes:
     name: plume_first_launch
 
 networks:
-  docker_default:
+  proxy:
     external: true
   plume:
     name: plume
@@ -34,12 +34,13 @@ services:
       - searchidx:/app/search_index
       - first-launch:/firstlaunch
     labels:
-      traefik.frontend.rule: "Host:blog.picasoft.net"
+      traefik.http.routers.blog.entrypoints: websecure
+      traefik.http.routers.blog.rule: Host(`blog.picasoft.net`)
+      traefik.http.services.blog.loadbalancer.server.port: 7878
       traefik.enable: true
-      traefik.port: 7878
     networks:
       - plume
-      - docker_default
+      - proxy
     depends_on:
       - blog-db
     restart: unless-stopped

pica-registry/docker-compose.yml

 version: '3.7'
 
 networks:
-  docker_default:
-    name: docker_default
+  proxy:
+    external: true
 
 volumes:
   registry:
@@ -18,12 +18,13 @@ services:
       REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
       REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
     networks:
-      - docker_default
+      - proxy
     volumes:
       - registry:/var/lib/registry
       - ./auth.secrets:/auth/htpasswd
     labels:
-      traefik.frontend.rule: Host:registry.picasoft.net
-      traefik.port: 5000
+      traefik.http.routers.registry.entrypoints: websecure
+      traefik.http.routers.registry.rule: Host(`registry.picasoft.net`)
+      traefik.http.services.registry.loadbalancer.server.port: 5000
       traefik.enable: true
     restart: unless-stopped