From 45d219ce925cb4fbed801b22c4bee3ca64acde8a Mon Sep 17 00:00:00 2001
From: Dave Jansen
Date: Wed, 20 Feb 2019 15:31:20 +0900
Subject: [PATCH] Updated docker-compose to working state. Removed reliance on traefik.toml - New .env example with streamlined variable names - Assumes https by default with http-to-http redirect enabled (Remove the redirect on line 25 to disable this) - Assumes each domain(s) specified are different from one another, so that all parts can all be accessed from the same port (443). - Forcibly disabled traefik on the db so that it won't try to get a certificate for it (I don't know why it does this) - Set specific versions for Matomo (3) and Ghost (2) to avoid watchtower automatically making big upgrades Still missing: - The first time Ghost will fail to launch as MariaDB isn't ready right away. docker-compose got away with a health check. I might want to play with https://github.com/vishnubob/wait-for-it later
---
 .gitignore | 1 +
 config/acme.json | 0
 config/traefik.toml | 40 ----------------------------
 docker-compose.yml | 64 ++++++++++++++++++++++++++++-----------------
 example.env | 20 ++++++--------
 5 files changed, 49 insertions(+), 76 deletions(-)
 delete mode 100644 config/acme.json
 delete mode 100644 config/traefik.toml
diff --git a/.gitignore b/.gitignore
index 4c49bd7..3323b34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env
+.DS_Store
diff --git a/config/acme.json b/config/acme.json
deleted file mode 100644
index e69de29..0000000
diff --git a/config/traefik.toml b/config/traefik.toml
deleted file mode 100644
index a277bd1..0000000
--- a/config/traefik.toml
+++ /dev/null
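Review bot: Nothing in this `.gitignore` hunk ignores the new `config/acme/` directory, even though the commit deletes the tracked `config/acme.json` and docker-compose.yml now bind-mounts `./config/acme` for `--acme.storage=/etc/traefik/acme/acme.json`; the regenerated acme.json holds the Let's Encrypt account key and the private keys of every issued certificate, so it must never land in the repository. Add `config/acme/` here (unless a rule outside this hunk already covers it) and keep acme.json readable only by the user running Traefik, i.e. mode `0600`. The `.DS_Store` addition itself is fine.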
@@ -1,40 +0,0 @@
-# Traefik will listen for traffic on both HTTP and HTTPS.
-defaultEntryPoints = ["http", "https"]
-
-# Network traffic will be entering our Docker network on the usual web ports
-# (ie, 80 and 443), where Traefik will be listening.
-[entryPoints]
- [entryPoints.http]
- address = ":80"
-
- # Uncomment the following two lines to redirect HTTP to HTTPS.
- #[entryPoints.http.redirect]
- #entryPoint = "https"
-
- [entryPoints.https]
- address = ":443"
- [entryPoints.https.tls]
-
-# These options are for Traefik's integration with Docker.
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-domain = "docker.localhost"
-watch = true
-exposedByDefault = false
-
-[api]
-
-# These options are for Traefik's integration with Let's Encrypt.
-# Your certificates are stored inside /acme.json inside the container,
-# which is /root/compose/acme.json on your server.
-[acme]
-storage = "./config/acme.json"
-onHostRule = true
-entryPoint = "https"
- [acme.httpChallenge]
- entryPoint = "http"
-
-# https://docs.traefik.io/configuration/logs/
-# Comment out the next line to enable Traefik's access logs.
-[accessLog]
-
diff --git a/docker-compose.yml b/docker-compose.yml
index cacde8c..0bf5d96 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,24 +20,38 @@ services:
 traefik:
 # https://hub.docker.com/_/traefik/
 image: traefik:alpine
- command: --web --docker --acme.email="${ACME_EMAIL}"
- restart: always
+ command:
+ - --web
+ - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
+ - --entryPoints=Name:https Address::443 TLS
+ - --defaultEntryPoints=http,https
+ - --docker
+ - --docker.endpoint=unix:///var/run/docker.sock
+ - --docker.domain=domain.localhost
+ - --docker.watch=true
+ - --acme
+ - --acme.storage=/etc/traefik/acme/acme.json
+ - --acme.email=${ACME_EMAIL}
+ - --acme.OnHostRule=true
+ - --acme.entryPoint=https
+ - --acme.httpChallenge.entrypoint=http
+ restart: unless-stopped
 networks:
 - backend
 - frontend
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- - ./config/traefik.toml:/traefik.toml
- - ./config/acme.json:/acme.json
+ # - ./config/traefik.toml:/traefik.toml
+ - ./config/acme:/etc/traefik/acme
 ports:
 # Map port 80 and 443 on the host to this container.
 - "80:80"
 - "443:443"
 #- "8000:8080" # Traefik Dashboard
 labels:
- - "traefik.docker.network=frontend"
 - "traefik.enable=true"
- - "traefik.frontend.rule=Host:${TRAEFIK_DOMAINS}"
+ - "traefik.docker.network=frontend"
+ - "traefik.frontend.rule=Host:${DOMAINS_TRAEFIK}"
 - "traefik.port=8080"
 - "traefik.protocol=http"
 # Remove next line to disable login prompt for the dashboard.
@@ -51,7 +65,7 @@ services:
 # https://github.com/v2tec/watchtower#options
 # This schedule applies updates (if available) at midnight.
 command: --cleanup --schedule "0 0 0 * * *"
- restart: always
+ restart: unless-stopped
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
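Review bot: The new `command:` list does not carry over `exposedByDefault = false` from the deleted traefik.toml, and Traefik 1.x exposes every container it sees through the Docker socket by default, deriving a host from `--docker.domain=domain.localhost` and, with `--acme.OnHostRule=true`, requesting a certificate for it; the `traefik.enable=false` label added to `db` in the next hunk is the workaround for exactly that. Add `- --docker.exposedByDefault=false` after `- --docker.watch=true` so only services carrying `traefik.enable=true` are routed, which also covers containers nobody remembers to label (watchtower's networks are outside this hunk, so I cannot tell whether it is reachable). The `db` label can stay as defence in depth once the default is fixed. The second hunk on this line only changes `restart:`.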
@@ -60,46 +74,49 @@ services:
 # Specify 10.3 as we only want watchtower to apply minor updates
 # (eg, 10.3.1) and not major updates (eg, 10.4).
 image: mariadb:10.3
- restart: always
+ restart: unless-stopped
 networks:
 - backend
 volumes:
 # Ensure the database persists between restarts.
 - vol-db:/var/lib/mysql
 environment:
- MYSQL_ROOT_PASSWORD: ${MATOMO_DB_ROOT_PASSWORD}
- MYSQL_DATABASE: ${MATOMO_DB_NAME}
- MYSQL_USER: ${MATOMO_DB_USER}
- MYSQL_PASSWORD: ${MATOMO_DB_PASSWORD}
+ MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
+ MYSQL_DATABASE: ${DB_NAME}
+ MYSQL_USER: ${DB_USER}
+ MYSQL_PASSWORD: ${DB_PASSWORD}
+ labels:
+ - "traefik.enable=false"
 ghost:
- image: ghost:latest
+ image: ghost:2-alpine
+ restart: unless-stopped
 links:
 - db
 networks:
 - backend
 - frontend
 volumes:
- # To allow you to view/edit Matomo configuration files:
- - ./content:/var/lib/ghost/content:rw
+ - ./content:/var/lib/ghost/content
 #- ./logs:/var/www/html/logs
 labels:
 - "traefik.docker.network=frontend"
 - "traefik.enable=true"
- - "traefik.frontend.rule=Host:${DOMAINS}"
+ - "traefik.frontend.rule=Host:${DOMAINS_BLOG}"
 - "traefik.port=2368"
 - "traefik.protocol=http"
 environment:
 database__client: mysql
 database__connection__host: db
- database__connection__user: ${MATOMO_DB_USER}
- database__connection__password: ${MATOMO_DB_PASSWORD}
- database__connection__database: ${MATOMO_DB_NAME}
+ database__connection__database: ${DB_NAME}
+ database__connection__user: ${DB_USER}
+ database__connection__password: ${DB_PASSWORD}
 # Uncomment the next line to enable HSTS header.
 #- "traefik.frontend.headers.STSSeconds=15768000"
 matomo:
- image: matomo:latest
+ image: matomo:3
+ restart: unless-stopped
 links:
 - db
 networks:
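Review bot: `links: - db` under `ghost` is a legacy Compose feature that only provides name resolution and start order, so the first-start failure the commit message describes (Ghost connecting before MariaDB accepts connections) is left to the newly added `restart: unless-stopped` to retry its way out of. Prefer `depends_on:` with `- db` and give `db` a `healthcheck` (e.g. `test: ["CMD", "mysqladmin", "ping"]`); whether Compose waits on that health state depends on the file's `version:`, which is outside this hunk, so a wait script may still be needed. The same `links:` pattern is kept for `matomo` at the end of the hunk.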
@@ -117,11 +134,10 @@ services:
 #- /var/lib/GeoIP/GeoLite2-Country.mmdb:/var/www/html/misc/GeoLite2-Country.mmdb
 #- /var/lib/GeoIP/GeoLite2-ASN.mmdb:/var/www/html/misc/GeoLite2-ASN.mmdb
 labels:
- - "traefik.docker.network=frontend"
 - "traefik.enable=true"
- - "traefik.frontend.rule=Host:${MATOMO_DOMAINS}"
+ - "traefik.docker.network=frontend"
+ - "traefik.frontend.rule=Host:${DOMAINS_MATOMO}"
 - "traefik.port=80"
- - "traefik.protocol=http"
 # Uncomment the next line to enable HSTS header.
 #- "traefik.frontend.headers.STSSeconds=15768000"
@@ -143,7 +159,7 @@ services:
 # environment:
 # PMA_HOST: db
 # PMA_ABSOLUTE_URI: /phpmyadmin/
- # MYSQL_ROOT_PASSWORD: ${MATOMO_DB_ROOT_PASSWORD}
+ # MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
 # labels:
 # - "traefik.docker.network=frontend"
 # - "traefik.enable=true"
diff --git a/example.env b/example.env
index 91cbd7a..ffb2618 100644
--- a/example.env
+++ b/example.env
@@ -10,19 +10,15 @@ BASIC_AUTH=
 # Let's Encrypt needs an email address for registration.
 ACME_EMAIL=
-# The Traefik dashboard will be available at these domains.
-# The URL is http://example.com/traefik/
-TRAEFIK_DOMAINS=
-
-# Your Matamo site will be available at these domains. If all domains
-# have DNS records pointing to your server, they'll get SSL certs.
-MATOMO_DOMAINS=
+# You can comma-separate multiple domains if need be (e.g. for www.)
+DOMAINS_BLOG=
+DOMAINS_TRAEFIK=
+DOMAINS_MATOMO=
 # Set a secure password for the MySQL root user. Remember this so
-# you can login to phpMyAdmin (as username "root").
-MATOMO_DB_ROOT_PASSWORD=
+DB_ROOT_PASSWORD=
 # Set the MySQL database name, user and password for Matomo.
-MATOMO_DB_NAME=matomo
-MATOMO_DB_USER=matomo
-MATOMO_DB_PASSWORD=
+DB_NAME=davejansen
+DB_USER=davejansen
+DB_PASSWORD=
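Review bot: `DB_NAME=davejansen` and `DB_USER=davejansen` in the example.env hunk replace the previous neutral `matomo` defaults with the author's own name in a file that is meant to be copied as a template; use a generic placeholder such as `app` or leave them blank like the surrounding settings. The comment `# Set the MySQL database name, user and password for Matomo.` is also no longer accurate, since the docker-compose.yml `ghost` hunk wires the same `DB_NAME`/`DB_USER`/`DB_PASSWORD` into Ghost; reword it to `# Set the MySQL database name, user and password shared by Ghost and Matomo.` Both applications therefore keep sharing one database account, which predates this commit but means a compromise of either reaches the other's tables; separate users per application would be the least-privilege layout. The two docker-compose.yml hunks on this line only reorder labels and rename a variable in a commented block.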