Updated docker-compose to working state. Removed reliance on traefik.toml

- New .env example with streamlined variable names
- Assumes https by default with http-to-http redirect enabled (Remove the redirect on line 25 to disable this)
- Assumes each domain(s) specified are different from one another, so that all parts can all be accessed from the same port (443).
- Forcibly disabled traefik on the db so that it won't try to get a certificate for it (I don't know why it does this)
- Set specific versions for Matomo (3) and Ghost (2) to avoid watchtower automatically making big upgrades

Still missing:
- The first time Ghost will fail to launch as MariaDB isn't ready right away. docker-compose got away with a health check. I might want to play with https://github.com/vishnubob/wait-for-it later

.gitignore

@@ -1 +1,2 @@
 .env
+.DS_Store

config/traefik.toml

@@ -1,40 +0,0 @@
-# Traefik will listen for traffic on both HTTP and HTTPS.
-defaultEntryPoints = ["http", "https"]
-
-# Network traffic will be entering our Docker network on the usual web ports
-# (ie, 80 and 443), where Traefik will be listening.
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  
-  # Uncomment the following two lines to redirect HTTP to HTTPS.
-  #[entryPoints.http.redirect]
-  #entryPoint = "https"
-  
-  [entryPoints.https]
-  address = ":443"
-  [entryPoints.https.tls]
-
-# These options are for Traefik's integration with Docker.
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-domain = "docker.localhost"
-watch = true
-exposedByDefault = false
-
-[api]
-
-# These options are for Traefik's integration with Let's Encrypt.
-# Your certificates are stored inside /acme.json inside the container,
-# which is /root/compose/acme.json on your server.
-[acme]
-storage = "./config/acme.json"
-onHostRule = true
-entryPoint = "https"
-  [acme.httpChallenge]
-  entryPoint = "http"
-
-# https://docs.traefik.io/configuration/logs/
-# Comment out the next line to enable Traefik's access logs.
-[accessLog]
-

docker-compose.yml

@@ -20,24 +20,38 @@ services:
   traefik:
     # https://hub.docker.com/_/traefik/
     image: traefik:alpine
-    command: --web --docker --acme.email="${ACME_EMAIL}"
+    command: 
-    restart: always
+        - --web
+        - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
+        - --entryPoints=Name:https Address::443 TLS
+        - --defaultEntryPoints=http,https
+        - --docker
+        - --docker.endpoint=unix:///var/run/docker.sock
+        - --docker.domain=domain.localhost
+        - --docker.watch=true
+        - --acme
+        - --acme.storage=/etc/traefik/acme/acme.json
+        - --acme.email=${ACME_EMAIL}
+        - --acme.OnHostRule=true
+        - --acme.entryPoint=https
+        - --acme.httpChallenge.entrypoint=http
+    restart: unless-stopped
     networks:
       - backend
       - frontend
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./config/traefik.toml:/traefik.toml
+      # - ./config/traefik.toml:/traefik.toml
-      - ./config/acme.json:/acme.json
+      - ./config/acme:/etc/traefik/acme
     ports:
       # Map port 80 and 443 on the host to this container.
       - "80:80"
       - "443:443"
       #- "8000:8080" # Traefik Dashboard
     labels:
-      - "traefik.docker.network=frontend"
       - "traefik.enable=true"
-      - "traefik.frontend.rule=Host:${TRAEFIK_DOMAINS}"
+      - "traefik.docker.network=frontend"
+      - "traefik.frontend.rule=Host:${DOMAINS_TRAEFIK}"
       - "traefik.port=8080"
       - "traefik.protocol=http"
       # Remove next line to disable login prompt for the dashboard.
@@ -51,7 +65,7 @@ services:
     # https://github.com/v2tec/watchtower#options
     # This schedule applies updates (if available) at midnight.
     command: --cleanup --schedule "0 0 0 * * *"
-    restart: always
+    restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
@@ -60,46 +74,49 @@ services:
     # Specify 10.3 as we only want watchtower to apply minor updates
     # (eg, 10.3.1) and not major updates (eg, 10.4).
     image: mariadb:10.3
-    restart: always
+    restart: unless-stopped
     networks:
       - backend
     volumes:
       # Ensure the database persists between restarts.
       - vol-db:/var/lib/mysql
     environment:
-      MYSQL_ROOT_PASSWORD: ${MATOMO_DB_ROOT_PASSWORD}
+      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
-      MYSQL_DATABASE: ${MATOMO_DB_NAME}
+      MYSQL_DATABASE: ${DB_NAME}
-      MYSQL_USER: ${MATOMO_DB_USER}
+      MYSQL_USER: ${DB_USER}
-      MYSQL_PASSWORD: ${MATOMO_DB_PASSWORD}
+      MYSQL_PASSWORD: ${DB_PASSWORD}
+    labels:
+      - "traefik.enable=false"
 
   ghost:
-    image: ghost:latest
+    image: ghost:2-alpine
+    restart: unless-stopped
     links:
       - db
     networks:
       - backend
       - frontend
     volumes:
-      # To allow you to view/edit Matomo configuration files:
+      - ./content:/var/lib/ghost/content
-      - ./content:/var/lib/ghost/content:rw
       #- ./logs:/var/www/html/logs
     labels:
       - "traefik.docker.network=frontend"
       - "traefik.enable=true"
-      - "traefik.frontend.rule=Host:${DOMAINS}"
+      - "traefik.frontend.rule=Host:${DOMAINS_BLOG}"
       - "traefik.port=2368"
       - "traefik.protocol=http"
     environment:
       database__client: mysql
       database__connection__host: db
-      database__connection__user: ${MATOMO_DB_USER}
+      database__connection__database: ${DB_NAME}
-      database__connection__password: ${MATOMO_DB_PASSWORD}
+      database__connection__user: ${DB_USER}
-      database__connection__database: ${MATOMO_DB_NAME}
+      database__connection__password: ${DB_PASSWORD}
       # Uncomment the next line to enable HSTS header.
       #- "traefik.frontend.headers.STSSeconds=15768000"
 
   matomo:
-    image: matomo:latest
+    image: matomo:3
+    restart: unless-stopped
     links:
       - db
     networks:
@@ -117,11 +134,10 @@ services:
       #- /var/lib/GeoIP/GeoLite2-Country.mmdb:/var/www/html/misc/GeoLite2-Country.mmdb
       #- /var/lib/GeoIP/GeoLite2-ASN.mmdb:/var/www/html/misc/GeoLite2-ASN.mmdb
     labels:
-      - "traefik.docker.network=frontend"
       - "traefik.enable=true"
-      - "traefik.frontend.rule=Host:${MATOMO_DOMAINS}"
+      - "traefik.docker.network=frontend"
+      - "traefik.frontend.rule=Host:${DOMAINS_MATOMO}"
       - "traefik.port=80"
-      - "traefik.protocol=http"
       # Uncomment the next line to enable HSTS header.
       #- "traefik.frontend.headers.STSSeconds=15768000"
 
@@ -143,7 +159,7 @@ services:
   #   environment:
   #     PMA_HOST: db
   #     PMA_ABSOLUTE_URI: /phpmyadmin/
-  #     MYSQL_ROOT_PASSWORD: ${MATOMO_DB_ROOT_PASSWORD}
+  #     MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
   #   labels:
   #     - "traefik.docker.network=frontend"
   #     - "traefik.enable=true"

example.env

@@ -10,19 +10,15 @@ BASIC_AUTH=
 # Let's Encrypt needs an email address for registration.
 ACME_EMAIL=
 
-# The Traefik dashboard will be available at these domains.
+# You can comma-separate multiple domains if need be (e.g. for www.)
-# The URL is http://example.com/traefik/
+DOMAINS_BLOG=
-TRAEFIK_DOMAINS=
+DOMAINS_TRAEFIK=
-
+DOMAINS_MATOMO=
-# Your Matamo site will be available at these domains. If all domains
-# have DNS records pointing to your server, they'll get SSL certs.
-MATOMO_DOMAINS=
 
 # Set a secure password for the MySQL root user. Remember this so
-# you can login to phpMyAdmin (as username "root").
+DB_ROOT_PASSWORD=
-MATOMO_DB_ROOT_PASSWORD=
 
 # Set the MySQL database name, user and password for Matomo.
-MATOMO_DB_NAME=matomo
+DB_NAME=davejansen
-MATOMO_DB_USER=matomo
+DB_USER=davejansen
-MATOMO_DB_PASSWORD=
+DB_PASSWORD=