fix: docke swarm stack

2023-12-25 10:00:11 +01:00 · 2023-12-25 10:00:11 +01:00 · f1e55131d9
parent 16af429a64
commit f1e55131d9
1 changed files with 52 additions and 90 deletions
--- a/docker-stack.yml
+++ b/docker-stack.yml
@ -1,109 +1,71 @@
---
 version: "3.7"

 services:
  traefik:
    image: traefik:v2.9.1
    networks:
-      ocis-net:
-        aliases:
-          - ${OCIS_DOMAIN:-ocis.owncloud.test}
+      - web
    command:
-      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
-      # letsencrypt configuration
-      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
-      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
-      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
-      # enable dashboard
-      - "--api.dashboard=true"
-      # define entrypoints
-      - "--entryPoints.http.address=:80"
-      - "--entryPoints.http.http.redirections.entryPoint.to=https"
-      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-      - "--entryPoints.https.address=:443"
-      # docker provider (get configuration from container labels)
-      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
-      - "--providers.docker.exposedByDefault=false"
-      # access log
-      - "--accessLog=true"
-      - "--accessLog.format=json"
-      - "--accessLog.fields.headers.names.X-Request-Id=keep"
+      - --log.level=INFO
+      - --api.dashboard=true
+      - --api.insecure=false
+      - --providers.docker=true
+      - --providers.docker.swarmMode=true
+      - --providers.docker.exposedByDefault=false
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
+      - --certificatesresolvers.mytlschallenge.acme.email=${TRAEFIK_ACME_MAIL}
+      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "certs:/certs"
-    labels:
-      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
-      - "traefik.http.routers.traefik.entrypoints=https"
-      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
-      - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      - "traefik.http.routers.traefik.tls.certresolver=http"
-      - "traefik.http.routers.traefik.service=api@internal"
-    logging:
-      driver: "local"
-    restart: always
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_certs:/letsencrypt
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN}`)
+        - traefik.http.routers.traefik.service=api@internal
+        - traefik.http.routers.traefik.entrypoints=websecure
+        - traefik.http.routers.traefik.tls.certresolver=mytlschallenge
+      placement:
+        constraints:
+          - node.role==manager
+      restart_policy:
+        condition: on-failure

  ocis:
-    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
+    image: owncloud/ocis:${OCIS_DOCKER_TAG}
    networks:
-      ocis-net:
-    entrypoint:
-      - /bin/sh
-    # run ocis init to initialize a configuration file with random secrets
-    # it will fail on subsequent runs, because the config file already exists
-    # therefore we ignore the error and then start the ocis server
-    command: ["-c", "ocis init || true; ocis server"]
+      - web
    environment:
-      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
-      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
-      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
-      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
-      # make settings service available to oCIS Hello
+      OCIS_URL: https://${OCIS_DOMAIN}
+      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL}
+      OCIS_LOG_COLOR: ${OCIS_LOG_COLOR}
+      PROXY_TLS: "false"
      SETTINGS_GRPC_ADDR: 0.0.0.0:9191
-      # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      OCIS_INSECURE: "${INSECURE:-false}"
-      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
-      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
-      # admin user password
-      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
-      # demo users
-      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
-      # password policies
-      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_INSECURE: ${OCIS_INSECURE}
+      PROXY_ENABLE_BASIC_AUTH: ${PROXY_ENABLE_BASIC_AUTH}
+      IDM_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
+      IDM_CREATE_DEMO_USERS: ${DEMO_USERS}
    volumes:
-      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
-      - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
-      - ./config/ocis/web.yaml:/etc/ocis/web.yaml
-      - ocis-config:/etc/ocis
-      - ocis-data:/var/lib/ocis
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.ocis.entrypoints=https"
-      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
-      - "traefik.http.routers.ocis.tls.certresolver=http"
-      - "traefik.http.routers.ocis.service=ocis"
-      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
-    logging:
-      driver: "local"
-    restart: always
-
-  ocis-hello:
-    image: owncloud/ocis-hello:${OCIS_HELLO_DOCKER_TAG:-latest}
-    networks:
-      ocis-net:
-    environment:
-      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
-    logging:
-      driver: "local"
-    restart: always
-
-volumes:
-  certs:
-  ocis-config:
-  ocis-data:
+      - ./config/ocis:/etc/ocis
+      - ocis_data:/var/lib/ocis
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)
+        - traefik.http.routers.ocis.entrypoints=websecure
+        - traefik.http.routers.ocis.tls.certresolver=mytlschallenge
+      restart_policy:
+        condition: on-failure

 networks:
-  ocis-net:
+  web:
+    external: true
+
+volumes:
+  traefik_certs:
+  ocis_data: