fix: docke swarm stack

docker-stack.yml

@@ -1,109 +1,71 @@
----
 version: "3.7"
 
 services:
   traefik:
     image: traefik:v2.9.1
     networks:
-      ocis-net:
+      - web
-        aliases:
-          - ${OCIS_DOMAIN:-ocis.owncloud.test}
     command:
-      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+      - --log.level=INFO
-      # letsencrypt configuration
+      - --api.dashboard=true
-      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - --api.insecure=false
-      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
+      - --providers.docker=true
-      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
+      - --providers.docker.swarmMode=true
-      # enable dashboard
+      - --providers.docker.exposedByDefault=false
-      - "--api.dashboard=true"
+      - --entrypoints.web.address=:80
-      # define entrypoints
+      - --entrypoints.websecure.address=:443
-      - "--entryPoints.http.address=:80"
+      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
-      - "--entryPoints.http.http.redirections.entryPoint.to=https"
+      - --certificatesresolvers.mytlschallenge.acme.email=${TRAEFIK_ACME_MAIL}
-      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
+      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
-      - "--entryPoints.https.address=:443"
-      # docker provider (get configuration from container labels)
-      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
-      - "--providers.docker.exposedByDefault=false"
-      # access log
-      - "--accessLog=true"
-      - "--accessLog.format=json"
-      - "--accessLog.fields.headers.names.X-Request-Id=keep"
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - "certs:/certs"
+      - traefik_certs:/letsencrypt
-    labels:
+    deploy:
-      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
+      labels:
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
+        - traefik.enable=true
-      - "traefik.http.routers.traefik.entrypoints=https"
+        - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN}`)
-      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+        - traefik.http.routers.traefik.service=api@internal
-      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+        - traefik.http.routers.traefik.entrypoints=websecure
-      - "traefik.http.routers.traefik.tls.certresolver=http"
+        - traefik.http.routers.traefik.tls.certresolver=mytlschallenge
-      - "traefik.http.routers.traefik.service=api@internal"
+      placement:
-    logging:
+        constraints:
-      driver: "local"
+          - node.role==manager
-    restart: always
+      restart_policy:
+        condition: on-failure
 
   ocis:
-    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
+    image: owncloud/ocis:${OCIS_DOCKER_TAG}
     networks:
-      ocis-net:
+      - web
-    entrypoint:
-      - /bin/sh
-    # run ocis init to initialize a configuration file with random secrets
-    # it will fail on subsequent runs, because the config file already exists
-    # therefore we ignore the error and then start the ocis server
-    command: ["-c", "ocis init || true; ocis server"]
     environment:
-      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN}
-      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
+      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL}
-      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
+      OCIS_LOG_COLOR: ${OCIS_LOG_COLOR}
-      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
+      PROXY_TLS: "false"
-      # make settings service available to oCIS Hello
       SETTINGS_GRPC_ADDR: 0.0.0.0:9191
-      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: ${OCIS_INSECURE}
-      OCIS_INSECURE: "${INSECURE:-false}"
+      PROXY_ENABLE_BASIC_AUTH: ${PROXY_ENABLE_BASIC_AUTH}
-      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
+      IDM_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
-      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
+      IDM_CREATE_DEMO_USERS: ${DEMO_USERS}
-      # admin user password
-      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
-      # demo users
-      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
-      # password policies
-      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
-      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
+      - ./config/ocis:/etc/ocis
-      - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
+      - ocis_data:/var/lib/ocis
-      - ./config/ocis/web.yaml:/etc/ocis/web.yaml
+    deploy:
-      - ocis-config:/etc/ocis
+      labels:
-      - ocis-data:/var/lib/ocis
+        - traefik.enable=true
-    labels:
+        - traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)
-      - "traefik.enable=true"
+        - traefik.http.routers.ocis.entrypoints=websecure
-      - "traefik.http.routers.ocis.entrypoints=https"
+        - traefik.http.routers.ocis.tls.certresolver=mytlschallenge
-      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+      restart_policy:
-      - "traefik.http.routers.ocis.tls.certresolver=http"
+        condition: on-failure
-      - "traefik.http.routers.ocis.service=ocis"
-      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
-    logging:
-      driver: "local"
-    restart: always
-
-  ocis-hello:
-    image: owncloud/ocis-hello:${OCIS_HELLO_DOCKER_TAG:-latest}
-    networks:
-      ocis-net:
-    environment:
-      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
-    logging:
-      driver: "local"
-    restart: always
-
-volumes:
-  certs:
-  ocis-config:
-  ocis-data:
 
 networks:
-  ocis-net:
+  web:
+    external: true
+
+volumes:
+  traefik_certs:
+  ocis_data: