From 7be44df4cf37675ad7189aac4e4655d4141357cc Mon Sep 17 00:00:00 2001
From: Jean-Baptiste DONNETTE
Date: Mon, 7 Oct 2024 10:48:59 +0200
Subject: [PATCH] chore(docker-compose): update Traefik config for Let's Encrypt and domain templating

- Enable Let's Encrypt support with ACME resolver 'myresolver'
- Update Traefik rules to support templated DOMAIN variable
- Remove unnecessary port mappings from API and frontend services
- Secure Traefik dashboard and disable 'exposedbydefault' for improved security
---
 docker-compose.yml | 41 ++++++++++++++++++++---------------------
 env | 6 ++++--
 2 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index a5d1bfe..4f2b496 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -54,26 +54,27 @@ services:
 container_name: traefik
 restart: unless-stopped
 command:
- - "--api.insecure=true"
+ - "--api.insecure=false"
+ - "--api.dashboard=true"
 - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
 - "--entrypoints.web.address=:80"
 - "--entrypoints.websecure.address=:443"
- - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- - "--certificatesresolvers.selfsigned.acme.tlschallenge=true"
- - "--certificatesresolvers.selfsigned.acme.email=your-email@example.com"
- - "--certificatesresolvers.selfsigned.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+ - "--certificatesresolvers.myresolver.acme.email=your_email@domain.tld"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 ports:
 - "80:80"
- - "8443:443"
+ - "443:443"
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - traefik_certificates:/letsencrypt
 - traefik_config:/traefik
- labels:
- - "traefik.http.routers.api.entrypoints=websecure"
- - "traefik.http.routers.api.rule=Host(`localhost`)"
- - "traefik.http.services.api.loadbalancer.server.port=3000"
+ - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.http.routers.traefik.entrypoints=websecure"
+ - "traefik.http.routers.traefik.tls.certresolver=myresolver"
+ - "traefik.http.services.traefik.loadbalancer.server.port=8080"
 api:
 container_name: lago-api
@@ -94,12 +95,11 @@ services:
 interval: 10s
 timeout: 60s
 retries: 5
- ports:
- - ${API_PORT}:3000
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.api.entrypoints=websecure"
- - "traefik.http.routers.api.rule=Host(`localhost`)"
+ - "traefik.http.routers.api.rule=Host(`api.${DOMAIN}`)"
+ - "traefik.http.routers.api.tls.certresolver=myresolver"
 - "traefik.http.services.api.loadbalancer.server.port=3000"
 volumes:
 - lago_storage_data:/app/storage
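Review bot: The four new `traefik.http.*` entries in the traefik service (whose `traefik:` key is above the hunk) follow `- traefik_config:/traefik` directly while the only `labels:` line in the hunk is on the removed side, so as the hunk reads they end up inside `volumes:`, where Compose will reject them as volume specs; the collapsed layout makes the indentation uncertain, so please check the new file. If they are labels, the service also needs `- "traefik.enable=true"` now that `--providers.docker.exposedbydefault=false` is set, and the dashboard router should point at `api@internal` rather than `loadbalancer.server.port=8080`, which `--api.insecure=false` turns off. Publishing the dashboard on `traefik.${DOMAIN}` with no auth middleware leaves it open to anyone who can resolve the name, so the router should carry a basicauth middleware before the commit can claim to secure it. Dropping `--entrypoints.web.http.redirections.entrypoint.to=websecure` also removes the HTTP→HTTPS redirect on port 80, which the ACME TLS challenge does not require; keep that line.
```yaml
    # … unchanged: command, ports, volumes …
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=dashboard-auth"
      # TRAEFIK_DASHBOARD_USERS is a placeholder name for an htpasswd entry
      # supplied from the environment; `$` inside the hash must be written `$$`.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS}"
```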
@@ -114,19 +114,19 @@ services:
 environment:
 <<: *front-environment
 healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost:${FRONT_PORT}"]
+ test: ["CMD", "curl", "-f", "http://localhost:80"]
 interval: 30s
 timeout: 10s
 retries: 3
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.front.entrypoints=websecure"
- - "traefik.http.routers.front.rule=Host(`localhost`)"
+ - "traefik.http.routers.front.rule=Host(`app.${DOMAIN}`)"
+ - "traefik.http.routers.front.tls.certresolver=myresolver"
 - "traefik.http.services.front.loadbalancer.server.port=80"
 volumes:
 - lago_storage_data:/app/storage
- ports:
- - ${FRONT_PORT:-8080}:80
+
 db:
 image: postgres:14-alpine
 restart: unless-stopped
@@ -140,7 +140,7 @@ services:
 volumes:
 - lago_postgres_data:/data/postgres
 ports:
- - ${POSTGRES_PORT}:${POSTGRES_PORT}
+ - "${POSTGRES_PORT}:${POSTGRES_PORT}"
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
 interval: 10s
@@ -155,7 +155,7 @@ services:
 volumes:
 - lago_redis_data:/data
 ports:
- - ${REDIS_PORT:-6379}:${REDIS_PORT:-6379}
+ - "${REDIS_PORT:-6379}:${REDIS_PORT:-6379}"
 healthcheck:
 test: ["CMD", "redis-cli", "ping"]
 interval: 10s
@@ -207,5 +207,4 @@ services:
 condition: service_healthy
 command: ['./scripts/start.migrate.sh']
 volumes:
- - lago_storage_data:/app/storage
-
+ - lago_storage_data:/app/storage
\ No newline at end of file
diff --git a/env b/env
index cf81b77..5a412cb 100644
--- a/env
+++ b/env
@@ -19,12 +19,14 @@ REDIS_PASSWORD=
 API_PORT=3000
 FRONT_PORT=80
+
 # Lago API Configuration
-LAGO_API_URL=http://localhost:3000
+DOMAIN=yourdomain.told
+LAGO_API_URL=https://api.yourdomain.tld
+LAGO_FRONT_URL=https://app.yourdomain.tld
 SECRET_KEY_BASE=your-secret-key-base-hex-64
 RAILS_ENV=production
 LAGO_RAILS_STDOUT=true
-LAGO_FRONT_URL=http://localhost
 LAGO_PDF_URL=http://pdf:3000
 LAGO_DISABLE_SIGNUP=false
 APP_ENV=production
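Review bot: The db and redis `ports:` entries (the `@@ -140` and `@@ -155` hunks) still publish `${POSTGRES_PORT}` and `${REDIS_PORT:-6379}` on every host interface, while the same commit removes the host port mappings for api and front and moves the stack to a public `${DOMAIN}` behind Let's Encrypt; quoting them fixes the YAML sexagesimal trap but leaves the database and cache reachable from outside the Compose network. Unless host access is required, drop both mappings (the other services reach them by service name), or bind them to loopback: `- "127.0.0.1:${POSTGRES_PORT}:${POSTGRES_PORT}"` and `- "127.0.0.1:${REDIS_PORT:-6379}:${REDIS_PORT:-6379}"`. The env hunk's header context shows `REDIS_PASSWORD=` with no value in the template, which makes an exposed redis port particularly worth closing. The `db:` and `redis:` service keys sit outside these two hunks.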
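Review bot: `DOMAIN=yourdomain.told` in the env hunk misspells the placeholder that the two URLs beneath it spell as `yourdomain.tld`, so the Traefik `Host()` rules and `LAGO_API_URL`/`LAGO_FRONT_URL` disagree even before anyone edits the template. Deriving the URLs from the one variable removes the second edit point: `DOMAIN=yourdomain.tld`, `LAGO_API_URL=https://api.${DOMAIN}`, `LAGO_FRONT_URL=https://app.${DOMAIN}`. This relies on Compose v2 interpolating earlier variables inside `.env`; the file is named `env` here, so how it is copied into place, and whether an older Compose is targeted, determine whether the URLs need spelling out instead.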