From 80a11fb47f1da37bbe2b9ddd156ae632792dda83 Mon Sep 17 00:00:00 2001 From: RocketQuack <202538874+Rocket-Quack@users.noreply.github.com> Date: Mon, 19 Jan 2026 19:31:55 +0100 Subject: [PATCH] chore: run pre-commit fixes --- docs/02-setup/04-env-variables.md | 8 +- docs/02-setup/05-overrides.md | 36 ++++---- docs/06-migration/02-traefik-v3-migration.md | 18 ++-- overrides/compose.https.yaml | 54 ++++++------ overrides/compose.proxy.yaml | 30 +++---- overrides/compose.traefik-ssl.yaml | 90 ++++++++++---------- overrides/compose.traefik.yaml | 80 ++++++++--------- 7 files changed, 161 insertions(+), 155 deletions(-) diff --git a/docs/02-setup/04-env-variables.md b/docs/02-setup/04-env-variables.md index c566ecd9..22a25790 100644 --- a/docs/02-setup/04-env-variables.md +++ b/docs/02-setup/04-env-variables.md @@ -45,10 +45,10 @@ Then edit `.env` and set variables according to your needs. ## HTTPS & SSL Configuration -| Variable | Purpose | Default | When to Set | -| ------------------- | ------------------------------------------------ | ------- | ---------------------------------------- | -| `LETSENCRYPT_EMAIL` | Email for Let's Encrypt certificate registration | — | Required if using HTTPS override | -| `SITES_RULE` | List of domains for SSL (Traefik rule for TLS domain routing) | — | Required if using reverse proxy override | +| Variable | Purpose | Default | When to Set | +| ------------------- | ------------------------------------------------------------- | ------- | ---------------------------------------- | +| `LETSENCRYPT_EMAIL` | Email for Let's Encrypt certificate registration | — | Required if using HTTPS override | +| `SITES_RULE` | List of domains for SSL (Traefik rule for TLS domain routing) | — | Required if using reverse proxy override | **Format for `SITES_RULE`:** diff --git a/docs/02-setup/05-overrides.md b/docs/02-setup/05-overrides.md index 156a6834..f1e274b1 100644 --- a/docs/02-setup/05-overrides.md +++ b/docs/02-setup/05-overrides.md 
@@ -4,24 +4,24 @@ Overrides extend the base compose.yaml with additional services or modify existi docker compose -f compose.yaml -f overrides/compose.mariadb.yaml -f overrides/compose.redis.yaml config > compose.custom.yaml ``` -| Overrider | Purpose | Additional Info | -| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -| **Database** | | | -| compose.mariadb.yaml | Adds MariaDB database service | set `DB_PASSWORD` or default Password will be used | -| compose.mariadb-secrets.yaml | Adds MariaDB with password from a secret file instead of environment variable | Set `DB_PASSWORD_SECRETS_FILE` to the path of your secret file | -| compose.mariadb-shared.yaml | Makes MariaDB available on a shared network (mariadb-network) for other services | set `DB_PASSWORD` | -| compose.postgres.yaml | Uses PostgreSQL instead of MariaDB as the database | set `DB_PASSWORD` | -| **Proxy** | | | -| compose.noproxy.yaml | Exposes the application directly on port `:8080` without a reverse proxy | | -| compose.proxy.yaml | Uses Traefik as HTTP reverse proxy on port `:80` | You can change the published port by setting `HTTP_PUBLISH_PORT` | +| Overrider | Purpose | Additional Info | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | +| **Database** | | | +| compose.mariadb.yaml | Adds MariaDB database service | set `DB_PASSWORD` or default Password will be used | +| compose.mariadb-secrets.yaml | Adds MariaDB with password from a secret file instead of environment variable | Set 
`DB_PASSWORD_SECRETS_FILE` to the path of your secret file | +| compose.mariadb-shared.yaml | Makes MariaDB available on a shared network (mariadb-network) for other services | set `DB_PASSWORD` | +| compose.postgres.yaml | Uses PostgreSQL instead of MariaDB as the database | set `DB_PASSWORD` | +| **Proxy** | | | +| compose.noproxy.yaml | Exposes the application directly on port `:8080` without a reverse proxy | | +| compose.proxy.yaml | Uses Traefik as HTTP reverse proxy on port `:80` | You can change the published port by setting `HTTP_PUBLISH_PORT` | | compose.https.yaml | Uses Traefik as HTTPS reverse proxy on Port `:443` with automatic HTTP-to-HTTPS redirect | `SITES_RULE` and `LETSENCRYPT_EMAIL` must be set. `HTTP_PUBLISH_PORT` and `HTTPS_PUBLISH_PORT` can be set. | -| **Redis** | | | +| **Redis** | | | | compose.redis.yaml | Adds Redis service for caching and background job queuing | | **TBD** | **The following overrides are available but lack documentation. If you use them and understand their purpose, please consider contributing to this documentation.** | -| compose.backup-cron.yaml | | | -| compose.custom-domain-ssl.yaml | | | -| compose.custom-domain.yaml | | | -| compose.multi-bench-ssl.yaml | | | -| compose.multi-bench.yaml | | | -| compose.traefik-ssl.yaml | | | -| compose.traefik.yaml | | | +| compose.backup-cron.yaml | | | +| compose.custom-domain-ssl.yaml | | | +| compose.custom-domain.yaml | | | +| compose.multi-bench-ssl.yaml | | | +| compose.multi-bench.yaml | | | +| compose.traefik-ssl.yaml | | | +| compose.traefik.yaml | | | diff --git a/docs/06-migration/02-traefik-v3-migration.md b/docs/06-migration/02-traefik-v3-migration.md index 9e4ed21f..b452779c 100644 --- a/docs/06-migration/02-traefik-v3-migration.md +++ b/docs/06-migration/02-traefik-v3-migration.md 
@@ -3,24 +3,27 @@ Use this guide if you already run Traefik v2 with `frappe_docker` and want to upgrade to v3. It focuses on the image upgrade and the v3 routing rule changes that affect existing setups. ### Before you start + Before migrating anything, it is always recommended to create a backup. Better safe than sorry. In particular, compose and .env should be backed up. ### Quick upgrade summary -1) Pull the updated repo -2) Update env variables especially the updated `SITES` to `SITES_RULE` -3) Regenerate the compose config and restart the stack +1. Pull the updated repo +2. Update env variables especially the updated `SITES` to `SITES_RULE` +3. Regenerate the compose config and restart the stack #### Multiple hostnames v2 allowed comma-separated host lists inside `Host(...)`. In v3 traefik uses logical OR **Before (v2):** + ``` Host(`a.example.com`,`b.example.com`) ``` **After (v3):** + ``` Host(`a.example.com`) || Host(`b.example.com`) ``` @@ -30,11 +33,13 @@ Host(`a.example.com`) || Host(`b.example.com`) All Traefik routing for HTTPS and multi-bench setups now uses `SITES_RULE`, which is a full v3 rule expression **Single site:** + ``` SITES_RULE=Host(`erp.example.com`) ``` **Multiple sites:** + ``` SITES_RULE=Host(`a.example.com`) || Host(`b.example.com`) ``` @@ -51,6 +56,7 @@ docker compose --env-file .env \ -f overrides/compose.https.yaml \ config > ~/gitops/docker-compose.yml ``` + ```sh docker compose --project-name -f ~/gitops/docker-compose.yml up -d ``` @@ -65,6 +71,6 @@ After restarting, Traefik will be used in the new supported version 3.6 and the If you need to rollback: -1) Revert Traefik image to `v2.11` -2) Restore the old `SITES` variable format and v2 rules -3) Regenerate the compose config and restart +1. Revert Traefik image to `v2.11` +2. Restore the old `SITES` variable format and v2 rules +3. Regenerate the compose config and restart diff --git a/overrides/compose.https.yaml b/overrides/compose.https.yaml index 55b453e8..c9c0f525 100644 
--- a/overrides/compose.https.yaml
+++ b/overrides/compose.https.yaml
@@ -1,33 +1,33 @@
-services:
- frontend:
- labels:
+services:
+ frontend:
+ labels:
 - traefik.enable=true
 - traefik.http.services.frontend.loadbalancer.server.port=8080
 - traefik.http.routers.frontend-http.entrypoints=websecure
 - traefik.http.routers.frontend-http.tls.certresolver=main-resolver
 - traefik.http.routers.frontend-http.ruleSyntax=v3
 - traefik.http.routers.frontend-http.rule=${SITES_RULE:?SITES_RULE not set}
-
- proxy:
- image: traefik:v3.6
- restart: unless-stopped
- command:
- - --providers.docker=true
- - --providers.docker.exposedbydefault=false
- - --entrypoints.web.address=:80
- - --entrypoints.web.http.redirections.entrypoint.to=websecure
- - --entrypoints.web.http.redirections.entrypoint.scheme=https
- - --entrypoints.websecure.address=:443
- - --certificatesResolvers.main-resolver.acme.httpChallenge=true
- - --certificatesResolvers.main-resolver.acme.httpChallenge.entrypoint=web
- - --certificatesResolvers.main-resolver.acme.email=${LETSENCRYPT_EMAIL:?No Let's Encrypt email set}
- - --certificatesResolvers.main-resolver.acme.storage=/letsencrypt/acme.json
- ports:
- - ${HTTP_PUBLISH_PORT:-80}:80
- - ${HTTPS_PUBLISH_PORT:-443}:443
- volumes:
- - cert-data:/letsencrypt
- - /var/run/docker.sock:/var/run/docker.sock:ro
-
-volumes:
- cert-data:
+
+ proxy:
+ image: traefik:v3.6
+ restart: unless-stopped
+ command:
+ - --providers.docker=true
+ - --providers.docker.exposedbydefault=false
+ - --entrypoints.web.address=:80
+ - --entrypoints.web.http.redirections.entrypoint.to=websecure
+ - --entrypoints.web.http.redirections.entrypoint.scheme=https
+ - --entrypoints.websecure.address=:443
+ - --certificatesResolvers.main-resolver.acme.httpChallenge=true
+ - --certificatesResolvers.main-resolver.acme.httpChallenge.entrypoint=web
+ - --certificatesResolvers.main-resolver.acme.email=${LETSENCRYPT_EMAIL:?No Let's Encrypt email set}
+ - --certificatesResolvers.main-resolver.acme.storage=/letsencrypt/acme.json
+ ports:
+ - ${HTTP_PUBLISH_PORT:-80}:80
+ - ${HTTPS_PUBLISH_PORT:-443}:443
+ volumes:
+ - cert-data:/letsencrypt
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+ cert-data:
diff --git a/overrides/compose.proxy.yaml b/overrides/compose.proxy.yaml
index b3c467c7..feada975 100644
--- a/overrides/compose.proxy.yaml
+++ b/overrides/compose.proxy.yaml
@@ -1,20 +1,20 @@
-services:
- frontend:
- labels:
+services:
+ frontend:
+ labels:
 - traefik.enable=true
 - traefik.http.services.frontend.loadbalancer.server.port=8080
 - traefik.http.routers.frontend-http.entrypoints=web
 - traefik.http.routers.frontend-http.ruleSyntax=v3
 - traefik.http.routers.frontend-http.rule=HostRegexp(`^.+$`)
-
- proxy:
- image: traefik:v3.6
- command:
- - --providers.docker
- - --providers.docker.exposedbydefault=false
- - --entrypoints.web.address=:80
- ports:
- - ${HTTP_PUBLISH_PORT:-80}:80
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- userns_mode: host
+
+ proxy:
+ image: traefik:v3.6
+ command:
+ - --providers.docker
+ - --providers.docker.exposedbydefault=false
+ - --entrypoints.web.address=:80
+ ports:
+ - ${HTTP_PUBLISH_PORT:-80}:80
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ userns_mode: host
diff --git a/overrides/compose.traefik-ssl.yaml b/overrides/compose.traefik-ssl.yaml
index 19083bf2..0bdf45fe 100644
--- a/overrides/compose.traefik-ssl.yaml
+++ b/overrides/compose.traefik-ssl.yaml
@@ -1,49 +1,49 @@
-services:
- traefik:
- labels:
- # https-redirect middleware to redirect HTTP to HTTPS
- # It can be reused by other stacks in other Docker Compose files
- - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
- # traefik-http to use the middleware to redirect to https
- - traefik.http.routers.traefik-public-http.middlewares=https-redirect
+services:
+ traefik:
+ labels:
+ # https-redirect middleware to redirect HTTP to HTTPS
+ # It can be reused by other stacks in other Docker Compose files
+ - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
+ # traefik-http to use the middleware to redirect to https
+ - traefik.http.routers.traefik-public-http.middlewares=https-redirect
 # traefik-https the actual router using HTTPS
 # Uses the environment variable DOMAIN
 - traefik.http.routers.traefik-public-https.ruleSyntax=v3
 - traefik.http.routers.traefik-public-https.rule=Host(`${TRAEFIK_DOMAIN}`)
- - traefik.http.routers.traefik-public-https.entrypoints=https
- - traefik.http.routers.traefik-public-https.tls=true
- # Use the special Traefik service api@internal with the web UI/Dashboard
- - traefik.http.routers.traefik-public-https.service=api@internal
- # Use the "le" (Let's Encrypt) resolver created below
- - traefik.http.routers.traefik-public-https.tls.certresolver=le
- # Enable HTTP Basic auth, using the middleware created above
- - traefik.http.routers.traefik-public-https.middlewares=admin-auth
- command:
- # Enable Docker in Traefik, so that it reads labels from Docker services
- - --providers.docker=true
- # Do not expose all Docker services, only the ones explicitly exposed
- - --providers.docker.exposedbydefault=false
- # Create an entrypoint http listening on port 80
- - --entrypoints.http.address=:80
- # Create an entrypoint https listening on port 443
- - --entrypoints.https.address=:443
- # Create the certificate resolver le for Let's Encrypt, uses the environment variable EMAIL
- - --certificatesresolvers.le.acme.email=${EMAIL:?No EMAIL set}
- # Store the Let's Encrypt certificates in the mounted volume
- - --certificatesresolvers.le.acme.storage=/certificates/acme.json
- # Use the TLS Challenge for Let's Encrypt
- - --certificatesresolvers.le.acme.tlschallenge=true
- # Enable the access log, with HTTP requests
- - --accesslog
- # Enable the Traefik log, for configurations and errors
- - --log
- # Enable the Dashboard and API
- - --api
- ports:
- - ${HTTPS_PUBLISH_PORT:-443}:443
- volumes:
- - cert-data:/certificates
-
-volumes:
- cert-data:
+ - traefik.http.routers.traefik-public-https.entrypoints=https
+ - traefik.http.routers.traefik-public-https.tls=true
+ # Use the special Traefik service api@internal with the web UI/Dashboard
+ - traefik.http.routers.traefik-public-https.service=api@internal
+ # Use the "le" (Let's Encrypt) resolver created below
+ - traefik.http.routers.traefik-public-https.tls.certresolver=le
+ # Enable HTTP Basic auth, using the middleware created above
+ - traefik.http.routers.traefik-public-https.middlewares=admin-auth
+ command:
+ # Enable Docker in Traefik, so that it reads labels from Docker services
+ - --providers.docker=true
+ # Do not expose all Docker services, only the ones explicitly exposed
+ - --providers.docker.exposedbydefault=false
+ # Create an entrypoint http listening on port 80
+ - --entrypoints.http.address=:80
+ # Create an entrypoint https listening on port 443
+ - --entrypoints.https.address=:443
+ # Create the certificate resolver le for Let's Encrypt, uses the environment variable EMAIL
+ - --certificatesresolvers.le.acme.email=${EMAIL:?No EMAIL set}
+ # Store the Let's Encrypt certificates in the mounted volume
+ - --certificatesresolvers.le.acme.storage=/certificates/acme.json
+ # Use the TLS Challenge for Let's Encrypt
+ - --certificatesresolvers.le.acme.tlschallenge=true
+ # Enable the access log, with HTTP requests
+ - --accesslog
+ # Enable the Traefik log, for configurations and errors
+ - --log
+ # Enable the Dashboard and API
+ - --api
+ ports:
+ - ${HTTPS_PUBLISH_PORT:-443}:443
+ volumes:
+ - cert-data:/certificates
+
+volumes:
+ cert-data:
diff --git a/overrides/compose.traefik.yaml b/overrides/compose.traefik.yaml
index 01ad3c5f..15885363 100644
--- a/overrides/compose.traefik.yaml
+++ b/overrides/compose.traefik.yaml
@@ -1,46 +1,46 @@
-services:
- traefik:
- image: "traefik:v3.6"
- restart: unless-stopped
- labels:
- # Enable Traefik for this service, to make it available in the public network
- - traefik.enable=true
- # Use the traefik-public network (declared below)
- - traefik.docker.network=traefik-public
+services:
+ traefik:
+ image: "traefik:v3.6"
+ restart: unless-stopped
+ labels:
+ # Enable Traefik for this service, to make it available in the public network
+ - traefik.enable=true
+ # Use the traefik-public network (declared below)
+ - traefik.docker.network=traefik-public
 # admin-auth middleware with HTTP Basic auth
 # Using the environment variables USERNAME and HASHED_PASSWORD
 - traefik.http.middlewares.admin-auth.basicauth.users=admin:${HASHED_PASSWORD:?No HASHED_PASSWORD set}
 # Uses the environment variable TRAEFIK_DOMAIN
 - traefik.http.routers.traefik-public-http.ruleSyntax=v3
 - traefik.http.routers.traefik-public-http.rule=Host(`${TRAEFIK_DOMAIN:?No TRAEFIK_DOMAIN set}`)
- - traefik.http.routers.traefik-public-http.entrypoints=http
- # Use the special Traefik service api@internal with the web UI/Dashboard
- - traefik.http.routers.traefik-public-http.service=api@internal
- # Enable HTTP Basic auth, using the middleware created above
- - traefik.http.routers.traefik-public-http.middlewares=admin-auth
- # Define the port inside of the Docker service to use
- - traefik.http.services.traefik-public.loadbalancer.server.port=8080
- command:
- # Enable Docker in Traefik, so that it reads labels from Docker services
- - --providers.docker=true
- # Do not expose all Docker services, only the ones explicitly exposed
- - --providers.docker.exposedbydefault=false
- # Create an entrypoint http listening on port 80
- - --entrypoints.http.address=:80
- # Enable the access log, with HTTP requests
- - --accesslog
- # Enable the Traefik log, for configurations and errors
- - --log
- # Enable the Dashboard and API
- - --api
- ports:
- - ${HTTP_PUBLISH_PORT:-80}:80
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - traefik-public
-
-networks:
- traefik-public:
- name: traefik-public
- external: false
+ - traefik.http.routers.traefik-public-http.entrypoints=http
+ # Use the special Traefik service api@internal with the web UI/Dashboard
+ - traefik.http.routers.traefik-public-http.service=api@internal
+ # Enable HTTP Basic auth, using the middleware created above
+ - traefik.http.routers.traefik-public-http.middlewares=admin-auth
+ # Define the port inside of the Docker service to use
+ - traefik.http.services.traefik-public.loadbalancer.server.port=8080
+ command:
+ # Enable Docker in Traefik, so that it reads labels from Docker services
+ - --providers.docker=true
+ # Do not expose all Docker services, only the ones explicitly exposed
+ - --providers.docker.exposedbydefault=false
+ # Create an entrypoint http listening on port 80
+ - --entrypoints.http.address=:80
+ # Enable the access log, with HTTP requests
+ - --accesslog
+ # Enable the Traefik log, for configurations and errors
+ - --log
+ # Enable the Dashboard and API
+ - --api
+ ports:
+ - ${HTTP_PUBLISH_PORT:-80}:80
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - traefik-public
+
+networks:
+ traefik-public:
+ name: traefik-public
+ external: false