From f2ef25a60e88ceb316c141fb01b4535339494099 Mon Sep 17 00:00:00 2001 From: Paul Sanders Date: Fri, 27 Dec 2024 11:09:25 -0500 Subject: [PATCH] Add traefik --- backend/app/core/config.py | 5 ++- docker-compose.override.yml | 86 +++++++++++++++++++++++++++++++++++++ docker-compose.traefik.yml | 77 +++++++++++++++++++++++++++++++++ docker-compose.yml | 46 +++++++++++++++++--- justfile | 1 + 5 files changed, 207 insertions(+), 8 deletions(-) create mode 100644 docker-compose.override.yml create mode 100644 docker-compose.traefik.yml diff --git a/backend/app/core/config.py b/backend/app/core/config.py index 91f0b5f..60ceb37 100644 --- a/backend/app/core/config.py +++ b/backend/app/core/config.py @@ -2,6 +2,7 @@ from pathlib import Path from typing import Annotated, Any, Final, Literal, Self +from dotenv import find_dotenv, load_dotenv from pydantic import ( AnyUrl, BeforeValidator, @@ -13,6 +14,8 @@ ) from pydantic_settings import BaseSettings, SettingsConfigDict +load_dotenv(find_dotenv(".env")) + def _parse_cors(v: Any) -> list[str] | str: if isinstance(v, str) and not v.startswith("["): @@ -23,7 +26,7 @@ def _parse_cors(v: Any) -> list[str] | str: class Settings(BaseSettings): - model_config = SettingsConfigDict(env_file=".env", env_file_encoding="utf-8") + model_config = SettingsConfigDict(env_file_encoding="utf-8", extra="ignore") API_V1_PREFIX: str = "/api/v1" TITLE: Final = "SCAN" diff --git a/docker-compose.override.yml b/docker-compose.override.yml new file mode 100644 index 0000000..e0c267a --- /dev/null +++ b/docker-compose.override.yml @@ -0,0 +1,86 @@ +services: + proxy: + image: traefik:3 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + ports: + - "80:80" + - "8090:8080" + # Duplicate the command from docker-compose.yml to add --api.insecure=true + command: + # Enable Docker in Traefik, so that it reads labels from Docker services + - --providers.docker + # Add a constraint to only use services with the label for this stack + - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`) + # Do not expose all Docker services, only the ones explicitly exposed + - --providers.docker.exposedbydefault=false + # Create an entrypoint "http" listening on port 80 + - --entrypoints.http.address=:80 + # Enable the access log, with HTTP requests + - --accesslog + # Enable the Traefik log, for configurations and errors + - --log + # Enable debug logging for local development + - --log.level=DEBUG + # Enable the Dashboard and API + - --api + # Enable the Dashboard and API in insecure mode for local development + - --api.insecure=true + labels: + # Enable Traefik for this service, to make it available in the public network + - traefik.enable=true + - traefik.constraint-label=traefik-public + networks: + - traefik-public + - default + + backend: + image: backend:dev + restart: no + ports: + - "8000:8000" + networks: + - traefik-public + - default + build: + context: ./backend + container_name: backend + depends_on: + - db + - valkey + env_file: + - .env + environment: + - POSTGRES_HOST=db + + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + + # HTTP entry point and rule + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.rule=Host(`api.${DOMAIN?Variable not set}`) + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.entrypoints=http + + # Remove reference to HTTPS and its middlewares + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.middlewares= + + # Clear HTTPS-specific labels + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.rule= + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.entrypoints= + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.tls.certresolver= + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.middlewares= + + db: + restart: "no" + ports: + - "5432:5432" + + valkey: + restart: "no" + ports: + - 6379:6379 + +networks: + traefik-public: + # For local dev, don't expect an external Traefik network + external: false diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml new file mode 100644 index 0000000..55a3dad --- /dev/null +++ b/docker-compose.traefik.yml @@ -0,0 +1,77 @@ +services: + traefik: + image: traefik:3 + ports: + # Listen on port 80, default for HTTP, necessary to redirect to HTTPS + - 80:80 + # Listen on port 443, default for HTTPS + - 443:443 + restart: always + labels: + # Enable Traefik for this service, to make it available in the public network + - traefik.enable=true + # Use the traefik-public network (declared below) + - traefik.docker.network=traefik-public + # Define the port inside of the Docker service to use + - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080 + # Make Traefik use this domain (from an environment variable) in HTTP + - traefik.http.routers.traefik-dashboard-http.entrypoints=http + - traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.${DOMAIN?Variable not set}`) + # traefik-https the actual router using HTTPS + - traefik.http.routers.traefik-dashboard-https.entrypoints=https + - traefik.http.routers.traefik-dashboard-https.rule=Host(`traefik.${DOMAIN?Variable not set}`) + - traefik.http.routers.traefik-dashboard-https.tls=true + # Use the "le" (Let's Encrypt) resolver created below + - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le + # Use the special Traefik service api@internal with the web UI/Dashboard + - traefik.http.routers.traefik-dashboard-https.service=api@internal + # https-redirect middleware to redirect HTTP to HTTPS + - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https + - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true + # traefik-http set up only to use the middleware to redirect to https + - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect + # admin-auth middleware with HTTP Basic auth + # Using the environment variables USERNAME and HASHED_PASSWORD + - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set} + # Enable HTTP Basic auth, using the middleware created above + - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth + volumes: + # Add Docker as a mounted volume, so that Traefik can read the labels of other services + - /var/run/docker.sock:/var/run/docker.sock:ro + # Mount the volume to store the certificates + - traefik-public-certificates:/certificates + command: + # Enable Docker in Traefik, so that it reads labels from Docker services + - --providers.docker + # Do not expose all Docker services, only the ones explicitly exposed + - --providers.docker.exposedbydefault=false + # Create an entrypoint "http" listening on port 80 + - --entrypoints.http.address=:80 + # Create an entrypoint "https" listening on port 443 + - --entrypoints.https.address=:443 + # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL + - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set} + # Store the Let's Encrypt certificates in the mounted volume + - --certificatesresolvers.le.acme.storage=/certificates/acme.json + # Use the TLS Challenge for Let's Encrypt + - --certificatesresolvers.le.acme.tlschallenge=true + # Enable the access log, with HTTP requests + - --accesslog + # Enable the Traefik log, for configurations and errors + - --log + # Enable the Dashboard and API + - --api + networks: + # Use the public network created to be shared between Traefik and + # any other service that needs to be publicly available with HTTPS + - traefik-public + +volumes: + # Create a volume to store the certificates, even if the container is recreated + traefik-public-certificates: + +networks: + # Use the previously created public network "traefik-public", shared with other + # services that need to be publicly available via this Traefik + traefik-public: + external: true diff --git a/docker-compose.yml b/docker-compose.yml index e4d0aa3..8a47675 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,33 +1,62 @@ services: backend: image: backend:dev + restart: always + networks: + - traefik-public + - default build: context: ./backend container_name: backend depends_on: - db - valkey - ports: - - "8000:8000" env_file: - - backend/.env + - .env environment: - POSTGRES_HOST=db + - VALKEY_HOST=valkey + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + + - traefik.http.services.${STACK_NAME?Variable not set}-backend.loadbalancer.server.port=8000 + + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.rule=Host(`api.${DOMAIN?Variable not set}`) + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.entrypoints=http + + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.rule=Host(`api.${DOMAIN?Variable not set}`) + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.entrypoints=https + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.tls=true + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.tls.certresolver=le + + # Enable redirection for HTTP and HTTPS + - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.middlewares=https-redirect + db: image: postgres:17-alpine + restart: always + healthcheck: + test: ["CMD-SHELL", "pg_isready -U $POSTGRES_USER -d $POSTGRES_DB"] + interval: 10s + retries: 5 + start_period: 30s + timeout: 10s expose: - 5432 ports: - 5432:5432 environment: - POSTGRES_USER: "postgres" - POSTGRES_PASSWORD: "test_password" - POSTGRES_DB: "scan" + POSTGRES_USER: postgres + POSTGRES_PASSWORD: test_password + POSTGRES_DB: scan volumes: - db-data:/var/lib/postgresql/data valkey: image: valkey/valkey:8-alpine + restart: always expose: - 6379 ports: @@ -38,4 +67,7 @@ volumes: db-data: networks: - scan-network: + traefik-public: + name: traefik-public + # Allow setting it to false for testing + external: true diff --git a/justfile b/justfile index 7bdf56c..47b66d4 100644 --- a/justfile +++ b/justfile @@ -48,6 +48,7 @@ uv sync --frozen --all-extras @backend-server: + docker compose down backend && \ cd backend && \ uv run uvicorn app.main:app --host 127.0.0.1 --port 8000 --reload