Changes by cal: Migrate to traefik, update matrix

5 changed files with 50 additions and 47 deletions
--- a/docker-containers/gitea/docker-compose.yml
+++ b/docker-containers/gitea/docker-compose.yml
@ -30,26 +30,12 @@ services:
      - GITEA__openid__ENABLE_OPENID_SIGNUP=true
      - GITEA__service__DISABLE_REGISTRATION=false
      - GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
-      - GITEA__service__REGISTER_EMAIL_CONFIRM=false
-      - GITEA__service__ENABLE_CAPTCHA=false
-      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
      - VIRTUAL_HOST=git.cttue.de
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=git.cttue.de
    restart: always
-    labels:
-      - traefik.enable=true
-      - traefik.docker.network=traefik
-      - traefik.http.routers.git.entrypoints=web-secure
-      - traefik.http.routers.git.service=git
-      - traefik.http.routers.git.rule=Host(`git.cttue.de`)
-      - traefik.http.routers.git.tls=true
-      - traefik.http.routers.git.tls.certResolver=default
-      - traefik.http.routers.git.tls.domains[0]=cttue.de
-      - traefik.http.routers.git.tls.domains[0].sans=git.cttue.de
-      - traefik.http.services.git.loadbalancer.server.port=3000
    networks:
-      - traefik
+      - cttue_web_services
      - gitea
    ports:
      - 127.0.0.1:2222:22
@ -61,6 +47,6 @@ services:


 networks:
+  cttue_web_services:
+    external: true
  gitea:
-  traefik:
-    external: true
--- a/docker-containers/keycloak/docker-compose.yml
+++ b/docker-containers/keycloak/docker-compose.yml
@ -49,4 +49,4 @@ services:
 networks:
  local-keycloak:
  traefik:
-   external: true
+   external: true
--- a/docker-containers/nextcloud/docker-compose.yml
+++ b/docker-containers/nextcloud/docker-compose.yml
@ -54,4 +54,5 @@ networks:
  # Internal network for communication with MySQL
  backend:
  traefik:
-    external: true
+    external: true
+
--- a/docker-containers/pad/docker-compose.yml
+++ b/docker-containers/pad/docker-compose.yml
@ -40,21 +40,33 @@ services:
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=pad.cttue.de
    labels:
-      - traefik.enable=true
-      - traefik.docker.network=traefik
-      - traefik.http.routers.pad.entrypoints=web-secure
-      - traefik.http.routers.pad.service=pad
-      - traefik.http.routers.pad.rule=Host(`pad.cttue.de`)
-      - traefik.http.routers.pad.tls=true
-      - traefik.http.routers.pad.tls.certResolver=default
-      - traefik.http.routers.pad.tls.domains[0]=pad.cttue.de
-      - traefik.http.routers.pad.tls.domains[0].sans=test.pad.cttue.de
-      - traefik.http.services.pad.loadbalancer.server.port=3000
+      - "traefik.enable=true"
+
+      # Router for HTTP (redirects to HTTPS)
+      - "traefik.http.routers.pad.rule=Host(`pad.cttue.de`)"
+      - "traefik.http.routers.pad.entrypoints=web"
+      - "traefik.http.routers.pad.middlewares=redirect-to-https"
+
+      # Router for HTTPS
+      - "traefik.http.routers.pad-secure.rule=Host(`pad.cttue.de`)"
+      - "traefik.http.routers.pad-secure.entrypoints=websecure"
+      - "traefik.http.routers.pad-secure.tls.certresolver=http"
+
+      # Define service and backend port (matching old upstream: port 3000)
+      - "traefik.http.services.pad.loadbalancer.server.port=3000"
+
+      # Redirect middleware (HTTP -> HTTPS)
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # Security Headers (Optional, mimics your Nginx security settings)
+      - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
+      - "traefik.docker.network=cttue_web_services"
    volumes:
      - ./uploads:/hedgedoc/public/uploads
    networks:
      cttue_web_services:
-      traefik:
    restart: always
    depends_on:
      - database
@ -62,5 +74,3 @@ services:
 networks:
  cttue_web_services:
    external: true
-  traefik:
-    external: true
--- a/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml
+++ b/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml
@ -15,8 +15,8 @@ matrix_server_fqn_element: "element.cttue.de"
 matrix_homeserver_implementation: synapse

 # docker already installed
-matrix_docker_installation_enabled: true
-
+#matrix_docker_installation_enabled: true # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_playbook_docker_installation_enabled: true
 # A secret used as a base, for generating various other secrets.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iUET5UXgG3ku8IPbVsDvxKICQ"
@ -25,25 +25,25 @@ matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iU
 #
 # The playbook creates additional Postgres users and databases (one for each enabled service)
 # using this superuser account.
-matrix_postgres_connection_password: "SIHm7TtFF1ntGxKu"
+postgres_connection_password: "SIHm7TtFF1ntGxKu"

 #################### jwilder/nginx-proxy related ###################

 # Disable generation and retrieval of SSL certs
-matrix_ssl_retrieval_method: none
+# matrix_ssl_retrieval_method: none # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Configure Nginx to only use plain HTTP
-matrix_nginx_proxy_https_enabled: false
+# matrix_nginx_proxy_https_enabled: false # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Don't bind any HTTP or federation port to the host
-matrix_nginx_proxy_container_http_host_bind_port: ""
-matrix_nginx_proxy_container_federation_host_bind_port: ""
+# matrix_nginx_proxy_container_http_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+# matrix_nginx_proxy_container_federation_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
-matrix_nginx_proxy_trust_forwarded_proto: true
+# matrix_nginx_proxy_trust_forwarded_proto: true # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Trust and use the other reverse proxy's `X-Forwarded-For` header.
-matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for"
+# matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for" # this one was changed during the upgrade - 30. Jan 2025 - Cal

 # Disable Coturn because it needs SSL certs
 # (Clients can, though exposing IP address, use Matrix.org TURN)
@ -68,13 +68,16 @@ matrix_coturn_tls_cert_path: "/certs/fullchain.pem"
 matrix_coturn_tls_key_path: "/certs/key.pem"

 # All containers need to be on the same Docker network as nginx-proxy
-matrix_docker_network: "cttue_web_services"
-matrix_coturn_docker_network: "cttue_web_services"
+#matrix_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_homeserver_container_network: "cttue_web_services"
+# matrix_coturn_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+matrix_coturn_container_network: "cttue_web_services"

-matrix_nginx_proxy_container_extra_arguments:
-  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
-  - '-e "VIRTUAL_PORT=8080"'
-  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+# this one was changed during the upgrade - 30. Jan 2025 - Cal
+# matrix_nginx_proxy_container_extra_arguments:
+#  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+#  - '-e "VIRTUAL_PORT=8080"'
+#  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'

 # change federation to 443
 matrix_synapse_http_listener_resource_names: ["client", "federation"]
@ -115,3 +118,6 @@ matrix_synapse_configuration_extension_yaml: |
          email_template: "{% raw %}{{ user.email }}{% endraw %}"


+# config for traefik
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+traefik_config_certificatesResolvers_acme_email: pascal@cttue.de