From 89f15064e2bd1384eed13504e4d4340d0e3eccab Mon Sep 17 00:00:00 2001 From: Marco von Rosenberg Date: Thu, 16 Oct 2025 06:56:09 +0000 Subject: [PATCH] Changes by cal: Migrate to traefik, update matrix --- docker-containers/keycloak/docker-compose.yml | 23 +++++++----- .../nextcloud/docker-compose.yml | 14 ++++++++ docker-containers/pad/docker-compose.yml | 24 +++++++++++++ .../host_vars/matrix.cttue.de/vars.yml | 36 +++++++++++-------- 4 files changed, 73 insertions(+), 24 deletions(-) diff --git a/docker-containers/keycloak/docker-compose.yml b/docker-containers/keycloak/docker-compose.yml index e96c594..041a8a8 100644 --- a/docker-containers/keycloak/docker-compose.yml +++ b/docker-containers/keycloak/docker-compose.yml @@ -29,19 +29,24 @@ services: - KC_HOSTNAME=auth.cttue.de - KC_HOSTNAME_STRICT_HTTPS=false - KC_PROXY=edge - - KC_HTTP_ENABLED=true - - KC_HOSTNAME_STRICT=false - KC_FEATURES=account2,account-api - - VIRTUAL_HOST=auth.cttue.de - VIRTUAL_PORT=8080 - - LETSENCRYPT_HOST=auth.cttue.de restart: always networks: - local-keycloak - - cttue_web_services - + - traefik + labels: + - traefik.enable=true + - traefik.docker.network=traefik + - traefik.http.routers.keycloak.entrypoints=web-secure + - traefik.http.routers.keycloak.service=keycloak + - traefik.http.routers.keycloak.rule=Host(`auth.cttue.de`) + - traefik.http.routers.keycloak.tls=true + - traefik.http.routers.keycloak.tls.certResolver=default + - traefik.http.routers.keycloak.tls.domains[0]=cttue.de + - traefik.http.routers.keycloak.tls.domains[0].sans=auth.cttue.de + - traefik.http.services.keycloak.loadbalancer.server.port=8080 networks: - cttue_web_services: - external: true local-keycloak: - + traefik: + external: true diff --git a/docker-containers/nextcloud/docker-compose.yml b/docker-containers/nextcloud/docker-compose.yml index 228f07a..2861564 100644 --- a/docker-containers/nextcloud/docker-compose.yml +++ b/docker-containers/nextcloud/docker-compose.yml 
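Review bot: Dropping `KC_HTTP_ENABLED=true` while the new `traefik.http.services.keycloak.loadbalancer.server.port=8080` label points Traefik at the plain-HTTP listener ties that listener to the image honouring `KC_PROXY=edge`; on Keycloak releases where `KC_PROXY` is deprecated in favour of `KC_PROXY_HEADERS`, production mode leaves HTTP disabled and the router gets a backend that is not listening, so keep `- KC_HTTP_ENABLED=true` unless the deployed version is known to enable it implicitly. The router vocabulary also differs between files: this hunk and the nextcloud hunk use entrypoint `web-secure` and `tls.certResolver=default`, while the pad hunk uses `websecure` and `tls.certresolver=http`; Traefik's static configuration (not in this patch) defines exactly one of each spelling and rejects routers that reference an undefined entrypoint, so at least one set of routers will not be served — settle on one. `VIRTUAL_PORT=8080` is a leftover of the nginx-proxy setup and can go with the `VIRTUAL_HOST`/`LETSENCRYPT_HOST` lines this hunk already removes.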
@@ -30,9 +30,21 @@ services: - LETSENCRYPT_HOST=cloud.cttue.de volumes: - ./nextcloud-data:/var/www/html:z + labels: + - traefik.enable=true + - traefik.docker.network=traefik + - traefik.http.routers.cloud.entrypoints=web-secure + - traefik.http.routers.cloud.service=cloud + - traefik.http.routers.cloud.rule=Host(`cloud.cttue.de`) + - traefik.http.routers.cloud.tls=true + - traefik.http.routers.cloud.tls.certResolver=default + - traefik.http.routers.cloud.tls.domains[0]=cttue.de + - traefik.http.routers.cloud.tls.domains[0].sans=cloud.cttue.de + - traefik.http.services.cloud.loadbalancer.server.port=80 networks: cttue_web_services: backend: + traefik: depends_on: - nc_db @@ -41,4 +53,6 @@ networks: external: true # Internal network for communication with MySQL backend: + traefik: + external: true diff --git a/docker-containers/pad/docker-compose.yml b/docker-containers/pad/docker-compose.yml index 37a0231..b178bc9 100644 --- a/docker-containers/pad/docker-compose.yml +++ b/docker-containers/pad/docker-compose.yml 
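Review bot: Requests now reach Nextcloud from the new `traefik` network (`traefik.docker.network=traefik`), but nothing in the hunk updates the proxy settings the official image reads — `TRUSTED_PROXIES` (which has to name the `traefik` network's subnet rather than the old nginx-proxy one) and `OVERWRITEPROTOCOL=https`; without them Nextcloud sees Traefik's address as the client IP, so its brute-force throttling keys on the proxy, and it may generate `http://` URLs behind the TLS-terminating router. The service's `environment:` block sits above the hunk and is outside it, so this may already be handled — worth confirming against the rendered config. The `VIRTUAL_HOST`/`LETSENCRYPT_HOST` context line and the `cttue_web_services` network entry can be removed once nginx-proxy is retired, as the keycloak hunk already does for that service.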
@@ -39,6 +39,30 @@ services: - VIRTUAL_HOST=pad.cttue.de - VIRTUAL_PORT=3000 - LETSENCRYPT_HOST=pad.cttue.de + labels: + - "traefik.enable=true" + + # Router for HTTP (redirects to HTTPS) + - "traefik.http.routers.pad.rule=Host(`pad.cttue.de`)" + - "traefik.http.routers.pad.entrypoints=web" + - "traefik.http.routers.pad.middlewares=redirect-to-https" + + # Router for HTTPS + - "traefik.http.routers.pad-secure.rule=Host(`pad.cttue.de`)" + - "traefik.http.routers.pad-secure.entrypoints=websecure" + - "traefik.http.routers.pad-secure.tls.certresolver=http" + + # Define service and backend port (matching old upstream: port 3000) + - "traefik.http.services.pad.loadbalancer.server.port=3000" + + # Redirect middleware (HTTP -> HTTPS) + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + + # Security Headers (Optional, mimics your Nginx security settings) + - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000" + - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true" + - "traefik.http.middlewares.secure-headers.headers.stsPreload=true" + - "traefik.docker.network=cttue_web_services" volumes: - ./uploads:/hedgedoc/public/uploads networks: diff --git a/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml b/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml index 3b3e6fb..71884ff 100755 --- a/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml +++ b/matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml 
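Review bot: The `secure-headers` middleware declared by the three `stsSeconds`/`stsIncludeSubdomains`/`stsPreload` labels is never attached to a router — the only `middlewares=` label is on the HTTP router `pad` and names `redirect-to-https` — so the HSTS header is never sent; add `- "traefik.http.routers.pad-secure.middlewares=secure-headers"`. `traefik.docker.network=cttue_web_services` differs from the `traefik` network the keycloak and nextcloud hunks use, and the service's `networks:` list is cut off at the end of the hunk, so I cannot confirm Traefik can actually reach this container on that network. The labels here are double-quoted where the other two files leave them plain; both are valid YAML, but one style across the three compose files would make the routing rules easier to grep. The comment `# Security Headers (Optional, mimics your Nginx security settings)` reads as pasted from a chat answer; `# HSTS, replacing the headers the old nginx-proxy added` says what the block does.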
@@ -15,8 +15,8 @@ matrix_server_fqn_element: "element.cttue.de" matrix_homeserver_implementation: synapse # docker already installed -matrix_docker_installation_enabled: true - +#matrix_docker_installation_enabled: true # this one was changed during the upgrade - 30. Jan 2025 - Cal +matrix_playbook_docker_installation_enabled: true # A secret used as a base, for generating various other secrets. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iUET5UXgG3ku8IPbVsDvxKICQ" 
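Review bot: The inline annotation `# this one was changed during the upgrade - 30. Jan 2025 - Cal` is repeated on every commented-out line here and in the next two hunks of this file; that is commit-history information, and one block comment above each group (or the commit message) would carry it without doubling the line length, while the dead `#matrix_docker_installation_enabled: true` lines can simply be deleted now that git keeps the old value. The annotation date (Jan 2025) is also nine months before this commit's date, which suggests the rename sat uncommitted on the host; that is worth confirming so the inventory in git matches what was actually deployed.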
@@ -25,25 +25,25 @@ matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iU # # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. -matrix_postgres_connection_password: "SIHm7TtFF1ntGxKu" +postgres_connection_password: "SIHm7TtFF1ntGxKu" #################### jwilder/nginx-proxy related ################### # Disable generation and retrieval of SSL certs -matrix_ssl_retrieval_method: none +# matrix_ssl_retrieval_method: none # this one was changed during the upgrade - 30. Jan 2025 - Cal # Configure Nginx to only use plain HTTP -matrix_nginx_proxy_https_enabled: false +# matrix_nginx_proxy_https_enabled: false # this one was changed during the upgrade - 30. Jan 2025 - Cal # Don't bind any HTTP or federation port to the host -matrix_nginx_proxy_container_http_host_bind_port: "" -matrix_nginx_proxy_container_federation_host_bind_port: "" +# matrix_nginx_proxy_container_http_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal +# matrix_nginx_proxy_container_federation_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true +# matrix_nginx_proxy_trust_forwarded_proto: true # this one was changed during the upgrade - 30. Jan 2025 - Cal # Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for" +# matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for" # this one was changed during the upgrade - 30. Jan 2025 - Cal # Disable Coturn because it needs SSL certs # (Clients can, though exposing IP address, use Matrix.org TURN) 
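Review bot: The renamed `+postgres_connection_password:` line carries the Postgres superuser password in plaintext, and the `matrix_homeserver_generic_secret_key` context line at the top of the hunk does the same; host_vars committed to git should reference these from an `ansible-vault`-encrypted file (e.g. `postgres_connection_password: "{{ vault_postgres_connection_password }}"` here, with the value in an encrypted `vault.yml` beside it), and both values should be rotated since they remain in history whatever later commits do. The `index 3b3e6fb..71884ff 100755` header also shows the vars file is executable, which a YAML inventory file never needs. The `jwilder/nginx-proxy related` heading above the commented-out `matrix_nginx_proxy_*` block is now stale and should say the settings were superseded by the Traefik configuration at the end of the file.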
@@ -68,13 +68,16 @@ matrix_coturn_tls_cert_path: "/certs/fullchain.pem" matrix_coturn_tls_key_path: "/certs/key.pem" # All containers need to be on the same Docker network as nginx-proxy -matrix_docker_network: "cttue_web_services" -matrix_coturn_docker_network: "cttue_web_services" +#matrix_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal +matrix_homeserver_container_network: "cttue_web_services" +# matrix_coturn_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal +matrix_coturn_container_network: "cttue_web_services" -matrix_nginx_proxy_container_extra_arguments: - - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"' - - '-e "VIRTUAL_PORT=8080"' - - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"' +# this one was changed during the upgrade - 30. Jan 2025 - Cal +# matrix_nginx_proxy_container_extra_arguments: +# - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"' +# - '-e "VIRTUAL_PORT=8080"' +# - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"' # change federation to 443 matrix_synapse_http_listener_resource_names: ["client", "federation"] @@ -115,3 +118,6 @@ matrix_synapse_configuration_extension_yaml: | email_template: "{% raw %}{{ user.email }}{% endraw %}" +# config for traefik +matrix_playbook_reverse_proxy_type: playbook-managed-traefik +traefik_config_certificatesResolvers_acme_email: pascal@cttue.de
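Review bot: `matrix_homeserver_container_network` and `matrix_coturn_container_network` still pin the containers to `cttue_web_services`, the network the removed nginx-proxy lived on, while `matrix_playbook_reverse_proxy_type: playbook-managed-traefik` in the second hunk means the playbook now runs its own Traefik with its own network; unless that Traefik is also configured to join `cttue_web_services` (nothing in this patch does so), the homeserver is unreachable from the proxy, so either drop both overrides to use the playbook defaults or add the corresponding Traefik network setting. The comment `# All containers need to be on the same Docker network as nginx-proxy` is stale either way and should name whichever proxy is meant. `traefik_config_certificatesResolvers_acme_email: pascal@cttue.de` is fine unquoted (only a leading `@` is reserved), but the other string values in this file are quoted, so `"pascal@cttue.de"` would match the file's style.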