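---
# Traefik v2 edge proxy in front of a Flask app, deployed as a Docker Swarm
# stack (`docker stack deploy`). Every `${VAR:?}` reference makes deployment
# fail loudly when the variable is unset instead of rendering an empty value.
version: "3.9"

services:
  traefik:
    # Pinned to an exact release rather than a floating tag. For a stronger
    # supply-chain guarantee, pin by digest (traefik:2.10.4@sha256:...) once the
    # digest has been verified out of band.
    image: traefik:2.10.4
    ports:
      # Quoted per Compose convention so "HOST:CONTAINER" is always read as a
      # string and never reinterpreted by the YAML parser.
      - "80:80"
      - "443:443"
    networks:
      - traefik-public
    volumes:
      # SECURITY: mounting the Docker socket hands this container control of the
      # Swarm manager, which is equivalent to root on the host. The `:ro` mount
      # flag only prevents re-creating the socket file; it does NOT limit which
      # API calls Traefik -- or an attacker who has compromised Traefik -- can
      # make over it. Mitigations to weigh: a socket proxy that exposes only the
      # read-only endpoints the provider needs, and running Traefik on a
      # dedicated manager node.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # The ACME account key and issued certificates live in acme.json on this
      # volume; Traefik expects it to be 0600. Treat the volume as a secret.
      - traefik_letsencrypt:/letsencrypt/
    command:
      # general traefik configs
      - "--log.level=INFO"
      - "--global.sendAnonymousUsage=false"
      # docker configs
      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.watch=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      # Services are routed only when they opt in with traefik.enable=true, so
      # a stray container cannot expose itself by accident.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      # http configs: everything on :80 is permanently redirected to https.
      # ACME HTTP-01 challenges also arrive on :80; Traefik is expected to
      # answer them ahead of the redirect -- verify on first issuance.
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.redirections.entryPoint.to=https"
      - "--entrypoints.http.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.http.http.redirections.entrypoint.permanent=true"
      # https configs
      - "--entrypoints.https.address=:443"
      - "--certificatesResolvers.letsencrypt.acme=true"
      - "--certificatesResolvers.letsencrypt.acme.email=${LETS_ENCRYPT_EMAIL:?}"
      - "--certificatesResolvers.letsencrypt.acme.httpChallenge=true"
      - "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
      - "--certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      # Note: no --api flags, so the dashboard/API is not exposed. Keep it that
      # way unless it is put behind authentication.
    deploy:
      restart_policy:
        condition: on-failure

  # The anchor lets the migration service reuse this definition. `<<:` is a
  # shallow merge: any top-level key redefined on the aliasing service
  # (e.g. `deploy`, `command`) replaces the anchored value wholesale.
  app: &app_config
    image: scidsg/frontpage:${CONTAINER_VERSION:?}
    networks:
      - traefik-public
    environment:
      FLASK_APP: frontpage:app
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 15s
        # Keep the old task serving until the replacement is up.
        order: start-first
      restart_policy:
        condition: on-failure
      # Swarm mode: Traefik reads these from the *service* labels, which is why
      # they sit under deploy.labels rather than the container-level labels.
      labels:
        traefik.enable: "true"
        # standard routing
        traefik.http.routers.app.rule: Host(`${FRONTPAGE_DOMAIN:?}`)
        traefik.http.routers.app.entrypoints: https
        traefik.http.routers.app.tls: "true"
        traefik.http.routers.app.tls.certresolver: letsencrypt
        traefik.http.services.app.loadbalancer.server.port: "8080"
        # security headers
        # HSTS for two years, covering subdomains, with the preload flag set.
        # Preload-list submission is effectively irreversible for the domain:
        # confirm every subdomain is HTTPS-only before relying on it.
        traefik.http.middlewares.app-secure-headers.headers.stsseconds: "63072000"
        traefik.http.middlewares.app-secure-headers.headers.stsincludesubdomains: "true"
        traefik.http.middlewares.app-secure-headers.headers.stspreload: "true"
        traefik.http.middlewares.app-secure-headers.headers.framedeny: "true"
        traefik.http.middlewares.app-secure-headers.headers.contenttypenosniff: "true"
        # `default-src 'self'` blocks inline scripts/styles and every
        # third-party origin; the app must serve all of its assets itself.
        traefik.http.middlewares.app-secure-headers.headers.contentsecuritypolicy: "default-src 'self'"
        traefik.http.middlewares.app-secure-headers.headers.referrerpolicy: "no-referrer"
        # enable middlewares
        traefik.http.routers.app.middlewares: "app-secure-headers@docker"

  # One-shot schema migration run as its own Swarm service. Swarm does not
  # order service start-up, so `app` may come up before this finishes; confirm
  # the app tolerates an un-migrated schema or gate the rollout externally.
  # It inherits the traefik-public network from the anchor but is never routed.
  migration:
    <<: *app_config
    deploy:
      replicas: 1
      restart_policy:
        # Without `max_attempts`, a migration that keeps failing is retried
        # indefinitely; a cap makes the failure surface instead of looping.
        condition: on-failure
      # Replaces the anchored label map entirely (shallow merge), so none of the
      # app's routing labels leak onto this service.
      labels:
        traefik.enable: "false"
    command: ["flask", "db", "upgrade"]

networks:
  traefik-public:
    name: traefik-public
    # Overlay traffic between nodes is not encrypted by default; if tasks span
    # hosts, consider the overlay driver's `encrypted` option.
    driver: overlay

volumes:
  traefik_letsencrypt: {}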