From 1913d891f50b5e199f1349a092edd47d0d469a0b Mon Sep 17 00:00:00 2001
From: 3wc <3wc@doesthisthing.work>
Date: Sun, 31 Oct 2021 00:10:52 +0200
Subject: [PATCH] =?UTF-8?q?=EF=BD=83=EF=BD=88=EF=BD=81=EF=BD=8F=EF=BD=93?= =?UTF-8?q?=20=EF=BD=8D=EF=BD=8F=EF=BD=84=EF=BD=85?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 compose.yml | 126 ++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 102 insertions(+), 24 deletions(-)
diff --git a/compose.yml b/compose.yml
index f7c2ba2..76681aa 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,42 +1,120 @@ --- version: "3.8" +x-environment: + &default-env + - SNIKKET_DOMAIN=${DOMAIN} + - SNIKKET_ADMIN_EMAIL + - SNIKKET_CERTFILE=/certs/$DOMAIN/certificate.crt + - SNIKKET_KEYFILE=/certs/$DOMAIN/privatekey.key + services: snikket_proxy: - container_name: snikket-proxy - image: snikket/snikket-web-proxy:beta - env_file: snikket.conf - network_mode: host + image: thecoopcloud/snikket-web-proxy:latest + networks: + - proxy + - backend + environment: *default-env volumes: - snikket_data:/snikket - - acme_challenges:/var/www/html/.well-known/acme-challenge - restart: "unless-stopped" + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.${STACK_NAME}.tls=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" + # 3wc: this rule works for routing, but not for generating certificates + # see https://git.autonomic.zone/coop-cloud/planning/issues/14 + #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - snikket_certs: - container_name: snikket-certs - image: snikket/snikket-cert-manager:beta - env_file: snikket.conf - volumes: - - snikket_data:/snikket - - acme_challenges:/var/www/.well-known/acme-challenge - restart: "unless-stopped" + # snikket_certs: + # image: snikket/snikket-cert-manager:beta + # environment: *default-env + # volumes: + # - snikket_data:/snikket + # networks: + # - backend snikket_portal: - container_name: snikket-portal image: snikket/snikket-web-portal:beta - network_mode: host - env_file: snikket.conf - restart: "unless-stopped" + environment: *default-env + networks: + - backend snikket_server: - container_name: snikket - image: snikket/snikket-server:beta - network_mode: host + image: 
thecoopcloud/snikket-server:latest volumes: - snikket_data:/snikket - env_file: snikket.conf - restart: "unless-stopped" + - certs:/certs + environment: *default-env + networks: + - backend + ports: + - target: 5222 + published: 5222 + mode: host + - target: 5269 + published: 5269 + mode: host + - target: 5000 + published: 5000 + mode: host + - target: 3478 + published: 3478 + mode: host + - target: 3479 + published: 3479 + mode: host + - target: 5439 + published: 5439 + mode: host + - target: 5350 + published: 5350 + mode: host" + - target: 49152 + published: 49152 + protocol: udp + mode: host + - target: 49153 + published: 49153 + protocol: udp + mode: host + + certdumper: + image: ldez/traefik-certs-dumper:v2.7.4 + entrypoint: sh -c ' + apk add jq + ; while ! [ -e /traefik/production-acme.json ] + || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ]; do + sleep 1 + ; done + && traefik-certs-dumper file --watch --source /traefik/production-acme.json + --dest /output --domain-subdir=true --version v2' + environment: + # Make sure this is the same as the main=-domain in traefik.toml + - DOMAIN=$DOMAIN + volumes: + # Folder, which contains the acme.json + - "traefik_letsencrypt:/traefik" + # Folder, where cert.pem and key.pem will be written + - "certs:/output" + # Doesn't work anyway :/ + # configs: + # - source: certdumper_post + # target: /usr/bin/certdumper_post.sh + # mode: 0555 volumes: - acme_challenges: snikket_data: + certs: + traefik_letsencrypt: + name: "${TRAEFIK_SERVICE:-traefik_letsencrypt}" + external: true + +networks: + proxy: + external: true + backend:
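Review bot: The `ports` entry for 5350 in snikket_server ends with a stray double quote, `mode: host"`, which YAML reads as the plain string `host"` rather than `host`, so Compose will not recognise it as a valid port mode and the deploy is likely to be rejected; it should read `mode: host` like the neighbouring entries. Separately, certdumper mounts the whole external `traefik_letsencrypt` volume read-write although, as far as this hunk shows, it only reads `production-acme.json`, and that file holds the private keys of every certificate the shared Traefik instance manages; mounting it as `- "traefik_letsencrypt:/traefik:ro"` (and `certs:/certs:ro` in snikket_server, which also only reads the dumped files) keeps that key material from being modifiable by these containers. The wait loop is also hard-coded to `/traefik/production-acme.json` and `.production.Certificates` while the router's certresolver is taken from `${LETS_ENCRYPT_ENV}`; if that variable names anything other than `production` the loop presumably never exits, so either derive the filename from the same variable or document the coupling with a comment such as `# must match the resolver name in ${LETS_ENCRYPT_ENV}`. Finally, the proxy and server images move from the pinned `:beta` tag to `:latest`, and `apk add jq` fetches an unpinned package over the network on every container start, both of which make redeploys non-reproducible; pinning a version or digest as is already done for `ldez/traefik-certs-dumper:v2.7.4` would be more consistent.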