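---
# Docker Swarm stack for a Snikket (XMPP) server published through Traefik.
# Traefik terminates HTTPS for the web portal; the XMPP and STUN/TURN ports
# are published directly on the host. TLS material for the XMPP server is
# copied out of Traefik's ACME store by the `certdumper` service.
#
# NOTE(review): several images use the mutable tags `latest` / `beta`. A
# redeploy can silently pull different code; pin a version tag or an image
# digest once a known-good build has been verified.
version: "3.8"

# Environment shared by the Snikket containers through the *default-env alias.
x-environment: &default-env
  - SNIKKET_DOMAIN=${DOMAIN}
  # No value given: taken from the environment the stack is deployed from.
  - SNIKKET_ADMIN_EMAIL
  # These paths must match what certdumper writes into the `certs` volume
  # (--domain-subdir=true => <dest>/<domain>/certificate.crt, privatekey.key).
  - SNIKKET_CERTFILE=/certs/$DOMAIN/certificate.crt
  - SNIKKET_KEYFILE=/certs/$DOMAIN/privatekey.key
  - SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_HOST=${STACK_NAME}_snikket_portal
  - SNIKKET_TWEAK_INTERNAL_HTTP_HOST=${STACK_NAME}_snikket_server
  # The internal HTTP listeners bind to all interfaces, presumably so the
  # other containers can reach them by service name. None of these internal
  # ports appears in a `ports:` list below, so they are reachable only from
  # networks the service is attached to; do not publish them.
  - SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_INTERFACE=0.0.0.0
  - SNIKKET_TWEAK_INTERNAL_HTTP_INTERFACE=0.0.0.0
  # Plain HTTP between portal and server; it stays on the `backend` network.
  - SNIKKET_WEB_PROSODY_ENDPOINT=http://${STACK_NAME}_snikket_server:5280
  # https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/firewall.md#how-many-ports-does-the-turn-service-need
  # Keep this range in sync with the UDP ports published by snikket_server.
  - SNIKKET_TWEAK_TURNSERVER_MIN_PORT=49152
  - SNIKKET_TWEAK_TURNSERVER_MAX_PORT=49153

services:
  # Web front door: the only service attached to Traefik's `proxy` network.
  snikket_proxy:
    image: thecoopcloud/snikket-web-proxy:latest
    networks:
      - proxy
      - backend
    environment: *default-env
    volumes:
      - snikket_data:/snikket
    # NOTE(review): `docker stack deploy` ignores depends_on, so start order
    # is not guaranteed in Swarm.
    depends_on:
      - snikket_portal
      - snikket_server
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        # EXTRA_DOMAINS is spliced verbatim into the rule: it must be empty or
        # start with a comma followed by backtick-quoted host names. Hosts
        # added this way are routed but are not listed in tls.domains[0].sans
        # below, so check that they actually get a certificate.
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `groups.${DOMAIN}`, `share.${DOMAIN}`${EXTRA_DOMAINS})"
        # 3wc: this rule works for routing, but not for generating certificates
        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=groups.${DOMAIN},share.${DOMAIN}"

  # snikket_certs:
  #   image: snikket/snikket-cert-manager:beta
  #   environment: *default-env
  #   volumes:
  #     - snikket_data:/snikket
  #   networks:
  #     - backend

  snikket_portal:
    image: snikket/snikket-web-portal:beta
    environment: *default-env
    networks:
      - backend

  snikket_server:
    image: thecoopcloud/snikket-server:latest
    volumes:
      - snikket_data:/snikket
      # Holds the TLS private keys written by certdumper.
      # NOTE(review): mount read-only (`certs:/certs:ro`) if the server only
      # reads these files; confirm against the image's entrypoint first.
      - certs:/certs
    environment: *default-env
    networks:
      - backend
    # `mode: host` publishes each port directly on the node running the task
    # and bypasses the Swarm routing mesh, so every entry is exposed on that
    # host. Entries without `protocol:` are TCP only.
    ports:
      # Client App Connections (Client to Server) (XMPP-c2s)
      - target: 5222
        published: 5222
        mode: host
      - target: 5223
        published: 5223
        mode: host
      # Federation With Other Snikket Servers (Server to Server) (XMPP-s2s)
      - target: 5269
        published: 5269
        mode: host
      # File Transfer Proxy (proxy65)
      - target: 5000
        published: 5000
        mode: host
      # Audio/Video Data Proxy Negotiation and IP discovery (STUN/TURN)
      # NOTE(review): the upstream firewall guide linked above lists the
      # STUN/TURN ports for both TCP and UDP; only TCP is published here.
      - target: 3478
        published: 3478
        mode: host
      - target: 3479
        published: 3479
        mode: host
      # Audio/Video Data Proxy Negotiations and IP Discovery over TLS (STUN/TURN over TLS)
      # The standard TURN-over-TLS port is 5349. The value previously written
      # here, 5439, was a digit transposition that published an unused port
      # and left the TLS listener unreachable.
      - target: 5349
        published: 5349
        mode: host
      - target: 5350
        published: 5350
        mode: host
      # Audio/Video Data Proxy (Turn Data, see below)
      - target: 49152
        published: 49152
        protocol: udp
        mode: host
      - target: 49153
        published: 49153
        protocol: udp
        mode: host

  # Waits until Traefik's ACME store contains at least one certificate, then
  # keeps exporting certificates and private keys into the `certs` volume.
  #
  # NOTE(review):
  #  - acme.json holds the keys for every domain this Traefik instance
  #    manages, and the dumper is not restricted to ${DOMAIN} here, so it
  #    appears that all of them land in the `certs` volume, which
  #    snikket_server mounts. Confirm this exposure is acceptable or filter
  #    the export.
  #  - `apk add jq` downloads an unpinned package at every container start;
  #    prefer a derived image with jq baked in.
  #  - The wait loop and --source are hard-wired to production-acme.json and
  #    the `production` resolver key, while the router uses
  #    ${LETS_ENCRYPT_ENV}; with any other resolver the loop presumably never
  #    exits.
  certdumper:
    image: ldez/traefik-certs-dumper:v2.7.4
    entrypoint: >-
      sh -c '
      apk add jq ;
      while ! [ -e /traefik/production-acme.json ]
      || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ];
      do sleep 1 ; done
      && traefik-certs-dumper file --watch
      --source /traefik/production-acme.json
      --dest /output
      --domain-subdir=true
      --version v2'
    environment:
      # Make sure this is the same as the main=-domain in traefik.toml
      - DOMAIN=$DOMAIN
    volumes:
      # Folder, which contains the acme.json. Mounted read-only: the dumper
      # only reads the ACME store and must not be able to alter it.
      - "traefik_letsencrypt:/traefik:ro"
      # Folder where the per-domain certificate.crt and privatekey.key files
      # are written (the paths SNIKKET_CERTFILE / SNIKKET_KEYFILE point at).
      - "certs:/output"
    # Doesn't work anyway :/
    # configs:
    #   - source: certdumper_post
    #     target: /usr/bin/certdumper_post.sh
    #     mode: 0555

volumes:
  snikket_data: {}
  # TLS certificates and private keys shared by certdumper and snikket_server.
  certs: {}
  # Traefik's ACME store, created and owned by the Traefik stack.
  traefik_letsencrypt:
    name: "${TRAEFIK_SERVICE:-traefik_letsencrypt}"
    external: true

networks:
  # Shared with Traefik; only snikket_proxy joins it.
  proxy:
    external: true
  # Stack-private network for traffic between the Snikket services.
  backend: {}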