From e74ca433bddf8d3dbf7a66c17fb0bd2bb9fc6083 Mon Sep 17 00:00:00 2001
From: David Beniamine <david.beniamine@tetras-libre.fr>
Date: Tue, 8 Nov 2022 12:37:37 +0100
Subject: [PATCH] Production mode for all services

Closes #16
---
 .env.template            | 11 +++++++++--
 README.md                | 16 +++++++++++++---
 devserver.yml => dev.yml |  4 ++++
 docker-compose.yml       |  2 --
 traefik.yml              | 18 ++++++++++++++++++
 5 files changed, 44 insertions(+), 7 deletions(-)
 rename devserver.yml => dev.yml (89%)
 create mode 100644 traefik.yml

diff --git a/.env.template b/.env.template
index 120aad3..475f031 100644
--- a/.env.template
+++ b/.env.template
@@ -1,5 +1,10 @@
-# docker-compose components replace by devserver.yml to run the dev server (default is prod) or append ':devserver.yml' to run both
-COMPOSE_FILE=docker-compose.yml
+# COMPOSE_FILE :
+#   + docker-compose.yml = production service, no port exposed
+#   + docker-compose.yml:dev.yml = production service + devserver, front services ports are exposed
+#   + docker-compose.yml:traefik.yml = production services + traefik mapping (see README)
+COMPOSE_FILE=docker-compose.yml:dev.yml
+#COMPOSE_FILE=docker-compose.yml
+#COMPOSE_FILE=docker-compose.yml:traefik.yml
 # prod server host port
 PORT=8080
 # prod container restart policy
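Review bot: The uncommented default on the new `COMPOSE_FILE` line is `docker-compose.yml:dev.yml`, so anyone who copies the template unchanged starts the devserver and publishes the front ports, not the production-only stack the commit title describes. The README tells users to copy `.env.template` to `.env`, so I would make the no-port value the active one, `COMPOSE_FILE=docker-compose.yml`, and leave the dev and traefik variants commented out. If the dev default is intentional, say so in the template with a line such as `# default below is the development setup; switch before deploying on a reachable host`.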
@@ -14,3 +19,5 @@ HTTP_FOLDER=./www
 # hosts allowed to access ressources from $HTTP_FOLDER
 # * to allow all, http://localhost:$DEV_PORT to allow only devserver
 CORS_ALLOWED_HOSTS=http://localhost:$DEV_PORT
+NAME=IIIF
+HOST=IIIF.tetras-lab.io
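Review bot: The added `NAME` and `HOST` entries have no comment, unlike the other variables in this template, and the default for `HOST` is a project-specific hostname. Both are consumed by the labels in `traefik.yml`, where `NAME` becomes the router name and `HOST` the `Host()` rule, so a deployment that keeps the defaults would request routing for `IIIF.tetras-lab.io` and may collide with another router called `IIIF` on a shared Traefik instance. I would add `# traefik router name, must be unique on the traefik instance (only used with traefik.yml)` above `NAME` and `# public hostname routed by traefik` above `HOST`. A neutral placeholder value for `HOST` would also force the operator to set it deliberately.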
diff --git a/README.md b/README.md
index 155805f..0b30510 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,25 @@
 ## Mirador Video Annotation POC
 
-Copy `.env.template` to `.env` and change variables to suit your need (you can skip the edit step)  
 
-Run `docker-compose up -d`, which will serve a mirador instance at `http://localhost:$PORT` (default port is 8080).
+### Install
+
+Copy `.env.template` to `.env` and change variables to suit your need.
+
 
 The `$HTTP_FOLDER` (`./www` by default) directory will be accessible via HTTP at `http://localhost:$PORT/data` and can be used to store manifests and theirs ressources and see them in Mirador.  
 
 If sources files are modified, run `docker-compose up -d --build` to update Mirador  
 
+#### Traefik
+
+We provide a `traefik.yml` file to use behind [traefik](https://traefik.io/https://traefik.io/) this file does the following assumptions :
+
++ A traefik container exists and is running in an external docker network called `traefik`
++ Traefik has a tls resolver called `myresolver`
++ Traefik has a middleware called `hardening@docker` that adds the usual security headers
+
 
-#### Use the development server
+#### Developpement
 
 Follow the previous instructions if you want to access ressources from `$HTTP_FOLDER` via HTTP in the devserver.  
 
diff --git a/devserver.yml b/dev.yml
similarity index 89%
rename from devserver.yml
rename to dev.yml
index 5aded5d..b84bb5e 100644
--- a/devserver.yml
+++ b/dev.yml
@@ -14,3 +14,7 @@ services:
       - DEV_PORT
     volumes:
       - ./:/opt
+
+  httpd:
+    ports:
+      - $PORT:80
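Review bot: The added mapping `- $PORT:80` publishes the httpd container on every host interface, which is more exposure than a development override usually needs. Docker-published ports are also commonly not filtered by host firewall front ends such as ufw, so the port may be reachable even where the operator believes it is blocked. Consider binding to loopback with `- "127.0.0.1:${PORT}:80"`, or at least quoting the entry as `- "${PORT}:80"` to match the quoted strings in `traefik.yml`. The `services:` mapping this entry belongs to starts outside the hunk.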
diff --git a/docker-compose.yml b/docker-compose.yml
index 31ae053..458e242 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,8 +3,6 @@ services:
   httpd:
     build: .
     restart: $RESTART
-    ports:
-      - $PORT:80
     environment:
       - CORS_ALLOWED_HOSTS
       - WEBPACK_MODE=production
diff --git a/traefik.yml b/traefik.yml
new file mode 100644
index 0000000..6bc1958
--- /dev/null
+++ b/traefik.yml
@@ -0,0 +1,18 @@
+version: "3.9"
+services:
+  httpd:
+    networks:
+      - default
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.${NAME}.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.${NAME}.tls.certresolver=myresolver"
+      - "traefik.http.routers.${NAME}.entrypoints=web,websecure"
+      - "traefik.http.routers.${NAME}.middlewares=hardening@docker"
+
+
+networks:
+  traefik:
+    external: true
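Review bot: The `entrypoints` label lists `web,websecure` on a router that also sets `tls.certresolver`, and as far as I know a Traefik v2 router with a TLS section only matches HTTPS requests. The `web` entry therefore either does nothing or relies on a redirect configured elsewhere. If plain-HTTP requests should be redirected, that belongs in an entrypoint-level redirection in the Traefik static configuration (not visible here) and is worth listing among the README assumptions; otherwise `entrypoints=websecure` states the intent. Separately, `${NAME}` and `${HOST}` expand to empty strings when unset, giving a router with an empty name and an empty `Host()` rule; Compose's required-variable form, e.g. `${HOST:?HOST must be set}`, makes `up` fail instead.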
-- 
GitLab