From 9089cdde9215c84a769fa8a2da3f3345c2a4d8cd Mon Sep 17 00:00:00 2001
From: harkon
Date: Mon, 1 Dec 2025 18:39:19 +0200
Subject: [PATCH] feat: consolidate traefik config and use production domain
---
 infra/base/infrastructure.yaml | 18 ++++++---
 infra/base/services.yaml | 57 ++++++++++++++-------------
 infra/base/traefik/config/traefik.yml | 6 ++-
 3 files changed, 45 insertions(+), 36 deletions(-)
diff --git a/infra/base/infrastructure.yaml b/infra/base/infrastructure.yaml
index ed8a54d..f00e9c5 100644
--- a/infra/base/infrastructure.yaml
+++ b/infra/base/infrastructure.yaml
@@ -32,18 +32,24 @@ services:
 - frontend
 - backend
 ports:
- - 80:80
- - 443:443
- - 8080:8080
+ - "8090:80"
+ - "8444:443"
+ - "8091:8080" # Dashboard
+ env_file:
+ - ./.provider.env
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
- - ./traefik/config/:/etc/traefik/:ro
+ - ./traefik/config/traefik.yml:/etc/traefik/traefik.yml:ro
+ - ./traefik/config/traefik-dynamic.yml:/etc/traefik/conf.d/01-base.yml:ro
+ - ../compose/traefik/traefik-dynamic.local.yml:/etc/traefik/conf.d/02-local.yml:ro
+ - ./certs/:/var/traefik/certs/:rw
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.constraint-label=app"
+ - "traefik.http.routers.dashboard.rule=Host(`traefik.app.harkon.co.uk`)"
 - "traefik.http.routers.dashboard.entrypoints=websecure"
 - "traefik.http.routers.dashboard.tls=true"
- - "traefik.http.routers.dashboard.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.dashboard.tls.certresolver=godaddy"
 - "traefik.http.routers.dashboard.service=api@internal"
 - "traefik.http.routers.dashboard.middlewares=authentik-forwardauth@file"
diff --git a/infra/base/services.yaml b/infra/base/services.yaml
index f3fd52d..f5ac2cf 100644
--- a/infra/base/services.yaml
+++ b/infra/base/services.yaml
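Review bot: The new `- "8091:8080" # Dashboard` mapping publishes Traefik's port 8080 on every host interface, and nothing in this hunk limits who can reach it; the `authentik-forwardauth@file` middleware on the `dashboard` router only covers requests that arrive through `websecure`. If the port is needed only for local access, bind it to loopback with `- "127.0.0.1:8091:8080"`, or drop the mapping and use the routed dashboard. The added `env_file` entry `./.provider.env` presumably carries the DNS provider credentials for the `godaddy` resolver, so confirm that file is excluded from version control. The `services:` block starts before and continues after the hunk.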
@@ -37,10 +37,11 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-ingestion.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/ingestion`)"
+ - "traefik.constraint-label=app"
+ - "traefik.http.routers.svc-ingestion.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/ingestion`)"
 - "traefik.http.routers.svc-ingestion.entrypoints=websecure"
 - "traefik.http.routers.svc-ingestion.tls=true"
- - "traefik.http.routers.svc-ingestion.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-ingestion.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-ingestion.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-ingestion.loadbalancer.server.port=8000"
@@ -70,10 +71,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-extract.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/extract`)"
+ - "traefik.http.routers.svc-extract.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/extract`)"
 - "traefik.http.routers.svc-extract.entrypoints=websecure"
 - "traefik.http.routers.svc-extract.tls=true"
- - "traefik.http.routers.svc-extract.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-extract.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-extract.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-extract.loadbalancer.server.port=8000"
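Review bot: The `svc-extract` labels in the second hunk do not get `traefik.constraint-label=app`, although this patch adds a docker-provider constraint in `traefik.yml` that requires label `traefik.constraint-label` to equal `app`; a container without a matching label is ignored by the provider, so its router would no longer be created. Only `svc-ingestion` (first hunk) and the Traefik container itself receive the label. The hunks for `svc-kg`, `svc-rag-retriever`, `svc-forms`, `svc-hmrc`, `svc-ocr`, `svc-rag-indexer`, `svc-reason`, `svc-rpa`, `svc-normalize-map`, `svc-coverage`, `svc-firm-connectors` and `ui-review` have the same gap. Unless an overlay outside this patch supplies it, add `- "traefik.constraint-label=app"` after `- "traefik.enable=true"` in each of them.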
@@ -97,10 +98,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-kg.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/kg`)"
+ - "traefik.http.routers.svc-kg.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/kg`)"
 - "traefik.http.routers.svc-kg.entrypoints=websecure"
 - "traefik.http.routers.svc-kg.tls=true"
- - "traefik.http.routers.svc-kg.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-kg.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-kg.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-kg.loadbalancer.server.port=8000"
@@ -127,10 +128,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-rag-retriever.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/rag`)"
+ - "traefik.http.routers.svc-rag-retriever.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/rag`)"
 - "traefik.http.routers.svc-rag-retriever.entrypoints=websecure"
 - "traefik.http.routers.svc-rag-retriever.tls=true"
- - "traefik.http.routers.svc-rag-retriever.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-rag-retriever.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-rag-retriever.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-rag-retriever.loadbalancer.server.port=8000"
@@ -160,10 +161,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-forms.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/forms`)"
+ - "traefik.http.routers.svc-forms.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/forms`)"
 - "traefik.http.routers.svc-forms.entrypoints=websecure"
 - "traefik.http.routers.svc-forms.tls=true"
- - "traefik.http.routers.svc-forms.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-forms.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-forms.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-forms.loadbalancer.server.port=8000"
@@ -194,10 +195,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-hmrc.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/hmrc`)"
+ - "traefik.http.routers.svc-hmrc.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/hmrc`)"
 - "traefik.http.routers.svc-hmrc.entrypoints=websecure"
 - "traefik.http.routers.svc-hmrc.tls=true"
- - "traefik.http.routers.svc-hmrc.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-hmrc.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-hmrc.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-hmrc.loadbalancer.server.port=8000"
@@ -227,10 +228,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-ocr.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/ocr`)"
+ - "traefik.http.routers.svc-ocr.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/ocr`)"
 - "traefik.http.routers.svc-ocr.entrypoints=websecure"
 - "traefik.http.routers.svc-ocr.tls=true"
- - "traefik.http.routers.svc-ocr.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-ocr.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-ocr.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-ocr.loadbalancer.server.port=8000"
@@ -260,10 +261,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-rag-indexer.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/rag-indexer`)"
+ - "traefik.http.routers.svc-rag-indexer.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/rag-indexer`)"
 - "traefik.http.routers.svc-rag-indexer.entrypoints=websecure"
 - "traefik.http.routers.svc-rag-indexer.tls=true"
- - "traefik.http.routers.svc-rag-indexer.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-rag-indexer.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-rag-indexer.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-rag-indexer.loadbalancer.server.port=8000"
@@ -293,10 +294,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-reason.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/reason`)"
+ - "traefik.http.routers.svc-reason.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/reason`)"
 - "traefik.http.routers.svc-reason.entrypoints=websecure"
 - "traefik.http.routers.svc-reason.tls=true"
- - "traefik.http.routers.svc-reason.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-reason.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-reason.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-reason.loadbalancer.server.port=8000"
@@ -326,10 +327,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-rpa.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/rpa`)"
+ - "traefik.http.routers.svc-rpa.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/rpa`)"
 - "traefik.http.routers.svc-rpa.entrypoints=websecure"
 - "traefik.http.routers.svc-rpa.tls=true"
- - "traefik.http.routers.svc-rpa.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-rpa.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-rpa.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-rpa.loadbalancer.server.port=8000"
@@ -359,10 +360,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-normalize-map.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/normalize-map`)"
+ - "traefik.http.routers.svc-normalize-map.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/normalize-map`)"
 - "traefik.http.routers.svc-normalize-map.entrypoints=websecure"
 - "traefik.http.routers.svc-normalize-map.tls=true"
- - "traefik.http.routers.svc-normalize-map.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-normalize-map.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-normalize-map.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-normalize-map.loadbalancer.server.port=8000"
@@ -392,10 +393,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-coverage.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/coverage`)"
+ - "traefik.http.routers.svc-coverage.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/coverage`)"
 - "traefik.http.routers.svc-coverage.entrypoints=websecure"
 - "traefik.http.routers.svc-coverage.tls=true"
- - "traefik.http.routers.svc-coverage.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-coverage.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-coverage.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-coverage.loadbalancer.server.port=8000"
@@ -425,10 +426,10 @@ services:
 - NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.svc-firm-connectors.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/firm-connectors`)"
+ - "traefik.http.routers.svc-firm-connectors.rule=Host(`api.app.harkon.co.uk`) && PathPrefix(`/firm-connectors`)"
 - "traefik.http.routers.svc-firm-connectors.entrypoints=websecure"
 - "traefik.http.routers.svc-firm-connectors.tls=true"
- - "traefik.http.routers.svc-firm-connectors.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.svc-firm-connectors.tls.certresolver=godaddy"
 - "traefik.http.routers.svc-firm-connectors.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-firm-connectors.loadbalancer.server.port=8000"
@@ -445,9 +446,9 @@ services:
 - API_BASE_URL=https://api.${DOMAIN}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.ui-review.rule=Host(`app.${DOMAIN}`)"
+ - "traefik.http.routers.ui-review.rule=Host(`app.app.harkon.co.uk`)"
 - "traefik.http.routers.ui-review.entrypoints=websecure"
 - "traefik.http.routers.ui-review.tls=true"
- - "traefik.http.routers.ui-review.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+ - "traefik.http.routers.ui-review.tls.certresolver=godaddy"
 - "traefik.http.routers.ui-review.middlewares=authentik-forwardauth@file"
 - "traefik.http.services.ui-review.loadbalancer.server.port=3030"
diff --git a/infra/base/traefik/config/traefik.yml b/infra/base/traefik/config/traefik.yml
index ac85764..bc21828 100644
--- a/infra/base/traefik/config/traefik.yml
+++ b/infra/base/traefik/config/traefik.yml
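Review bot: In the `ui-review` hunk the router rule is now pinned to `app.app.harkon.co.uk`, while the context line above it still sets `API_BASE_URL=https://api.${DOMAIN}`, so the UI's API base and the `api.app.harkon.co.uk` routers agree only when `DOMAIN` happens to be `app.harkon.co.uk`. Either keep the `${DOMAIN}` form in the rule and set the value in the environment file, or pin the variable as well with `- API_BASE_URL=https://api.app.harkon.co.uk`. The doubled `app.app` looks like a mechanical substitution of `${DOMAIN}`; confirm it is the intended public name and that the `godaddy` resolver can issue a certificate for it. The service definition starts outside the hunk.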
@@ -9,14 +9,16 @@ entryPoints:
 readTimeout: 30m
 api:
 dashboard: true
+ insecure: true
 providers:
 docker:
 endpoint: "unix:///var/run/docker.sock"
 exposedByDefault: false
- network: "apa-frontend"
+ network: "apa-backend"
+ constraints: "Label(`traefik.constraint-label`, `app`)"
 file:
- filename: "/etc/traefik/traefik-dynamic.yml"
+ directory: "/etc/traefik/conf.d"
 watch: true
 # -- Configure your CertificateResolver here...
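Review bot: `insecure: true` under `api:` makes Traefik serve its API and dashboard directly on the internal `traefik` entrypoint (port 8080 by default) with no authentication, which sidesteps the `authentik-forwardauth@file` middleware that `infrastructure.yaml` attaches to the `dashboard` router. The same patch publishes that port on the host as `"8091:8080"`, so the unauthenticated endpoint is reachable from outside the container. The `api@internal` router already serves the dashboard over `websecure`, so the added line can be dropped, or written as `insecure: false` with a comment such as `# dashboard is served only through the authenticated router`. The hunk starts inside `entryPoints:` and the file continues after it.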