fix: DockerSecretsResolver - don't normalize absolute paths like /var/www/html/...

2025-11-24 21:28:25 +01:00
parent 4eb7134853
commit 77abc65cd7
1327 changed files with 91915 additions and 9909 deletions
--- a/deployment/infrastructure/traefik/README.md
+++ b/deployment/infrastructure/traefik/README.md
@@ -0,0 +1,79 @@
+# Traefik Stack
+
+Reverse Proxy mit automatischer SSL-Zertifikat-Verwaltung via Let's Encrypt.
+
+## Features
+
+- Traefik v3.0 als Reverse Proxy
+- Automatische SSL-Zertifikate via Let's Encrypt
+- Docker Provider für automatische Service-Erkennung
+- Dashboard mit BasicAuth-Schutz
+- HTTP zu HTTPS Redirect
+- Erhöhte Timeouts für langsame Backends
+
+## Voraussetzungen
+
+- Docker und Docker Compose installiert
+- Ports 80, 443 und 2222 verfügbar
+- DNS-Einträge für Domains konfiguriert
+
+## Setup
+
+### 1. Secrets erstellen
+
+```bash
+# ACME E-Mail für Let's Encrypt
+echo "your-email@example.com" > secrets/acme_email.txt
+chmod 600 secrets/acme_email.txt
+```
+
+### 2. Stack deployen
+
+```bash
+docker compose up -d
+```
+
+### 3. Verifikation
+
+```bash
+# Container-Status prüfen
+docker compose ps
+
+# Logs anzeigen
+docker compose logs -f
+
+# Dashboard erreichbar unter: https://traefik.michaelschiemer.de
+```
+
+## Networks
+
+**traefik-public:**
+- Wird von diesem Stack erstellt
+- Wird von anderen Stacks (Gitea, Application) genutzt
+- Für externe Zugriffe
+
+## Volumes
+
+- `traefik-certs` - SSL-Zertifikate (persistent)
+- `traefik-logs` - Traefik-Logs
+
+## Troubleshooting
+
+### SSL-Zertifikate werden nicht erstellt
+
+1. Prüfe, ob Port 80 erreichbar ist (für ACME Challenge)
+2. Prüfe DNS-Einträge
+3. Prüfe Logs: `docker compose logs traefik`
+
+### Service wird nicht erkannt
+
+1. Prüfe, ob Service im `traefik-public` Network ist
+2. Prüfe Traefik Labels im Service
+3. Prüfe Logs: `docker compose logs traefik`
+
+### Dashboard nicht erreichbar
+
+1. Prüfe DNS-Eintrag für `traefik.michaelschiemer.de`
+2. Prüfe BasicAuth-Konfiguration
+3. Prüfe Logs: `docker compose logs traefik`
+
--- a/deployment/infrastructure/traefik/docker-compose.yml
+++ b/deployment/infrastructure/traefik/docker-compose.yml
@@ -0,0 +1,71 @@
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2222:2222"  # Gitea SSH
+    networks:
+      - traefik-public
+    environment:
+      - TZ=Europe/Berlin
+    entrypoint: /entrypoint-custom.sh
+    volumes:
+      # Docker socket for service discovery
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      # SSL certificates
+      - traefik-certs:/letsencrypt
+      # Logs
+      - traefik-logs:/logs
+      # Custom entrypoint script
+      - ./entrypoint.sh:/entrypoint-custom.sh:ro
+    secrets:
+      - acme_email
+    labels:
+      # Enable Traefik for itself
+      - "traefik.enable=true"
+      
+      # Dashboard - BasicAuth protected
+      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
+      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
+      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik-dashboard.service=api@internal"
+      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
+      
+      # BasicAuth for dashboard (password: admin)
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$Of2wG3O5$$y8X1vEoIp9vpvx64mIalk/"
+      
+      # Global HTTP to HTTPS redirect (excludes ACME challenge)
+      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`) && !PathPrefix(`/.well-known/acme-challenge`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.routers.http-catchall.priority=1"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+networks:
+  traefik-public:
+    external: true
+    name: traefik-public
+
+volumes:
+  traefik-certs:
+    name: traefik-certs
+  traefik-logs:
+    name: traefik-logs
+
+secrets:
+  acme_email:
+    file: ./secrets/acme_email.txt
+
--- a/deployment/infrastructure/traefik/entrypoint.sh
+++ b/deployment/infrastructure/traefik/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+
+# Read ACME email from secret file
+if [ -f /run/secrets/acme_email ]; then
+  ACME_EMAIL=$(cat /run/secrets/acme_email | tr -d '\n\r')
+else
+  echo "ERROR: ACME email secret not found at /run/secrets/acme_email" >&2
+  exit 1
+fi
+
+# Execute Traefik with the email from secret
+exec /entrypoint.sh \
+  --providers.docker=true \
+  --providers.docker.exposedbydefault=false \
+  --providers.docker.network=traefik-public \
+  --providers.docker.endpoint=unix:///var/run/docker.sock \
+  --entrypoints.web.address=:80 \
+  --entrypoints.websecure.address=:443 \
+  --certificatesresolvers.letsencrypt.acme.email="${ACME_EMAIL}" \
+  --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json \
+  --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web \
+  --entrypoints.websecure.transport.respondingTimeouts.readTimeout=300s \
+  --entrypoints.websecure.transport.respondingTimeouts.writeTimeout=300s \
+  --entrypoints.websecure.transport.respondingTimeouts.idleTimeout=360s \
+  --api.dashboard=true \
+  --api.insecure=false \
+  --log.level=INFO \
+  --accesslog=true \
+  "$@"
+