From 34174d22feed2c7332978660a78b5a14e1476e94 Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Thu, 9 May 2024 22:34:46 +0100
Subject: [PATCH] Add HTTPS/SSL support

This commit adds HTTPS and SSL support via `mkcert` to projects using the Traefik proxy. This does require changing the URLs from `*.localhost` to `*.docker.localhost`, but this is something that can easily be done by updating the template files in Build Configs. Based on https://github.com/Heziode/traefik-v2-https-ssl-localhost.
---
 .gitignore | 1 +
 certs/.keep | 0
 docker-compose.yaml => compose.yaml | 8 ++++++--
 config/dynamic.yml | 15 ++++++++++++++
 config/static.yml | 32 +++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 certs/.keep
 rename docker-compose.yaml => compose.yaml (62%)
 create mode 100644 config/dynamic.yml
 create mode 100644 config/static.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9c1397a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/certs/*.pem
diff --git a/certs/.keep b/certs/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/docker-compose.yaml b/compose.yaml
similarity index 62%
rename from docker-compose.yaml
rename to compose.yaml
index e581ee0..0d270f3 100644
--- a/docker-compose.yaml
+++ b/compose.yaml
@@ -2,17 +2,21 @@ services:
 reverse-proxy:
 image: "traefik:v2.5"
 ports:
+ - "443:443"
 - "80:80"
- - "8080:8080"
 restart: unless-stopped
 volumes:
 - "./traefik.yml:/etc/traefik/traefik.yml"
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - ./certs:/etc/certs:ro
+ - ./config/dynamic.yml:/etc/traefik/dynamic.yml:ro
+ - ./config/static.yml:/etc/traefik/traefik.yml:ro
+ security_opt:
+ - no-new-privileges:true
 labels:
 - "traefik.enable=false"
 networks:
 - traefik_proxy
-
 networks:
 traefik_proxy:
 external: true
diff --git a/config/dynamic.yml b/config/dynamic.yml
new file mode 100644
index 0000000..e500d93
--- /dev/null
+++ b/config/dynamic.yml 
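Review bot: The volumes list now binds two host files to the same container path: the unchanged `- "./traefik.yml:/etc/traefik/traefik.yml"` and the added `- ./config/static.yml:/etc/traefik/traefik.yml:ro`. Docker normally refuses duplicate mount points, and where it does not, which static config Traefik reads is left to chance, so the old `./traefik.yml` line should be deleted in this commit. The new `"443:443"` (and the existing `"80:80"`) publish on every host interface; for a local-development proxy `"127.0.0.1:443:443"` and `"127.0.0.1:80:80"` keep the proxy and its dashboard off the LAN. The `services:` key that encloses this block is above the hunk.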
@@ -0,0 +1,15 @@
+http:
+ routers:
+ traefik:
+ rule: "Host(`traefik.docker.localhost`)"
+ service: "api@internal"
+ tls:
+ domains:
+ - main: "docker.localhost"
+ sans:
+ - "*.docker.localhost"
+
+tls:
+ certificates:
+ - certFile: "/etc/certs/local-cert.pem"
+ keyFile: "/etc/certs/local-key.pem"
diff --git a/config/static.yml b/config/static.yml
new file mode 100644
index 0000000..8b50141
--- /dev/null
+++ b/config/static.yml
@@ -0,0 +1,32 @@
+global:
+ sendAnonymousUsage: false
+
+api:
+ dashboard: true
+ insecure: true
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ watch: true
+ exposedByDefault: false
+
+ file:
+ filename: /etc/traefik/dynamic.yml
+ watch: true
+
+log:
+ level: INFO
+ format: common
+
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+
+ https:
+ address: ":443"
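Review bot: The `traefik` router exposes `api@internal` behind only a `Host` rule and `tls`, with no `middlewares` entry, so any client that can reach port 443 and present that host name gets the dashboard and API without authentication. Attach an auth middleware to the router, for example `middlewares: ["dashboard-auth"]` (name constructed here) defined with Traefik's `basicAuth`, unless the proxy ports are bound to loopback only. Adding `entryPoints: ["https"]` to the router would also make explicit that it is meant for the TLS entry point. A comment above `tls.certificates` saying the two PEM files are generated by `mkcert` into `./certs` would document where they come from.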
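Review bot: `insecure: true` under `api` makes Traefik serve the API and dashboard unauthenticated on its own `traefik` entry point (port 8080 by default). The compose change stops publishing 8080 on the host, but the listener presumably remains reachable from other containers on the shared `traefik_proxy` network. Since `config/dynamic.yml` already routes `api@internal` over TLS, this should be `insecure: false`.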