refactor infra for Traefik + Cloudflare Tunnel deploy#2
Open
whereisanzi wants to merge 1 commit into
Open
Conversation
Replaces the in-cluster Caddy with Traefik labels so the production stack can sit behind a single global reverse-proxy fronted by Cloudflare Tunnel. docker-compose.yml: - Remove the caddy service and its volumes - Add Traefik labels on web and api (Host(CALUNGA_HOST), api on /v1 and /health) - Declare two networks: calunga_internal (project-local) and edge_proxy (external) - Connect web and api to both networks; db/redis/dagster stay internal only - Bind all published ports to 127.0.0.1 so nothing leaks to the LAN - Drop ALL capabilities and apply no-new-privileges on every service - Apply memory limits via deploy.resources - Mount ./scripts read-only Caddyfile: deleted (Traefik replaces it). .env.example: refreshed and documents every env consumed by the stack, including the hardening knobs introduced in the previous PR (APP_ENV, JWT_SECRET strength gate, magic-link limits, token quotas, message-size caps, Sentry DSNs) plus CALUNGA_HOST for Traefik routing. The edge_proxy network must be created once on the host (`docker network create edge_proxy`) before starting the stack; in production the /srv/edge stack provisions it.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the in-cluster Caddy with Traefik labels so the production stack can sit behind a single global reverse-proxy fronted by Cloudflare Tunnel. No more ports exposed to the LAN; container privileges dropped.
Depends on (but does not strictly require) #1 —
.env.exampledocuments env vars introduced in that PR.docker-compose.yml
caddyservice and its volumeswebandapi:apimatchesHost(CALUNGA_HOST) && (PathPrefix(/v1) || Path(/health))webmatchesHost(CALUNGA_HOST)(catch-all, lower priority)www.CALUNGA_HOSTcalunga_internal(bridge, project-local) andedge_proxy(external, created by the /srv/edge stack)webandapijoin both networks;db,redis,dagster-*stay oncalunga_internal127.0.0.1— nothing leaks to the LAN, Traefik reaches services via the container networkcap_drop: [ALL]andsecurity_opt: [no-new-privileges:true]on every service;deploy.resources.limits.memoryper service;./scriptsmounted read-onlyCaddyfile
Deleted. Traefik replaces it; routing now lives in Compose labels.
.env.example
Refreshed and documents every env consumed by the stack, including hardening knobs added in #1 (
APP_ENV, magic-link limits, token quotas, message-size caps, Sentry DSNs) plusCALUNGA_HOSTfor Traefik routing.Host prerequisite
The external
edge_proxynetwork must exist beforedocker compose up:In production this is created by the
/srv/edgestack (next PR). In development it is just an empty bridge that Traefik never attaches to (Traefik isn't running locally).Test plan
python -c "import yaml; yaml.safe_load(open('docker-compose.yml'))"— syntax OKdocker network create edge_proxy && docker compose up -d— stack starts cleanlycurl http://localhost:8000/health— 200 (via host port bind)docker compose exec api curl -fsS http://localhost:8000/health— 200 (internal)nmap -p 5432,6379 192.168.x.xfrom another LAN host — no banner (db/redis bound to loopback)