Add traefik config files

https://github.com/chatmail/relay/pull/614#discussion_r2269887232

.gitignore

@@ -170,3 +170,4 @@ chatmail.zone
 /custom/
 docker-compose.yaml
 .env
+/traefik/data/

docker/docker-compose-traefik.yaml

@@ -69,6 +69,22 @@ services:
       - traefik.http.routers.chatmail-relay.tls=true
       - traefik.http.routers.chatmail-relay.tls.certresolver=letsEncrypt
 
+  traefik_init:
+    image: alpine:latest
+    restart: on-failure
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    working_dir: /app
+    entrypoint: sh -c '
+      touch acme.json &&
+      sudo chown 0:0 ./acme.json &&
+      sudo chmod 600 ./acme.json'
+    volumes:
+      - ./traefik/data:/app
+
   traefik:
     image: traefik:v3.3
     container_name: traefik
@@ -79,17 +95,20 @@ services:
         max-size: "10m"
         max-file: "3"
     command:
-      - --configFile=/config.yaml
+      - "--configFile=/config.yaml"
+      - "--certificatesresolvers.letsEncrypt.acme.email=${ACME_EMAIL:-my.email@gmail.com}"
     # ports:
     #   - "80:80"
     #   - "443:443"
+    network_mode: host
+    depends_on:
+      traefik_init:
+        condition: service_completed_successfully
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./data/traefik/config.yaml:/config.yaml
-      - ./data/traefik/acme.json:/acme.json
-      - ./data/traefik/dynamic-configs:/dynamic/conf
-
-    network_mode: host
+      - ./traefik/config.yaml:/config.yaml
+      - ./traefik/data/acme.json:/acme.json
+      - ./traefik/dynamic-configs:/dynamic/conf
     
   traefik-certs-dumper:
     image: ldez/traefik-certs-dumper:v2.10.0
@@ -112,6 +131,6 @@ services:
     environment:
       CERTS_DIR: /data/letsencrypt/certs
     volumes:
-      - ./data/traefik/letsencrypt:/data/letsencrypt
-      - ./data/traefik/acme.json:/data/acme.json
-      - ./data/traefik/post-hook.sh:/post-hook.sh
+      - ./traefik/data/letsencrypt:/data/letsencrypt
+      - ./traefik/data/acme.json:/data/acme.json
+      - ./traefik/post-hook.sh:/post-hook.sh

docker/example.env

@@ -1,4 +1,5 @@
 MAIL_DOMAIN="chat.example.com"
+ACME_EMAIL="my.email@gmail.com"
 
-PATH_TO_SSL_HOST="/opt/traefik/data/letsencrypt/certs/${MAIL_DOMAIN}"
+PATH_TO_SSL_HOST="./traefik/data/letsencrypt/certs/${MAIL_DOMAIN}"
 PATH_TO_SSL_CONTAINER="/var/lib/acme/live/${MAIL_DOMAIN}"

docker/files/entrypoint.sh

@@ -4,10 +4,12 @@ set -eo pipefail
 if [ "${USE_FOREIGN_CERT_MANAGER,,}" == "true" ]; then
     if [ ! -f "$PATH_TO_SSL_CONTAINER/fullchain" ]; then
         echo "Error: file '$PATH_TO_SSL_CONTAINER/fullchain' does not exist. Exiting..." > /dev/stderr
+        sleep 2
         exit 1
     fi
     if [ ! -f "$PATH_TO_SSL_CONTAINER/privkey" ]; then
         echo "Error: file '$PATH_TO_SSL_CONTAINER/privkey' does not exist. Exiting..." > /dev/stderr
+        sleep 2
         exit 1
     fi
 fi

docs/DOCKER_INSTALLATION_EN.md

@@ -88,105 +88,6 @@ Mandatory variables for deployment via Docker:
 docker compose build chatmail
 ```
 
-<details>
-<summary>Additional steps for configuring with traefik</summary>
-
-> [!note]
-> If you are using the default installation without traefik – skip these steps and go to step 7 (running docker compose).
-
-Before starting traefik, configuration files must be prepared; otherwise, it will not start correctly.
-
-First, run these commands in the console, replacing their values with the correct ones:
-
-```shell
-export YOUR_EMAIL=your_email@gmail.com
-mkdir -p "./data/traefik"
-cd "./data/traefik"
-```
-
-1. Create a traefik configuration file:
-
-```shell
-cat > config.yaml << EOF
-log:
-  level: TRACE
-
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          permanent: true
-  websecure:
-    address: ":443"
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-  file:
-    directory: /dynamic/conf
-    watch: true
-
-serverstransport:
-  insecureskipverify: true
-
-certificatesResolvers:
-  letsEncrypt:
-    acme:
-      email: $YOUR_EMAIL
-      storage: /acme.json
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-      tlschallenge: true
-      httpChallenge:
-        entryPoint: web
-EOF
-```
-
-2. Create a post-hook script:
-
-```shell
-cat > post-hook.sh << 'EOF'
-CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
-
-for dir in "$CERTS_DIR"/*/; do
-    cd "$dir"
-    if [ -f "certificate.crt" ]; then
-        ln -sf certificate.crt fullchain
-    fi
-    if [ -f "privatekey.key" ]; then
-        ln -sf privatekey.key privkey
-    fi
-    cd -
-done
-EOF
-```
-
-3. Create the `acme.json` file:
-
-```shell
-touch acme.json
-sudo chown 0:0 ./acme.json # required
-sudo chmod 600 ./acme.json # required
-```
-
-4. Create insecure config:
-
-```shell
-mkdir dynamic-configs
-cat > ./dynamic-configs/insecure.yaml << 'EOF'
-http:
-  serversTransports:
-    insecure:
-      insecureSkipVerify: true
-EOF
-cd ../..
-```
-
-</details>
-
 7. Start docker compose and wait for the installation to finish:
 
 ```shell

docs/DOCKER_INSTALLATION_RU.md

@@ -78,101 +78,6 @@ sudo sysctl --system
 docker compose build chatmail
 ```
 
-<details>
-
-<summary>Дополнительные шаги для конфигурации работы с traefik</summary>
-
-> [!note]
-> Если вы используете default установку, без использования traefik - пропустите эти шаги и переходите к шагу 7 (запуск docker compose)
-
-Перед запуском traefik необходимо подготовить файлы конфигурации, иначе он запустится некорректно.
-
-Сначала выполните эти команды в консоли, заменив значения в них на корректные.
-```shell
-export YOUR_EMAIL=your_email@gmail.com
-mkdir -p "./data/traefik"
-cd "./data/traefik"
-```
-
-1. Создать файл конфигурации traefik
-```shell
-cat > config.yaml << EOF
-log:
-  level: TRACE
-
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          permanent: true
-  websecure:
-    address: ":443"
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-  file:
-    directory: /dynamic/conf
-    watch: true
-
-serverstransport:
-  insecureskipverify: true
-
-certificatesResolvers:
-  letsEncrypt:
-    acme:
-      email: $YOUR_EMAIL
-      storage: /acme.json
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-      tlschallenge: true
-      httpChallenge:
-        entryPoint: web
-EOF
-```
-
-2. Создать post-hook скрипт
-```shell
-cat > post-hook.sh << 'EOF'
-CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
-
-for dir in "$CERTS_DIR"/*/; do
-    cd "$dir"
-    if [ -f "certificate.crt" ]; then
-        ln -sf certificate.crt fullchain
-    fi
-    if [ -f "privatekey.key" ]; then
-        ln -sf privatekey.key privkey
-    fi
-    cd -
-done
-EOF
-```
-
-3. Создать `acme.json` файл
-```shell
-touch acme.json
-sudo chown 0:0 ./acme.json # это обязательно
-sudo chmod 600 ./acme.json # это обязательно
-```
-
-4. Создать insecure config
-```shell
-mkdir dynamic-configs
-cat > ./dynamic-configs/insecure.yaml << 'EOF'
-http:
-  serversTransports:
-    insecure:
-      insecureSkipVerify: true
-EOF
-cd ../..
-```
-
-</details>
-
 7. Запустить docker compose и дождаться завершения установки
 ```shell
 docker compose up -d # запуск сервиса

traefik/config.yaml

@@ -0,0 +1,33 @@
+log:
+  level: TRACE
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          permanent: true
+  websecure:
+    address: ":443"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    directory: /dynamic/conf
+    watch: true
+
+serverstransport:
+  insecureskipverify: true
+
+certificatesResolvers:
+  letsEncrypt:
+    acme:
+      storage: /acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      tlschallenge: true
+      httpChallenge:
+        entryPoint: web

traefik/dynamic-configs/insecure.yaml

@@ -0,0 +1,4 @@
+http:
+  serversTransports:
+    insecure:
+      insecureSkipVerify: true

traefik/post-hook.sh

@@ -0,0 +1,12 @@
+CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
+
+for dir in "$CERTS_DIR"/*/; do
+    cd "$dir"
+    if [ -f "certificate.crt" ]; then
+        ln -sf certificate.crt fullchain
+    fi
+    if [ -f "privatekey.key" ]; then
+        ln -sf privatekey.key privkey
+    fi
+    cd -
+done