reset

.gitignore

@@ -0,0 +1,3 @@
+mattermost/mattermost-docker/
+.env
+*.secrets

README.md

@@ -0,0 +1,12 @@
+# Docker
+
+Dockerfiles and Docker-compose for [GNOUS](https://www.gnous.fr) services
+
+## How to launch the services
+
+1. Copy `.env.example` as `.env` in the service directory and set the variables as you need
+2. Copy the `*.secrets.example` as `*.secrets` in the `secrets/` directory of the service directory and set the variable as you need
+3. Uncomment the `env_file` configuration option when needed
+4. Launch the services
+
+Depending on the service, you might need to have a few more things to do.

apaches/.env.example

@@ -0,0 +1,4 @@
+DATA_PATH=
+CN=
+SAN1=
+TRAVAUXCN=

apaches/Dockerfile

@@ -0,0 +1,11 @@
+from php:7.4.18-apache
+
+RUN a2enmod remoteip
+RUN echo "RemoteIPHeader X-Forwarded-For" > /etc/apache2/conf-available/remoteip.conf
+RUN a2enconf remoteip
+RUN sed -i -r 's/^ServerTokens .*/ServerTokens Prod/g' /etc/apache2/conf-available/security.conf
+RUN sed -i -r 's/^ServerSignature .*/ServerSignature Off/g' /etc/apache2/conf-available/security.conf
+RUN sed -i -E 's/^LogFormat "%h(.*)/LogFormat "%a\1/g' /etc/apache2/apache2.conf
+RUN echo "expose_php = Off" > /usr/local/etc/php/conf.d/php_version.ini
+
+CMD ["apache2-foreground"]

apaches/docker-compose.yml

@@ -0,0 +1,39 @@
+version: "3.8"
+
+services:
+  apache:
+      build: .
+      image: my_apache:7.4.18
+      container_name: apache
+      networks:
+        - proxy
+      expose:
+        - "80"
+      restart: unless-stopped
+      env_file: ./secrets/apache.secrets
+      volumes:
+        - /usr/lib/locale/:/usr/lib/locale/
+        - /etc/localtime:/etc/localtime:ro
+        - ${DATA_PATH}/public-html:/var/www/html/
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.middlewares.apache-redirect-websecure.redirectscheme.scheme=https"
+        - "traefik.http.routers.apache-http.middlewares=apache-redirect-websecure"
+        - "traefik.http.routers.apache-http.rule=Host(`${CN}`, `${SAN1}`)"
+        - "traefik.http.routers.apache-http.entrypoints=web"
+        - "traefik.http.routers.apache-https.rule=Host(`${CN}`, `${SAN1}`)"
+        - "traefik.http.routers.apache-https.entrypoints=websecure"
+        - "traefik.http.routers.apache-https.middlewares=apache-redirectregex"
+        - "traefik.http.routers.apache-https.tls=true"
+        - "traefik.http.routers.apache-https.tls.certresolver=myhttpchallenge"
+        - "traefik.http.middlewares.apache-redirectregex.redirectregex.regex=^https://${SAN1}/(.*)"
+        - "traefik.http.middlewares.apache-redirectregex.redirectregex.replacement=https://${CN}/$${1}"
+#        - "traefik.http.middlewares.apache-travaux.redirectregex.regex=^https://${TRAVAUXCN}/"
+#        - "traefik.http.middlewares.apache-travaux.redirectregex.replacement=https://${CN}/travaux.php"
+#        - "traefik.http.routers.apache-https.middlewares=apache-redirectregex,apache-travaux"
+        - "co.elastic.logs/module=apache"
+        - "co.elastic.logs/fileset=access"
+                        
+networks:
+  proxy:
+    external: true

apaches/secrets/apache.secrets.example

@@ -0,0 +1 @@
+MM_TOKEN=

apaches/testing/.env.example

@@ -0,0 +1,3 @@
+DATA_PATH=
+CN=
+SAN1=

apaches/testing/docker-compose.yml

@@ -0,0 +1,34 @@
+version: "3.8"
+
+services:
+  apache-test:
+      build: ..
+      image: my_apache:7.4.18
+      container_name: apache-test
+      networks:
+        - proxy
+      expose:
+        - "80"
+      restart: unless-stopped
+      env_file: ./secrets/apache-test.secrets
+      volumes:
+        - /usr/lib/locale/:/usr/lib/locale/
+        - /etc/localtime:/etc/localtime:ro
+        - ${DATA_PATH}/public-html:/var/www/html/
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.middlewares.apache-redirect-websecure.redirectscheme.scheme=https"
+        - "traefik.http.routers.apache-test-http.middlewares=apache-redirect-websecure"
+        - "traefik.http.routers.apache-test-http.rule=Host(`${CN}`, `${SAN1}`)"
+        - "traefik.http.routers.apache-test-http.entrypoints=web"
+        - "traefik.http.routers.apache-test-https.rule=Host(`${CN}`, `${SAN1}`)"
+        - "traefik.http.routers.apache-test-https.entrypoints=websecure"
+        - "traefik.http.routers.apache-test-https.middlewares=apache-test-redirectregex"
+        - "traefik.http.routers.apache-test-https.tls=true"
+        - "traefik.http.routers.apache-test-https.tls.certresolver=myhttpchallenge"
+        - "traefik.http.middlewares.apache-test-redirectregex.redirectregex.regex=^https://${SAN1}/(.*)"
+        - "traefik.http.middlewares.apache-test-redirectregex.redirectregex.replacement=https://${CN}/$${1}"
+                        
+networks:
+  proxy:
+    external: true

apaches/testing/secrets/apache-test.secrets.example

@@ -0,0 +1 @@
+MM_TOKEN=

elastic/.env.example

@@ -0,0 +1,2 @@
+DATA_PATH=
+CN=

elastic/docker-compose.yml

@@ -0,0 +1,53 @@
+version: "3.8"
+
+services:
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.0
+    hostname: ${CN}
+    restart: unless-stopped
+    environment:
+      - node.name=es01
+      - discovery.type=single-node
+#      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - ${DATA_PATH}/es/es01/data:/usr/share/elasticsearch/data
+      - ${DATA_PATH}/es/es01/snapshots:/usr/share/elasticsearch/snapshots
+      - ${DATA_PATH}/es/es01/config:/usr/share/elasticsearch/config
+    ports:
+      - 9200:9200
+    labels:
+      - "co.elastic.logs/module=elasticsearch"
+
+  kibana:
+    image: docker.elastic.co/kibana/kibana:7.12.0
+    restart: unless-stopped
+    networks:
+      - proxy
+      - default
+    links:
+      - "elasticsearch:${CN}"
+    expose:
+      - 5601
+    volumes:
+      - ${DATA_PATH}/kb/config:/usr/share/kibana/config
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.middlewares.kb-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.kb-http.middlewares=kb-redirect-websecure"
+      - "traefik.http.routers.kb-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.kb-http.entrypoints=web"
+      - "traefik.http.routers.kb-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.kb-https.entrypoints=websecure"
+      - "traefik.http.routers.kb-https.tls=true"
+      - "traefik.http.routers.kb-https.tls.certresolver=myhttpchallenge"
+      - "co.elastic.logs/module=kibana"
+
+networks:
+  proxy:
+    external: true

gitea/.env.example

@@ -0,0 +1,3 @@
+DATA_PATH=
+CN=
+SSH_PORT=

gitea/docker-compose.yml

@@ -0,0 +1,49 @@
+version: "3.8"
+
+services:
+  app:
+    image: gitea/gitea:1.14.1-rootless
+    depends_on:
+      - db
+    expose:
+      - "3000"
+    ports:
+      - "${SSH_PORT}:22"
+    restart: unless-stopped
+    networks:
+      - proxy
+      - default
+    volumes:
+      - /etc/timezone/:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - ${DATA_PATH}/app/data:/var/lib/gitea
+      - ${DATA_PATH}/app/config:/etc/gitea
+#    env_file: secrets/app.secrets
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.services.gitea-web-svc.loadbalancer.server.port=3000"
+      - "traefik.http.routers.git-https.service=gitea-web-svc"
+      - "traefik.http.middlewares.git-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.git-http.middlewares=git-redirect-websecure"
+      - "traefik.http.routers.git-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.git-http.entrypoints=web"
+      - "traefik.http.routers.git-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.git-https.entrypoints=websecure"
+      - "traefik.http.routers.git-https.tls=true"
+      - "traefik.http.routers.git-https.tls.certresolver=myhttpchallenge"
+
+  db:
+    image: postgres:13
+#    env_file: ./secrets/db.secrets
+    restart: unless-stopped
+    volumes:
+      - ${DATA_PATH}/db/data:/var/lib/postgresql/data
+      - ${DATA_PATH}/db/.pgpass:/root/.pgpass
+
+networks:
+  proxy:
+    external: true

gitea/secrets/app.secrets.example

@@ -0,0 +1,6 @@
+GITEA__database__DB_TYPE=
+GITEA__database__DB_HOST=
+GITEA__database__DB_NAME=
+GITEA__database__DB_USER=
+GITEA__database__DB_PASSWD=
+

gitea/secrets/db.secrets.example

@@ -0,0 +1,3 @@
+POSTGRES_USER=
+POSTGRES_DB=
+POSTGRES_PASSWORD=

gitlab/.env.example

@@ -0,0 +1,3 @@
+DATA_PATH=
+CN=
+SSH_PORT=

gitlab/docker-compose.yml

@@ -0,0 +1,37 @@
+version: "3.8"
+
+services:
+  app:
+    image: gitlab/gitlab-ce:13.10.2-ce.0
+    restart: "no"
+    hostname: "${CN}"
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url "https://${CN}"
+        # Add any other gitlab.rb configuration here, each on its own line
+        nginx['listen_https'] = false
+        nginx['listen_port'] = 80
+    networks:
+      - proxy
+    ports:
+      - "${SSH_PORT}:22"
+    volumes:
+      - ${DATA_PATH}/config:/etc/gitlab
+      - ${DATA_PATH}/logs:/var/log/gitlab
+      - ${DATA_PATH}/data:/var/opt/gitlab
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitlab-https.service=app"
+      - "traefik.http.services.app.loadbalancer.server.port=80"
+      - "traefik.http.middlewares.gitlab-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.gitlab-http.middlewares=gitlab-redirect-websecure"
+      - "traefik.http.routers.gitlab-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.gitlab-http.entrypoints=web"
+      - "traefik.http.routers.gitlab-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.gitlab-https.entrypoints=websecure"
+      - "traefik.http.routers.gitlab-https.tls=true"
+      - "traefik.http.routers.gitlab-https.tls.certresolver=myhttpchallenge"
+
+networks:
+  proxy:
+    external: true

mattermost/.env.example

@@ -0,0 +1,2 @@
+DATA_PATH=
+CN=

mattermost/docker-compose.yml

@@ -0,0 +1,51 @@
+version: "3.8"
+
+services:
+  db:
+    build: ./mattermost-docker/db
+    image: mm_db:5.33.2
+    read_only: true
+    restart: unless-stopped
+    volumes:
+      - ${DATA_PATH}/db/var/lib/postgresql/data:/var/lib/postgresql/data
+      - ${DATA_PATH}/db/.pgpass:/root/.pgpass
+      - /etc/localtime:/etc/localtime:ro
+#    env_file: secrets/db.secrets
+
+  app:
+    build:
+      context: ./mattermost-docker/app
+      args:
+        - edition=team
+    image: mm_app:5.33.2
+    depends_on:
+      - db
+    restart: unless-stopped
+    networks:
+      - default
+      - proxy
+    volumes:
+      - ${DATA_PATH}/app/mattermost/config:/mattermost/config:rw
+      - ${DATA_PATH}/app/mattermost/data:/mattermost/data:rw
+      - ${DATA_PATH}/app/mattermost/logs:/mattermost/logs:rw
+      - ${DATA_PATH}/app/mattermost/plugins:/mattermost/plugins:rw
+      - ${DATA_PATH}/app/mattermost/client-plugins:/mattermost/client/plugins:rw
+      - /etc/localtime:/etc/localtime:ro
+#    env_file: secrets/app.secrets
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.services.mm-web-svc.loadbalancer.server.port=8000"
+      - "traefik.http.routers.mm-https.service=mm-web-svc"
+      - "traefik.http.middlewares.mm-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.mm-http.middlewares=mm-redirect-websecure"
+      - "traefik.http.routers.mm-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.mm-http.entrypoints=web"
+      - "traefik.http.routers.mm-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.mm-https.entrypoints=websecure"
+      - "traefik.http.routers.mm-https.tls=true"
+      - "traefik.http.routers.mm-https.tls.certresolver=myhttpchallenge"
+
+networks:
+  proxy:
+    external: true

mattermost/secrets/app.secrets.example

@@ -0,0 +1,3 @@
+MM_USERNAME=
+MM_PASSWORD=
+MM_DBNAME=

mattermost/secrets/db.secrets.example

@@ -0,0 +1,3 @@
+POSTGRES_USER=
+POSTGRES_PASSWORD=
+POSTGRES_DB=

nextcloud/.env.example

@@ -0,0 +1,4 @@
+DATA_PATH=
+NCCN=
+OOCN=
+SAN1=

nextcloud/docker-compose.yml

@@ -0,0 +1,79 @@
+version: "3.8"
+
+services:
+  documentserver:
+    image: onlyoffice/documentserver:6.1.0.83
+    networks:
+      - proxy
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.ds-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.ds-http.middlewares=ds-redirect-websecure"
+      - "traefik.http.routers.ds-http.rule=Host(`${OOCN}`)"
+      - "traefik.http.routers.ds-http.entrypoints=web"
+      - "traefik.http.routers.ds-https.rule=Host(`${OOCN}`)"
+      - "traefik.http.routers.ds-https.entrypoints=websecure"
+      - "traefik.http.routers.ds-https.tls=true"
+      - "traefik.http.routers.ds-https.tls.certresolver=myhttpchallenge"
+      - "traefik.http.middlewares.ds-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.ds-https.middlewares=ds-header"
+
+  redis:
+    image: redis:6.2.1
+    command: ["sh", "-c", "redis-server --requirepass $${REDIS_HOST_PASSWORD}"]
+    restart: unless-stopped
+    env_file: secrets/redis.secrets
+    volumes:
+      - ${DATA_PATH}/redis:/var/lib/redis
+
+  db:
+    image: mariadb:10.5.4
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    restart: unless-stopped
+    volumes:
+      - ${DATA_PATH}/my.cnf:/etc/mysql/my.cnf:ro
+      - ${DATA_PATH}/db:/var/lib/mysql
+#    env_file: secrets/db.secrets
+
+  app:
+    image: nextcloud:19.0.10
+    depends_on:
+      - db
+      - redis
+    networks:
+      - proxy
+      - default
+    expose:
+      - "80"
+    links:
+      - db
+    volumes:
+      - ${DATA_PATH}/app/html:/var/www/html
+    restart: unless-stopped
+#    env_file: secrets/app.secrets
+    environment:
+      - APACHE_DISABLE_REWRITE_IP=1
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.middlewares.nc-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.nc-http.middlewares=nc-redirect-websecure"
+      - "traefik.http.routers.nc-http.rule=Host(`${NCCN}`,`${SAN1}`)"
+      - "traefik.http.routers.nc-http.entrypoints=web"
+      - "traefik.http.routers.nc-https.rule=Host(`${NCCN}`,`${SAN1}`)"
+      - "traefik.http.routers.nc-https.entrypoints=websecure"
+      - "traefik.http.routers.nc-https.tls=true"
+      - "traefik.http.routers.nc-https.tls.certresolver=myhttpchallenge"
+      - "traefik.http.middlewares.nc-redirectregex.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nc-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nc-redirectregex.redirectregex.permanent=true"
+      - "traefik.http.routers.nc-https.middlewares=nc-redirectregex"
+      - "traefik.http.routers.nc-https.middlewares=nc-Header"
+      - "traefik.http.middlewares.nc-Header.headers.stsSeconds=15552000"
+      - "co.elastic.logs/module=apache"
+      - "co.elastic.logs/fileset=access"
+
+networks:
+  proxy:
+    external: true

nextcloud/secrets/app.secrets.example

@@ -0,0 +1,4 @@
+MYSQL_HOST=db
+MYSQL_PASSWORD=
+MYSQL_DATABASE=
+MYSQL_USER=

nextcloud/secrets/db.secrets.example

@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=
+MYSQL_PASSWORD=
+MYSQL_DATABASE=
+MYSQL_USER=

nextcloud/secrets/redis.secrets.example

@@ -0,0 +1 @@
+REDIS_HOST_PASSWORD=

roundcube/.env.example

@@ -0,0 +1,3 @@
+DATA_PATH=
+CN=
+MAIL_SERVER=

roundcube/Dockerfile

@@ -0,0 +1,30 @@
+FROM roundcube/roundcubemail:1.4.11-apache
+
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        git \
+    ; \
+    \
+    curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/bin --filename=composer; \
+    mv /usr/src/roundcubemail/composer.json-dist /usr/src/roundcubemail/composer.json; \
+    \
+    composer \
+        --working-dir=/usr/src/roundcubemail/ \
+        --prefer-dist --prefer-stable \
+        --no-update --no-interaction \
+        --optimize-autoloader --apcu-autoloader \
+        require \
+            roundcube/carddav \
+    ; \
+    composer \
+        --working-dir=/usr/src/roundcubemail/ \
+        --prefer-dist --no-dev \
+        --no-interaction \
+        --optimize-autoloader --apcu-autoloader \
+        update;
+
+RUN mkdir -p /etc/enigma/gnupg \
+ && chown www-data:www-data /etc/enigma/gnupg \
+ && cp /usr/src/roundcubemail/plugins/enigma/config.inc.php.dist /usr/src/roundcubemail/plugins/enigma/config.inc.php \
+ && echo "\$config['enigma_pgp_homedir'] = '/etc/enigma/gnupg';" >> /usr/src/roundcubemail/plugins/enigma/config.inc.php

roundcube/docker-compose.yml

@@ -0,0 +1,43 @@
+version: "3.8"
+
+services:
+  app:
+    build: .
+    image: my_roundcube:1.4.11
+    restart: unless-stopped
+    depends_on:
+      - db
+    volumes:
+      - ${DATA_PATH}/app:/var/www/html
+      - ${DATA_PATH}/enigma:/etc/enigma/gnupg
+#    env_file: secrets/app.secrets
+    environment:
+      - ROUNDCUBEMAIL_SKIN=elastic
+      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://${MAIL_SERVER}
+      - ROUNDCUBEMAIL_SMTP_SERVER=tls://${MAIL_SERVER}
+      - ROUNDCUBEMAIL_PLUGINS=archive, zipdownload, enigma, carddav
+    networks:
+      - default
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.middlewares.rc-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.rc-http.middlewares=rc-redirect-websecure"
+      - "traefik.http.routers.rc-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.rc-http.entrypoints=web"
+      - "traefik.http.routers.rc-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.rc-https.entrypoints=websecure"
+      - "traefik.http.routers.rc-https.tls=true"
+      - "traefik.http.routers.rc-https.tls.certresolver=myhttpchallenge"
+
+  db:
+    image: mariadb:10.5
+    restart: unless-stopped
+    volumes:
+      - ${DATA_PATH}/db:/var/lib/mysql
+#    env_file: secrets/db.secrets
+
+networks:
+  proxy:
+    external: true

roundcube/secrets/app.secrets.example

@@ -0,0 +1,5 @@
+ROUNDCUBEMAIL_DB_TYPE=
+ROUNDCUBEMAIL_DB_NAME=
+ROUNDCUBEMAIL_DB_HOST=
+ROUNDCUBEMAIL_DB_USER=
+ROUNDCUBEMAIL_DB_PASSWORD=

roundcube/secrets/db.secrets.example

@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=
+MYSQL_PASSWORD=
+MYSQL_DATABASE=
+MYSQL_USER=

traefik/.env.example

@@ -0,0 +1,2 @@
+DATA_PATH=
+EMAIL=

traefik/docker-compose.yml

@@ -0,0 +1,33 @@
+version: "3.8"
+
+services:
+  traefik:
+    image: traefik:v2.3.4
+    command:
+      - "--log.level=ERROR"
+#      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
+      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myhttpchallenge.acme.email=${EMAIL}"
+      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
+      - "--accesslog=true"
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+#      - 8080:8080
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${DATA_PATH}:/letsencrypt
+    container_name: traefik
+    labels:
+      - "co.elastic.logs/module=traefik"
+      - "co.elastic.logs/fileset=access"
+
+networks:
+  default:
+    name: proxy

wordpress-valpo/.env.example

@@ -0,0 +1,2 @@
+DATA_PATH=
+CN=

wordpress-valpo/docker-compose.yml

@@ -0,0 +1,40 @@
+version: "3.8"
+
+services:
+  db:
+    image: mysql:5.7
+#    env_file: secrets/db.secrets
+    volumes:
+      - ${DATA_PATH}/db_data:/var/lib/mysql
+    restart: "no"
+
+  app:
+    depends_on:
+      - db
+    image: wordpress:5.6.2
+    env_file: secrets/app.secrets
+    volumes:
+      - ${DATA_PATH}/_data:/var/www/html
+    networks:
+      - proxy
+      - default
+    expose:
+      - "80"
+    restart: "no"
+    environment:
+      WORDPRESS_DB_HOST: db:3306
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.middlewares.wp-redirect-websecure.redirectscheme.scheme=https"
+      - "traefik.http.routers.wp-http.middlewares=wp-redirect-websecure"
+      - "traefik.http.routers.wp-http.rule=Host(`${CN}`)"
+      - "traefik.http.routers.wp-http.entrypoints=web"
+      - "traefik.http.routers.wp-https.rule=Host(`${CN}`)"
+      - "traefik.http.routers.wp-https.entrypoints=websecure"
+      - "traefik.http.routers.wp-https.tls=true"
+      - "traefik.http.routers.wp-https.tls.certresolver=myhttpchallenge"
+
+networks:
+  proxy:
+    external: true

wordpress-valpo/secrets/app.secrets.example

@@ -0,0 +1,3 @@
+WORDPRESS_DB_USER=
+WORDPRESS_DB_PASSWORD=
+WORDPRESS_DB_NAME=

wordpress-valpo/secrets/db.secrets.example

@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=
+MYSQL_DATABASE=
+MYSQL_PASSWORD=
+MYSQL_USER=