Docker: Improve cloud-init setup

docker/examples/cloud-init/certs/ca.conf

@@ -0,0 +1,13 @@
+[req]
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+prompt = no
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = Default CA
+emailAddress = hello@example.com
+CN = example.com

docker/examples/cloud-init/certs/cert.conf

@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.example.com
+DNS.2 = example.com

docker/examples/cloud-init/certs/config.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/certs/cert.crt"
+        keyFile: "/certs/cert.key"
+  certificates:
+    - certFile: "/certs/cert.crt"
+      keyFile: "/certs/cert.key"

docker/examples/cloud-init/certs/openssl.conf

@@ -0,0 +1,25 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+x509_extensions = v3_req
+distinguished_name = dn
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = PhotoPrism
+OU = Self-Signed
+emailAddress = hello@example.com
+CN = example.com
+
+[v3_req]
+subjectAltName = @alt_names
+
+[SAN]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.example.com
+DNS.2 = example.com

docker/examples/cloud-init/docker-compose.yml

@@ -39,8 +39,19 @@ services:
     security_opt:
       - seccomp:unconfined
       - apparmor:unconfined
-    ports:
+    # ports:
-      - "2342:2342" # [local port]:[container port]
+    #  - "2342:2342" # [local port]:[container port]
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.photoprism.loadbalancer.server.port=2342"
+      - "traefik.http.routers.photoprism.entrypoints=websecure"
+      - "traefik.http.routers.photoprism.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.photoprism.tls=true"
+      - "traefik.http.routers.photoprism.tls.domains[0].main=example.com"
+      - "traefik.http.routers.photoprism.tls.domains[0].sans=*.example.com"
+      # Uncomment if your server has a public host name for HTTPS:
+      # - "traefik.http.routers.photoprism.rule=Host(`photos.example.com`)"
+      # - "traefik.http.routers.photoprism.tls.certresolver=myresolver"
     environment:
       PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # PLEASE CHANGE: Your initial admin password (min 4 characters)
       PHOTOPRISM_ORIGINALS_LIMIT: 5000               # File size limit for originals in MB (increase for high-res video)
@@ -73,6 +84,22 @@ services:
       - "./storage:/photoprism/storage"
       - "./backup:/var/lib/photoprism"
 
+  traefik:
+    image: traefik:v2.4
+    container_name: traefik
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+    expose:
+      - "80"
+      - "443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "./traefik/:/data/"
+      - "./traefik.yaml:/etc/traefik/traefik.yaml"
+      - "./certs/:/certs/"
+
   mariadb:
     image: mariadb:10.5
     container_name: mariadb

docker/examples/cloud-init/setup.sh

@@ -36,7 +36,8 @@ apt-get update
 apt-get -qq dist-upgrade
 
 # install dependencies
-apt-get -qq install -y --no-install-recommends apt-transport-https ca-certificates curl software-properties-common
+apt-get -qq install -y --no-install-recommends apt-transport-https ca-certificates \
+        curl software-properties-common openssl
 
 # install docker if needed
 if ! command -v docker &> /dev/null
@@ -59,11 +60,35 @@ fi
 
 # create user
 useradd photoprism -u 1000 -G docker -o -m -d /photoprism || echo "User 'photoprism' already exists. Proceeding."
-mkdir -p /photoprism/originals /photoprism/import /photoprism/storage /photoprism/backup /photoprism/database
+mkdir -p /photoprism/originals /photoprism/import /photoprism/storage /photoprism/backup \
+      /photoprism/database /photoprism/traefik /photoprism/certs
+
+# download ssl config
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/ca.conf > /photoprism/certs/ca.conf
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/cert.conf > /photoprism/certs/cert.conf
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/config.yml > /photoprism/certs/config.yml
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/openssl.conf > /photoprism/certs/openssl.conf
+
+# create ca
+openssl genrsa -out /photoprism/certs/ca.key 4096
+openssl req -x509 -new -nodes -key /photoprism/certs/ca.key -sha256 -days 365 \
+        -out /photoprism/certs/ca.pem -config /photoprism/certs/ca.conf
+openssl x509 -outform der -in /photoprism/certs/ca.pem -out /photoprism/certs/ca.crt
+
+# create certs
+openssl genrsa -out /photoprism/certs/cert.key 4096
+openssl req -new -config /photoprism/certs/openssl.conf -key /photoprism/certs/cert.key \
+        -out /photoprism/certs/cert.csr
+openssl x509 -req -in /photoprism/certs/cert.csr -CA /photoprism/certs/ca.pem \
+        -CAkey /photoprism/certs/ca.key -CAcreateserial \
+        -out /photoprism/certs/cert.crt -days 365 -sha256 -extfile /photoprism/certs/cert.conf
+openssl pkcs12 -export -in /photoprism/certs/cert.crt -inkey /photoprism/certs/cert.key \
+        -out /photoprism/certs/cert.pfx -passout pass:
 
 # download service config
-curl -fsSL https://dl.photoprism.org/docker/cloud-init/docker-compose.yml> /photoprism/docker-compose.yml
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/docker-compose.yml > /photoprism/docker-compose.yml
 curl -fsSL https://dl.photoprism.org/docker/cloud-init/jobs.ini > /photoprism/jobs.ini
+curl -fsSL https://dl.photoprism.org/docker/cloud-init/traefik.yaml > /photoprism/traefik.yaml
 chown -Rf photoprism:photoprism /photoprism
 
 # start services using docker-compose

docker/examples/cloud-init/traefik.yaml

@@ -0,0 +1,39 @@
+# Uncomment to enable debug mode:
+# log:
+#  level: DEBUG
+
+serversTransport:
+  insecureSkipVerify: true
+  rootCAs:
+    - "/certs/ca.crt"
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+
+certificatesResolvers:
+  myresolver:
+    acme:
+      email: info@example.com
+      storage: /data/letsencrypt.json
+      httpChallenge:
+        entryPoint: web
+
+providers:
+  file:
+    filename: "/certs/config.yml"
+    watch: true
+  docker:
+    exposedByDefault: false
+    watch: true
+
+api:
+  insecure: false
+  dashboard: false