Remove Traefik from deploy package (use existing nginx)

- Remove Traefik service and related labels - Expose ports to localhost only (3000, 8000, 3001) - Update README with nginx proxy configuration examples - Remove ACME_EMAIL and Traefik auth from .env.example Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 11:18:55 +01:00 · 2026-01-26 11:18:55 +01:00 · 8cabe7d362
parent 3187f5babb
commit 8cabe7d362
3 changed files with 129 additions and 119 deletions
--- a/deploy/.env.example
+++ b/deploy/.env.example
@ -14,9 +14,6 @@
 # Your domain name (without https://)
 DOMAIN=portal.monacousa.org

-# Email for Let's Encrypt SSL certificates
-ACME_EMAIL=admin@monacousa.org
-
 # ============================================
 # DATABASE CONFIGURATION
 # ============================================
@ -97,17 +94,6 @@ ADDITIONAL_REDIRECT_URLS=
 # Database schemas exposed via REST API
 PGRST_DB_SCHEMAS=public,storage,graphql_public

-# ============================================
-# SECURITY - DASHBOARD ACCESS (Optional)
-# ============================================
-# Basic auth for Traefik dashboard (format: user:password-hash)
-# Generate with: htpasswd -nB admin
-# Example: admin:$apr1$xyz...
-TRAEFIK_DASHBOARD_AUTH=
-
-# Basic auth for Supabase Studio (format: user:password-hash)
-# Generate with: htpasswd -nB admin
-STUDIO_AUTH=

 # ============================================
 # NOTES
--- a/deploy/README.md
+++ b/deploy/README.md
@ -7,8 +7,8 @@ This is a standalone deployment package for the Monaco USA Portal. No source cod
 - Linux server (Ubuntu 22.04+ recommended)
 - Docker Engine 24.0+
 - Docker Compose v2.20+
+- Nginx installed and configured for SSL
 - Domain name with DNS pointing to your server
- Ports 80 and 443 open

 ## Quick Start

@ -21,7 +21,7 @@ mkdir -p /opt/monacousa
 cd /opt/monacousa

 # Download files from your deployment source
-# Example: scp, git clone, or direct download
+# Example: copy from Gitea, scp, etc.
 ```

 You need these files:
@ -43,7 +43,6 @@ nano .env

 At minimum, configure:
 - `DOMAIN` - Your domain name (e.g., `portal.monacousa.org`)
- `ACME_EMAIL` - Email for SSL certificates
 - SMTP settings (optional but recommended for emails)

 ### 3. Run setup script
@ -67,7 +66,85 @@ The setup script will:
 docker compose up -d
 ```

-### 5. Verify deployment
+### 5. Configure Nginx
+
+Add proxy configuration for your domain. Example:
+
+```nginx
+# Portal - main site
+server {
+    listen 443 ssl http2;
+    server_name portal.monacousa.org;
+
+    ssl_certificate /path/to/cert.pem;
+    ssl_certificate_key /path/to/key.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+}
+
+# API - Supabase services
+server {
+    listen 443 ssl http2;
+    server_name api.portal.monacousa.org;
+
+    ssl_certificate /path/to/cert.pem;
+    ssl_certificate_key /path/to/key.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+}
+
+# Studio - Supabase dashboard (optional)
+server {
+    listen 443 ssl http2;
+    server_name studio.portal.monacousa.org;
+
+    ssl_certificate /path/to/cert.pem;
+    ssl_certificate_key /path/to/key.pem;
+
+    # Add basic auth for security
+    auth_basic "Supabase Studio";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+}
+```
+
+Reload nginx:
+```bash
+nginx -t && systemctl reload nginx
+```
+
+### 6. Verify deployment

 ```bash
 # Check all containers are running
@ -80,24 +157,24 @@ docker compose logs db
 docker compose logs -f
 ```

-### 6. Access the portal
+### 7. Access the portal

-Open `https://your-domain.com` in your browser. On first visit, you'll be redirected to `/setup` to create the initial admin account.
+Open `https://portal.monacousa.org` in your browser. On first visit, you'll be redirected to `/setup` to create the initial admin account.

 ## Architecture

 ```
 Internet
    │
-    ├─► :80/:443 ──► Traefik (SSL/Reverse Proxy)
-    │                    │
-    │                    ├─► portal.domain.com ──► Portal (SvelteKit)
-    │                    ├─► api.domain.com ──► Kong ──► Auth/REST/Storage
-    │                    └─► studio.domain.com ──► Studio (Dashboard)
+    └─► Nginx (SSL/Reverse Proxy)
            │
-Internal Network
+            ├─► portal.domain.com:443 ──► localhost:3000 ──► Portal (SvelteKit)
+            ├─► api.domain.com:443 ──► localhost:8000 ──► Kong ──► Auth/REST/Storage
+            └─► studio.domain.com:443 ──► localhost:3001 ──► Studio (Dashboard)
+
+Internal Docker Network
    │
-    ├─► Kong API Gateway
+    ├─► Kong API Gateway (port 8000)
    │       ├─► Auth (GoTrue)
    │       ├─► REST (PostgREST)
    │       ├─► Storage API
@ -106,6 +183,16 @@ Internal Network
    └─► PostgreSQL Database
 ```

+## Exposed Ports
+
+| Service | Port | Purpose |
+|---------|------|---------|
+| Portal | 127.0.0.1:3000 | Main web application |
+| Kong | 127.0.0.1:8000 | Supabase API gateway |
+| Studio | 127.0.0.1:3001 | Supabase dashboard (optional) |
+
+All ports are bound to localhost only for security. Use nginx to expose them.
+
 ## Files Description

 | File | Purpose |
@ -193,17 +280,7 @@ docker compose up -d
 docker compose logs

 # Check if ports are in use
-netstat -tlnp | grep -E ':(80|443)'
-```
-
-### SSL certificate issues
-
-```bash
-# Check Traefik logs
-docker compose logs traefik
-
-# Verify DNS is pointing to server
-dig +short your-domain.com
+netstat -tlnp | grep -E ':(3000|3001|8000)'
 ```

 ### Database connection errors
@ -238,6 +315,15 @@ docker compose logs portal
 docker compose exec portal wget -qO- http://kong:8000/rest/v1/ || echo "Kong not reachable"
 ```

+### Nginx 502 Bad Gateway
+
+Check if the Docker containers are running:
+```bash
+docker compose ps
+curl http://127.0.0.1:3000  # Should return HTML
+curl http://127.0.0.1:8000  # Should return JSON
+```
+
 ## Security Recommendations

 1. **Secure your .env file**
@ -245,32 +331,23 @@ docker compose exec portal wget -qO- http://kong:8000/rest/v1/ || echo "Kong not
   chmod 600 .env
   ```

-2. **Enable dashboard authentication**
+2. **Protect Supabase Studio with auth**
   ```bash
-   # Generate password hash
-   htpasswd -nB admin
-   # Add to .env as STUDIO_AUTH and TRAEFIK_DASHBOARD_AUTH
+   # Generate password file for nginx
+   htpasswd -c /etc/nginx/.htpasswd admin
   ```

-3. **Set up firewall**
-   ```bash
-   ufw allow 80/tcp
-   ufw allow 443/tcp
-   ufw allow 22/tcp
-   ufw enable
-   ```
-
-4. **Regular updates**
+3. **Regular updates**
   - Keep Docker and host OS updated
   - Regularly pull latest portal images

-5. **Monitor logs**
+4. **Monitor logs**
   - Set up log rotation (configured in docker-compose.yml)
-   - Consider centralized logging (ELK, Loki, etc.)
+   - Consider centralized logging

 ## Support

 For issues and questions:
 - Check logs: `docker compose logs -f`
- GitHub issues: [Project Repository]
+- GitHub/Gitea issues
 - Email: support@monacousa.org
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@ -8,51 +8,14 @@
 #   2. Copy .env.example to .env and configure
 #   3. Run ./setup.sh to generate secrets and kong.yml
 #   4. Run: docker compose up -d
+#   5. Configure your nginx to proxy to the exposed ports
 #
-# Prerequisites:
-#   - Docker and Docker Compose installed
-#   - Domain DNS pointing to server IP
-#   - Ports 80 and 443 open
+# Exposed Ports (configure nginx to proxy to these):
+#   - Portal: localhost:3000
+#   - Kong API: localhost:8000
+#   - Studio: localhost:3001 (optional)

 services:
-  # ============================================
-  # Traefik Reverse Proxy (SSL/HTTPS)
-  # ============================================
-  traefik:
-    image: traefik:v3.0
-    container_name: monacousa-traefik
-    restart: unless-stopped
-    command:
-      - "--api.dashboard=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
-      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
-      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
-      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
-      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
-      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
-      - "--log.level=INFO"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - traefik-certs:/letsencrypt
-    networks:
-      - monacousa-network
-    labels:
-      # Traefik dashboard (optional - remove in production if not needed)
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
-      - "traefik.http.routers.traefik.entrypoints=websecure"
-      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_AUTH:-}"
-
  # ============================================
  # PostgreSQL Database
  # ============================================
@ -95,6 +58,8 @@ services:
    image: supabase/studio:20241202-71e5240
    container_name: monacousa-studio
    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3001:3000"
    environment:
      STUDIO_PG_META_URL: http://meta:8080
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@ -109,14 +74,6 @@ services:
        condition: service_healthy
    networks:
      - monacousa-network
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.studio.rule=Host(`studio.${DOMAIN}`)"
-      - "traefik.http.routers.studio.entrypoints=websecure"
-      - "traefik.http.routers.studio.tls.certresolver=letsencrypt"
-      - "traefik.http.services.studio.loadbalancer.server.port=3000"
-      - "traefik.http.routers.studio.middlewares=studio-auth"
-      - "traefik.http.middlewares.studio-auth.basicauth.users=${STUDIO_AUTH:-}"
    logging:
      driver: "json-file"
      options:
@ -130,6 +87,8 @@ services:
    image: kong:2.8.1
    container_name: monacousa-kong
    restart: unless-stopped
+    ports:
+      - "127.0.0.1:8000:8000"
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
@ -144,12 +103,6 @@ services:
        condition: service_healthy
    networks:
      - monacousa-network
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.kong.rule=Host(`api.${DOMAIN}`)"
-      - "traefik.http.routers.kong.entrypoints=websecure"
-      - "traefik.http.routers.kong.tls.certresolver=letsencrypt"
-      - "traefik.http.services.kong.loadbalancer.server.port=8000"
    logging:
      driver: "json-file"
      options:
@ -385,6 +338,8 @@ services:
    image: ${PORTAL_IMAGE:-code.letsbe.solutions/letsbe/monacousa-portal:latest}
    container_name: monacousa-portal
    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3000:3000"
    environment:
      PUBLIC_SUPABASE_URL: https://api.${DOMAIN}
      PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
@ -400,12 +355,6 @@ services:
        condition: service_healthy
    networks:
      - monacousa-network
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.portal.rule=Host(`${DOMAIN}`)"
-      - "traefik.http.routers.portal.entrypoints=websecure"
-      - "traefik.http.routers.portal.tls.certresolver=letsencrypt"
-      - "traefik.http.services.portal.loadbalancer.server.port=3000"
    deploy:
      resources:
        limits:
@ -433,5 +382,3 @@ volumes:
    driver: local
  storage-data:
    driver: local
-  traefik-certs:
-    driver: local