Device Farmer / OpenSTF docker-compose deployment with TLS using Traefik
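---
# Docker Compose stack for Device Farmer / OpenSTF: RethinkDB, the adb server
# and the STF application, attached to an existing Traefik network.
services:
  rethinkdb:
    container_name: rethinkdb
    image: rethinkdb:2.4.2
    restart: unless-stopped
    volumes:
      - "rethinkdb-data:/data"
    ports:
      # 8080 is the RethinkDB web admin console, which this configuration does
      # not put behind any login. Publish it on loopback only and reach it
      # through an SSH tunnel; drop the 127.0.0.1 prefix only on a trusted host.
      - "127.0.0.1:8080:8080"
      # - "${APP_CLIENT_PORT}:28015"
    command: "rethinkdb --bind all --cache-size 2048"
    networks:
      # NOTE(review): every container on the shared Traefik network can reach
      # the database driver port; consider a separate backend network.
      - frontend  # your traefik network
  adb:
    container_name: adb
    # NOTE(review): ":latest" is a moving tag; pin a version or digest so the
    # privileged container below cannot change underneath you.
    image: devicefarmer/adb:latest
    restart: unless-stopped
    volumes:
      - "/dev/bus/usb:/dev/bus/usb"
    # Privileged mode gives this container host-level device access so it can
    # talk to the USB bus; treat it as equivalent to root on the host.
    privileged: true
    networks:
      - frontend  # your traefik network
  stf:
    container_name: stf
    # NOTE(review): no tag given, so this resolves to ":latest"; pin a version.
    image: devicefarmer/stf
    ports:
      # - "7100:7100"
      # - "7110:7110"
      # NOTE(review): the screen websockets are already routed through Traefik
      # (wss://.../wss/<port>/). Publishing the range on the host as well makes
      # the same ports reachable without TLS; remove it if nothing needs it.
      - "7400-7500:7400-7500"
    environment:
      # In list form the value is taken literally, so quotes around the zone
      # name would become part of TZ; keep it unquoted.
      - TZ=Europe/Berlin
      - RETHINKDB_PORT_28015_TCP=tcp://rethinkdb:28015
      - STF_ADMIN_EMAIL=pg330-admin@example.de
      - STF_ADMIN_NAME=pg330-admin
      - STF_AUTH_OAUTH2_OAUTH_AUTHORIZATION_URL=https://gitlab.example.de/oauth/authorize
      - STF_AUTH_OAUTH2_OAUTH_TOKEN_URL=https://gitlab.example.de/oauth/token
      - STF_AUTH_OAUTH2_OAUTH_USERINFO_URL=https://gitlab.example.de/oauth/userinfo
      - STF_AUTH_OAUTH2_OAUTH_CLIENT_ID=1dff203b5867a7a5d74d9cc7ec7785ac1b8df5fe037af94cbde3661278ce76de
      # The client secret is read from the environment / .env file instead of
      # being stored in this file. A secret that was ever committed or shared
      # in a compose file should be treated as disclosed and rotated in the
      # OAuth provider. Compose aborts with the message below if it is unset.
      - "STF_AUTH_OAUTH2_OAUTH_CLIENT_SECRET=${STF_OAUTH_CLIENT_SECRET:?set STF_OAUTH_CLIENT_SECRET in .env}"
      # - STF_AUTH_OAUTH2_OAUTH_CALLBACK_URL=http://stf.dev.example.de:7100/auth/oauth/callback
      - STF_AUTH_OAUTH2_OAUTH_CALLBACK_URL=https://stf.dev.example.de/auth/oauth/callback
      - STF_AUTH_OAUTH2_OAUTH_SCOPE=openid email
      - STF_LOCAL_AUTH_TYPE=oauth2
      - STF_LOCAL_AUTH_URL=https://stf.dev.example.de/auth/oauth/
      - STF_LOCAL_APP_URL=https://stf.dev.example.de/
      - STF_LOCAL_WEBSOCKET_URL=wss://stf.dev.example.de/
      # "$$" is Compose's escape for a literal "$", so STF receives ${publicPort}.
      - STF_LOCAL_SCREEN_WS_URL_PATTERN=wss://stf.dev.example.de/wss/$${publicPort}/
    labels:
      - "traefik.enable=true"
      # Main web application on container port 7100.
      - "traefik.http.routers.stf.rule=Host(`stf.dev.example.de`)"
      - "traefik.http.routers.stf.entrypoints=websecure"
      - "traefik.http.services.stf.loadbalancer.server.port=7100"
      - "traefik.http.routers.stf.service=stf"
      # socket.io traffic goes to container port 7110.
      - "traefik.http.routers.stf-wss.rule=Host(`stf.dev.example.de`) && PathPrefix(`/socket.io`) "
      - "traefik.http.routers.stf-wss.entrypoints=websecure"
      - "traefik.http.routers.stf-wss.service=stf-wss"
      - "traefik.http.services.stf-wss.loadbalancer.server.port=7110"
    restart: unless-stopped
    extra_hosts:
      - "host.docker.internal:host-gateway"
    command: stf local --adb-host adb --public-ip stf.dev.example.de --provider-min-port 7400 --provider-max-port 7499 --no-cleanup --no-screen-reset
    networks:
      - frontend  # your traefik network
volumes:
  rethinkdb-data: {}
networks:
  # Created by the Traefik compose project; must exist before this stack starts.
  frontend:
    external: true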
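---
# Traefik dynamic configuration (file provider, mounted as /traefik-dyn.yml).
# The file is rendered as a Go template before it is parsed as YAML, so keep
# template delimiters out of comments.
http:
  routers:
    # NOTE(review): this publishes Traefik's internal API on the public HTTPS
    # entrypoint with no authentication middleware attached. Add a
    # "middlewares:" entry (for example basic auth or an IP allow-list) or
    # remove the router. Also verify that the custom /traefik-api prefix is
    # actually served by api@internal.
    traefik-https:
      entrypoints:
        - websecure
      service: api@internal
      rule: "Host(`stf.dev.example.de`) && PathPrefix(`/traefik-api`)"
    # One router per STF provider port. "until 100" yields 0..99, which covers
    # 7400-7499, the range given to --provider-min-port / --provider-max-port.
    # The previous bound of 99 stopped at 7498 and left port 7499 unrouted.
    {{range $i, $e := until 100 }}
    router-ws-{{ $e }}:
      entrypoints:
        - websecure
      rule: "Host(`stf.dev.example.de`) && PathPrefix(`/wss/74{{printf "%02d" $e }}/`)"
      service: stf-wss-{{ $e }}
    {{end}}
  services:
    # Matching backend per port; the bound must stay equal to the router loop.
    {{range $i, $e := until 100 }}
    stf-wss-{{ $e }}:
      loadBalancer:
        servers:
          - url: "http://stf:74{{printf "%02d" $e }}"
    {{end}}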
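---
# Traefik static configuration (mounted as /traefik.yml).
api:
  dashboard: true
  # NOTE(review): insecure mode serves the dashboard and API without
  # authentication on the internal port 8080. Keep that port off public
  # interfaces, or set this to false and expose the dashboard through a
  # router protected by an auth middleware.
  insecure: true
  debug: false
log:
  level: INFO
entryPoints:
  # Plain HTTP only exists to redirect to HTTPS.
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        # Must match the resolver key under certificatesResolvers below.
        certResolver: letencrypt
        domains:
          # Was "stf.dev.eample.de", which does not match the host name used
          # by every router rule and would request a certificate for the
          # wrong name.
          - main: "stf.dev.example.de"
serversTransport:
  # NOTE(review): this disables certificate verification for every HTTPS
  # backend Traefik talks to. The backends configured here use plain http://
  # URLs, so the setting looks unnecessary; prefer removing it or trusting a
  # specific CA instead.
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers are only routed when they carry traefik.enable=true.
    exposedByDefault: false
    network: frontend
  file:
    filename: /traefik-dyn.yml
certificatesResolvers:
  letencrypt:
    acme:
      email: pg330-admin@example.de
      # acme.json holds the account key and issued private keys; keep the
      # host directory readable by the Traefik user only.
      storage: /certs/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory  # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory  # staging
      dnsChallenge:
        # Credentials for this provider come from the HTTPREQ_* variables in
        # the Traefik container environment.
        provider: httpreq
        delayBeforeCheck: 10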
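---
# Docker Compose project for the Traefik reverse proxy that fronts the STF
# stack and owns the shared "frontend" network.
services:
  traefik:
    # NOTE(review): untagged image resolves to ":latest"; pin a version so an
    # upgrade of the edge proxy is a deliberate change.
    image: traefik
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    environment:
      - TZ=Europe/Amsterdam
      # define the secrets in .env file (keep .env out of version control)
      - HTTPREQ_ENDPOINT=${HTTPREQ_ENDPOINT}
      - HTTPREQ_USERNAME=${HTTPREQ_USERNAME}
      - HTTPREQ_PASSWORD=${HTTPREQ_PASSWORD}
    networks:
      - frontend
    ports:
      - "80:80"  # HTTP entryPoints
      - "443:443"  # HTTPS entryPoints
      # Dashboard web GUI. With api.insecure enabled in traefik.yml this port
      # has no authentication, so it is published on loopback only; use an SSH
      # tunnel, or put the dashboard behind an authenticated router instead.
      - "127.0.0.1:8088:8080"
    volumes:
      # NOTE(review): ":ro" only makes the socket file read-only on the mount;
      # it does not restrict what the Docker API accepts. Anything that can
      # use this socket can control the Docker daemon. Consider a socket proxy
      # that exposes only the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./traefik-dyn.yml:/traefik-dyn.yml:ro
      # Writable: Traefik stores acme.json (account and certificate keys) here.
      - ./certs/:/certs/
volumes:
  # NOTE(review): declared but not mounted by any service in this file.
  traefik:
    name: traefik
networks:
  # Other stacks join this network by declaring it as external.
  frontend:
    name: frontend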