Add traefik with tls to startup script (#3343)

## Description:

We are migrating to traefik and away from CF tunnels due to reliability
issues. This PR sets up traefik with tls configured.

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText()
and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or
regression is found:

evan

setup.sh

@@ -7,10 +7,32 @@ echo "====================================================="
 echo "🚀 STARTING SERVER SETUP"
 echo "====================================================="
 
+# Load environment variables from .env.setup if present
+ENV_FILE="$(dirname "$0")/.env.setup"
+if [ -f "$ENV_FILE" ]; then
+    echo "📂 Loading environment from $ENV_FILE"
+    set -a
+    # shellcheck source=/dev/null
+    source "$ENV_FILE"
+    set +a
+else
+    echo "ℹ️  No .env.setup file found"
+    exit 1
+fi
+
 # Verify required environment variables
 if [ -z "$OTEL_EXPORTER_OTLP_ENDPOINT" ] || [ -z "$OTEL_AUTH_HEADER" ]; then
     echo "❌ ERROR: Required environment variables are not set!"
-    echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER"
+    echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER in .env.setup"
+    exit 1
+fi
+
+# CF_ORIGIN_CERT and CF_ORIGIN_KEY: Cloudflare Origin Certificate and private key.
+# Generate at: Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate
+if [ -z "$CF_ORIGIN_CERT" ] || [ -z "$CF_ORIGIN_KEY" ]; then
+    echo "❌ ERROR: CF_ORIGIN_CERT and CF_ORIGIN_KEY are not set!"
+    echo "Generate an origin certificate at: Cloudflare → SSL/TLS → Origin Server → Create Certificate"
+    echo "Then add CF_ORIGIN_CERT and CF_ORIGIN_KEY to .env.setup"
     exit 1
 fi
 
@@ -82,6 +104,96 @@ fi
 chown -R openfront:openfront /home/openfront
 echo "Set proper ownership for openfront's home directory"
 
+# Set up Traefik reverse proxy
+echo "🔀 Setting up Traefik..."
+
+# Create the shared Docker network used by Traefik and app containers
+if docker network ls --format '{{.Name}}' | grep -q '^web$'; then
+    echo "Docker network 'web' already exists"
+else
+    docker network create web
+    echo "Created Docker network 'web'"
+fi
+
+TRAEFIK_CONFIG_DIR="/home/openfront/traefik"
+TRAEFIK_CERTS_DIR="$TRAEFIK_CONFIG_DIR/certs"
+mkdir -p "$TRAEFIK_CERTS_DIR"
+
+# Write Cloudflare origin certificate and key (passed as env vars)
+echo "$CF_ORIGIN_CERT" > "$TRAEFIK_CERTS_DIR/origin.crt"
+echo "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key"
+chmod 600 "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key"
+
+# No [api] block — dashboard is disabled for production.
+# To access it for debugging, SSH tunnel: ssh -L 8080:localhost:8080 user@server
+cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF'
+[log]
+  level = "INFO"
+
+[entryPoints]
+  [entryPoints.websecure]
+    address = ":443"
+
+[providers]
+  [providers.docker]
+    endpoint = "unix:///var/run/docker.sock"
+    exposedByDefault = false   # Only route containers with traefik.enable=true
+    network = "web"
+    watch = true
+  [providers.file]
+    filename = "/etc/traefik/tls.toml"
+    watch = true
+EOF
+
+# Static TLS configuration referencing the Cloudflare origin cert
+cat > "$TRAEFIK_CONFIG_DIR/tls.toml" << 'EOF'
+[[tls.certificates]]
+  certFile = "/certs/origin.crt"
+  keyFile  = "/certs/origin.key"
+
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+EOF
+
+cat > "$TRAEFIK_CONFIG_DIR/compose.yaml" << 'EOF'
+networks:
+  web:
+    # External so blue/green containers can join independently.
+    external: true
+
+services:
+  traefik:
+    image: traefik:v3.6
+    container_name: traefik
+    restart: unless-stopped
+    ports:
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /home/openfront/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
+      - /home/openfront/traefik/tls.toml:/etc/traefik/tls.toml:ro
+      - /home/openfront/traefik/certs:/certs:ro
+    networks:
+      - web
+EOF
+
+# Give openfront ownership of config files but keep certs owned by root.
+# Traefik runs as root inside its container so it can read them, but the
+# openfront app user cannot access the TLS private key.
+chown -R openfront:openfront "$TRAEFIK_CONFIG_DIR"
+chown root:root "$TRAEFIK_CERTS_DIR" "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key"
+
+docker compose -f "$TRAEFIK_CONFIG_DIR/compose.yaml" pull
+docker compose -f "$TRAEFIK_CONFIG_DIR/compose.yaml" up -d
+
+if docker ps | grep -q traefik; then
+    echo "✅ Traefik started successfully!"
+else
+    echo "❌ Failed to start Traefik. Check logs with: docker logs traefik"
+    exit 1
+fi
+
 # Create directory for OpenTelemetry configuration
 echo "📊 Setting up Node Exporter and OpenTelemetry Collector..."
 OTEL_CONFIG_DIR="/home/openfront/otel"
@@ -176,6 +288,7 @@ echo "🎉 SETUP COMPLETE!"
 echo "====================================================="
 echo "The openfront user has been set up and has Docker permissions."
 echo "UDP buffer sizes have been configured for optimal QUIC/WebSocket performance."
+echo "Traefik reverse proxy is running (HTTP :80, HTTPS :443 with Cloudflare origin cert)."
 echo "Node Exporter is collecting system metrics."
 echo "OpenTelemetry Collector is forwarding metrics to your endpoint."
 echo ""

update.sh

@@ -73,7 +73,8 @@ docker run -d \
     --network web \
     --label "traefik.enable=true" \
     --label "traefik.http.routers.${CONTAINER_NAME}.rule=Host(\`${SUBDOMAIN}.${DOMAIN}\`)" \
-    --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=web" \
+    --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=websecure" \
+    --label "traefik.http.routers.${CONTAINER_NAME}.tls=true" \
     --label "traefik.http.services.${CONTAINER_NAME}.loadbalancer.server.port=80" \
     "${GHCR_IMAGE}"