traefik

deploy.sh

@@ -28,9 +28,9 @@ if [ "$1" != "prod" ] && [ "$1" != "staging" ]; then
 fi
 
 # Validate second argument (host)
-if [ "$2" != "falk1" ] && [ "$2" != "nbg1" ] && [ "$2" != "staging" ] && [ "$2" != "masters" ]; then
-    echo "Error: Second argument must be either 'falk1', 'nbg1', 'staging', or 'masters'"
-    echo "Usage: $0 [prod|staging] [falk1|nbg1|staging|masters] [version_tag] [subdomain]"
+if [ "$2" != "falk1" ] && [ "$2" != "falk2" ] && [ "$2" != "nbg1" ] && [ "$2" != "staging" ] && [ "$2" != "masters" ]; then
+    echo "Error: Second argument must be either 'falk1', 'falk2', 'nbg1', 'staging', or 'masters'"
+    echo "Usage: $0 [prod|staging] [falk1|falk2|nbg1|staging|masters] [version_tag] [subdomain]"
     exit 1
 fi
 
@@ -75,6 +75,9 @@ elif [ "$HOST" == "nbg1" ]; then
 elif [ "$HOST" == "masters" ]; then
     print_header "DEPLOYING TO MASTERS HOST"
     SERVER_HOST=$SERVER_HOST_MASTERS
+elif [ "$HOST" == "falk2" ]; then
+    print_header "DEPLOYING TO FALK2 HOST"
+    SERVER_HOST=$SERVER_HOST_FALK2
 else
     print_header "DEPLOYING TO FALK1 HOST"
     SERVER_HOST=$SERVER_HOST_FALK1

setup.sh

@@ -7,10 +7,31 @@ echo "====================================================="
 echo "🚀 STARTING SERVER SETUP"
 echo "====================================================="
 
+# Load environment variables from .env.setup if present
+ENV_FILE="$(dirname "$0")/.env.setup"
+if [ -f "$ENV_FILE" ]; then
+    echo "📂 Loading environment from $ENV_FILE"
+    set -a
+    # shellcheck source=/dev/null
+    source "$ENV_FILE"
+    set +a
+else
+    echo "ℹ️  No .env.setup file found, using environment variables"
+fi
+
 # Verify required environment variables
 if [ -z "$OTEL_EXPORTER_OTLP_ENDPOINT" ] || [ -z "$OTEL_AUTH_HEADER" ]; then
     echo "❌ ERROR: Required environment variables are not set!"
-    echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER"
+    echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER in .env.setup or the environment"
+    exit 1
+fi
+
+# CF_ORIGIN_CERT and CF_ORIGIN_KEY: Cloudflare Origin Certificate and private key.
+# Generate at: Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate
+if [ -z "$CF_ORIGIN_CERT" ] || [ -z "$CF_ORIGIN_KEY" ]; then
+    echo "❌ ERROR: CF_ORIGIN_CERT and CF_ORIGIN_KEY are not set!"
+    echo "Generate an origin certificate at: Cloudflare → SSL/TLS → Origin Server → Create Certificate"
+    echo "Then add CF_ORIGIN_CERT and CF_ORIGIN_KEY to .env.setup"
     exit 1
 fi
 
@@ -94,7 +115,13 @@ else
 fi
 
 TRAEFIK_CONFIG_DIR="/home/openfront/traefik"
-mkdir -p "$TRAEFIK_CONFIG_DIR"
+TRAEFIK_CERTS_DIR="$TRAEFIK_CONFIG_DIR/certs"
+mkdir -p "$TRAEFIK_CERTS_DIR"
+
+# Write Cloudflare origin certificate and key (passed as env vars)
+echo "$CF_ORIGIN_CERT" > "$TRAEFIK_CERTS_DIR/origin.crt"
+echo "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key"
+chmod 600 "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key"
 
 # No [api] block — dashboard is disabled for production.
 # To access it for debugging, SSH tunnel: ssh -L 8080:localhost:8080 user@server
@@ -105,6 +132,8 @@ cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF'
 [entryPoints]
   [entryPoints.web]
     address = ":80"
+  [entryPoints.websecure]
+    address = ":443"
 
 [providers]
   [providers.docker]
@@ -112,6 +141,20 @@ cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF'
     exposedByDefault = false   # Only route containers with traefik.enable=true
     network = "web"
     watch = true
+  [providers.file]
+    filename = "/etc/traefik/tls.toml"
+    watch = true
+EOF
+
+# Static TLS configuration referencing the Cloudflare origin cert
+cat > "$TRAEFIK_CONFIG_DIR/tls.toml" << 'EOF'
+[[tls.certificates]]
+  certFile = "/certs/origin.crt"
+  keyFile  = "/certs/origin.key"
+
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
 EOF
 
 cat > "$TRAEFIK_CONFIG_DIR/compose.yaml" << 'EOF'
@@ -122,14 +165,17 @@ networks:
 
 services:
   traefik:
-    image: traefik:v3.4
+    image: traefik:v3.6
     container_name: traefik
     restart: unless-stopped
     ports:
       - "80:80"
+      - "443:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /home/openfront/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
+      - /home/openfront/traefik/tls.toml:/etc/traefik/tls.toml:ro
+      - /home/openfront/traefik/certs:/certs:ro
     networks:
       - web
 EOF
@@ -240,7 +286,7 @@ echo "🎉 SETUP COMPLETE!"
 echo "====================================================="
 echo "The openfront user has been set up and has Docker permissions."
 echo "UDP buffer sizes have been configured for optimal QUIC/WebSocket performance."
-echo "Traefik reverse proxy is running (HTTP :80)."
+echo "Traefik reverse proxy is running (HTTP :80, HTTPS :443 with Cloudflare origin cert)."
 echo "Node Exporter is collecting system metrics."
 echo "OpenTelemetry Collector is forwarding metrics to your endpoint."
 echo ""

update.sh

@@ -73,7 +73,8 @@ docker run -d \
     --network web \
     --label "traefik.enable=true" \
     --label "traefik.http.routers.${CONTAINER_NAME}.rule=Host(\`${SUBDOMAIN}.${DOMAIN}\`)" \
-    --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=web" \
+    --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=websecure" \
+    --label "traefik.http.routers.${CONTAINER_NAME}.tls=true" \
     --label "traefik.http.services.${CONTAINER_NAME}.loadbalancer.server.port=80" \
     "${GHCR_IMAGE}"