From af68dd2130d1942da6bf710be21b08dbf2dfa671 Mon Sep 17 00:00:00 2001
From: David Slusser
Date: Thu, 31 Jul 2025 20:21:51 -0700
Subject: [PATCH 1/2] addind docker compose file for traefik
---
 src/docker/docker-compose.yaml | 24 +++++++++++---
 src/docker/local-compose.yaml | 29 +++++++++++++++++
 src/docker/traefik-compose.yaml | 57 +++++++++++++++++++++++++++++++++
 3 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 src/docker/local-compose.yaml
 create mode 100644 src/docker/traefik-compose.yaml
diff --git a/src/docker/docker-compose.yaml b/src/docker/docker-compose.yaml
index 8c05292..0f8611d 100644
--- a/src/docker/docker-compose.yaml
+++ b/src/docker/docker-compose.yaml
@@ -1,17 +1,31 @@ -version: '3.9' +networks: + web: + external: true services: django: - image: ghcr.io/spokanetech/spokanepythonweb:latest container_name: django + image: ghcr.io/spokanetech/spokanepythonweb:latest build: context: ../.. dockerfile: src/docker/Dockerfile env_file: - ../envs/.env.docker-compose - command: ./entrypoint.sh + command: "./entrypoint.sh" ports: - - "8000:8000" + - "8000:8000" + labels: + - "traefik.enable=true" + + # Router for HTTPS + - "traefik.http.routers.django.rule=Host(`davidslusser.website`) || Host(`www.davidslusser.website`)" + - "traefik.http.routers.django.entrypoints=websecure" + - "traefik.http.routers.django.tls.certresolver=myresolver" + + # Service settings + - "traefik.http.services.django.loadbalancer.server.port=8000" + networks: + - web depends_on: - db restart: unless-stopped
@@ -25,6 +39,8 @@ services: - "5432:5432" env_file: - ../envs/.env.docker-compose + networks: + - web restart: unless-stopped volumes:
diff --git a/src/docker/local-compose.yaml b/src/docker/local-compose.yaml
new file mode 100644
index 0000000..180ecf3
--- /dev/null
+++ b/src/docker/local-compose.yaml
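Review bot: The django service's new `networks:` list attaches it only to the external network `web`, which replaces the Compose default network, so `docker compose up` fails unless that network was created beforehand and nothing in the file says so; a comment on the top-level `networks:` block such as `# shared with traefik-compose.yaml; create once with: docker network create web` would spare the next operator the error. The router rule labels also hard-code the public hostnames, which presumably duplicate what ALLOWED_HOSTS holds on the Django side (the settings hunk in the second patch derives CSRF_TRUSTED_ORIGINS from it), so a drift between the two yields a working Traefik route that Django answers with 400 — a one-line comment pointing at that setting is worth adding. The `depends_on`/`restart` tail of the service is unchanged context.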
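Review bot: Attaching `db` to the external `web` network is required once django leaves the default network, but the hunk's context still publishes `- "5432:5432"` on the host, and this host is now Internet-facing through Traefik on 80/443. Container-to-container traffic on `web` does not need a host mapping, so either drop the `ports:` entry for `db` or bind it to loopback, `- "127.0.0.1:5432:5432"`, with a comment that django reaches Postgres by service name over the network rather than via a published port. The `db` service definition starts before this hunk.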
@@ -0,0 +1,29 @@ +services: + django: + image: ghcr.io/spokanetech/spokanepythonweb:latest + container_name: django + build: + context: ../.. + dockerfile: src/docker/Dockerfile + env_file: + - ../envs/.env.docker-compose + command: ./entrypoint.sh + ports: + - "8000:8000" + depends_on: + - db + restart: unless-stopped + + db: + image: postgres:17 + container_name: postgres + volumes: + - spokanepython_postgres:/var/lib/postgresql/data + ports: + - "5432:5432" + env_file: + - ../envs/.env.docker-compose + restart: unless-stopped + +volumes: + spokanepython_postgres:
diff --git a/src/docker/traefik-compose.yaml b/src/docker/traefik-compose.yaml
new file mode 100644
index 0000000..7fe91f7
--- /dev/null
+++ b/src/docker/traefik-compose.yaml
@@ -0,0 +1,57 @@ +version: '3.9' + +networks: + web: + external: true + +services: + traefik: + image: traefik:v3.0 + container_name: traefik + env_file: + - src/docker/.env.traefik + command: + - "--api.dashboard=true" + - "--providers.docker=true" + - "--providers.docker.exposedbydefault=false" + + # Entry points + - "--entrypoints.web.address=:80" + - "--entrypoints.websecure.address=:443" + + # Redirect HTTP to HTTPS + - "--entrypoints.web.http.redirections.entrypoint.to=websecure" + - "--entrypoints.web.http.redirections.entrypoint.scheme=https" + + # Let's Encrypt + - "--certificatesresolvers.myresolver.acme.tlschallenge=true" + - "--certificatesresolvers.myresolver.acme.email=admin@davidslusser.website" + - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" + + ports: + - "80:80" + - "443:443" + - "8080:8080" + + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "letsencrypt:/letsencrypt" + + networks: + - web + restart: unless-stopped + + labels: + - "traefik.enable=true" + + # Dashboard route + - "traefik.http.routers.traefik.rule=Host(`traefik.davidslusser.website`)" + - "traefik.http.routers.traefik.service=api@internal" + - "traefik.http.routers.traefik.entrypoints=websecure" + - "traefik.http.routers.traefik.tls.certresolver=myresolver" + # Auth middleware for dashboard + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASH_AUTH}" + - "traefik.http.routers.traefik.middlewares=traefik-auth" + +volumes: + letsencrypt:
From 907e97cc8ff07e306cb74958bdfc93d4bf66ac87 Mon Sep 17 00:00:00 2001
From: David Slusser
Date: Sat, 2 Aug 2025 13:17:11 -0700
Subject: [PATCH 2/2] adding cfrs and htmx settings; updating docker compose files
---
 src/django_project/core/settings.py | 11 +++++++++++
 src/docker/docker-compose.yaml | 2 --
 src/docker/traefik-compose.yaml | 9 +++------
 3 files changed, 14 insertions(+), 8 deletions(-)
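Review bot: `${TRAEFIK_DASH_AUTH}` in the basicauth label is expanded by Compose from the invoking shell environment or a `.env` beside the compose file, not from `env_file:`, which only populates the container's own environment; if the variable is unset Compose substitutes an empty string and the middleware ends up with no users, which Traefik will most likely reject at load time rather than serve the dashboard open, so the label needs a comment such as `# TRAEFIK_DASH_AUTH (htpasswd format) must be set in the shell/.env used to run compose, not in env_file`. The `- "8080:8080"` mapping publishes a port nothing listens on: the dashboard is served by the `api@internal` router on `websecure`, and `--api.insecure` is not enabled, so the line is dead and only invites someone to turn the insecure API on later — drop it. The read-only flag on the `/var/run/docker.sock` mount limits the file, not the API behind it, so the container still holds full Docker control; that is inherent to the docker provider and deserves a one-line comment saying so.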
diff --git a/src/django_project/core/settings.py b/src/django_project/core/settings.py
index 7e46033..6236cf4 100644
--- a/src/django_project/core/settings.py
+++ b/src/django_project/core/settings.py
@@ -85,6 +85,17 @@
 ]
+SECURE_HSTS_SECONDS = 0
+SECURE_SSL_REDIRECT: bool = env.bool("SECURE_SSL_REDIRECT", False)
+SESSION_COOKIE_SECURE: bool = env.bool("SESSION_COOKIE_SECURE", True)
+CSRF_COOKIE_SECURE: bool = env.bool("CSRF_COOKIE_SECURE", True)
+CSRF_TRUSTED_ORIGINS: list[str] = [f"https://{host}" for host in ALLOWED_HOSTS]
+
+# Required for HTTP behind Traefik
+SECURE_PROXY_SSL_HEADER: tuple = ("HTTP_X_FORWARDED_PROTO", "http")
+USE_X_FORWARDED_HOST: bool = env.bool("USE_X_FORWARDED_HOST", True)
+
+
 ROOT_URLCONF = "core.urls"
 TEMPLATES = [
diff --git a/src/docker/docker-compose.yaml b/src/docker/docker-compose.yaml
index 0f8611d..1880182 100644
--- a/src/docker/docker-compose.yaml
+++ b/src/docker/docker-compose.yaml
@@ -12,8 +12,6 @@ services: env_file: - ../envs/.env.docker-compose command: "./entrypoint.sh" - ports: - - "8000:8000" labels: - "traefik.enable=true"
diff --git a/src/docker/traefik-compose.yaml b/src/docker/traefik-compose.yaml
index 7fe91f7..c38b4bb 100644
--- a/src/docker/traefik-compose.yaml
+++ b/src/docker/traefik-compose.yaml
@@ -1,5 +1,3 @@ -version: '3.9' - networks: web: external: true
@@ -8,8 +6,6 @@ services: traefik: image: traefik:v3.0 container_name: traefik - env_file: - - src/docker/.env.traefik command: - "--api.dashboard=true" - "--providers.docker=true"
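Review bot: `SECURE_PROXY_SSL_HEADER: tuple = ("HTTP_X_FORWARDED_PROTO", "http")` is inverted — the second element is the header value Django treats as "this request arrived over HTTPS", so with `"http"` a forwarded HTTPS request is reported insecure (and would redirect-loop if `SECURE_SSL_REDIRECT` is ever enabled) while a plain-HTTP request is reported secure; it should be `SECURE_PROXY_SSL_HEADER: tuple = ("HTTP_X_FORWARDED_PROTO", "https")`. Trusting that header is only sound while the app is reachable solely through Traefik, which the docker-compose.yaml hunk in this commit makes true by dropping the `8000:8000` mapping, so replace the `# Required for HTTP behind Traefik` comment with one that states that precondition, e.g. `# Trust Traefik's X-Forwarded-Proto; safe only because django publishes no host port`. `SECURE_HSTS_SECONDS = 0` leaves HSTS off, which is reasonable for a first deployment but should become an `env` lookup with a short non-zero default once the certificate path is verified, and `CSRF_TRUSTED_ORIGINS` derived from ALLOWED_HOSTS will silently produce a non-matching origin if that list ever contains a bare `*`.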
@@ -24,14 +20,15 @@ services: - "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Let's Encrypt - - "--certificatesresolvers.myresolver.acme.tlschallenge=true" + - "--certificatesresolvers.myresolver.acme.httpchallenge=true" + - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.myresolver.acme.email=admin@davidslusser.website" - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" ports: - "80:80" - "443:443" - - "8080:8080" + - "8000:8000" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro"
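Review bot: `- "8000:8000"` on the traefik container publishes a host port Traefik has no entrypoint for — its entrypoints are `:80` and `:443` — so the mapping is dead, and if it was meant to reach the django app, that traffic flows over the `web` network to the container port named in the `loadbalancer.server.port` label rather than through a host port; drop the line. The move from `tlschallenge` to `httpchallenge` on entrypoint `web` is consistent with the HTTP-to-HTTPS redirection configured on the lines above, as Traefik serves the ACME challenge before applying the entrypoint redirect as far as I recall, but a comment on the challenge line stating that port 80 must stay reachable from the Internet for renewals would help. The traefik service definition continues past the end of this hunk.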