Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 2 additions & 40 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -250,9 +250,7 @@ services:
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.services.${STACK_NAME?Variable not set}-texmf-proxy.loadbalancer.server.port=8771
# Served challenge-free (no Anubis), like the API: the in-browser engine's
# synchronous XHR can't solve an HTML interstitial. CORS is restricted to
# the site origin by TEXMF_PROXY_ALLOW_ORIGIN above.
# CORS is restricted to the site origin by TEXMF_PROXY_ALLOW_ORIGIN above.
- traefik.http.routers.${STACK_NAME?Variable not set}-texmf-proxy-http.rule=Host(`texmf.${DOMAIN?Variable not set}`)
- traefik.http.routers.${STACK_NAME?Variable not set}-texmf-proxy-http.entrypoints=http
- traefik.http.routers.${STACK_NAME?Variable not set}-texmf-proxy-http.middlewares=https-redirect
Expand Down Expand Up @@ -290,46 +288,10 @@ services:
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.entrypoints=https
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls=true
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls.certresolver=le
# Serve the frontend through the Anubis proof-of-work bot wall, which
# runs as an inline reverse proxy (challenges browsers, lets verified
# good bots through, forwards cleared traffic to this container). Both
# public routers point at the anubis service rather than the frontend
# directly. Only the frontend is gated: the API (api.) stays
# challenge-free so the SPA's XHR calls and programmatic clients (calkit
# CLI, DVC, git) are unaffected, since Anubis serves an HTML interstitial
# those can't solve.
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.service=${STACK_NAME?Variable not set}-anubis
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.service=${STACK_NAME?Variable not set}-anubis
# Enable www redirection for HTTP and HTTPS
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.middlewares=${STACK_NAME?Variable not set}-www-redirect
- traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.middlewares=https-redirect,${STACK_NAME?Variable not set}-www-redirect

anubis:
image: ghcr.io/techarohq/anubis:v1.25.0
restart: always
networks:
- traefik-public
- default
depends_on:
- frontend
environment:
# Inline reverse-proxy mode: Anubis challenges browsers and forwards
# cleared requests to the frontend container. Serving the challenge on
# the frontend's own host avoids the cross-domain post-challenge
# redirect failure of forwardauth mode ("Redirect domain not allowed",
# Anubis issue #970), and needs no dedicated anubis.${DOMAIN} record.
- BIND=:8080
- TARGET=http://frontend:80
# Scope the clearance cookie to the apex so it covers www and apex alike.
- COOKIE_DOMAIN=${DOMAIN?Variable not set}
labels:
# traefik.enable + a service definition registers the anubis upstream so
# the frontend routers above can target it. Anubis has no router of its
# own; it is only reached via those routers.
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.services.${STACK_NAME?Variable not set}-anubis.loadbalancer.server.port=8080

minio:
image: minio/minio:RELEASE.2025-05-24T17-08-30Z
command: server /data --console-address ":9001"
Expand Down