From 65b0d48f9d31e00f3ecdf7690d3d08a6eee95fe1 Mon Sep 17 00:00:00 2001
From: domverse
Date: Sat, 28 Feb 2026 12:07:31 +0100
Subject: [PATCH] feat: add Traefik + Authentik integration to docker-compose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Route https://flights.domverse-berlin.eu via Traefik on the domverse network
- Protect with Authentik (authentik@docker ForwardAuth middleware)
- Remove host port bindings (80, 8000) — Traefik handles all ingress
- Frontend joins both default compose network (nginx→backend) and domverse (Traefik)
- Backend stays internal-only, no external exposure
Co-Authored-By: Claude Sonnet 4.6
---
 flight-comparator/docker-compose.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/flight-comparator/docker-compose.yml b/flight-comparator/docker-compose.yml
index 7af4a1a..8a95688 100644
--- a/flight-comparator/docker-compose.yml
+++ b/flight-comparator/docker-compose.yml
@@ -7,12 +7,11 @@ services:
 dockerfile: Dockerfile.backend
 container_name: flight-radar-backend
 restart: unless-stopped
- ports:
- - "8000:8000"
 environment:
 - DATABASE_PATH=/app/data/cache.db
 volumes:
 - flight-radar-data:/app/data
+ # No ports exposed — only reachable by the frontend via the default compose network
 frontend:
 build:
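Review bot: The added comment promises more than the file enforces. `backend` shows no `networks:` key in this hunk, so it sits on the compose default network only implicitly, and it is reachable by every service on that network and, through nginx, by whatever can reach the frontend. Pin the intent by adding `networks:` with `- default` to the backend service, and reword the comment to `# No host ports published; reachable only on the compose default network (frontend nginx proxies to it)`. The `backend` service definition starts above this hunk, so settings declared there are not visible here.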
@@ -20,11 +19,24 @@ services:
 dockerfile: Dockerfile.frontend
 container_name: flight-radar-frontend
 restart: unless-stopped
- ports:
- - "80:80"
 depends_on:
 - backend
+ networks:
+ - default # shares default compose network with backend (nginx → http://backend:8000)
+ - domverse # Traefik discovers the container on this network
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.flight-radar.rule=Host(`flights.domverse-berlin.eu`)"
+ - "traefik.http.routers.flight-radar.entrypoints=https"
+ - "traefik.http.routers.flight-radar.tls.certresolver=http"
+ - "traefik.http.routers.flight-radar.middlewares=authentik@docker"
+ - "traefik.http.services.flight-radar.loadbalancer.server.port=80"
 volumes:
 flight-radar-data:
 driver: local
+
+networks:
+ default: {} # explicit declaration required when any service has a custom networks block
+ domverse:
+ external: true
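Review bot: The Authentik check for this route is enforced only inside Traefik, yet the `- domverse` entry under `networks:` attaches the frontend to an external network that is presumably shared with other stacks. Any container on that network can connect to the frontend's port 80 directly and never pass the `authentik@docker` middleware. Because nginx forwards to `http://backend:8000` (per the comment on `- default`), that direct path would also reach the backend. The edge middleware is therefore a sufficient gate only if every workload on `domverse` is trusted; otherwise attach the frontend to a network shared with Traefik alone. Separately, with the container on two networks Traefik should be told which one to route over, or it may pick the `default` address it cannot reach: add `- "traefik.docker.network=domverse"` to the labels.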