📝 Update deployment files and docs (fastapi#660)

Author: tiangolo

.env

@@ -38,11 +38,6 @@ SENTRY_DSN=
 # Flower
 FLOWER_BASIC_AUTH=
 
-# Traefik
-TRAEFIK_PUBLIC_NETWORK=traefik-public
-TRAEFIK_TAG=traefik
-TRAEFIK_PUBLIC_TAG=traefik-public
-
 # Configure these with your own Docker registry images
 DOCKER_IMAGE_BACKEND=backend
 DOCKER_IMAGE_CELERYWORKER=celery

backend/app/core/config.py

@@ -17,9 +17,6 @@ class Settings(BaseSettings):
     # 60 minutes * 24 hours * 8 days = 8 days
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 8
     SERVER_HOST: AnyHttpUrl
-    # BACKEND_CORS_ORIGINS is a JSON-formatted list of origins
-    # e.g: '["http://localhost", "http://localhost:4200", "http://localhost:3000", \
-    # "http://localhost:8080", "http://local.dockertoolbox.tiangolo.com"]'
     BACKEND_CORS_ORIGINS: list[AnyHttpUrl] | str = []
 
     @field_validator("BACKEND_CORS_ORIGINS", mode="before")

deployment.md

@@ -1,25 +1,124 @@
 # FastAPI Project - Deployment
 
-You can deploy the using Docker Compose with a main Traefik proxy outside handling communication to the outside world and HTTPS certificates.
+You can deploy the project using Docker Compose in a remote server.
 
-And you can use CI (continuous integration) systems to do it automatically.
+It expects you to have a Traefik proxy handling communication to the outside world and HTTPS certificates.
+
+And you can use CI (continuous integration) systems to deploy automatically.
 
 But you have to configure a couple things first.
 
-## Traefik network
+## Preparation
+
+* Have a remote server ready and available.
+* Configure the DNS records of your domain to point to the IP of the server you just created.
+* Install and configure [Docker](https://docs.docker.com/engine/install/).
+* Create a remote directory to store your code, for example:
+
+```bash
+mkdir -p /root/code/fastapi-project/
+```
+
+## Public Traefik
+
+We need a Traefik proxy to handle incoming connections and HTTPS certificates.
+
+### Traefik Docker Compose
+
+Copy the Traefik Docker Compose file to your server, to your code directory. You could do it with `rsync`:
+
+```bash
+rsync -a docker-compose.traefik.yml root@your-server.example.com:/root/code/fastapi-project/
+```
+
+### Traefik Public Network
+
+This Traefik will expect a Docker "public network" named `traefik-public` to communicate with your stack(s).
+
+This way, there will be a single public Traefik proxy that handles the communication (HTTP and HTTPS) with the outside world, and then behind that, you could have one or more stacks.
 
-This stack expects the public Traefik network to be named `traefik-public`.
+To create a Docker "public network" named `traefik-public` run:
 
-If you need to use a different Traefik public network name, update it in the `docker-compose.yml` files, in the section:
+```bash
+docker network create traefik-public
+```
+
+### Traefik Environment Variables
+
+The Traefik Docker Compose file expects some environment variables to be set.
 
-```YAML
-networks:
-  traefik-public:
-    external: true
+Create the environment variables for HTTP Basic Auth.
+
+* Create the username, e.g.:
+
+```bash
+export USERNAME=admin
+```
+
+* Create an environment variable with the password, e.g.:
+
+```bash
+export PASSWORD=changethis
+```
+
+* Use openssl to generate the "hashed" version of the password and store it in an environment variable:
+
+```bash
+export HASHED_PASSWORD=$(openssl passwd -apr1 $PASSWORD)
 ```
 
-Change `traefik-public` to the name of the used Traefik network. And then update it in the file `.env`:
+* Create an environment variable with the domain name, e.g.:
 
 ```bash
-TRAEFIK_PUBLIC_NETWORK=traefik-public
+export DOMAIN=fastapi-project.example.com
 ```
+
+* Create an environment variable with the email for Let's Encrypt, e.g.:
+
+```bash
+export EMAIL=admin@example.com
+```
+
+### Start the Traefik Docker Compose
+
+Now with the environment variables set and the `docker-compose.traefik.yml` in place, you can start the Traefik Docker Compose:
+
+```bash
+docker compose -f docker-compose.traefik.yml up -d
+```
+
+## Deploy the FastAPI Project
+
+Now that you have Traefik in place you can deploy your FastAPI project with Docker Compose.
+
+You could configure the variables in the `.env` file to match your domain, or you could override them before running the `docker compose` command.
+
+For example:
+
+```bash
+export DOMAIN=fastapi-project.example.com
+```
+
+And then deploy with Docker Compose:
+
+```bash
+docker compose -f docker-compose.yml up -d
+```
+
+For production you wouldn't want to have the overrides in `docker-compose.override.yml`, so you would need to explicitly specify the file to use, `docker-compose.yml`.
+
+## URLs
+
+Replace `fastapi-project.example.com` with your domain:
+
+Frontend: https://fastapi-project.example.com
+
+Backend API docs: https://fastapi-project.example.com/docs
+
+Backend API base URL: https://fastapi-project.example.com/api/
+
+PGAdmin: https://pgadmin.fastapi-project.example.com
+
+Flower: https://flower.fastapi-project.example.com
+
+Traefik UI: https://traefik.fastapi-project.example.com

docker-compose.override.yml

@@ -2,6 +2,9 @@ version: "3.3"
 services:
 
   proxy:
+    image: traefik:v2.3
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
     ports:
       - "80:80"
       - "8090:8080"
@@ -10,10 +13,13 @@ services:
       # Enable Docker in Traefik, so that it reads labels from Docker services
       - --providers.docker
       # Add a constraint to only use services with the label for this stack
-      # from the env var TRAEFIK_TAG
-      - --providers.docker.constraints=Label(`traefik.constraint-label-stack`, `${TRAEFIK_TAG?Variable not set}`)
+      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
       # Do not expose all Docker services, only the ones explicitly exposed
       - --providers.docker.exposedbydefault=false
+      # Create an entrypoint "http" listening on port 80
+      - --entrypoints.http.address=:80
+      # Create an entrypoint "https" listening on port 443
+      - --entrypoints.https.address=:443
       # Enable the access log, with HTTP requests
       - --accesslog
       # Enable the Traefik log, for configurations and errors
@@ -23,8 +29,12 @@ services:
       # Enable the Dashboard and API in insecure mode for local development
       - --api.insecure=true
     labels:
-      - traefik.http.routers.${STACK_NAME?Variable not set}-traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
-      - traefik.http.services.${STACK_NAME?Variable not set}-traefik-public.loadbalancer.server.port=80
+      # Enable Traefik for this service, to make it available in the public network
+      - traefik.enable=true
+      - traefik.constraint-label=traefik-public
+      # Dummy https-redirect middleware that doesn't really redirect, only to
+      # allow running it locally
+      - traefik.http.middlewares.https-redirect.contenttype.autodetect=false
 
   db:
     ports:
@@ -72,6 +82,13 @@ services:
       args:
         INSTALL_DEV: ${INSTALL_DEV-true}
 
+  frontend:
+    build:
+      context: ./frontend
+      args:
+        - VITE_API_URL=http://${DOMAIN?Variable not set}
+        - NODE_ENV=development
+
 networks:
   traefik-public:
     # For local dev, don't expect an external Traefik network

docker-compose.traefik.yml

@@ -0,0 +1,77 @@
+services:
+  traefik:
+    image: traefik:v2.3
+    ports:
+      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
+      - 80:80
+      # Listen on port 443, default for HTTPS
+      - 443:443
+    restart: always
+    labels:
+      # Enable Traefik for this service, to make it available in the public network
+      - traefik.enable=true
+      # Use the traefik-public network (declared below)
+      - traefik.docker.network=traefik-public
+      # Define the port inside of the Docker service to use
+      - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
+      # Make Traefik use this domain (from an environment variable) in HTTP
+      - traefik.http.routers.traefik-dashboard-http.entrypoints=http
+      - traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.${DOMAIN?Variable not set}`)
+      # traefik-https the actual router using HTTPS
+      - traefik.http.routers.traefik-dashboard-https.entrypoints=https
+      - traefik.http.routers.traefik-dashboard-https.rule=Host(`traefik.${DOMAIN?Variable not set}`)
+      - traefik.http.routers.traefik-dashboard-https.tls=true
+      # Use the "le" (Let's Encrypt) resolver created below
+      - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
+      # Use the special Traefik service api@internal with the web UI/Dashboard
+      - traefik.http.routers.traefik-dashboard-https.service=api@internal
+      # https-redirect middleware to redirect HTTP to HTTPS
+      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
+      # traefik-http set up only to use the middleware to redirect to https
+      - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
+      # admin-auth middleware with HTTP Basic auth
+      # Using the environment variables USERNAME and HASHED_PASSWORD
+      - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
+      # Enable HTTP Basic auth, using the middleware created above
+      - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth
+    volumes:
+      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      # Mount the volume to store the certificates
+      - traefik-public-certificates:/certificates
+    command:
+      # Enable Docker in Traefik, so that it reads labels from Docker services
+      - --providers.docker
+      # Do not expose all Docker services, only the ones explicitly exposed
+      - --providers.docker.exposedbydefault=false
+      # Create an entrypoint "http" listening on port 80
+      - --entrypoints.http.address=:80
+      # Create an entrypoint "https" listening on port 443
+      - --entrypoints.https.address=:443
+      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
+      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
+      # Store the Let's Encrypt certificates in the mounted volume
+      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
+      # Use the TLS Challenge for Let's Encrypt
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      # Enable the access log, with HTTP requests
+      - --accesslog
+      # Enable the Traefik log, for configurations and errors
+      - --log
+      # Enable the Dashboard and API
+      - --api
+    networks:
+      # Use the public network created to be shared between Traefik and
+      # any other service that needs to be publicly available with HTTPS
+      - traefik-public
+
+volumes:
+  # Create a volume to store the certificates, even if the container is recreated
+  traefik-public-certificates:
+
+networks:
+  # Use the previously created public network "traefik-public", shared with other
+  # services that need to be publicly available via this Traefik
+  traefik-public:
+    external: true

docker-compose.yml

@@ -1,67 +1,5 @@
 version: "3.3"
 services:
-
-  proxy:
-    image: traefik:v2.3
-    networks:
-      - ${TRAEFIK_PUBLIC_NETWORK?Variable not set}
-      - default
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    command:
-      # Enable Docker in Traefik, so that it reads labels from Docker services
-      - --providers.docker
-      # Add a constraint to only use services with the label for this stack
-      # from the env var TRAEFIK_TAG
-      - --providers.docker.constraints=Label(`traefik.constraint-label-stack`, `${TRAEFIK_TAG?Variable not set}`)
-      # Do not expose all Docker services, only the ones explicitly exposed
-      - --providers.docker.exposedbydefault=false
-      # Enable the access log, with HTTP requests
-      - --accesslog
-      # Enable the Traefik log, for configurations and errors
-      - --log
-      # Enable the Dashboard and API
-      - --api
-    labels:
-      # Enable Traefik for this service, to make it available in the public network
-      - traefik.enable=true
-      # Use the traefik-public network (declared below)
-      - traefik.docker.network=${TRAEFIK_PUBLIC_NETWORK?Variable not set}
-      # Use the custom label "traefik.constraint-label=traefik-public"
-      # This public Traefik will only use services with this label
-      - traefik.constraint-label=${TRAEFIK_PUBLIC_TAG?Variable not set}
-      # traefik-http set up only to use the middleware to redirect to https
-      - traefik.http.middlewares.${STACK_NAME?Variable not set}-https-redirect.redirectscheme.scheme=https
-      - traefik.http.middlewares.${STACK_NAME?Variable not set}-https-redirect.redirectscheme.permanent=true
-      # Handle host with and without "www" to redirect to only one of them
-      # Uses environment variable DOMAIN
-      # To disable www redirection remove the Host() you want to discard, here and
-      # below for HTTPS
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-http.rule=Host(`${DOMAIN?Variable not set}`) || Host(`www.${DOMAIN?Variable not set}`)
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-http.entrypoints=http
-      # traefik-https the actual router using HTTPS
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.rule=Host(`${DOMAIN?Variable not set}`) || Host(`www.${DOMAIN?Variable not set}`)
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.entrypoints=https
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.tls=true
-      # Use the "le" (Let's Encrypt) resolver created below
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.tls.certresolver=le
-      # Define the port inside of the Docker service to use
-      - traefik.http.services.${STACK_NAME?Variable not set}-proxy.loadbalancer.server.port=80
-      # Handle domain with and without "www" to redirect to only one
-      # To disable www redirection remove the next line
-      - traefik.http.middlewares.${STACK_NAME?Variable not set}-www-redirect.redirectregex.regex=^https?://(www.)?(${DOMAIN?Variable not set})/(.*)
-      # Redirect a domain with www to non-www
-      # To disable it remove the next line
-      - traefik.http.middlewares.${STACK_NAME?Variable not set}-www-redirect.redirectregex.replacement=https://${DOMAIN?Variable not set}/$${3}
-      # Redirect a domain without www to www
-      # To enable it remove the previous line and uncomment the next
-      # - traefik.http.middlewares.${STACK_NAME}-www-redirect.redirectregex.replacement=https://www.${DOMAIN}/$${3}
-      # Middleware to redirect www, to disable it remove the next line
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.middlewares=${STACK_NAME?Variable not set}-www-redirect
-      # Middleware to redirect www, and redirect HTTP to HTTPS
-      # to disable www redirection remove the section: ${STACK_NAME?Variable not set}-www-redirect,
-      - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-http.middlewares=${STACK_NAME?Variable not set}-www-redirect,${STACK_NAME?Variable not set}-https-redirect
-
   db:
     image: postgres:12
     volumes:
@@ -74,19 +12,19 @@ services:
   pgadmin:
     image: dpage/pgadmin4
     networks:
-      - ${TRAEFIK_PUBLIC_NETWORK?Variable not set}
+      - traefik-public
       - default
     depends_on:
       - db
     env_file:
       - .env
     labels:
       - traefik.enable=true
-      - traefik.docker.network=${TRAEFIK_PUBLIC_NETWORK?Variable not set}
-      - traefik.constraint-label=${TRAEFIK_PUBLIC_TAG?Variable not set}
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
       - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-http.rule=Host(`pgadmin.${DOMAIN?Variable not set}`)
       - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-http.entrypoints=http
-      - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-http.middlewares=${STACK_NAME?Variable not set}-https-redirect
+      - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-http.middlewares=https-redirect
       - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-https.rule=Host(`pgadmin.${DOMAIN?Variable not set}`)
       - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-https.entrypoints=https
       - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-https.tls=true
@@ -103,7 +41,7 @@ services:
   flower:
     image: mher/flower:0.9.7
     networks:
-      - ${TRAEFIK_PUBLIC_NETWORK?Variable not set}
+      - traefik-public
       - default
     env_file:
       - .env
@@ -114,11 +52,11 @@ services:
       # - "--broker_api=http://guest:guest@queue:15672/api//"
     labels:
       - traefik.enable=true
-      - traefik.docker.network=${TRAEFIK_PUBLIC_NETWORK?Variable not set}
-      - traefik.constraint-label=${TRAEFIK_PUBLIC_TAG?Variable not set}
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
       - traefik.http.routers.${STACK_NAME?Variable not set}-flower-http.rule=Host(`flower.${DOMAIN?Variable not set}`)
       - traefik.http.routers.${STACK_NAME?Variable not set}-flower-http.entrypoints=http
-      - traefik.http.routers.${STACK_NAME?Variable not set}-flower-http.middlewares=${STACK_NAME?Variable not set}-https-redirect
+      - traefik.http.routers.${STACK_NAME?Variable not set}-flower-http.middlewares=https-redirect
       - traefik.http.routers.${STACK_NAME?Variable not set}-flower-https.rule=Host(`flower.${DOMAIN?Variable not set}`)
       - traefik.http.routers.${STACK_NAME?Variable not set}-flower-https.entrypoints=https
       - traefik.http.routers.${STACK_NAME?Variable not set}-flower-https.tls=true
@@ -127,6 +65,9 @@ services:
 
   backend:
     image: '${DOCKER_IMAGE_BACKEND?Variable not set}:${TAG-latest}'
+    networks:
+      - traefik-public
+      - default
     depends_on:
       - db
     env_file:
@@ -143,10 +84,21 @@ services:
         INSTALL_DEV: ${INSTALL_DEV-false}
     labels:
       - traefik.enable=true
-      - traefik.constraint-label-stack=${TRAEFIK_TAG?Variable not set}
-      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.rule=PathPrefix(`/api`) || PathPrefix(`/docs`) || PathPrefix(`/redoc`)
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
+
       - traefik.http.services.${STACK_NAME?Variable not set}-backend.loadbalancer.server.port=80
 
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.rule=Host(`${DOMAIN?Variable not set}`, `www.${DOMAIN?Variable not set}`) && PathPrefix(`/api`, `/docs`, `/redoc`)
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.entrypoints=http
+
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.rule=Host(`${DOMAIN?Variable not set}`, `www.${DOMAIN?Variable not set}`) && PathPrefix(`/api`, `/docs`, `/redoc`)
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.entrypoints=https
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.tls=true
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.tls.certresolver=le
+
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-http.middlewares=https-redirect,${STACK_NAME?Variable not set}-www-redirect
+      - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.middlewares=${STACK_NAME?Variable not set}-www-redirect
   celeryworker:
     image: '${DOCKER_IMAGE_CELERYWORKER?Variable not set}:${TAG-latest}'
     depends_on:
@@ -166,18 +118,47 @@ services:
 
   frontend:
     image: '${DOCKER_IMAGE_FRONTEND?Variable not set}:${TAG-latest}'
+    networks:
+      - traefik-public
+      - default
     build:
       context: ./frontend
-      labels:
-        - traefik.enable=true
-        - traefik.constraint-label-stack=${TRAEFIK_TAG?Variable not set}
-        - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.rule=PathPrefix(`/`)
-        - traefik.http.services.${STACK_NAME?Variable not set}-frontend.loadbalancer.server.port=80
+      args:
+        - VITE_API_URL=https://${DOMAIN?Variable not set}
+        - NODE_ENV=production
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
+
+      - traefik.http.services.${STACK_NAME?Variable not set}-frontend.loadbalancer.server.port=80
+
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.rule=Host(`${DOMAIN?Variable not set}`, `www.${DOMAIN?Variable not set}`)
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.entrypoints=http
+
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.rule=Host(`${DOMAIN?Variable not set}`, `www.${DOMAIN?Variable not set}`)
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.entrypoints=https
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls=true
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls.certresolver=le
 
+      # Handle domain with and without "www" to redirect to only one
+      # To disable www redirection remove the next line
+      - traefik.http.middlewares.${STACK_NAME?Variable not set}-www-redirect.redirectregex.regex=^http(s)?://www.(${DOMAIN?Variable not set})/(.*)
+      # Redirect a domain with www to non-www
+      # To disable it remove the next line
+      - traefik.http.middlewares.${STACK_NAME?Variable not set}-www-redirect.redirectregex.replacement=http$${1}://${DOMAIN?Variable not set}/$${3}
+      # Redirect a domain without www to www
+      # To enable it remove the previous line and uncomment the next
+      # - traefik.http.middlewares.${STACK_NAME}-www-redirect.redirectregex.replacement=https://www.${DOMAIN}/$${3}
+      # Middleware to redirect www, to disable it remove the next line
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.middlewares=${STACK_NAME?Variable not set}-www-redirect
+      # Middleware to redirect www, and redirect HTTP to HTTPS
+      # to disable www redirection remove the section: ${STACK_NAME?Variable not set}-www-redirect,
+      - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-http.middlewares=https-redirect,${STACK_NAME?Variable not set}-www-redirect
 volumes:
   app-db-data:
 
 networks:
   traefik-public:
     # Allow setting it to false for testing
-    external: ${TRAEFIK_PUBLIC_NETWORK_IS_EXTERNAL-true}
+    external: true

frontend/Dockerfile

@@ -9,6 +9,8 @@ RUN npm install
 
 COPY ./ /app/
 
+ARG VITE_API_URL=${VITE_API_URL}
+
 RUN npm run build
 
 

scripts/deploy.sh

@@ -4,7 +4,6 @@
 set -e
 
 DOMAIN=${DOMAIN?Variable not set} \
-TRAEFIK_TAG=${TRAEFIK_TAG?Variable not set} \
 STACK_NAME=${STACK_NAME?Variable not set} \
 TAG=${TAG?Variable not set} \
 docker-compose \