BabyBuddy/docker-compose.yml

version: "3.8"

services:
  babybuddy:
    image: lscr.io/linuxserver/babybuddy:latest
    container_name: babybuddy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Ljubljana
      # generate once: openssl rand -base64 48
      - SECRET_KEY=CHANGE_ME_LONG_RANDOM
      # domain settings for Django
      - ALLOWED_HOSTS=baby.rozic-dev.com
      - CSRF_TRUSTED_ORIGINS=https://baby.rozic-dev.com
      # >>> make Django treat proxied requests as HTTPS
      - USE_X_FORWARDED_HOST=true
      - SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
      - SECURE_SSL_REDIRECT=true
      - SESSION_COOKIE_SECURE=true
      - CSRF_COOKIE_SECURE=true

    volumes:
      - ./config:/config
    restart: unless-stopped

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"

      # --- HTTPS router ---
      - "traefik.http.routers.babybuddy-https.rule=Host(`baby.rozic-dev.com`)"
      - "traefik.http.routers.babybuddy-https.entrypoints=websecure"
      - "traefik.http.routers.babybuddy-https.tls=true"
      - "traefik.http.routers.babybuddy-https.tls.certresolver=letsencrypt"
      - "traefik.http.routers.babybuddy-https.service=babybuddy"
      - "traefik.http.services.babybuddy.loadbalancer.server.port=8000"

      # --- HTTP -> HTTPS redirect ---
      - "traefik.http.routers.babybuddy-http.rule=Host(`baby.rozic-dev.com`)"
      - "traefik.http.routers.babybuddy-http.entrypoints=web"
      - "traefik.http.routers.babybuddy-http.middlewares=babybuddy-redirect"
      - "traefik.http.middlewares.babybuddy-redirect.redirectscheme.scheme=https"

      # --- Optional compression/headers ---
      - "traefik.http.middlewares.babybuddy-compress.compress=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.browserXssFilter=true"
      - "traefik.http.routers.babybuddy-https.middlewares=babybuddy-compress,babybuddy-headers"


    # Security headers + HSTS
      - "traefik.http.middlewares.babybuddy-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.babybuddy-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.browserXssFilter=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.referrerPolicy=no-referrer-when-downgrade"
      - "traefik.http.routers.babybuddy-https.middlewares=babybuddy-compress,babybuddy-headers"
    networks:
      - traefik

networks:
  traefik:
    external: true
    name: traefik_default
first commit 2025-11-24 17:06:27 +00:00			`version: "3.8"`

			`services:`
			`babybuddy:`
			`image: lscr.io/linuxserver/babybuddy:latest`
			`container_name: babybuddy`
			`environment:`
			`- PUID=1000`
			`- PGID=1000`
			`- TZ=Europe/Ljubljana`
			`# generate once: openssl rand -base64 48`
			`- SECRET_KEY=CHANGE_ME_LONG_RANDOM`
			`# domain settings for Django`
			`- ALLOWED_HOSTS=baby.rozic-dev.com`
			`- CSRF_TRUSTED_ORIGINS=https://baby.rozic-dev.com`
			`# >>> make Django treat proxied requests as HTTPS`
			`- USE_X_FORWARDED_HOST=true`
			`- SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https`
			`- SECURE_SSL_REDIRECT=true`
			`- SESSION_COOKIE_SECURE=true`
			`- CSRF_COOKIE_SECURE=true`

			`volumes:`
			`- ./config:/config`
			`restart: unless-stopped`

			`labels:`
			`- "traefik.enable=true"`
			`- "traefik.docker.network=traefik_default"`

			`# --- HTTPS router ---`
			- "traefik.http.routers.babybuddy-https.rule=Host(`baby.rozic-dev.com`)"
			`- "traefik.http.routers.babybuddy-https.entrypoints=websecure"`
			`- "traefik.http.routers.babybuddy-https.tls=true"`
			`- "traefik.http.routers.babybuddy-https.tls.certresolver=letsencrypt"`
			`- "traefik.http.routers.babybuddy-https.service=babybuddy"`
			`- "traefik.http.services.babybuddy.loadbalancer.server.port=8000"`

			`# --- HTTP -> HTTPS redirect ---`
			- "traefik.http.routers.babybuddy-http.rule=Host(`baby.rozic-dev.com`)"
			`- "traefik.http.routers.babybuddy-http.entrypoints=web"`
			`- "traefik.http.routers.babybuddy-http.middlewares=babybuddy-redirect"`
			`- "traefik.http.middlewares.babybuddy-redirect.redirectscheme.scheme=https"`

			`# --- Optional compression/headers ---`
			`- "traefik.http.middlewares.babybuddy-compress.compress=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.contentTypeNosniff=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.browserXssFilter=true"`
			`- "traefik.http.routers.babybuddy-https.middlewares=babybuddy-compress,babybuddy-headers"`


			`# Security headers + HSTS`
			`- "traefik.http.middlewares.babybuddy-headers.headers.stsSeconds=31536000"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.stsIncludeSubdomains=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.stsPreload=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.contentTypeNosniff=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.browserXssFilter=true"`
			`- "traefik.http.middlewares.babybuddy-headers.headers.referrerPolicy=no-referrer-when-downgrade"`
			`- "traefik.http.routers.babybuddy-https.middlewares=babybuddy-compress,babybuddy-headers"`
			`networks:`
			`- traefik`

			`networks:`
			`traefik:`
			`external: true`
			`name: traefik_default`