From 32e7e54f4ec33e8bb11978a2f8a597832dc7cf53 Mon Sep 17 00:00:00 2001
From: Hendrik
Date: Fri, 17 Apr 2026 16:05:06 +0200
Subject: [PATCH] feat(infra): add Traefik labels and network topology for homelab ingress
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- kochwas service gets Traefik v2 labels matching the project's conventions: websecure entrypoint, cloudflareResolver, Host(`kochwas.siegeln.net`).
- Service port 3000 exposed to Traefik only; the external port binding is gone.
- Dual network: external 'proxy' (for Traefik ingress) and internal 'internal' (for kochwas ↔ searxng). traefik.docker.network hint is set.
- SearXNG has no Traefik labels — intentionally only reachable from kochwas.

Note: the 'proxy' network name must match the existing external Traefik network (change via 'name:' field if your homelab uses a different one like 'traefik').

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 docker-compose.prod.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 138dc5f..de99186 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -4,8 +4,6 @@ services:
 # Tag-Override per Umgebungsvariable: KOCHWAS_TAG=sha-abcd1234 docker compose pull
 image: gitea.siegeln.net/claude/kochwas:${KOCHWAS_TAG:-latest}
 pull_policy: always
- ports:
- - '3000:3000'
 volumes:
 - ./data:/data
 environment:
@@ -16,8 +14,22 @@ services:
 depends_on:
 - searxng
 restart: unless-stopped
+ networks:
+ - proxy
+ - internal
+ labels:
+ - "traefik.enable=true"
+ # Router for HTTPS traffic
+ - "traefik.http.routers.kochwas.rule=Host(`kochwas.siegeln.net`)"
+ - "traefik.http.routers.kochwas.entrypoints=websecure"
+ - "traefik.http.routers.kochwas.tls.certresolver=cloudflareResolver"
+ # Specify which port Traefik should forward traffic to inside the container
+ - "traefik.http.services.kochwas.loadbalancer.server.port=3000"
+ # Explicitly tell Traefik which network to use (since kochwas is on two networks)
+ - "traefik.docker.network=proxy"
 searxng:
+ # Absichtlich nur intern erreichbar — keine Traefik-Labels, kein externer Port.
 image: searxng/searxng:latest
 volumes:
 - ./searxng:/etc/searxng
@@ -25,3 +37,13 @@ services:
 - BASE_URL=http://searxng:8080/
 - INSTANCE_NAME=kochwas-search
 restart: unless-stopped
+ networks:
+ - internal
+
+networks:
+ proxy:
+ # Muss dem Namen des externen Traefik-Netzwerks entsprechen (ggf. in `name:` ändern).
+ external: true
+ internal:
+ # Eigenes internes Netz für kochwas ↔ searxng. Wird von Compose automatisch angelegt.
+ driver: bridge
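Review bot: The `kochwas` router is attached to `websecure` with no `middlewares` label, so everything the app serves on port 3000 is reachable at `kochwas.siegeln.net` without proxy-level authentication, security headers or rate limiting; whether the app enforces its own login is not visible here. If the homelab already defines such a middleware, attach it with one more label, e.g. `- "traefik.http.routers.kochwas.middlewares=<existing-middleware>@file"` (placeholder name and provider), or add a comment stating that the app is meant to be public. Also, `traefik.docker.network` takes the real Docker network name, so it has to be changed together with `name:` on the `proxy` network if that is ever set. The `kochwas` service definition starts above this hunk.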
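Review bot: The `internal` network is declared with only `driver: bridge`, so despite its name it is an ordinary bridge with outbound connectivity, not an isolated network in the sense of Compose's `internal: true`. That is presumably intended, since SearXNG has to reach upstream search engines, but the comment should say so, so that nobody relies on egress isolation that is not there: `# Normal bridge (not internal: true): searxng needs outbound access; "internal" only means no published ports and no Traefik labels.` The protection for `searxng` therefore rests on it staying off the `proxy` network and having no `ports:` entry, which is worth keeping in mind for later edits.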