This repo is an example of using Docker Swarm with Traefik reverse proxy and automated deployment to DigitalOcean

• Infrastructure:
  • Docker compose for local development
  • Docker Swarm with Secrets as production development
  • Traefik reverse proxy with Let's Encrypt certificates and HTTPS in production
  • Github Actions testing and deployment worflows
  • DigitalOcean nodes creation and manual deployment scripts
• Services
  • Minimal Nodejs Express api service with session auth and VSCode debugger
  • Redis (here only as session store)
  • PostgreSQL database with custom initialization scripts and pgadmin
  • React with Nextjs and TypeScript for the frontend. Uses ChakraUI

Requires Docker

• Clone the repo

  git clone https://github.com/thinktwice13/swarm-traefik-digitalocean.git
  

• Install dependencies:

  cd api && npm i && cd ../web && npm i
  

• Run with docker compose from project root

  docker-compose up
  

• Open the app on localhost. Api available on localhost/api;
• Run api and webclient tests from /apiand/websubdirectories withnpm run test`. Will run Jest in --watch mode;

Requires:

• Docker
• Doctl
• SSH Keys added to DigitalOcean account

• Create the droplets maually or edit do-config.shand run do-bootstrap.sh script (Droplets will be created in the Default DigitalOcean project in DO console);

• Get manager droplet public IP in DO console or with:

  doctl compute droplet ls
  

• SSH into each droplet and adjust ports used by Docker:

    ssh root@$DROPLET_PUBLIC_IP
  
  # Docker now uses an additional port, 2377, for managing the Swarm. The port should be blocked from public access and only accessed by trusted users and nodes. We recommend using VPNs or private networks to secure access
  
  ufw allow 2376/tcp
  ufw allow 2377/tcp
  ufw allow 7946/tcp
  ufw allow 7946/udp
  ufw allow 4789/udp
  # sudo ufw allow 22/tcp # Rate limiting by default on port 22
  ufw reload
  

• Enable Docker on startup:

  sudo systemctl enable docker.service
  sudo systemctl enable containerd.service
  

You can do this section by sshing into the droplet or creating a new Docker Context on your machine.

• Initilize Docker Swarm

  docker swarm init --advertise-addr $MANAGER_DROPLET_PRIVATE_IP
  

• Create the overlay network

  docker network create -d overlay web-public
  

• If more than one node created, join the worker nodes to the manager

  TODO
  

Docker CLI looks for DOCKER_HOST variable. If not set, it uses unix:///var/run/docker.sock. For remote host set and unset DOCKER_HOST or use Docker Context

• Setup Swarm Secrets (Only pg_password and cookie_secret used in this example stack);
• For deployment, use docker stack deploy $APP_NAME -c docker-compose.yaml or use do-deploy.sh script;
• For single service updates, use `docker service update --force $SERVICE_NAME (or $SERVICE_ID)

• Set Github Secrets

  # Docker credentials to push updated images
  DOCKER_USERNAME
  DOCKER_PASSWORD
  
  # DigitalOcean manager droplet user and host (public ip or domain) for ssh
  DO_HOST
  DO_USER (root)
  
  # SSH private key used for the ssh connection
  DO_SSH_PRIVATE
  

If you get Permission denied (publickey) error while trying to ssh into a node:

• Check the ssh key used to create the nodes. To use custom ssh key name on ssh root@$NODE_IP: ssh -i $PATH_TO_KEY=~/.ssh/<KEY_NAME>
• Or try this solution from DigitalOcean.com