refactor: convert labels and environment to YAML mapping format

stack.production.yml

@@ -21,20 +21,31 @@ services:
     networks:
       - traefik
     environment:
-      - N8N_HOST=${N8N_HOST:-n8n.nixc.us}
+      N8N_HOST: ${N8N_HOST:-n8n.nixc.us}
-      - N8N_PORT=5678
+      N8N_PORT: 5678
-      - N8N_PROTOCOL=${N8N_PROTOCOL:-https}
+      N8N_PROTOCOL: ${N8N_PROTOCOL:-https}
-      - NODE_ENV=production
+      NODE_ENV: production
     volumes:
       - n8n_data:/home/node/.n8n
     labels:
-      - traefik.enable=true
+      traefik.enable: true
-      - traefik.http.routers.production_n8n.rule=Host(n8n.nixc.us)
+      traefik.http.routers.production_n8n.rule: Host(`n8n.nixc.us`)
-      - traefik.http.routers.production_n8n.entrypoints=websecure
+      traefik.http.routers.production_n8n.entrypoints: websecure
-      - traefik.http.routers.production_n8n.tls=true
+      traefik.http.routers.production_n8n.tls: true
-      - traefik.http.routers.production_n8n.tls.certresolver=letsencryptresolver
+      traefik.http.routers.production_n8n.tls.certresolver: letsencryptresolver
-      - traefik.http.services.production_n8n.loadbalancer.server.port=5678
+      traefik.http.services.production_n8n.loadbalancer.server.port: 5678
-      - traefik.http.routers.production_n8n.middlewares=secure-headers
+      traefik.http.routers.production_n8n.middlewares: secure-headers
+      traefik.docker.network: traefik
+      # Security headers middleware
+      traefik.http.middlewares.secure-headers.headers.stsSeconds: 63072000
+      traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: true
+      traefik.http.middlewares.secure-headers.headers.stsPreload: true
+      traefik.http.middlewares.secure-headers.headers.forceSTSHeader: true
+      traefik.http.middlewares.secure-headers.headers.frameDeny: true
+      traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: true
+      traefik.http.middlewares.secure-headers.headers.browserXssFilter: true
+      traefik.http.middlewares.secure-headers.headers.referrerPolicy: no-referrer
+      traefik.http.middlewares.secure-headers.headers.featurePolicy: camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'
 
 volumes:
   n8n_data:

stack.staging.yml

@@ -22,15 +22,15 @@ services:
     networks:
       - traefik
     labels:
-      - traefik.enable=true
+      traefik.enable: true
-      - traefik.http.routers.staging_template.rule=Host(`staging.template.nixc.us`)
+      traefik.http.routers.staging_template.rule: Host(`staging.template.nixc.us`)
-      - traefik.http.routers.staging_template.entrypoints=websecure
+      traefik.http.routers.staging_template.entrypoints: websecure
-      - traefik.http.routers.staging_template.tls=true
+      traefik.http.routers.staging_template.tls: true
-      - traefik.http.routers.staging_template.tls.certresolver=letsencryptresolver
+      traefik.http.routers.staging_template.tls.certresolver: letsencryptresolver
-      - traefik.http.services.staging_template.loadbalancer.server.port=3000
+      traefik.http.services.staging_template.loadbalancer.server.port: 3000
-      # - traefik.http.services.staging_template.loadbalancer.healthcheck.path=/health
+      # traefik.http.services.staging_template.loadbalancer.healthcheck.path: /health
-      # - traefik.http.services.staging_template.loadbalancer.healthcheck.interval=30s
+      # traefik.http.services.staging_template.loadbalancer.healthcheck.interval: 30s
-      # - traefik.http.services.staging_template.loadbalancer.healthcheck.timeout=5s
+      # traefik.http.services.staging_template.loadbalancer.healthcheck.timeout: 5s
 
   n8n:
     image: git.nixc.us/colin/n8n:staging
@@ -49,11 +49,33 @@ services:
         order: stop-first
     networks:
       - traefik
+    environment:
+      N8N_HOST: ${N8N_HOST:-staging-n8n.nixc.us}
+      N8N_PORT: 5678
+      N8N_PROTOCOL: ${N8N_PROTOCOL:-https}
+      NODE_ENV: production
+    volumes:
+      - n8n_data:/home/node/.n8n
     labels:
-      - traefik.enable=true
+      traefik.enable: true
-      - traefik.http.routers.staging_n8n.rule=Host(`staging-n8n.nixc.us`)
+      traefik.http.routers.staging_n8n.rule: Host(`staging-n8n.nixc.us`)
-      - traefik.http.routers.staging_n8n.entrypoints=websecure
+      traefik.http.routers.staging_n8n.entrypoints: websecure
-      - traefik.http.routers.staging_n8n.tls=true
+      traefik.http.routers.staging_n8n.tls: true
-      - traefik.http.routers.staging_n8n.tls.certresolver=letsencryptresolver
+      traefik.http.routers.staging_n8n.tls.certresolver: letsencryptresolver
-      - traefik.http.services.staging_n8n.loadbalancer.server.port=5678
+      traefik.http.services.staging_n8n.loadbalancer.server.port: 5678
-      - traefik.http.routers.staging_n8n.middlewares=secure-headers
+      traefik.http.routers.staging_n8n.middlewares: secure-headers
+      traefik.docker.network: traefik
+      # Security headers middleware
+      traefik.http.middlewares.secure-headers.headers.stsSeconds: 63072000
+      traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: true
+      traefik.http.middlewares.secure-headers.headers.stsPreload: true
+      traefik.http.middlewares.secure-headers.headers.forceSTSHeader: true
+      traefik.http.middlewares.secure-headers.headers.frameDeny: true
+      traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: true
+      traefik.http.middlewares.secure-headers.headers.browserXssFilter: true
+      traefik.http.middlewares.secure-headers.headers.referrerPolicy: no-referrer
+      traefik.http.middlewares.secure-headers.headers.featurePolicy: camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'
+
+volumes:
+  n8n_data:
+    driver: local