EspoCRM with docker compose: switch from http to https and add SSL certificates

services:

  traefik:
    image: traefik:v3.4.1
    environment:
      - TZ
      - CF_API_EMAIL
      - CF_DNS_API_TOKEN
    command:
      - "--providers.docker"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.file.directory=/dynamic"
      - "--api=true"
      - "--api.dashboard=true"
      - "--ping"
      - "--accesslog=true"
      - "--log.level=INFO"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=$LETSENCRYPT_EMAIL"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=$DNS_PROVIDER"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/dynamic:ro
      - traefik:/letsencrypt
    ports:
      - "80:80"
      - "443:443"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      timeout: 30s
      interval: 30s
      retries: 5
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.rule=Host(`$DOMAIN`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.middlewares=secure-headers@file,dash-auth@file"

  db:
    image: postgres:18.0-alpine3.22
    security_opt:
      - no-new-privileges:true
    volumes:
      - postgres:/var/lib/postgresql/data:rw
      - ./db/01-init.sh:/docker-entrypoint-initdb.d/01-init.sh:r
    environment:
      - TZ
      - PGTZ
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - ESPOCRM_DATABASE_USER
      - ESPOCRM_DATABASE_PASSWORD
      - ESPOCRM_DATABASE_NAME
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -q -d $${POSTGRES_DB} -u $${POSTGRES_USER}"]
      interval: 1m30s
      timeout: 30s
      retries: 5
      start_period: 30s

  espo:
    image: espocrm/espocrm:9.1.5-apache
    volumes:
      - espo:/var/www/html
      - ./espo/custom:/var/www/html/custom
      - ./espo/application:/var/www/html/application
      - ./espo/install:/var/www/html/application/install
    environment:
      - TZ
      - ESPOCRM_TIME_ZONE
      - ESPOCRM_WEEK_START
      - ESPOCRM_DATABASE_PLATFORM
      - ESPOCRM_DATABASE_HOST
      - ESPOCRM_DATABASE_USER
      - ESPOCRM_DATABASE_PASSWORD
      - ESPOCRM_DATABASE_NAME
      - ESPOCRM_ADMIN_USERNAME
      - ESPOCRM_ADMIN_PASSWORD
      - ESPOCRM_SITE_URL
      - ESPOCRM_CONFIG_CRYPT_KEY
      - ESPOCRM_CONFIG_LOGGER_LEVEL
      - ESPOCRM_CONFIG_LOGGER_DATABASE_HANDLER
    depends_on:
      - traefik
      - db
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.espo.loadbalancer.server.port=80"
      - "traefik.http.routers.espo.rule=Host(`$DOMAIN`)"
      - "traefik.http.routers.espo.tls=true"
      - "traefik.http.routers.espo.tls.domains[0].main=$DOMAIN"
      - "traefik.http.routers.espo.tls.certresolver=letsencrypt"
      - "traefik.http.routers.espo.middlewares=secure-headers@file"