From 479fc3f62cdf4f94b53f6feb0096c5d5642b1257 Mon Sep 17 00:00:00 2001
From: primal <primal@primal.host>
Date: Mon, 2 Feb 2026 16:19:51 -0500
Subject: [PATCH] Move Traefik routing to file-based config

Extract routing rules from docker-compose labels to traefik.yml.
Traefik now loads this file via volume mount.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 docker-compose.yml | 35 ++----------------------
 traefik.yml        | 67 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 33 deletions(-)
 create mode 100644 traefik.yml

diff --git a/docker-compose.yml b/docker-compose.yml
index ca03180..7c07b23 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
   pds-1440-news:
-    image: ghcr.io/bluesky-social/pds:0.4
-    container_name: pds-1440-news
+    image: ghcr.io/bluesky-social/pds:0.4.204
+    container_name: atproto-1440news-pds
     restart: unless-stopped
     volumes:
       - ./data:/pds
@@ -9,37 +9,6 @@ services:
       - pds.env
     networks:
       - proxy
-    labels:
-      - "traefik.enable=true"
-      # PDS API endpoint: pds.1440.news and 1440.news (alias)
-      - "traefik.http.routers.pds-1440-news.rule=Host(`pds.1440.news`) || Host(`1440.news`)"
-      - "traefik.http.routers.pds-1440-news.entrypoints=https"
-      - "traefik.http.routers.pds-1440-news.tls.certresolver=letsencrypt-dns"
-      - "traefik.http.routers.pds-1440-news.priority=10"
-      # Wildcard for account handles: *.1440.news (requires DNS challenge)
-      - "traefik.http.routers.pds-1440-news-handles.rule=HostRegexp(`^.+\\.1440\\.news$$`)"
-      - "traefik.http.routers.pds-1440-news-handles.entrypoints=https"
-      - "traefik.http.routers.pds-1440-news-handles.tls.certresolver=letsencrypt-dns"
-      - "traefik.http.routers.pds-1440-news-handles.tls.domains[0].main=1440.news"
-      - "traefik.http.routers.pds-1440-news-handles.tls.domains[0].sans=*.1440.news"
-      - "traefik.http.routers.pds-1440-news-handles.priority=1"
-      # HTTP to HTTPS redirect
-      - "traefik.http.routers.pds-1440-news-redirect.rule=Host(`pds.1440.news`) || Host(`1440.news`)"
-      - "traefik.http.routers.pds-1440-news-redirect.entrypoints=http"
-      - "traefik.http.routers.pds-1440-news-redirect.middlewares=https-redirect"
-      - "traefik.http.routers.pds-1440-news-handles-redirect.rule=HostRegexp(`^.+\\.1440\\.news$$`)"
-      - "traefik.http.routers.pds-1440-news-handles-redirect.entrypoints=http"
-      - "traefik.http.routers.pds-1440-news-handles-redirect.middlewares=https-redirect"
-      - "traefik.http.routers.pds-1440-news-handles-redirect.priority=1"
-      # Shared middleware
-      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
-      # Service port
-      - "traefik.http.services.pds-1440-news.loadbalancer.server.port=3000"
-      # Local development
-      - "traefik.http.routers.pds-1440-news-local.rule=Host(`pds.1440.localhost`) || Host(`1440.localhost`)"
-      - "traefik.http.routers.pds-1440-news-local.entrypoints=http"
-      - "traefik.http.routers.pds-1440-news-local.priority=10"
 
 networks:
   proxy:
diff --git a/traefik.yml b/traefik.yml
new file mode 100644
index 0000000..8c79967
--- /dev/null
+++ b/traefik.yml
@@ -0,0 +1,67 @@
+# Traefik routing for PDS (1440.news)
+http:
+  routers:
+    # PDS API: pds.1440.news
+    pds-1440-news:
+      rule: "Host(`pds.1440.news`)"
+      entryPoints: [https]
+      tls:
+        certResolver: letsencrypt-dns
+      service: pds-1440-news
+      priority: 10
+
+    # PDS API: 1440.news (only /xrpc and /.well-known)
+    pds-1440-news-api:
+      rule: "Host(`1440.news`) && (PathPrefix(`/xrpc`) || PathPrefix(`/.well-known`))"
+      entryPoints: [https]
+      tls:
+        certResolver: letsencrypt-dns
+      service: pds-1440-news
+      priority: 20
+
+    # Wildcard handles: *.1440.news
+    pds-1440-news-handles:
+      rule: "HostRegexp(`^.+\\.1440\\.news$$`)"
+      entryPoints: [https]
+      tls:
+        certResolver: letsencrypt-dns
+        domains:
+          - main: "1440.news"
+            sans:
+              - "*.1440.news"
+      service: pds-1440-news
+      priority: 1
+
+    # HTTP redirects
+    pds-1440-news-redirect:
+      rule: "Host(`pds.1440.news`)"
+      entryPoints: [http]
+      middlewares: [https-redirect]
+      service: pds-1440-news
+
+    pds-1440-news-api-redirect:
+      rule: "Host(`1440.news`) && (PathPrefix(`/xrpc`) || PathPrefix(`/.well-known`))"
+      entryPoints: [http]
+      middlewares: [https-redirect]
+      service: pds-1440-news
+      priority: 20
+
+    pds-1440-news-handles-redirect:
+      rule: "HostRegexp(`^.+\\.1440\\.news$$`)"
+      entryPoints: [http]
+      middlewares: [https-redirect]
+      service: pds-1440-news
+      priority: 1
+
+    # Local development
+    pds-1440-news-local:
+      rule: "Host(`pds.1440.localhost`) || Host(`1440.localhost`)"
+      entryPoints: [http]
+      service: pds-1440-news
+      priority: 10
+
+  services:
+    pds-1440-news:
+      loadBalancer:
+        servers:
+          - url: "http://atproto-1440news-pds:3000"