From f647e1327b7c8a962e42bcb813b39312bc7045d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sun, 9 Nov 2025 04:07:44 +0100
Subject: [PATCH] feat: expose asciinema admin interface via Traefik
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added admin interface routing at admin.asciinema.pivoine.art:
- Port 4002 exposed via Traefik
- HTTP Basic Auth protection using AUTH_USERS
- HTTPS with Let's Encrypt certificate
- Security headers and compression middleware

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 asciinema/compose.yaml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/asciinema/compose.yaml b/asciinema/compose.yaml
index 4ebda61..1d21086 100644
--- a/asciinema/compose.yaml
+++ b/asciinema/compose.yaml
@@ -24,19 +24,31 @@ services:
       SIGN_UP_DISABLED: ${ASCIINEMA_SIGN_UP_DISABLED:-false}
     labels:
       - 'traefik.enable=${ASCIINEMA_TRAEFIK_ENABLED}'
-      # HTTP to HTTPS redirect
+      # Main web interface - HTTP to HTTPS redirect
       - 'traefik.http.middlewares.${ASCIINEMA_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web.middlewares=${ASCIINEMA_COMPOSE_PROJECT_NAME}-redirect-web-secure'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web.rule=Host(`${ASCIINEMA_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
-      # HTTPS router
+      # Main web interface - HTTPS router
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${ASCIINEMA_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
       - 'traefik.http.middlewares.${ASCIINEMA_COMPOSE_PROJECT_NAME}-compress.compress=true'
       - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${ASCIINEMA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
-      # Service
       - 'traefik.http.services.${ASCIINEMA_COMPOSE_PROJECT_NAME}.loadbalancer.server.port=4000'
+      # Admin interface - HTTP to HTTPS redirect
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web.middlewares=${ASCIINEMA_COMPOSE_PROJECT_NAME}-redirect-web-secure'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web.rule=Host(`admin.${ASCIINEMA_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web.entrypoints=web'
+      # Admin interface - HTTPS router with Basic Auth
+      - 'traefik.http.middlewares.${ASCIINEMA_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web-secure.rule=Host(`admin.${ASCIINEMA_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web-secure.entrypoints=web-secure'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web-secure.middlewares=${ASCIINEMA_COMPOSE_PROJECT_NAME}-auth,${ASCIINEMA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
+      - 'traefik.http.routers.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin-web-secure.service=${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin'
+      - 'traefik.http.services.${ASCIINEMA_COMPOSE_PROJECT_NAME}-admin.loadbalancer.server.port=4002'
+      # Network
       - 'traefik.docker.network=${NETWORK_NAME}'
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'