Route OHM domains and subdomain through Cloudflare tunnel

.github/workflows/chartpress.yaml

@@ -4,6 +4,7 @@ on:
     branches:
       - 'main'
       - 'staging'
+      - 'disable_alb'
 jobs:
   build:
     runs-on: ubuntu-22.04
@@ -45,7 +46,7 @@ jobs:
           DEVELOPMENT_DB_EBS: ${{ secrets.STAGING_DB_EBS }}
           DEVELOPMENT_DB_PASSWORD: ${{ secrets.STAGING_DB_PASSWORD }}
           DEVELOPMENT_DB_USER: ${{ secrets.STAGING_DB_USER }}
-          DEVELOPMENT_DOMAIN_NAME: staging.openhistoricalmap.org
+          DEVELOPMENT_DOMAIN_NAME: ohmstaging.org
           DEVELOPMENT_ID_KEY: ${{ secrets.STAGING_ID_KEY }}
           DEVELOPMENT_ID_APPLICATION: ${{ secrets.STAGING_ID_APPLICATION }}
           DEVELOPMENT_OAUTH_CLIENT_ID: ${{ secrets.STAGING_OAUTH_CLIENT_ID }}
@@ -70,7 +71,7 @@ jobs:
           OHM_SLACK_WEBHOOK_URL: ${{ secrets.OHM_SLACK_WEBHOOK_URL }}
       ################ Staging secrets ################ 
       - name: Staging - substitute secrets
-        if: github.ref == 'refs/heads/staging' 
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         uses: bluwy/substitute-string-action@v1
         with:
           _input-file: 'values.staging.template.yaml'
@@ -87,7 +88,7 @@ jobs:
           STAGING_DB_EBS: ${{ secrets.STAGING_DB_EBS }}
           STAGING_DB_PASSWORD: ${{ secrets.STAGING_DB_PASSWORD }}
           STAGING_DB_USER: ${{ secrets.STAGING_DB_USER }}
-          STAGING_DOMAIN_NAME: staging.openhistoricalmap.org
+          STAGING_DOMAIN_NAME: ohmstaging.org
           STAGING_ID_KEY: ${{ secrets.STAGING_ID_KEY }}
           STAGING_ID_APPLICATION: ${{ secrets.STAGING_ID_APPLICATION }}
           STAGING_OAUTH_CLIENT_ID: ${{ secrets.STAGING_OAUTH_CLIENT_ID }}
@@ -188,14 +189,14 @@ jobs:
           PRODUCTION_OPENSTREETMAP_AUTH_SECRET: ${{ secrets.PRODUCTION_OPENSTREETMAP_AUTH_SECRET }}
 
       - name: AWS Credentials
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' 
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
       - name: Setup Kubectl and Helm Dependencies
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' 
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: |
           sudo pip install awscli --ignore-installed six
           sudo curl -L -o /usr/bin/kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/kubectl
@@ -208,24 +209,23 @@ jobs:
           sudo chmod +x /usr/local/bin/helm
           helm version
 
-      - name: Update kube-config staging 
-        if: github.ref == 'refs/heads/staging' 
+      - name: Update kube-config staging
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         run: aws eks --region us-east-1 update-kubeconfig --name osmseed-staging
       - name: Update kube-config prod
         if: github.ref == 'refs/heads/main'
         run: aws eks --region us-east-1 update-kubeconfig --name osmseed-production-v2
       - name: Add Helm repository
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' 
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: |
           helm repo add osm-seed https://osm-seed.github.io/osm-seed-chart/
           helm repo update
       - name: Install helm dependencies for
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' 
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: cd ohm && helm dep up
       # Staging
       - name: Staging - helm deploy
-        # if: github.ref == 'refs/heads/staging' 
-        if: github.ref == 'refs/heads/staging'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         run: helm upgrade --install staging --wait ohm/ -f values.staging.yaml -f ohm/values.yaml
       # Production
       - name: Production - helm deploy

.gitignore

@@ -29,4 +29,7 @@ images/tiler-server/vtiles_languages.geojson
 !hetzner/*/.*.sample
 
 hetzner/*/.envs.*.production
-.vscode
+.vscode
+hetzner/traefik/cloudflare-ips.txt
+hetzner/traefik/traefik.yml
+.vscode/

hetzner/README.md

@@ -58,3 +58,24 @@ This is important because this is charged to serve the site through the setup IP
 ```sh
 docker compose -f hetzner/services.yml up -d --remove-orphans  --force-recreate
 ```
+
+
+## Deploy all services
+
+1. **Create a `.env` file** in the `hetzner/` directory with:
+
+   - `CLOUDFLARED_TOKEN` – your Cloudflare Tunnel token (see `CLOUDFLARE_TUNNEL_SETUP.md`)
+   - `OHM_DOMAIN` – `openhistoricalmap.net` (staging) or `openhistoricalmap.org` (production)
+   - `TRAEFIK_CONFIG_PATH` – optional; defaults to `./traefik/traefik.yml`
+
+2. **Start routing and core services** (Traefik, Cloudflare Tunnel, node-exporter, cadvisor):
+
+   ```sh
+   docker compose -f hetzner/services.yml up -d --remove-orphans --force-recreate
+   ```
+
+3. **Deploy application services** using the startup script (updates Cloudflare IPs, generates Traefik config, and starts the services defined in the script):
+
+   ```sh
+   ENVIRONMENT=staging ./hetzner/start_all.sh   # or ENVIRONMENT=production
+   ```

hetzner/deploy.sh

@@ -1,33 +1,52 @@
 #!/bin/bash
 set -e
 
-ACTION=$1
-SERVICE=$2
-ENVIRONMENT=${3:-staging}
+# Parse --yes / -y so script can run non-interactively
+AUTO_YES=false
+ARGS=()
+for a in "$@"; do
+    if [[ "$a" == "--yes" || "$a" == "-y" ]]; then
+        AUTO_YES=true
+    else
+        ARGS+=("$a")
+    fi
+done
+
+ACTION=${ARGS[0]}
+SERVICE=${ARGS[1]}
+ENVIRONMENT=${ARGS[2]:-staging}
 
 # Check if first arg is an action (start/stop/restart)
 if [ "$ACTION" = "start" ] || [ "$ACTION" = "stop" ] || [ "$ACTION" = "restart" ]; then
     # First arg is an action, so SERVICE is $2
     if [ -z "$SERVICE" ]; then
-        echo "Usage: $0 start|stop|restart <service> [staging|production]"
+        echo "Usage: $0 [--yes|-y] start|stop|restart <service> [staging|production]"
         echo "Example: $0 start taginfo staging"
         exit 1
     fi
 fi
 
 if [ -z "$SERVICE" ]; then
-    echo "Usage: $0 [start|stop|restart] <service> [staging|production]"
+    echo "Usage: $0 [--yes|-y] [start|stop|restart] <service> [staging|production]"
+    echo "  --yes, -y    Skip confirmation prompts"
     echo "Examples:"
     echo "  $0 taginfo staging          # Start service"
+    echo "  $0 --yes start taginfo production   # Start without prompting"
     echo "  $0 stop taginfo staging     # Stop service"
-    echo "  $0 restart taginfo staging # Restart service"
+    echo "  $0 restart taginfo staging  # Restart service"
     exit 1
 fi
 
 SERVICE_DIR="$(cd "$(dirname "$0")" && pwd)/$SERVICE"
 BASE_FILE="$SERVICE_DIR/$SERVICE.base.yml"
 ENV_FILE="$SERVICE_DIR/$SERVICE.$ENVIRONMENT.yml"
 
+# Load environment variables from .env.traefik
+HETZNER_DIR="$(cd "$(dirname "$0")" && pwd)"
+if [ -f "$HETZNER_DIR/.env.traefik" ]; then
+    export $(grep -v '^#' "$HETZNER_DIR/.env.traefik" | xargs)
+fi
+
 # For staging, only use base file. For production, use base + environment file
 if [ "$ENVIRONMENT" = "staging" ]; then
     COMPOSE_CMD="docker compose -f $BASE_FILE"
@@ -79,20 +98,22 @@ case "$ACTION" in
         echo "================================================"
         echo ""
 
-        # Ask for confirmation, especially for production
-        if [ "$ENVIRONMENT" = "production" ]; then
-            echo "⚠️  WARNING: You are about to deploy to PRODUCTION"
-            echo ""
-            read -p "Do you want to continue? (yes/no): " confirm
-            if [ "$confirm" != "yes" ]; then
-                echo "Deployment cancelled."
-                exit 0
-            fi
-        else
-            read -p "Do you want to continue with deployment? (yes/no): " confirm
-            if [ "$confirm" != "yes" ]; then
-                echo "Deployment cancelled."
-                exit 0
+        # Ask for confirmation (skip if --yes/-y)
+        if [ "$AUTO_YES" != "true" ]; then
+            if [ "$ENVIRONMENT" = "production" ]; then
+                echo "⚠️  WARNING: You are about to deploy to PRODUCTION"
+                echo ""
+                read -p "Do you want to continue? (yes/no): " confirm
+                if [ "$confirm" != "yes" ]; then
+                    echo "Deployment cancelled."
+                    exit 0
+                fi
+            else
+                read -p "Do you want to continue with deployment? (yes/no): " confirm
+                if [ "$confirm" != "yes" ]; then
+                    echo "Deployment cancelled."
+                    exit 0
+                fi
             fi
         fi
 

hetzner/nominatim/nominatim.base.yml

@@ -1,6 +1,6 @@
 services:
   nominatim:
-    container_name: nominatim_staging
+    container_name: nominatim
     image: developmentseed/osmseed-nominatim:0.1.0-0.dev.git.956.h49d677b
     volumes:
       - nominatim_data:/var/lib/postgresql/16/main
@@ -16,13 +16,12 @@ services:
       IMPORT_GB_POSTCODES: false
       IMPORT_TIGER_ADDRESSES: false
       PGDATA: /var/lib/postgresql/16/main
-      OSMSEED_WEB_API_DOMAIN: www.openhistoricalmap.org
+      OSMSEED_WEB_API_DOMAIN: www.${OHM_DOMAIN}
       NOMINATIM_ADDRESS_LEVEL_CONFIG_URL: https://raw.githubusercontent.com/OpenHistoricalMap/nominatim-ui/master/address-levels.json
       UPDATE_MODE: continuous
       IMPORT_STYLE: extratags
       EXTRA_TAGS: "start_date,start_date:edtf,end_date,end_date:edt"
     restart: always
-    cpus: 4.0
     healthcheck:
       test: ["CMD-SHELL", "curl -f http://localhost:8080/status || exit 1"]
       interval: 30s
@@ -31,20 +30,20 @@ services:
       start_period: 120m
     networks:
       - ohm_network
-    ports:
-      - '8081:8080'
+    # ports:
+    #   - '8081:8080'
     env_file:
-      - ./.env.sample
+      - ./.env.nominatim
 
   nominatim_ui:
-    container_name: nominatim_ui_staging
+    container_name: nominatim_ui
     image: ghcr.io/openhistoricalmap/nominatim-ui:a469b5e
     command:
       - /bin/sh
       - -c
       - |
         set -x && \
-        echo "Nominatim_Config.Nominatim_API_Endpoint = 'https://nominatim.staging.openhistoricalmap.org/';" \
+        echo "Nominatim_Config.Nominatim_API_Endpoint = 'https://nominatim.${OHM_DOMAIN}/';" \
         >> /usr/share/nginx/html/ui/theme/config.theme.js && \
         nginx -g "daemon off;"
     restart: always
@@ -56,14 +55,14 @@ services:
       start_period: 20s
     networks:
       - ohm_network
-    ports:
-      - '8082:80'
+    # ports:
+    #   - '8082:80'
 
 networks:
   ohm_network:
     external: true
 
 volumes:
   nominatim_data:
-    driver: local
-    name: nominatim_db
+    name: nominatim_db_18_07_2025
+

hetzner/nominatim/nominatim.production.yml

@@ -1,24 +1,6 @@
 services:
   nominatim:
-    container_name: nominatim_production
-    ports: !override
-      - '8083:8080'
     mem_limit: 16g
-    env_file:
-      - ./.env.nominatim.production
+    cpus: 4.0
+
 
-  nominatim_ui:
-    container_name: nominatim_ui_production
-    ports: !override
-      - '8084:80'
-    command:
-      - /bin/sh
-      - -c
-      - |
-        set -x && \
-        echo "Nominatim_Config.Nominatim_API_Endpoint = 'https://nominatim.openhistoricalmap.org/';" \
-        >> /usr/share/nginx/html/ui/theme/config.theme.js && \
-        nginx -g "daemon off;"
-volumes:
-  nominatim_data:
-    name: nominatim_db_18_07_2025

hetzner/osmcha/.env.sample

@@ -19,11 +19,11 @@ DJANGO_SECURE_SSL_REDIRECT=False
 DJANGO_SETTINGS_MODULE=config.settings.production
 OAUTH2_OSM_KEY=12345678
 OAUTH2_OSM_SECRET=xyzasdesd
-OAUTH_REDIRECT_URI=https://osmcha.staging.openhistoricalmap.org/authorized
+OAUTH_REDIRECT_URI=https://${OHM_DOMAIN}/authorized
 OSMCHA_API_URL=www.staging.openhistoricalmap.org
 OSMCHA_FRONTEND_VERSION=v0.86.0-production
-OSMCHA_URL=https://osmcha.staging.openhistoricalmap.org
+OSMCHA_URL=https://${OHM_DOMAIN}
 OSM_PLANET_BASE_URL=https://s3.amazonaws.com/planet.openhistoricalmap.org/replication/changesets/
-OSM_SERVER_URL=https://www.staging.openhistoricalmap.org
+OSM_SERVER_URL=https://www.${OHM_DOMAIN}
 REDIS_URL=redis://osmcha_redis:6379