Docker: Add Let's Encrypt info to cloud config docs

docker/examples/cloud/README.txt

@@ -45,4 +45,32 @@ should match the number of cores. Indexing large photo and video
 collections significantly benefits from fast, local SSD storage.
 
 RAW file conversion and automatic image classification using TensorFlow
-will be disabled on servers with less than 2 GB of physical memory.
+will be disabled on servers with less than 2 GB of physical memory.
+
+## Using Let's Encrypt as HTTPS certificate resolver ##
+
+By default, a self-signed certificate will be used for HTTPS connections.
+Browsers are going to show a security warning because of that. Depending
+on your settings, they may also refuse connecting at all.
+
+To get an official, free HTTPS certificate from Let's Encrypt, your server
+needs a fully  qualified public domain name first, e.g. "photos.yourdomain.com".
+You may add a static DNS entry (on DigitalOcean go to Networking > Domains),
+or use a Dynamic DNS service of your choice.
+
+Once your server has a public domain name, please disable the self-signed
+certificate and enable domain based routing in docker-compose.yml and
+traefik.yaml (see inline instructions in !! UPPERCASE !!):
+
+  ssh root@<YOUR SERVER IP>
+  nano /opt/photoprism/docker-compose.yml
+  nano /opt/photoprism/traefik.yaml
+
+Then restart services in a terminal for the changes to take effect:
+
+  docker-compose stop
+  docker-compose up -d
+
+To check logs for errors:
+
+  docker-compose logs -f

docker/examples/cloud/docker-compose.yml

@@ -75,8 +75,8 @@ version: '3.5'
 
 services:
   photoprism:
-    # Use photoprism/photoprism:latest instead for stable builds:
-    image: photoprism/photoprism:preview
+    # Use photoprism/photoprism:preview instead for testing preview builds:
+    image: photoprism/photoprism:latest
     container_name: photoprism
     restart: always
     security_opt:
@@ -88,15 +88,18 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.photoprism.loadbalancer.server.port=2342"
-      - "traefik.http.routers.photoprism.entrypoints=websecure"
-      - "traefik.http.routers.photoprism.rule=PathPrefix(`/`)"
       - "traefik.http.routers.photoprism.tls=true"
+      - "traefik.http.routers.photoprism.entrypoints=websecure"
+      # !! UNCOMMENT when using Let's Encrypt with a public host name !!
+      # - "traefik.http.routers.photoprism.rule=Host(`custom.domain.com`)"
+      # - "traefik.http.routers.photoprism.tls.certresolver=myresolver"
+      # !! REMOVE default route when using Let's Encrypt / domain based routing !!
+      - "traefik.http.routers.photoprism.rule=PathPrefix(`/`)"
+      # !! REMOVE both for Let's Encrypt with HTTP challenge (DNS challenge supports wildcards) !!
       - "traefik.http.routers.photoprism.tls.domains[0].main=example.com"
       - "traefik.http.routers.photoprism.tls.domains[0].sans=*.example.com"
-      # Uncomment if your server has a public host name for HTTPS:
-      # - "traefik.http.routers.photoprism.rule=Host(`photos.example.com`)"
-      # - "traefik.http.routers.photoprism.tls.certresolver=myresolver"
     environment:
+      # !! UPDATE site URL when server has a public domain name !!
       PHOTOPRISM_SITE_URL: "https://_public_ip_/"
       PHOTOPRISM_SITE_TITLE: "PhotoPrism"
       PHOTOPRISM_SITE_CAPTION: "Browse Your Life"

docker/examples/cloud/traefik.yaml

@@ -3,10 +3,13 @@
 #  level: DEBUG
 
 serversTransport:
+  # Don't verify internal HTTPS certs:
   insecureSkipVerify: true
+  # !! REMOVE when using Let's Encrypt as HTTPS cert resolver !!
   rootCAs:
     - "/certs/ca.crt"
 
+# Open ports ond protocols (HTTP will be redirected to HTTPS):
 entryPoints:
   web:
     address: ":80"
@@ -20,20 +23,25 @@ entryPoints:
 
 certificatesResolvers:
   myresolver:
+    # See https://doc.traefik.io/traefik/https/acme/
     acme:
+      # !! REPLACE example email with your actual email address !!
       email: info@example.com
       storage: /data/letsencrypt.json
       httpChallenge:
         entryPoint: web
 
 providers:
+  # !! REMOVE file provider when using Let's Encrypt as HTTPS cert resolver !!
   file:
     filename: "/certs/config.yml"
     watch: true
+  # Always keep this:
   docker:
     exposedByDefault: false
     watch: true
 
+# Traefik API & dashboard are disabled by default for security reasons:
 api:
   insecure: false
   dashboard: false