run traefik as non-root user

{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile

@@ -1,5 +1,21 @@
-FROM traefik:v2.2.11
-RUN mkdir -p /etc/traefik/acme \
-  && touch /etc/traefik/acme/acme.json \
-  && chmod 600 /etc/traefik/acme/acme.json
-COPY ./compose/production/traefik/traefik.yml /etc/traefik
+FROM traefik:2.3
+
+WORKDIR /etc/traefik/
+
+RUN addgroup --system traefik \
+  && adduser \
+  --disabled-password \
+  --gecos '' \
+  --no-create-home \
+  --ingroup traefik \
+  traefik \
+  && mkdir acme/ \
+  && touch acme/acme.json \
+  && chmod 0600 acme/acme.json \
+  && chown -R traefik:traefik .
+
+EXPOSE 8080/tcp 8443/tcp
+
+VOLUME /etc/traefik/acme/
+
+USER traefik

{{cookiecutter.project_slug}}/compose/production/traefik/traefik.yml

@@ -5,7 +5,7 @@ log:
 entryPoints:
   web:
     # http
-    address: ":80"
+    address: ":8080"
     http:
       # https://docs.traefik.io/routing/entrypoints/#entrypoint
       redirections:
@@ -14,7 +14,7 @@ entryPoints:
 
   web-secure:
     # https
-    address: ":443"
+    address: ":8443"
   {%- if cookiecutter.use_celery == 'y' %}
 
   flower:

{{cookiecutter.project_slug}}/production.yml

@@ -39,6 +39,7 @@ services:
       - django
     volumes:
       - production_traefik:/etc/traefik/acme:z
+      - ./compose/production/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
     ports:
       - "0.0.0.0:80:80"
       - "0.0.0.0:443:443"