docker soket via socket proxy (#48)

Mounting the the docker socket directly is not recommended, because it is a security issue. Instead access it via a tcp socket proxy.

See https://doc.traefik.io/traefik/providers/docker/#docker-api-access

Reviewed-on: coop-cloud/traefik#48
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Co-authored-by: p4u1 <p4u1_f4u1@riseup.net>
Co-committed-by: p4u1 <p4u1_f4u1@riseup.net>

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v20
+export TRAEFIK_YML_VERSION=v21
 export FILE_PROVIDER_YML_VERSION=v10
 export ENTRYPOINT_VERSION=v3

compose.yml

@@ -11,7 +11,6 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
     configs:
@@ -24,6 +23,7 @@ services:
         mode: 0555
     networks:
       - proxy
+      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
@@ -50,9 +50,45 @@ services:
         - "coop-cloud.${STACK_NAME}.version=2.6.3+v2.11.2"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:1.26.1-r0-ls15
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Needs access
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1 # Needs access
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=1 # Needs access
+      - NODES=0
+      - PING=0
+      - POST=0
+      - PLUGINS=0
+      - SECRETS=0
+      - SERVICES=1 # Needs access
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Needs access
+      - VERSION=1 # Needs access
+      - VOLUMES=0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - internal
+
 networks:
   proxy:
     external: true
+  internal:
 
 configs:
   traefik_yml:

traefik.yml.tmpl

@@ -4,7 +4,7 @@ log:
 
 providers:
   docker:
-    endpoint: "unix:///var/run/docker.sock"
+    endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
     swarmMode: true