Fix LetsEncrypt DNS challenge and add Cloudflare support

New version is hard to config, unsure if this is needed.

.env.sample

@@ -1,6 +1,6 @@
 TYPE=traefik
 
-DOMAIN=traefik.example.com
+DOMAIN={{ .Domain }}
 LETS_ENCRYPT_ENV=production
 
 LETS_ENCRYPT_EMAIL=certs@example.com
@@ -8,8 +8,7 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # WARN, INFO etc.
 LOG_LEVEL=WARN
 
-# This is here so later lines can extend the definition; you likely don't wanna
-# edit
+# This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
 
 #####################################################################
@@ -45,6 +44,12 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Cloudflare, https://cloudflare.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#CLOUDFLARE_ENABLED=1
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1
+#SECRET_CLOUDFLARE_API_KEY=v1
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
@@ -52,6 +57,9 @@ COMPOSE_FILE="compose.yml"
 ## Enable Keycloak
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
+#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
+#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
+#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
 #####################################################################
 # Prometheus metrics                                                #
@@ -69,6 +77,10 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_ENABLED=1
 
+## Compy
+#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
+#COMPY_ENABLED=1
+
 ## Gitea SSH
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
@@ -92,3 +104,7 @@ COMPOSE_FILE="compose.yml"
 ## Mumble
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
 #MUMBLE_ENABLED=1
+
+## Matrix
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_FEDERATION_ENABLED=1

README.md

@@ -7,11 +7,11 @@
 <!-- metadata -->
 * **Category**: Utilities
 * **Status**: ?
-* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
+* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
 * **Email**: N/A
-* **Tests**: ❷💛
+* **Tests**: 2
 * **SSO**: ? (Keycloak)
 <!-- endmetadata -->
 

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v12
-export FILE_PROVIDER_YML_VERSION=v2
+export TRAEFIK_YML_VERSION=v14
+export FILE_PROVIDER_YML_VERSION=v6
 export ENTRYPOINT_VERSION=v2

compose.cloudflare.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cloudflare_email
+      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - cloudflare_email
+      - cloudflare_api_key
+
+secrets:
+  cloudflare_email:
+    name: ${STACK_NAME}_cloudflare_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+    external: true
+  cloudflare_api_key:
+    name: ${STACK_NAME}_cloudflare_api_key_${SECRET_CLOUDFLARE_API_KEY}
+    external: true

compose.compy.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - COMPY_ENABLED
+    ports:
+      - "9999:9999"

compose.headless.yml

@@ -12,4 +12,3 @@ services:
         - "traefik.http.services.traefik.loadbalancer.server.port=web"
         - "traefik.http.routers.traefik.entrypoints=web-secure"
         - "traefik.http.routers.traefik.service=api@internal"
-        - "coop-cloud.${STACK_NAME}.app.version=v2.4.9-be23e1f6"

compose.keycloak.yml

@@ -5,6 +5,9 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.traefik.middlewares=keycloak@file"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
     environment:
       - KEYCLOAK_MIDDLEWARE_ENABLED
+      - KEYCLOAK_TFA_SERVICE
+      - KEYCLOAK_MIDDLEWARE_2_ENABLED
+      - KEYCLOAK_TFA_SERVICE_2

compose.matrix.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - MATRIX_FEDERATION_ENABLED
+    ports:
+      - "8448:8448"

compose.minio.yml

@@ -0,0 +1,9 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - MINIO_CONSOLE_ENABLED
+    ports:
+      - "9001:9001"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.5.2"
+    image: "traefik:v2.5.6"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -26,6 +26,8 @@ services:
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
+      - LETS_ENCRYPT_EMAIL
+      - LETS_ENCRYPT_ENV
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -47,7 +49,7 @@ services:
         - "traefik.http.routers.traefik.tls.options=default@file"
         - "traefik.http.routers.traefik.service=api@internal"
         - "traefik.http.routers.traefik.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=1.0.0+v2.5.2"
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+v2.5.6"
 
 networks:
   proxy:

entrypoint.sh.tmpl

@@ -11,4 +11,9 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
+{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}
+export CLOUDFLARE_EMAIL=$(cat "$CLOUDFLARE_EMAIL_FILE")
+export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -4,7 +4,15 @@ http:
     {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
-        address: "http://traefik-forward-auth:4181"
+        address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Forwarded-User
+    {{ end }}
+    {{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
+    keycloak2:
+      forwardAuth:
+        address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
         trustForwardHeader: true
         authResponseHeaders:
           - X-Forwarded-User

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}

traefik.yml.tmpl

@@ -54,10 +54,18 @@ entrypoints:
   mumble-udp:
     address: ":64738/udp"
   {{ end }}
+  {{ if eq (env "COMPY_ENABLED") "1" }}
+  compy:
+    address: ":9999"
+  {{ end }}
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
   {{ end }}
+  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
+  matrix-federation:
+    address: ":9001"
+  {{ end }}
 
 ping:
   entryPoint: web
@@ -69,30 +77,36 @@ metrics:
 {{ end }}
 
 certificatesResolvers:
+  {{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}
   staging:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/staging-acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      httpChallenge:
-        entryPoint: web
       {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
       {{ end }}
+  {{ end }}
+  {{ if eq (env "LETS_ENCRYPT_ENV") "production" }}
   production:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
-      httpChallenge:
-        entryPoint: web
       {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
       {{ end }}
+  {{ end }}