From f7f77dc942c70d181f3c520617f88d90121878ce Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Sat, 30 Mar 2024 17:59:48 -0300 Subject: [PATCH 01/13] =?UTF-8?q?Add=20support=20for=20unencrypted=20HTTP?= =?UTF-8?q?=20apps=20(please=20don't=20use=20this=20=F0=9F=98=A2)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .env.sample | 5 +++++ abra.sh | 2 +- traefik.yml.tmpl | 4 +++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.env.sample b/.env.sample index 30762dd..e765267 100644 --- a/.env.sample +++ b/.env.sample @@ -130,3 +130,8 @@ COMPOSE_FILE="compose.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml" #BASIC_AUTH=1 #SECRET_USERSFILE_VERSION=v1 + +##################################################################### +# Extremely insecure options, do not use # +##################################################################### +#DISABLE_HTTPS_REDIRECT=1 diff --git a/abra.sh b/abra.sh index f42c912..550ac6b 100644 --- a/abra.sh +++ b/abra.sh @@ -1,3 +1,3 @@ -export TRAEFIK_YML_VERSION=v18 +export TRAEFIK_YML_VERSION=v19 export FILE_PROVIDER_YML_VERSION=v9 export ENTRYPOINT_VERSION=v2 diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index 0c94743..f0d2e3b 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -24,10 +24,12 @@ api: entrypoints: web: address: ":80" + {{ if not (eq (env "DISABLE_HTTPS_REDIRECT") "1") }} http: redirections: entryPoint: to: web-secure + {{ end }} web-secure: address: ":443" {{ if eq (env "GITEA_SSH_ENABLED") "1" }} @@ -114,4 +116,4 @@ certificatesResolvers: resolvers: - "1.1.1.1:53" - "9.9.9.9:53" - {{ end }} \ No newline at end of file + {{ end }} From edc29f959423d5bb70f28e5467d067c0d890d30d Mon Sep 17 00:00:00 2001 
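Review bot: In the traefik.yml.tmpl hunk, `DISABLE_HTTPS_REDIRECT=1` removes the redirect from the shared `web` entrypoint, so it affects every router bound to port 80, not only the one app that needs plain HTTP. Any other app reachable through that entrypoint would then presumably accept cleartext requests, including credentials and session cookies. A narrower design keeps the entrypoint redirect and gives the HTTP-only app its own entrypoint. Failing that, state the scope next to the guard, for example `# removes the HTTPS redirect for ALL apps on :80, not just one`. The .env.sample hunk says "do not use" without saying why, so the same sentence would help there.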
From: 3wc <3wc@doesthisthing.work> Date: Mon, 1 Apr 2024 19:49:23 -0300 Subject: [PATCH 02/13] Add "web-alt" entrypoint (mostly for Icecast) --- .env.sample | 17 +++++++++++------ compose.web-alt.yml | 7 +++++++ traefik.yml.tmpl | 4 ++++ 3 files changed, 22 insertions(+), 6 deletions(-) create mode 100644 compose.web-alt.yml diff --git a/.env.sample b/.env.sample index e765267..0c11c44 100644 --- a/.env.sample +++ b/.env.sample @@ -60,7 +60,7 @@ COMPOSE_FILE="compose.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml" ##################################################################### -# Keycloak log-in # +# Authentication # ##################################################################### ## Enable Keycloak @@ -70,6 +70,12 @@ COMPOSE_FILE="compose.yml" #KEYCLOAK_MIDDLEWARE_2_ENABLED=1 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app +## BASIC_AUTH +## Use httpasswd to generate the secret +#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml" +#BASIC_AUTH=1 +#SECRET_USERSFILE_VERSION=v1 + ##################################################################### # Prometheus metrics # ##################################################################### @@ -125,11 +131,10 @@ COMPOSE_FILE="compose.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml" #MATRIX_FEDERATION_ENABLED=1 -## BASIC_AUTH -## Use httpasswd to generate the secret -#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml" -#BASIC_AUTH=1 -#SECRET_USERSFILE_VERSION=v1 +## "Web alt", an alternative web port +# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this +#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml" +#WEB_ALT_ENABLED=1 ##################################################################### # Extremely insecure options, do not use # diff --git a/compose.web-alt.yml b/compose.web-alt.yml new file mode 100644 index 0000000..39e7c32 --- /dev/null +++ b/compose.web-alt.yml @@ -0,0 +1,7 @@ +version: "3.8" +services: + app: + environment: + - WEB_ALT_ENABLED + ports: + - "8000:8000" 
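Review bot: The relocated BASIC_AUTH comment in .env.sample names `httpasswd`, which looks like a typo for `htpasswd`, so an operator following it will not find the tool. This line is the only guidance on how the basic-auth password file is produced, so it should also name the hash format, for example `## Use htpasswd -B (bcrypt) to generate the secret`. Whether compose.basicauth.yml expects a particular format is not visible in this series, so confirm that before fixing the wording.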
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index f0d2e3b..1dd5def 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -48,6 +48,10 @@ entrypoints: peertube-rtmp: address: ":1935" {{ end }} + {{ if eq (env "WEB_ALT_ENABLED") "1" }} + web-alt: + address: ":8000" + {{ end }} {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }} ssb-muxrpc: address: ":8008" From c558e1dbdbf7fad3424f14cac3b99ff7e191fb23 Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Mon, 1 Apr 2024 22:53:56 -0300 Subject: [PATCH 03/13] Ditch DISABLE_HTTPS_REDIRECT --- .env.sample | 5 ----- traefik.yml.tmpl | 6 ------ 2 files changed, 11 deletions(-) diff --git a/.env.sample b/.env.sample index 0c11c44..b524da2 100644 --- a/.env.sample +++ b/.env.sample @@ -135,8 +135,3 @@ COMPOSE_FILE="compose.yml" # NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this #COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml" #WEB_ALT_ENABLED=1 - -##################################################################### -# Extremely insecure options, do not use # -##################################################################### -#DISABLE_HTTPS_REDIRECT=1 diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index 1dd5def..3f6aeab 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -24,12 +24,6 @@ api: entrypoints: web: address: ":80" - {{ if not (eq (env "DISABLE_HTTPS_REDIRECT") "1") }} - http: - redirections: - entryPoint: - to: web-secure - {{ end }} web-secure: address: ":443" {{ if eq (env "GITEA_SSH_ENABLED") "1" }} From 2db2f71a803a5926c89090dc8d4f4dcb79ada916 Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Mon, 1 Apr 2024 22:56:20 -0300 Subject: [PATCH 04/13] chore: publish 2.6.0+v2.11.0 release --- compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.yml b/compose.yml index 00357da..1599bf6 100644 --- a/compose.yml +++ b/compose.yml 
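Review bot: The new `web-alt` entrypoint in traefik.yml.tmpl has neither the `http.redirections` block that `web` carries nor any TLS setting, so anything routed to `:8000` is served in cleartext unless each router on it enables TLS itself. compose.web-alt.yml publishes `8000:8000` on the host, so that port is presumably reachable from outside. If plain HTTP is deliberate for Icecast clients, record it in the template, for example `# web-alt is deliberately plain HTTP; do not route authenticated apps here`. Otherwise add `http: {tls: {}}` under the entrypoint. The `entrypoints:` mapping begins outside the hunk.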
@@ -47,7 +47,7 @@ services: - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.service=api@internal" - "traefik.http.routers.${STACK_NAME}.middlewares=security@file" - - "coop-cloud.${STACK_NAME}.version=2.5.0+v2.11.0" + - "coop-cloud.${STACK_NAME}.version=2.6.0+v2.11.0" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" networks: From bdf84fcefd0d36a733ac2dab4853d705ba9059be Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Sat, 6 Apr 2024 14:35:53 -0300 Subject: [PATCH 05/13] Reinstate missing HTTP->HTTPS redirect --- traefik.yml.tmpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index 3f6aeab..5ef1676 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -24,6 +24,10 @@ api: entrypoints: web: address: ":80" + http: + redirections: + entryPoint: + to: web-secure web-secure: address: ":443" {{ if eq (env "GITEA_SSH_ENABLED") "1" }} From 70d10587bcb1738719689014f0cd67ae63944a6b Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Sat, 6 Apr 2024 14:36:21 -0300 Subject: [PATCH 06/13] chore: publish 2.6.1+v2.11.0 release --- compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.yml b/compose.yml index 1599bf6..9d8fee2 100644 --- a/compose.yml +++ b/compose.yml @@ -47,7 +47,7 @@ services: - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.service=api@internal" - "traefik.http.routers.${STACK_NAME}.middlewares=security@file" - - "coop-cloud.${STACK_NAME}.version=2.6.0+v2.11.0" + - "coop-cloud.${STACK_NAME}.version=2.6.1+v2.11.0" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" networks: From e92e76ac8834732116f09d6a81a28d0aef62740a Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Sat, 6 Apr 2024 14:52:55 -0300 Subject: [PATCH 07/13] Fix Drone CI --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.drone.yml b/.drone.yml index 2d95596..29b22ed 100644 --- a/.drone.yml +++ b/.drone.yml @@ -16,7 +16,7 @@ steps: STACK_NAME: traefik LETS_ENCRYPT_ENV: production LETS_ENCRYPT_EMAIL: helo@autonomic.zone - TRAEFIK_YML_VERSION: v4 + TRAEFIK_YML_VERSION: v5 FILE_PROVIDER_YML_VERSION: v3 ENTRYPOINT_VERSION: v1 trigger: From daec338066e5d2f97fe5a13c31f391f8ed2ae002 Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Sat, 6 Apr 2024 14:53:41 -0300 Subject: [PATCH 08/13] Another Drone fix? --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 29b22ed..521072c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -17,7 +17,7 @@ steps: LETS_ENCRYPT_ENV: production LETS_ENCRYPT_EMAIL: helo@autonomic.zone TRAEFIK_YML_VERSION: v5 - FILE_PROVIDER_YML_VERSION: v3 + FILE_PROVIDER_YML_VERSION: v4 ENTRYPOINT_VERSION: v1 trigger: branch: From e76d61be0010a9fa20e504c26b12e20a76aa058d Mon Sep 17 00:00:00 2001 From: 3wc <3wc@doesthisthing.work> Date: Fri, 19 Nov 2021 22:42:41 +0200 Subject: [PATCH 09/13] Add preliminary DigitalOcean DNS support --- .env.sample | 5 +++++ abra.sh | 6 +++--- compose.digitalocean.yml | 15 +++++++++++++++ entrypoint.sh.tmpl | 4 ++++ 4 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 compose.digitalocean.yml diff --git a/.env.sample b/.env.sample index b524da2..8d57cee 100644 --- a/.env.sample +++ b/.env.sample @@ -46,6 +46,11 @@ COMPOSE_FILE="compose.yml" #GANDI_ENABLED=1 #SECRET_GANDIV5_API_KEY_VERSION=v1 +## DigitalOcean, https://digitalocean.com +#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml" +#DIGITALOCEAN_ENABLED=1 +#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 + ##################################################################### # Manual wildcard certificate insertion # ##################################################################### diff --git a/abra.sh b/abra.sh index 550ac6b..ea6b88f 100644 --- a/abra.sh +++ b/abra.sh 
@@ -1,3 +1,3 @@ -export TRAEFIK_YML_VERSION=v19 -export FILE_PROVIDER_YML_VERSION=v9 -export ENTRYPOINT_VERSION=v2 +export TRAEFIK_YML_VERSION=v20 +export FILE_PROVIDER_YML_VERSION=v10 +export ENTRYPOINT_VERSION=v3 diff --git a/compose.digitalocean.yml b/compose.digitalocean.yml new file mode 100644 index 0000000..ebb1cc5 --- /dev/null +++ b/compose.digitalocean.yml @@ -0,0 +1,15 @@ +version: "3.8" + +services: + app: + environment: + - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token + - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED + - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER + secrets: + - digitalocean_auth_token + +secrets: + digitalocean_auth_token: + name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION} + external: true diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl index 298d5dc..41cbf44 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.sh.tmpl @@ -11,4 +11,8 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE") export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE") {{ end }} +{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }} +export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE") +{{ end }} + /entrypoint.sh "$@" From af33ec8510a9a27e6fd79b942ec751ccb2ffa3f1 Mon Sep 17 00:00:00 2001 From: Javielico Date: Sun, 14 Apr 2024 21:36:25 +0100 Subject: [PATCH 10/13] chore: publish 2.6.2+v2.11.1 release --- compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/compose.yml b/compose.yml index 9d8fee2..0afc525 100644 --- a/compose.yml +++ b/compose.yml @@ -3,7 +3,7 @@ version: "3.8" services: app: - image: "traefik:v2.11.0" + image: "traefik:v2.11.1" # Note(decentral1se): *please do not* add any additional ports here. # Doing so could break new installs with port conflicts. Please use # the usual `compose.$app.yml` approach for any additional ports 
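Review bot: compose.digitalocean.yml does not pass `DIGITALOCEAN_ENABLED` into the service environment, yet the entrypoint.sh.tmpl hunk guards the token export with `env "DIGITALOCEAN_ENABLED"`. compose.web-alt.yml in this series lists `- WEB_ALT_ENABLED` for its matching template check. By analogy the DigitalOcean guard would likely evaluate false and `DO_AUTH_TOKEN` would never be exported, unless the base compose.yml (not shown) already forwards the variable. If it does not, add `- DIGITALOCEAN_ENABLED` to the `environment:` list in this file.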
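Review bot: `export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")` in entrypoint.sh.tmpl does not stop on a missing or unreadable secret, because `export` returns success even when the `cat` inside it fails. Traefik would then start with an empty token and the problem would only surface later as a DNS-challenge error. A guard before the export makes it fail early, for example `[ -r "$DO_AUTH_TOKEN_FILE" ] || { echo "DO_AUTH_TOKEN_FILE not readable" >&2; exit 1; }`. Copying the token into the environment also exposes it to every child process; lego documents `_FILE`-suffixed variables, so the export may be unnecessary, which should be confirmed against the Traefik version in use. The same pattern appears in the Gandi export shown as context, and the top of the script lies outside the hunk.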
@@ -47,7 +47,7 @@ services: - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.service=api@internal" - "traefik.http.routers.${STACK_NAME}.middlewares=security@file" - - "coop-cloud.${STACK_NAME}.version=2.6.1+v2.11.0" + - "coop-cloud.${STACK_NAME}.version=2.6.2+v2.11.1" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" networks: From b7ea50d6aa5a7a5ae3478b12389321029abfeefa Mon Sep 17 00:00:00 2001 From: Javielico Date: Sun, 14 Apr 2024 21:38:48 +0100 Subject: [PATCH 11/13] chore: publish 2.6.3+v2.11.2 release --- compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/compose.yml b/compose.yml index 0afc525..636b171 100644 --- a/compose.yml +++ b/compose.yml @@ -3,7 +3,7 @@ version: "3.8" services: app: - image: "traefik:v2.11.1" + image: "traefik:v2.11.2" # Note(decentral1se): *please do not* add any additional ports here. # Doing so could break new installs with port conflicts. Please use # the usual `compose.$app.yml` approach for any additional ports @@ -47,7 +47,7 @@ services: - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.service=api@internal" - "traefik.http.routers.${STACK_NAME}.middlewares=security@file" - - "coop-cloud.${STACK_NAME}.version=2.6.2+v2.11.1" + - "coop-cloud.${STACK_NAME}.version=2.6.3+v2.11.2" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" networks: From 35d435b4f6595c24854fb99e27c1dd58d19cdf9f Mon Sep 17 00:00:00 2001 From: f Date: Sat, 1 Jun 2024 13:54:50 -0300 Subject: [PATCH 12/13] fix: the command is "secret" --- .env.sample | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.env.sample b/.env.sample index 8d57cee..500940a 100644 --- a/.env.sample +++ b/.env.sample 
@@ -57,8 +57,8 @@ COMPOSE_FILE="compose.yml" # Set wildcards = 1, and uncomment compose_file to enable. # Create your certs elsewhere and add them like: -# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)" -# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)" +# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)" +# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)" #WILDCARDS_ENABLED=1 #SECRET_WILDCARD_CERT_VERSION=v1 #SECRET_WILDCARD_KEY_VERSION=v1 From 60b79b447a525e44e61af0d7470f6e0e42a9664a Mon Sep 17 00:00:00 2001 From: Moritz Date: Tue, 4 Jun 2024 15:22:25 +0200 Subject: [PATCH 13/13] add alakazam matrix federation integration --- alaconnect.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 alaconnect.yml diff --git a/alaconnect.yml b/alaconnect.yml new file mode 100644 index 0000000..52334b9 --- /dev/null +++ b/alaconnect.yml @@ -0,0 +1,4 @@ +matrix-synapse: + uncomment: + - compose.matrix.yml + - MATRIX_FEDERATION_ENABLED