Merge branch 'master' into socket-proxy

.drone.yml

@@ -16,8 +16,8 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
+      TRAEFIK_YML_VERSION: v5
-      FILE_PROVIDER_YML_VERSION: v3
+      FILE_PROVIDER_YML_VERSION: v4
       ENTRYPOINT_VERSION: v1
 trigger:
   branch:

.env.sample

@@ -46,21 +46,26 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## DigitalOcean, https://digitalocean.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
+#DIGITALOCEAN_ENABLED=1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
 
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
-# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
-# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 
 #####################################################################
-# Keycloak log-in                                                   #
+# Authentication                                                    #
 #####################################################################
 
 ## Enable Keycloak
@@ -70,6 +75,12 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1
+
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
@@ -125,8 +136,7 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
 
-## BASIC_AUTH
+## "Web alt", an alternative web port
-## Use httpasswd to generate the secret
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
-#BASIC_AUTH=1
+#WEB_ALT_ENABLED=1
-#SECRET_USERSFILE_VERSION=v1

abra.sh

@@ -1,3 +1,3 @@
 export TRAEFIK_YML_VERSION=v21
-export FILE_PROVIDER_YML_VERSION=v9
+export FILE_PROVIDER_YML_VERSION=v10
-export ENTRYPOINT_VERSION=v2
+export ENTRYPOINT_VERSION=v3

alaconnect.yml

@@ -0,0 +1,4 @@
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_FEDERATION_ENABLED

compose.digitalocean.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - digitalocean_auth_token
+
+secrets:
+  digitalocean_auth_token:
+    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
+    external: true

compose.web-alt.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - WEB_ALT_ENABLED
+    ports:
+      - "8000:8000"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.11.0"
+    image: "traefik:v2.11.2"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -47,7 +47,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.5.0+v2.11.0"
+        - "coop-cloud.${STACK_NAME}.version=2.6.3+v2.11.2"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   socket-proxy:

entrypoint.sh.tmpl

@@ -11,4 +11,8 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
+{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"

traefik.yml.tmpl

@@ -46,6 +46,10 @@ entrypoints:
   peertube-rtmp:
     address: ":1935"
   {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  web-alt:
+    address: ":8000"
+  {{ end }}
   {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"