Fix LetsEncrypt DNS challenge and add Cloudflare support

.drone.yml

@@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: traefik
-      networks:
-       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -24,17 +22,11 @@ trigger:
     - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
   - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
     settings:
-      server: https://build.coopcloud.tech
+      command: recipe traefik release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,8 +1,6 @@
 TYPE=traefik
-TIMEOUT=300
-ENABLE_AUTO_UPDATE=true
 
-DOMAIN=traefik.example.com
+DOMAIN={{ .Domain }}
 LETS_ENCRYPT_ENV=production
 
 LETS_ENCRYPT_EMAIL=certs@example.com
@@ -46,6 +44,12 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Cloudflare, https://cloudflare.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#CLOUDFLARE_ENABLED=1
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1
+#SECRET_CLOUDFLARE_API_KEY=v1
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
@@ -65,12 +69,6 @@ COMPOSE_FILE="compose.yml"
 ## used used by the coop-cloud monitoring stack
 #METRICS_ENABLED=1
 
-#####################################################################
-# File provider directory configuration                             #
-# (Route bare metal and non-docker services on the machine!)        #
-#####################################################################
-#FILE_PROVIDER_DIRECTORY_ENABLED=1
-
 #####################################################################
 # Additional services                                               #
 #####################################################################
@@ -110,9 +108,3 @@ COMPOSE_FILE="compose.yml"
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
-
-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1

README.md

@@ -19,29 +19,8 @@
 
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
-4. `abra app deploy YOURAPPDOMAIN`
+4. `abra app YOURAPPDOMAIN deploy`
-
-## Configuring wildcard SSL using DNS
-
-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
-subdomains, like
-[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
-
-1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
-   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
-2. Run `abra app config YOURAPPDOMAIN`
-3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
-   `SECRET_GANDIV5_API_KEY_VERSION`
-4. Generate an API key for your provider
-5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
-   `gandiv5_api_key` and `SECRETVALUE` is the API key.
-6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v16
+export TRAEFIK_YML_VERSION=v14
-export FILE_PROVIDER_YML_VERSION=v8
+export FILE_PROVIDER_YML_VERSION=v6
 export ENTRYPOINT_VERSION=v2

compose.basicauth.yml

@@ -1,12 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - BASIC_AUTH
-    secrets:
-      - usersfile
-
-secrets:
-  usersfile:
-    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
-    external: true

compose.cloudflare.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cloudflare_email
+      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - cloudflare_email
+      - cloudflare_api_key
+
+secrets:
+  cloudflare_email:
+    name: ${STACK_NAME}_cloudflare_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+    external: true
+  cloudflare_api_key:
+    name: ${STACK_NAME}_cloudflare_api_key_${SECRET_CLOUDFLARE_API_KEY}
+    external: true

compose.headless.yml

@@ -10,5 +10,5 @@ services:
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.service=api@internal"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.10.1"
+    image: "traefik:v2.5.6"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -13,7 +13,6 @@ services:
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
-      - "file-providers:/etc/traefik/file-providers"
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
@@ -27,6 +26,8 @@ services:
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
+      - LETS_ENCRYPT_EMAIL
+      - LETS_ENCRYPT_ENV
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -41,14 +42,14 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
+        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.tls.options=default@file"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
+        - "traefik.http.routers.traefik.service=api@internal"
-        - "coop-cloud.${STACK_NAME}.version=2.3.1+v2.10.2"
+        - "traefik.http.routers.traefik.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+v2.5.6"
 
 networks:
   proxy:
@@ -70,4 +71,3 @@ configs:
 
 volumes:
   letsencrypt:
-  file-providers:

entrypoint.sh.tmpl

@@ -11,4 +11,9 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
+{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}
+export CLOUDFLARE_EMAIL=$(cat "$CLOUDFLARE_EMAIL_FILE")
+export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -17,11 +17,6 @@ http:
         authResponseHeaders:
           - X-Forwarded-User
     {{ end }}
-    {{ if eq (env "BASIC_AUTH") "1" }}
-    basicauth:
-      basicAuth:
-        usersFile: "/run/secrets/usersfile"
-    {{ end }}
     security:
       headers:
         frameDeny: true

traefik.yml.tmpl

@@ -8,14 +8,8 @@ providers:
     exposedByDefault: false
     network: proxy
     swarmMode: true
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
-  file:
-    directory: /etc/traefik/file-providers
-    watch: true
-  {{ else }}
   file:
     filename: /etc/traefik/file-provider.yml
-  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -83,30 +77,36 @@ metrics:
 {{ end }}
 
 certificatesResolvers:
+  {{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}
   staging:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/staging-acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      httpChallenge:
-        entryPoint: web
       {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
       {{ end }}
+  {{ end }}
+  {{ if eq (env "LETS_ENCRYPT_ENV") "production" }}
   production:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
-      httpChallenge:
-        entryPoint: web
       {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
-          - "9.9.9.9:53"
+          - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
+      {{ end }}
   {{ end }}