feat: pull request template

Reviewed-on: #73
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -8,7 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: traefik
       networks:
-       - proxy
+        - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,9 +16,9 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v3
-      ENTRYPOINT_VERSION: v1
+      TRAEFIK_YML_VERSION: v26
+      FILE_PROVIDER_YML_VERSION: v10
+      ENTRYPOINT_VERSION: v4
 trigger:
   branch:
     - master
@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,6 +1,7 @@
 TYPE=traefik
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -9,6 +10,7 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
+LOG_MAX_AGE=1
 
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@@ -42,25 +44,47 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#GANDI_API_KEY_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Gandi, https://gandi.net
+## note: uses GandiV5 Personal Access Token
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
+#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+
+## DigitalOcean, https://digitalocean.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
+#DIGITALOCEAN_ENABLED=1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+
+## Azure, https://azure.com
+## To insert your Azure client secret:
+## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
+#AZURE_ENABLED=1
+#AZURE_TENANT_ID=
+#AZURE_CLIENT_ID=
+#AZURE_SUBSCRIPTION_ID=
+#AZURE_RESOURCE_GROUP=
+#SECRET_AZURE_SECRET_VERSION=v1
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
 
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
-# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
-# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 
 #####################################################################
-# Keycloak log-in                                                   #
+# Authentication                                                    #
 #####################################################################
 
 ## Enable Keycloak
@@ -70,6 +94,12 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1
+
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
@@ -101,6 +131,10 @@ COMPOSE_FILE="compose.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
 
+## P2Panda UDP
+# COMPOSE_FILE="$COMPOSE_FILE:compose.p2panda.yml"
+# P2PANDA_ENABLED=1
+
 ## Foodsoft SMTP
 # COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
 # FOODSOFT_SMTP_ENABLED=1
@@ -125,8 +159,19 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
 
-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
+## "Web alt", an alternative web port
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
+#WEB_ALT_ENABLED=1
+
+## Matrix
+#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
+#IRC_ENABLED=1
+
+## Garage
+#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
+#GARAGE_RPC_ENABLED=1
+
+## Nextcloud Talk HPB
+#COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
+#NEXTCLOUD_TALK_HPB_ENABLED=1

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,15 @@
+---
+name: "Traefik pull request template"
+---
+
+<!-- 
+Thank you for doing recipe maintenance work!
+Please mark all checklist items which are relevant for your changes.
+Please remove the checklist items which are not relevant for your changes.
+Feel free to remove this comment.
+-->
+
+* [ ] I have deployed and tested my changes
+* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
+* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
+* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -0,0 +1,29 @@
+# Traefik Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
+
+## Pull Requests
+
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer.
+
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer. Simply add your self to the list
+in the [README.md](./README.md) and open a new pull request with the change.

README.md

@@ -1,12 +1,14 @@
 # Traefik
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/traefik/status.svg)](https://drone.autonomic.zone/coop-cloud/traefik)
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)
 
 > https://docs.traefik.io
 
 <!-- metadata -->
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se)
+* **Status**: `stable`
 * **Category**: Utilities
-* **Status**: ?
+* **Features**: ?
 * **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
@@ -23,6 +25,13 @@
    your Docker swarm box
 4. `abra app deploy YOURAPPDOMAIN`
 
+## Configuring basic auth
+
+1. Create the usersfile locally: `htpasswd -c usersfile <username>`
+2. Uncomment the Basic Auth section in your .env file
+3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
+4. Redploy your app: `abra app deploy -f <domain>`
+
 ## Configuring wildcard SSL using DNS
 
 Automatic certificate generation will Just Work™ for most recipes  which use a fixed
@@ -40,8 +49,10 @@ Letsencrypt DNS challenges.
    `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
+   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
+     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v18
-export FILE_PROVIDER_YML_VERSION=v9
-export ENTRYPOINT_VERSION=v2
+export TRAEFIK_YML_VERSION=v28
+export FILE_PROVIDER_YML_VERSION=v11
+export ENTRYPOINT_VERSION=v5

alaconnect.yml

@@ -0,0 +1,4 @@
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_FEDERATION_ENABLED

compose.azure.yml

@@ -0,0 +1,17 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - AZURE_TENANT_ID
+      - AZURE_CLIENT_ID
+      - AZURE_SUBSCRIPTION_ID
+      - AZURE_RESOURCE_GROUP
+      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
+    secrets:
+      - azure_secret
+
+secrets:
+  azure_secret:
+    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
+    external: true

compose.digitalocean.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - digitalocean_auth_token
+
+secrets:
+  digitalocean_auth_token:
+    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
+    external: true

compose.gandi-personal-access-token.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - gandiv5_pat
+
+secrets:
+  gandiv5_pat:
+    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
+    external: true

compose.garage.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - GARAGE_RPC_ENABLED
+    ports:
+      - "3901:3901"

compose.irc.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - IRC_ENABLED
+    ports:
+      - "6697:6697"

compose.nextcloud-talk-hpb.yml

@@ -0,0 +1,8 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - NEXTCLOUD_TALK_HPB_ENABLED
+    ports:
+      - "3478:3478/udp"
+      - "3478:3478/tcp"

compose.p2panda.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - P2PANDA_ENABLED
+    ports:
+      - target: 2022
+        published: 2022
+        protocol: udp
+        mode: host
+      - target: 2023
+        published: 2023
+        protocol: udp
+        mode: host

compose.web-alt.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - WEB_ALT_ENABLED
+    ports:
+      - "8000:8000"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.11.0"
+    image: "traefik:v3.6.5"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,7 +11,6 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
     configs:
@@ -24,9 +23,11 @@ services:
         mode: 0555
     networks:
       - proxy
+      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
+      - ${LOG_MAX_AGE:-0}
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -47,12 +48,51 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.5.0+v2.11.0"
+        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
+    deploy:
+      endpoint_mode: dnsrr
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Needs access
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1 # Needs access
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=1 # Needs access
+      - NODES=1
+      - PING=1
+      - POST=0
+      - PLUGINS=0
+      - SECRETS=0
+      - SERVICES=1 # Needs access
+      - SESSION=0
+      - SWARM=1
+      - SYSTEM=0
+      - TASKS=1 # Needs access
+      - VERSION=1 # Needs access
+      - VOLUMES=0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - internal
 
 networks:
   proxy:
     external: true
+  internal:
 
 configs:
   traefik_yml:

entrypoint.sh.tmpl

@@ -7,8 +7,12 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "GANDI_ENABLED") "1" }}
-export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
+{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ end }}
+
+{{ if eq (env "AZURE_ENABLED") "1" }}
+export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
 {{ end }}
 
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -43,6 +43,7 @@ tls:
       curvePreferences:
         - CurveP521
         - CurveP384
+        - CurveP256
       sniStrict: true
   {{ if eq (env "WILDCARDS_ENABLED") "1" }}
   certificates:

release/2.8.0+v2.11.10

@@ -0,0 +1 @@
+Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

release/2.9.0+v2.11.14

@@ -0,0 +1 @@
+Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg

release/2.9.1+v2.11.14

@@ -0,0 +1 @@
+Reverts max log retention

release/3.0.0+v2.11.22

@@ -0,0 +1,2 @@
+socket-proxy: switch to endpoint-mode dnsrr instead of vip
+See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.

release/3.3.0+v2.11.26

@@ -0,0 +1 @@
+Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

release/3.4.0+v3.4.4

@@ -0,0 +1 @@
+Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax

release/3.4.2+v3.4.5

@@ -0,0 +1 @@
+Bumps the TRAEFIK_YML_VERSION

release/3.5.0+v3.4.5

@@ -0,0 +1 @@
+Add support to azure DNS-01 acme challenge

release/3.6.0+v3.4.5

@@ -0,0 +1 @@
+Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

traefik.yml.tmpl

@@ -1,13 +1,16 @@
 ---
+core:
+  defaultRuleSyntax: v2
+
 log:
   level: {{ env "LOG_LEVEL" }}
+  maxAge: {{ env "LOG_MAX_AGE" }}
 
 providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
+  swarm:
+    endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
-    swarmMode: true
   {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
   file:
     directory: /etc/traefik/file-providers
@@ -30,10 +33,29 @@ entrypoints:
           to: web-secure
   web-secure:
     address: ":443"
+    http:
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedBackSlash: true
+        allowEncodedNullCharacter: true
+        allowEncodedSemicolon: true
+        allowEncodedPercent: true
+        allowEncodedQuestionMark: true
+        allowEncodedHash: true
   {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
   gitea-ssh:
     address: ":2222"
   {{ end }}
+  {{ if eq (env "P2PANDA_ENABLED") "1" }}
+  p2panda-udp-v4:
+    address: ":2022/udp"
+  p2panda-udp-v6:
+    address: ":2023/udp"
+  {{ end }}
+  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
+  garage-rpc:
+    address: ":3901"
+  {{ end }}
   {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
   foodsoft-smtp:
     address: ":2525"
@@ -46,6 +68,10 @@ entrypoints:
   peertube-rtmp:
     address: ":1935"
   {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  web-alt:
+    address: ":8000"
+  {{ end }}
   {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
@@ -64,6 +90,10 @@ entrypoints:
   compy:
     address: ":9999"
   {{ end }}
+  {{ if eq (env "IRC_ENABLED") "1" }}
+  irc:
+    address: ":6697"
+  {{ end }}
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
@@ -75,6 +105,12 @@ entrypoints:
   matrix-federation:
     address: ":9001"
   {{ end }}
+  {{ if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
+  nextcloud-talk-hpb:
+    address: ":3478"
+  nextcloud-talk-hpb-udp:
+    address: ":3478/udp"
+  {{ end }}
 
 ping:
   entryPoint: web
@@ -114,4 +150,4 @@ certificatesResolvers:
         resolvers:
           - "1.1.1.1:53"
           - "9.9.9.9:53"
-      {{ end }}
+      {{ end }}