attempt using staticresponse

.drone.yml

@@ -8,7 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: traefik
       networks:
-        - proxy
+       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,9 +16,9 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v22
+      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v10
+      FILE_PROVIDER_YML_VERSION: v3
-      ENTRYPOINT_VERSION: v4
+      ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - master
@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,7 +1,4 @@
 TYPE=traefik
-TIMEOUT=300
-ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -10,7 +7,6 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
-LOG_MAX_AGE=1
 
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@@ -19,6 +15,9 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################
 
+## Error pages
+COMPOSE_FILE="$COMPOSE_FILE:compose.error-pages.yml"
+
 ## Host-mode networking
 #COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
 
@@ -44,47 +43,12 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_API_KEY_ENABLED=1
+#GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
-## Gandi, https://gandi.net
-## note: uses GandiV5 Personal Access Token
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
-#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
-
-## DigitalOcean, https://digitalocean.com
-#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
-#DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
-
-## Azure, https://azure.com
-## To insert your Azure client secret:
-## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
-#AZURE_ENABLED=1
-#AZURE_TENANT_ID=
-#AZURE_CLIENT_ID=
-#AZURE_SUBSCRIPTION_ID=
-#AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
-
 #####################################################################
-# Manual wildcard certificate insertion                             #
+# Keycloak log-in                                                   #
-#####################################################################
-
-# Set wildcards = 1, and uncomment compose_file to enable.
-# Create your certs elsewhere and add them like:
-# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
-# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
-#WILDCARDS_ENABLED=1
-#SECRET_WILDCARD_CERT_VERSION=v1
-#SECRET_WILDCARD_KEY_VERSION=v1
-#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
-
-#####################################################################
-# Authentication                                                    #
 #####################################################################
 
 ## Enable Keycloak
@@ -94,27 +58,14 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
-
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
 
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
-#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
 
-#####################################################################
-# File provider directory configuration                             #
-# (Route bare metal and non-docker services on the machine!)        #
-#####################################################################
-#FILE_PROVIDER_DIRECTORY_ENABLED=1
-
 #####################################################################
 # Additional services                                               #
 #####################################################################
@@ -154,16 +105,3 @@ COMPOSE_FILE="compose.yml"
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
-
-## "Web alt", an alternative web port
-# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
-#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
-#WEB_ALT_ENABLED=1
-
-## Matrix
-#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
-#IRC_ENABLED=1
-
-## Garage
-#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
-#GARAGE_RPC_ENABLED=1

README.md

@@ -40,10 +40,8 @@ Letsencrypt DNS challenges.
    `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
-   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
-     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v24
+export TRAEFIK_YML_VERSION=v15
-export FILE_PROVIDER_YML_VERSION=v10
+export FILE_PROVIDER_YML_VERSION=v6
-export ENTRYPOINT_VERSION=v5
+export ENTRYPOINT_VERSION=v2

alaconnect.yml

@@ -1,4 +0,0 @@
-matrix-synapse:
-    uncomment:
-        - compose.matrix.yml
-        - MATRIX_FEDERATION_ENABLED

compose.azure.yml

@@ -1,17 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - AZURE_TENANT_ID
-      - AZURE_CLIENT_ID
-      - AZURE_SUBSCRIPTION_ID
-      - AZURE_RESOURCE_GROUP
-      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
-    secrets:
-      - azure_secret
-
-secrets:
-  azure_secret:
-    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
-    external: true

compose.basicauth.yml

@@ -1,12 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - BASIC_AUTH
-    secrets:
-      - usersfile
-
-secrets:
-  usersfile:
-    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
-    external: true

compose.digitalocean.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - digitalocean_auth_token
-
-secrets:
-  digitalocean_auth_token:
-    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
-    external: true

compose.error-pages.yml

@@ -0,0 +1,31 @@
+version: '3.8'
+
+services:
+
+  app:
+    command:
+      - --providers.docker
+      - --experimental.plugins.staticresponse.modulename=github.com/jdel/staticresponse
+      - --experimental.plugins.staticresponse.version=v0.0.1
+    deploy:
+      labels:
+        # custom traefik errors
+        - "traefik.http.middlewares.web-secure.errors.status=400-599"
+        - "traefik.http.middlewares.web-secure.errors.service=down-rule"
+        - "traefik.http.middlewares.web-secure.errors.query=/traefik-http-error/{status}"
+        # catchall rule
+        - "traefik.http.routers.http-catchall.entrypoints=web-secure"
+        - "traefik.http.routers.http-catchall.rule=PathPrefix(`/`)"
+        # lowest possible priority, evaluated when no other router is matched
+        - "traefik.http.routers.http-catchall.priority=1"
+        - "traefik.http.routers.http-catchall.middlewares=503down"
+        # static error message
+        - "traefik.http.middlewares.503down.plugin.staticresponse"
+        - "traefik.http.middlewares.503down.plugin.staticresponse.StatusCode=503"
+        - "traefik.http.middlewares.503down.plugin.staticresponse.Body=Sorry, currently under maintenance. Please try again later."
+        # error page
+        - "traefik.http.routers.down-rule.rule=PathPrefix(`/traefik-http-error`)"
+        - "traefik.http.routers.down-rule.service=noop@internal"
+        - "traefik.http.routers.down-rule.entrypoints=web-secure"
+        - "traefik.http.routers.down-rule.middlewares=503down"
+        

compose.gandi-personal-access-token.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - gandiv5_pat
-
-secrets:
-  gandiv5_pat:
-    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
-    external: true

compose.garage.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - GARAGE_RPC_ENABLED
-    ports:
-      - "3901:3901"

compose.irc.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - IRC_ENABLED
-    ports:
-      - "6697:6697"

compose.metrics.yml

@@ -1,9 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host

compose.web-alt.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - WEB_ALT_ENABLED
-    ports:
-      - "8000:8000"

compose.wildcard.yml

@@ -1,16 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - ssl_cert
-      - ssl_key
-
-secrets:
-  ssl_cert:
-    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
-    external: true
-  ssl_key:
-    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
-    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.4.5"
+    image: "traefik:v2.9.9"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,8 +11,8 @@ services:
       - "80:80"
       - "443:443"
     volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
-      - "file-providers:/etc/traefik/file-providers"
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
@@ -23,11 +23,9 @@ services:
         mode: 0555
     networks:
       - proxy
-      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
-      - ${LOG_MAX_AGE:-0}
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -48,51 +46,11 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.6.2+v3.4.5"
+        - "coop-cloud.${STACK_NAME}.version=2.1.0+v2.9.9"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-
-  socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
-    deploy:
-      endpoint_mode: dnsrr
-    environment:
-      - ALLOW_START=0
-      - ALLOW_STOP=0
-      - ALLOW_RESTARTS=0
-      - AUTH=0
-      - BUILD=0
-      - COMMIT=0
-      - CONFIGS=0
-      - CONTAINERS=1 # Needs access
-      - DISABLE_IPV6=0
-      - DISTRIBUTION=0
-      - EVENTS=1 # Needs access
-      - EXEC=0
-      - IMAGES=0
-      - INFO=0
-      - NETWORKS=1 # Needs access
-      - NODES=0
-      - PING=0
-      - POST=0
-      - PLUGINS=0
-      - SECRETS=0
-      - SERVICES=1 # Needs access
-      - SESSION=0
-      - SWARM=1
-      - SYSTEM=0
-      - TASKS=1 # Needs access
-      - VERSION=1 # Needs access
-      - VOLUMES=0
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - internal
 
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   traefik_yml:
@@ -110,4 +68,3 @@ configs:
 
 volumes:
   letsencrypt:
-  file-providers:

entrypoint.sh.tmpl

@@ -7,12 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+{{ if eq (env "GANDI_ENABLED") "1" }}
-export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
-{{ end }}
-
-{{ if eq (env "AZURE_ENABLED") "1" }}
-export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
 {{ end }}
 
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -17,14 +17,10 @@ http:
         authResponseHeaders:
           - X-Forwarded-User
     {{ end }}
-    {{ if eq (env "BASIC_AUTH") "1" }}
-    basicauth:
-      basicAuth:
-        usersFile: "/run/secrets/usersfile"
-    {{ end }}
     security:
       headers:
         frameDeny: true
+        sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
         stsIncludeSubdomains: true
@@ -44,8 +40,3 @@ tls:
         - CurveP521
         - CurveP384
       sniStrict: true
-  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
-  certificates:
-    - certFile: /run/secrets/ssl_cert
-      keyFile: /run/secrets/ssl_key
-  {{ end }}

release/2.8.0+v2.11.10

@@ -1 +0,0 @@
-Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

release/2.9.0+v2.11.14

@@ -1 +0,0 @@
-Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg

release/2.9.1+v2.11.14

@@ -1 +0,0 @@
-Reverts max log retention

release/3.0.0+v2.11.22

@@ -1,2 +0,0 @@
-socket-proxy: switch to endpoint-mode dnsrr instead of vip
-See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.

release/3.3.0+v2.11.26

@@ -1 +0,0 @@
-Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

release/3.4.0+v3.4.4

@@ -1 +0,0 @@
-Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax

release/3.4.2+v3.4.5

@@ -1 +0,0 @@
-Bumps the TRAEFIK_YML_VERSION

release/3.5.0+v3.4.5

@@ -1 +0,0 @@
-Add support to azure DNS-01 acme challenge

release/3.6.0+v3.4.5

@@ -1 +0,0 @@
-Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.

traefik.yml.tmpl

@@ -1,24 +1,15 @@
 ---
-core:
-  defaultRuleSyntax: v2
- 
 log:
   level: {{ env "LOG_LEVEL" }}
-  maxAge: {{ env "LOG_MAX_AGE" }}
 
 providers:
-  swarm:
+  docker:
-    endpoint: "tcp://socket-proxy:2375"
+    endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
     network: proxy
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+    swarmMode: true
-  file:
-    directory: /etc/traefik/file-providers
-    watch: true
-  {{ else }}
   file:
     filename: /etc/traefik/file-provider.yml
-  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -37,10 +28,6 @@ entrypoints:
   gitea-ssh:
     address: ":2222"
   {{ end }}
-  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
-  garage-rpc:
-    address: ":3901"
-  {{ end }}
   {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
   foodsoft-smtp:
     address: ":2525"
@@ -53,10 +40,6 @@ entrypoints:
   peertube-rtmp:
     address: ":1935"
   {{ end }}
-  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
-  web-alt:
-    address: ":8000"
-  {{ end }}
   {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
@@ -75,16 +58,9 @@ entrypoints:
   compy:
     address: ":9999"
   {{ end }}
-  {{ if eq (env "IRC_ENABLED") "1" }}
-  irc:
-    address: ":6697"
-  {{ end }}
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
   {{ end }}
   {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
@@ -98,8 +74,6 @@ ping:
 metrics:
   prometheus:
     entryPoint: metrics
-    addRoutersLabels: true
-    addServicesLabels: true
 {{ end }}
 
 certificatesResolvers: