Error pages

Re coop-cloud/organising#115

.drone.yml

@@ -8,7 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: traefik
       networks:
-        - proxy
+       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,9 +16,9 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v26
-      FILE_PROVIDER_YML_VERSION: v10
-      ENTRYPOINT_VERSION: v4
+      TRAEFIK_YML_VERSION: v4
+      FILE_PROVIDER_YML_VERSION: v3
+      ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - master
@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,7 +1,6 @@
 TYPE=traefik
-#TIMEOUT=300
+TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -10,7 +9,6 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
-LOG_MAX_AGE=1
 
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@@ -19,14 +17,8 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################
 
-## Ingress-mode port publishing for ports 80 and 443
-##
-## /!\ Using this prevents the use of any compose override adding
-##     published ports to the traefik_app service (almost all of them)
-##     and it prevents the use of IPv6 for ingress traffic.
-##     Do not uncomment unless you know exactly what you are doing
-##
-#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
+## Host-mode networking
+#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
 
 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
@@ -36,10 +28,8 @@ COMPOSE_FILE="compose.yml"
 #####################################################################
 
 ## Enable dns challenge (for wildcard domains)
-##   https://go-acme.github.io/lego/dns/#dns-providers
+##   https://doc.traefik.io/traefik/https/acme/#dnschallenge
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
-## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
 
 ## OVH, https://ovh.com
@@ -52,48 +42,18 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
-#GANDI_API_KEY_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
+#GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
-## Gandi, https://gandi.net
-## note: uses GandiV5 Personal Access Token
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
-#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
-
-## DigitalOcean, https://digitalocean.com
-#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
-#DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
-
-## Azure, https://azure.com
-## To insert your Azure client secret:
-## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
-#AZURE_ENABLED=1
-#AZURE_TENANT_ID=
-#AZURE_CLIENT_ID=
-#AZURE_SUBSCRIPTION_ID=
-#AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
-
-## Porkbun, https://porkbun.com
-## To insert your secrets:
-## abra app secret insert 1312.net pb_api_key v1 pk1_413
-## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
-#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
-#SECRET_PORKBUN_API_KEY_VERSION=v1
-#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
-
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
 
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
-# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
-# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
@@ -147,10 +107,6 @@ COMPOSE_FILE="compose.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
 
-## P2Panda UDP
-# COMPOSE_FILE="$COMPOSE_FILE:compose.p2panda.yml"
-# P2PANDA_ENABLED=1
-
 ## Foodsoft SMTP
 # COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
 # FOODSOFT_SMTP_ENABLED=1
@@ -179,28 +135,3 @@ COMPOSE_FILE="compose.yml"
 # NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
 #COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
 #WEB_ALT_ENABLED=1
-
-## Matrix
-#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
-#IRC_ENABLED=1
-
-## Garage
-#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
-#GARAGE_RPC_ENABLED=1
-
-## Nextcloud Talk HPB
-#COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
-#NEXTCLOUD_TALK_HPB_ENABLED=1
-
-## Anubis
-#COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"
-#ANUBIS_COOKIE_DOMAIN=example.com
-#ANUBIS_DOMAIN=anubis.example.com
-#ANUBIS_REDIRECT_DOMAINS=
-#ANUBIS_OG_PASSTHROUGH=true
-#ANUBIS_OG_EXPIRY_TIME=1h
-#ANUBIS_OG_CACHE_CONSIDER_HOST=true
-#ANUBIS_SERVE_ROBOTS_TXT=true
-
-## Enable onion service support
-#ONION_ENABLED=1

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -1,16 +0,0 @@
----
-name: "Traefik pull request template"
-about: "Traefik pull request template"
----
-
-<!-- 
-Thank you for doing recipe maintenance work!
-Please mark all checklist items which are relevant for your changes.
-Please remove the checklist items which are not relevant for your changes.
-Feel free to remove this comment.
--->
-
-* [ ] I have deployed and tested my changes
-* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
-* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
-* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -1,32 +0,0 @@
-# Traefik Recipe Maintenance
-
-All contributions should be made via a pull request. This is to ensure a
-certain quality and consistency, that others can rely on.
-
-## Maintainer Responsibilities
-
-A recipe maintainer has the following responsibilities:
-
-- Respond to pull requests / issues within a week
-- Make image security updates within a day
-- Make image patch / minor updates within a week
-- Make image major updates within a month
-
-In order to fullfill these responsibilities a recipe maintainer:
-
-- Has to watch the repository (to get notifications)
-- Needs to make sure renovate is configured properly
-
-## Pull Requests
-
-A pull request can be merged if it is approved by at least one maintainer. For
-pull requests opened by a maintainer they need to be approved by another
-maintainer. Even though it is okay to merge a pull request with one approval, it
-is always better if all maintainers looked at the pull request and approved it.
-
-## Become a maintainer
-
-Everyone can apply to be a recipe maintainer:
-1. Watch the repository to always get updates
-2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
-3. Once the pull request gets merged you will be added to the [traefik maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/traefik-maintainers).

README.md

@@ -1,14 +1,12 @@
 # Traefik
 
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/traefik/status.svg)](https://drone.autonomic.zone/coop-cloud/traefik)
 
 > https://docs.traefik.io
 
 <!-- metadata -->
-* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
-* **Status**: `stable`
 * **Category**: Utilities
-* **Features**: ?
+* **Status**: ?
 * **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
@@ -25,13 +23,6 @@
    your Docker swarm box
 4. `abra app deploy YOURAPPDOMAIN`
 
-## Configuring basic auth
-
-1. Create the usersfile locally: `htpasswd -c usersfile <username>`
-2. Uncomment the Basic Auth section in your .env file
-3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
-4. Redploy your app: `abra app deploy -f <domain>`
-
 ## Configuring wildcard SSL using DNS
 
 Automatic certificate generation will Just Work™ for most recipes  which use a fixed
@@ -42,37 +33,15 @@ subdomains, like
 need to give Traefik access to your DNS provider so that it can carry out
 Letsencrypt DNS challenges.
 
-1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
-   can be easily added, see
-   [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
+1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
+   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
    `SECRET_GANDIV5_API_KEY_VERSION`
-4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
-4. Generate an API key for your provider, probably using their web interface.
+4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
-   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
-     Access Token, in which case use compose.gandi-personal-access-token.yml.
-   - See comments for each provider in your env file for specific instructions
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
-## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
-
-Uncomment the lines on the Anubis section of the configuration.  Set
-a domain name for the cookies and a domain that will serve Anubis
-redirection service.  Optionally and for [added
-security](https://anubis.techaro.lol/docs/admin/configuration/redirect-domains),
-set a list of the domain names for the apps that are going to be
-protected.
-
-After deploying these changes, go to each recipe that supports Anubis
-and follow the process there.  **Enabling Anubis here is not enough for
-protection your apps.**
-
-## Enabling onion service
-
-Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).
-
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v29
-export FILE_PROVIDER_YML_VERSION=v11
-export ENTRYPOINT_VERSION=v5
+export TRAEFIK_YML_VERSION=v20
+export FILE_PROVIDER_YML_VERSION=v10
+export ENTRYPOINT_VERSION=v2

alaconnect.yml

@@ -1,4 +0,0 @@
-matrix-synapse:
-    uncomment:
-        - compose.matrix.yml
-        - MATRIX_FEDERATION_ENABLED

compose.anubis.yml

@@ -1,29 +0,0 @@
----
-version: "3.8"
-services:
-  app:
-    deploy:
-      labels:
-      - "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
-  anubis:
-    image: "ghcr.io/techarohq/anubis:v1.25.0"
-    environment:
-      BIND: ":8080"
-      TARGET: " "
-      REDIRECT_DOMAINS: "${ANUBIS_REDIRECT_DOMAINS}"
-      COOKIE_DOMAIN: "${ANUBIS_COOKIE_DOMAIN}"
-      PUBLIC_URL: "https://${ANUBIS_DOMAIN}"
-      OG_PASSTHROUGH: "${ANUBIS_OG_PASSTHROUGH}"
-      OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
-      OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
-      SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
-    networks:
-    - proxy
-    deploy:
-      labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.anubis.rule=Host(`${ANUBIS_DOMAIN}`)"
-      - "traefik.http.routers.anubis.tls.certresolver=${LETS_ENCRYPT_ENV}"
-      - "traefik.http.routers.anubis.entrypoints=web-secure"
-      - "traefik.http.services.anubis.loadbalancer.server.port=8080"
-      - "traefik.http.routers.anubis.service=anubis"

compose.azure.yml

@@ -1,17 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - AZURE_TENANT_ID
-      - AZURE_CLIENT_ID
-      - AZURE_SUBSCRIPTION_ID
-      - AZURE_RESOURCE_GROUP
-      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
-    secrets:
-      - azure_secret
-
-secrets:
-  azure_secret:
-    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
-    external: true

compose.compy.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - COMPY_ENABLED
     ports:
-      - target: 9999
-        published: 9999
-        protocol: tcp
-        mode: host
+      - "9999:9999"

compose.digitalocean.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - digitalocean_auth_token
-
-secrets:
-  digitalocean_auth_token:
-    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
-    external: true

compose.errors.yml

@@ -0,0 +1,29 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - "CUSTOM_ERRORS=1"
+    volumes:
+      - "traefik-plugins:/plugins-local/"
+  errors:
+    image: "tarampampam/error-pages:2.27.0"
+    networks:
+      - proxy
+    deploy:
+      labels:
+          - "traefik.enable=true"
+          # use as "fallback" for any non-registered services (with priority below normal)
+          - "traefik.http.routers.${STACK_NAME}-error.rule=HostRegexp(`{host:.+}`)"
+          - "traefik.http.routers.${STACK_NAME}-error.priority=10"
+          - "traefik.http.routers.${STACK_NAME}-error.entrypoints=web-secure"
+          - "traefik.http.routers.${STACK_NAME}-error.tls.certresolver=${LETS_ENCRYPT_ENV}"
+          - "traefik.http.services.${STACK_NAME}-error.loadbalancer.server.port=8080"
+          # "errors" middleware settings
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.status=400-599"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.service=${STACK_NAME}-error"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.query=/{status}.html"
+
+volumes:
+  traefik-plugins:

compose.foodsoft.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - FOODSOFT_SMTP_ENABLED
     ports:
-      - target: 2525
-        published: 2525
-        protocol: tcp
-        mode: host
+      - "2525:2525"

compose.gandi-personal-access-token.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - gandiv5_pat
-
-secrets:
-  gandiv5_pat:
-    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
-    external: true

compose.garage.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - GARAGE_RPC_ENABLED
-    ports:
-      - "3901:3901"

compose.gitea.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - GITEA_SSH_ENABLED
     ports:
-      - target: 2222
-        published: 2222
-        protocol: tcp
-        mode: host
+      - "2222:2222"

compose.host.yml

@@ -1,2 +1,15 @@
 ---
 version: "3.8"
+
+services:
+  app:
+    deploy:
+      update_config:
+        order: stop-first
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host

compose.irc.yml

@@ -1,10 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - IRC_ENABLED
-    ports:
-      - target: 6697
-        published: 6697
-        protocol: tcp
-        mode: host

compose.matrix.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - MATRIX_FEDERATION_ENABLED
     ports:
-      - target: 8448
-        published: 8448
-        protocol: tcp
-        mode: host
+      - "8448:8448"

compose.minio.yml

@@ -6,7 +6,4 @@ services:
     environment:
       - MINIO_CONSOLE_ENABLED
     ports:
-      - target: 9001
-        published: 9001
-        protocol: tcp
-        mode: host
+      - "9001:9001"

compose.mumble.yml

@@ -4,11 +4,6 @@ services:
     environment:
       - MUMBLE_ENABLED
     ports:
-      - target: 64738
-        published: 64738
-        protocol: udp
-        mode: host
-      - target: 64738
-        published: 64738
-        protocol: tcp
-        mode: host
+      - "64738:64738/udp"
+      # note (3wc): see https://github.com/docker/compose/issues/7627
+      - "64737-64739:64737-64739/tcp"

compose.nextcloud-talk-hpb.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - NEXTCLOUD_TALK_HPB_ENABLED
-    ports:
-      - target: 3478
-        published: 3478
-        protocol: udp
-        mode: host
-      - target: 3478
-        published: 3478
-        protocol: tcp
-        mode: host

compose.no-host.yml

@@ -1,16 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    ports:
-      - target: 80
-        published: 80
-        protocol: tcp
-        mode: ingress
-      - target: 443
-        published: 443
-        protocol: tcp
-        mode: ingress
-    deploy:
-      endpoint_mode: vip

compose.p2panda.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - P2PANDA_ENABLED
-    ports:
-      - target: 2022
-        published: 2022
-        protocol: udp
-        mode: host
-      - target: 2023
-        published: 2023
-        protocol: udp
-        mode: host

compose.peertube.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - PEERTUBE_RTMP_ENABLED
     ports:
-      - target: 1935
-        published: 1935
-        protocol: tcp
-        mode: host
+      - "1935:1935"

compose.porkbun.yml

@@ -1,18 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - PORKBUN_API_KEY_FILE=/run/secrets/pb_api_key
-      - PORKBUN_SECRET_API_KEY_FILE=/run/secrets/pb_s_api_key
-    secrets:
-      - pb_api_key
-      - pb_s_api_key
-
-secrets:
-  pb_api_key:
-    name: ${STACK_NAME}_pb_api_key_${SECRET_PORKBUN_API_KEY_VERSION}
-    external: true
-  pb_s_api_key:
-    name: ${STACK_NAME}_pb_s_api_key_${SECRET_PORKBUN_SECRET_API_KEY_VERSION}
-    external: true

compose.smtp.yml

@@ -6,7 +6,4 @@ services:
     environment:
       - SMTP_ENABLED
     ports:
-      - target: 587
-        published: 587
-        protocol: tcp
-        mode: host
+      - "587:587"

compose.ssb.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - SSB_MUXRPC_ENABLED
     ports:
-      - target: 8008
-        published: 8008
-        protocol: tcp
-        mode: host
+      - "8008:8008"

compose.web-alt.yml

@@ -4,7 +4,4 @@ services:
     environment:
       - WEB_ALT_ENABLED
     ports:
-      - target: 8000
-        published: 8000
-        protocol: tcp
-        mode: host
+      - "8000:8000"

compose.yml

@@ -3,20 +3,15 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.10"
+    image: "traefik:v2.11.0"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
     ports:
-      - target: 80
-        published: 80
-        protocol: tcp
-        mode: host
-      - target: 443
-        published: 443
-        protocol: tcp
-        mode: host
+      - "80:80"
+      - "443:443"
     volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
     configs:
@@ -29,11 +24,9 @@ services:
         mode: 0555
     networks:
       - proxy
-      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
-      - ${LOG_MAX_AGE:-0}
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -43,10 +36,9 @@ services:
     command: traefik
     entrypoint: /custom-entrypoint.sh
     deploy:
-      endpoint_mode: dnsrr
       update_config:
         failure_action: rollback
-        order: stop-first
+        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
@@ -55,51 +47,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=4.0.0+v3.6.10"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-
-  socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
-    deploy:
-      endpoint_mode: dnsrr
-    environment:
-      - ALLOW_START=0
-      - ALLOW_STOP=0
-      - ALLOW_RESTARTS=0
-      - AUTH=0
-      - BUILD=0
-      - COMMIT=0
-      - CONFIGS=0
-      - CONTAINERS=1 # Needs access
-      - DISABLE_IPV6=0
-      - DISTRIBUTION=0
-      - EVENTS=1 # Needs access
-      - EXEC=0
-      - IMAGES=0
-      - INFO=0
-      - NETWORKS=1 # Needs access
-      - NODES=1
-      - PING=1
-      - POST=0
-      - PLUGINS=0
-      - SECRETS=0
-      - SERVICES=1 # Needs access
-      - SESSION=0
-      - SWARM=1
-      - SYSTEM=0
-      - TASKS=1 # Needs access
-      - VERSION=1 # Needs access
-      - VOLUMES=0
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - internal
+        - "coop-cloud.${STACK_NAME}.version=2.6.0+v2.11.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   traefik_yml:

entrypoint.sh.tmpl

@@ -7,12 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
-export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
-{{ end }}
-
-{{ if eq (env "AZURE_ENABLED") "1" }}
-export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
+{{ if eq (env "GANDI_ENABLED") "1" }}
+export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -1,6 +1,19 @@
 ---
+
 http:
   middlewares:
+    {{ if eq (env "CUSTOM_ERRORS") "1" }}
+    error:
+      plugin:
+        traefik-error-page:
+          debug: "true"
+          contentsOnly: "false"
+          contentsOnlyMatch: "Bad Gateway"
+          query: /{status}.html
+          service: http://{{ env "STACK_NAME" }}_errors:8080
+          status:
+            - 502
+    {{ end }}
     {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
@@ -43,10 +56,9 @@ tls:
       curvePreferences:
         - CurveP521
         - CurveP384
-        - CurveP256
       sniStrict: true
   {{ if eq (env "WILDCARDS_ENABLED") "1" }}
   certificates:
     - certFile: /run/secrets/ssl_cert
       keyFile: /run/secrets/ssl_key
-  {{ end }}
+  {{ end }}

release/2.8.0+v2.11.10

@@ -1 +0,0 @@
-Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

release/2.9.0+v2.11.14

@@ -1 +0,0 @@
-Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg

release/2.9.1+v2.11.14

@@ -1 +0,0 @@
-Reverts max log retention

release/3.0.0+v2.11.22

@@ -1,2 +0,0 @@
-socket-proxy: switch to endpoint-mode dnsrr instead of vip
-See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.

release/3.10.0+v3.6.7

@@ -1,10 +0,0 @@
-Short summary of the latest changes:
-
-* Traefik has been upgraded with a patch release, no issues expected.
-* "CurveP256" has been included to the TLS options.
-* The default TIMEOUT value has been removed from the label directly.
-* Anubis support is here, try out `compose.anubis.yml` and see the README.md for more.
-* Onion services with Tor are not supported! See the README.md for more.
-* There are now officially 3 recipe maintainers for Traefik!
-
-All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/3.9.0+v3.6.5...master

release/3.3.0+v2.11.26

@@ -1 +0,0 @@
-Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

release/3.4.0+v3.4.4

@@ -1 +0,0 @@
-Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax

release/3.4.2+v3.4.5

@@ -1 +0,0 @@
-Bumps the TRAEFIK_YML_VERSION

release/3.5.0+v3.4.5

@@ -1 +0,0 @@
-Add support to azure DNS-01 acme challenge

release/3.6.0+v3.4.5

@@ -1 +0,0 @@
-Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.

release/4.0.0+v3.6.10

@@ -1,11 +0,0 @@
-Short summary of the latest changes:
-
- * Exposed ports have been switched to host-mode port publishing by default
-   This adds support for IPv6 ingress, which means that after deploying this
-   change, DNS AAAA records can be made to point to the relevant IPv6
-   address and Traefik will handle public IPv6 ingress traffic (including ACME
-   HTTP-01 challenges)
-
-   /!\ This is a breaking change. It is still possible to revert ports 80 and
-       443 to ingress-mode (the previous default) but keep in mind that there
-       is no longer an easy way to publish additional ports in ingress mode.

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}

traefik.yml.tmpl

@@ -1,24 +1,21 @@
 ---
-core:
-  defaultRuleSyntax: v2
-
 log:
   level: {{ env "LOG_LEVEL" }}
-  maxAge: {{ env "LOG_MAX_AGE" }}
 
 providers:
-  swarm:
-    endpoint: "tcp://socket-proxy:2375"
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
     network: proxy
-  {{- if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+    swarmMode: true
+  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
   file:
     directory: /etc/traefik/file-providers
     watch: true
-  {{- else }}
+  {{ else }}
   file:
     filename: /etc/traefik/file-provider.yml
-  {{- end }}
+  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -27,105 +24,68 @@ api:
 entrypoints:
   web:
     address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: web-secure
   web-secure:
     address: ":443"
-    http:
-      encodedCharacters:
-        allowEncodedSlash: true
-        allowEncodedBackSlash: true
-        allowEncodedNullCharacter: true
-        allowEncodedSemicolon: true
-        allowEncodedPercent: true
-        allowEncodedQuestionMark: true
-        allowEncodedHash: true
-  {{- if eq (env "GITEA_SSH_ENABLED") "1" }}
+  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
   gitea-ssh:
     address: ":2222"
-  {{- end }}
-  {{- if eq (env "P2PANDA_ENABLED") "1" }}
-  p2panda-udp-v4:
-    address: ":2022/udp"
-  p2panda-udp-v6:
-    address: ":2023/udp"
-  {{- end }}
-  {{- if eq (env "GARAGE_RPC_ENABLED") "1" }}
-  garage-rpc:
-    address: ":3901"
-  {{- end }}
-  {{- if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
   foodsoft-smtp:
     address: ":2525"
-  {{- end }}
-  {{- if eq (env "SMTP_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "SMTP_ENABLED") "1" }}
   smtp-submission:
     address: ":587"
-  {{- end }}
-  {{- if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
   peertube-rtmp:
     address: ":1935"
-  {{- end }}
-  {{- if eq (env "WEB_ALT_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
   web-alt:
     address: ":8000"
-  {{- end }}
-  {{- if eq (env "SSB_MUXRPC_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
-  {{- end }}
-  {{- if eq (env "MSSQL_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "MSSQL_ENABLED") "1" }}
   mssql:
     address: ":1433"
-  {{- end }}
-  {{- if eq (env "MUMBLE_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "MUMBLE_ENABLED") "1" }}
   mumble:
     address: ":64738"
   mumble-udp:
     address: ":64738/udp"
-  {{- end }}
-  {{- if eq (env "COMPY_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "COMPY_ENABLED") "1" }}
   compy:
     address: ":9999"
-  {{- end }}
-  {{- if eq (env "IRC_ENABLED") "1" }}
-  irc:
-    address: ":6697"
-  {{- end }}
-  {{- if eq (env "METRICS_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
     http:
       middlewares:
         - basicauth@file
-  {{- end }}
-  {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
+  {{ end }}
+  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
     address: ":9001"
-  {{- end }}
-  {{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
-  nextcloud-talk-hpb:
-    address: ":3478"
-  nextcloud-talk-hpb-udp:
-    address: ":3478/udp"
-  {{- end }}
-  {{- if eq (env "ONION_ENABLED") "1" }}
-  onion:
-    address: ":9052"
-  {{- end }}
+  {{ end }}
 
 ping:
   entryPoint: web
 
-{{- if eq (env "METRICS_ENABLED") "1" }}
+{{ if eq (env "METRICS_ENABLED") "1" }}
 metrics:
   prometheus:
     entryPoint: metrics
     addRoutersLabels: true
     addServicesLabels: true
-{{- end }}
+{{ end }}
 
 certificatesResolvers:
   staging:
@@ -135,23 +95,30 @@ certificatesResolvers:
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       httpChallenge:
         entryPoint: web
-      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
-      {{- end }}
+      {{ end }}
   production:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
       httpChallenge:
         entryPoint: web
-      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "9.9.9.9:53"
-      {{- end }}
+      {{ end }}
+
+{{ if eq (env "CUSTOM_ERRORS") "1" }}
+experimental:
+  localplugins:
+    traefik-error-page:
+      moduleName: "github.com/3-w-c/traefik-error-page"
+{{ end }}