Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 8789bec57c | |||
| dd65184308 |
+9
-17
@@ -3,12 +3,10 @@ kind: pipeline
|
||||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
image: decentral1se/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: traefik
|
||||
networks:
|
||||
- proxy
|
||||
deploy_key:
|
||||
from_secret: drone_ssh_swarm_test
|
||||
environment:
|
||||
@@ -16,25 +14,19 @@ steps:
|
||||
STACK_NAME: traefik
|
||||
LETS_ENCRYPT_ENV: production
|
||||
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
|
||||
TRAEFIK_YML_VERSION: v26
|
||||
FILE_PROVIDER_YML_VERSION: v10
|
||||
ENTRYPOINT_VERSION: v4
|
||||
TRAEFIK_YML_VERSION: v4
|
||||
FILE_PROVIDER_YML_VERSION: v3
|
||||
ENTRYPOINT_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- master
|
||||
---
|
||||
kind: pipeline
|
||||
name: generate recipe catalogue
|
||||
name: recipe release
|
||||
steps:
|
||||
- name: release a new version
|
||||
image: plugins/downstream
|
||||
image: thecoopcloud/drone-abra:latest
|
||||
settings:
|
||||
server: https://build.coopcloud.tech
|
||||
token:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- toolshed/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
command: recipe traefik release
|
||||
deploy_key:
|
||||
from_secret: abra_bot_deploy_key
|
||||
|
||||
+13
-132
@@ -1,39 +1,22 @@
|
||||
TYPE=traefik
|
||||
#TIMEOUT=300
|
||||
ENABLE_AUTO_UPDATE=true
|
||||
ENABLE_BACKUPS=true
|
||||
|
||||
DOMAIN=traefik.example.com
|
||||
DOMAIN={{ .Domain }}
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
LETS_ENCRYPT_EMAIL=certs@example.com
|
||||
# DASHBOARD_ENABLED=true
|
||||
# WARN, INFO etc.
|
||||
LOG_LEVEL=WARN
|
||||
LOG_MAX_AGE=1
|
||||
|
||||
# This is here so later lines can extend it; you likely don't wanna edit
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
# Increase read timeout (or change it to 0s) to ensure large file
|
||||
# uploads work.
|
||||
#
|
||||
# https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-transport-respondingTimeouts-readTimeout
|
||||
READ_TIMEOUT=60s
|
||||
WRITE_TIMEOUT=0s
|
||||
|
||||
#####################################################################
|
||||
# General settings #
|
||||
#####################################################################
|
||||
|
||||
## Ingress-mode port publishing for ports 80 and 443
|
||||
##
|
||||
## /!\ Using this prevents the use of any compose override adding
|
||||
## published ports to the traefik_app service (almost all of them)
|
||||
## and it prevents the use of IPv6 for ingress traffic.
|
||||
## Do not uncomment unless you know exactly what you are doing
|
||||
##
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
|
||||
## Host-mode networking
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
|
||||
|
||||
## "Headless mode" (no domain configured)
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
|
||||
@@ -43,10 +26,8 @@ WRITE_TIMEOUT=0s
|
||||
#####################################################################
|
||||
|
||||
## Enable dns challenge (for wildcard domains)
|
||||
## https://go-acme.github.io/lego/dns/#dns-providers
|
||||
## https://doc.traefik.io/traefik/https/acme/#dnschallenge
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
|
||||
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
|
||||
## Uncomment the corresponding provider below to insert your secret token/key.
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
|
||||
|
||||
## OVH, https://ovh.com
|
||||
@@ -54,71 +35,17 @@ WRITE_TIMEOUT=0s
|
||||
#OVH_ENABLED=1
|
||||
#OVH_APPLICATION_KEY=
|
||||
#OVH_ENDPOINT=
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
|
||||
#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1
|
||||
#SECRET_OVH_CONSUMER_KEY=v1
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note(3wc): only "V5" (new) API is supported, so far
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
|
||||
#GANDI_API_KEY_ENABLED=1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note: uses GandiV5 Personal Access Token
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
|
||||
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
|
||||
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## DigitalOcean, https://digitalocean.com
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
|
||||
#DIGITALOCEAN_ENABLED=1
|
||||
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## Azure, https://azure.com
|
||||
## To insert your Azure client secret:
|
||||
## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
|
||||
#AZURE_ENABLED=1
|
||||
#AZURE_TENANT_ID=
|
||||
#AZURE_CLIENT_ID=
|
||||
#AZURE_SUBSCRIPTION_ID=
|
||||
#AZURE_RESOURCE_GROUP=
|
||||
#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
|
||||
|
||||
## Porkbun, https://porkbun.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert 1312.net pb_api_key v1 pk1_413
|
||||
## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
|
||||
#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
|
||||
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Cloudflare, htps://cloudflare.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
|
||||
## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
|
||||
## These can be the same token or different tokens
|
||||
## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
|
||||
## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
|
||||
#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
|
||||
#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
|
||||
#GANDI_ENABLED=1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||
|
||||
#####################################################################
|
||||
# Manual wildcard certificate insertion #
|
||||
#####################################################################
|
||||
|
||||
# Set wildcards = 1, and uncomment compose_file to enable.
|
||||
# Create your certs elsewhere and add them like:
|
||||
# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
|
||||
# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
|
||||
#WILDCARDS_ENABLED=1
|
||||
#SECRET_WILDCARD_CERT_VERSION=v1
|
||||
#SECRET_WILDCARD_KEY_VERSION=v1
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
|
||||
|
||||
#####################################################################
|
||||
# Authentication #
|
||||
# Keycloak log-in #
|
||||
#####################################################################
|
||||
|
||||
## Enable Keycloak
|
||||
@@ -128,28 +55,13 @@ WRITE_TIMEOUT=0s
|
||||
#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
|
||||
#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
|
||||
|
||||
## BASIC_AUTH
|
||||
## Use httpasswd to generate the secret
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
|
||||
#BASIC_AUTH=1
|
||||
#SECRET_USERSFILE_VERSION=v1
|
||||
|
||||
#####################################################################
|
||||
# Prometheus metrics #
|
||||
#####################################################################
|
||||
|
||||
## Enable prometheus metrics collection
|
||||
## used used by the coop-cloud monitoring stack
|
||||
## BASIC_AUTH should also be enabled
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
|
||||
#METRICS_ENABLED=1
|
||||
#METRICS_FQDN=metrics.traefik.example.com
|
||||
|
||||
#####################################################################
|
||||
# File provider directory configuration #
|
||||
# (Route bare metal and non-docker services on the machine!) #
|
||||
#####################################################################
|
||||
#FILE_PROVIDER_DIRECTORY_ENABLED=1
|
||||
|
||||
#####################################################################
|
||||
# Additional services #
|
||||
@@ -167,10 +79,6 @@ WRITE_TIMEOUT=0s
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
|
||||
# GITEA_SSH_ENABLED=1
|
||||
|
||||
## P2Panda UDP
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.p2panda.yml"
|
||||
# P2PANDA_ENABLED=1
|
||||
|
||||
## Foodsoft SMTP
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
|
||||
# FOODSOFT_SMTP_ENABLED=1
|
||||
@@ -195,33 +103,6 @@ WRITE_TIMEOUT=0s
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
|
||||
#MATRIX_FEDERATION_ENABLED=1
|
||||
|
||||
## "Web alt", an alternative web port
|
||||
# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
|
||||
#WEB_ALT_ENABLED=1
|
||||
|
||||
## Matrix
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
|
||||
#IRC_ENABLED=1
|
||||
|
||||
## Garage
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
|
||||
#GARAGE_RPC_ENABLED=1
|
||||
|
||||
## Nextcloud Talk HPB
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
|
||||
#NEXTCLOUD_TALK_HPB_ENABLED=1
|
||||
|
||||
## Anubis
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"
|
||||
#ANUBIS_COOKIE_DOMAIN=example.com
|
||||
#ANUBIS_DOMAIN=anubis.example.com
|
||||
#ANUBIS_REDIRECT_DOMAINS=
|
||||
#ANUBIS_OG_PASSTHROUGH=true
|
||||
#ANUBIS_OG_EXPIRY_TIME=1h
|
||||
#ANUBIS_OG_CACHE_CONSIDER_HOST=true
|
||||
#ANUBIS_SERVE_ROBOTS_TXT=true
|
||||
#ANUBIS_SLOG_LEVEL=INFO
|
||||
|
||||
## Enable onion service support
|
||||
#ONION_ENABLED=1
|
||||
## Minecraft
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.minecraft.yml"
|
||||
#MINECRAFT_ENABLED=1
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
name: "Traefik pull request template"
|
||||
about: "Traefik pull request template"
|
||||
---
|
||||
|
||||
<!--
|
||||
Thank you for doing recipe maintenance work!
|
||||
Please mark all checklist items which are relevant for your changes.
|
||||
Please remove the checklist items which are not relevant for your changes.
|
||||
Feel free to remove this comment.
|
||||
-->
|
||||
|
||||
* [ ] I have deployed and tested my changes
|
||||
* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
|
||||
* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
|
||||
* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
|
||||
@@ -1,31 +0,0 @@
|
||||
# Traefik Recipe Maintenance
|
||||
|
||||
All contributions should be made via a pull request. This is to ensure a
|
||||
certain quality and consistency, that others can rely on.
|
||||
|
||||
## Maintainer Responsibilities
|
||||
|
||||
A recipe maintainer has the following responsibilities:
|
||||
|
||||
- Respond to pull requests / issues within two weeks
|
||||
- Make image security updates within a week
|
||||
- Make image major updates every three months
|
||||
|
||||
In order to fullfill these responsibilities a recipe maintainer:
|
||||
|
||||
- Has to watch the repository (to get notifications)
|
||||
- Needs to make sure renovate is configured properly
|
||||
|
||||
## Pull Requests
|
||||
|
||||
A pull request can be merged if it is approved by at least one maintainer. For
|
||||
pull requests opened by a maintainer they need to be approved by another
|
||||
maintainer. Even though it is okay to merge a pull request with one approval, it
|
||||
is always better if all maintainers looked at the pull request and approved it.
|
||||
|
||||
## Become a maintainer
|
||||
|
||||
Everyone can apply to be a recipe maintainer:
|
||||
1. Watch the repository to always get updates
|
||||
2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
|
||||
3. Once the pull request gets merged you will be added to the [traefik maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/traefik-maintainers).
|
||||
@@ -1,14 +1,12 @@
|
||||
# Traefik
|
||||
|
||||
[](https://build.coopcloud.tech/coop-cloud/traefik)
|
||||
[](https://drone.autonomic.zone/coop-cloud/traefik)
|
||||
|
||||
> https://docs.traefik.io
|
||||
|
||||
<!-- metadata -->
|
||||
* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
|
||||
* **Status**: `stable`
|
||||
* **Category**: Utilities
|
||||
* **Features**: ?
|
||||
* **Status**: ?
|
||||
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
|
||||
* **Healthcheck**: Yes
|
||||
* **Backups**: No
|
||||
@@ -21,59 +19,8 @@
|
||||
|
||||
1. Set up Docker Swarm and [`abra`]
|
||||
2. `abra app new traefik`
|
||||
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
|
||||
3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
|
||||
your Docker swarm box
|
||||
4. `abra app deploy YOURAPPDOMAIN`
|
||||
|
||||
## Configuring basic auth
|
||||
|
||||
1. Create the usersfile locally: `htpasswd -c usersfile <username>`
|
||||
2. Uncomment the Basic Auth section in your .env file
|
||||
3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
|
||||
4. Redploy your app: `abra app deploy -f <domain>`
|
||||
|
||||
## Configuring SSL using DNS
|
||||
|
||||
Automatic certificate generation will Just Work™ for most recipes which use a
|
||||
fixed number of subdomains. If your server can't be reached from the Internet,
|
||||
or if you're deploying a recipe that needs to work across arbitrary
|
||||
subdomains, like
|
||||
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
|
||||
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
|
||||
the use of wildcard certificates,) you can give Traefik access to your DNS provider
|
||||
so that it can carry out Letsencrypt DNS challenges.
|
||||
|
||||
1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
|
||||
can be easily added, see
|
||||
[the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
|
||||
2. Run `abra app config YOURAPPDOMAIN`
|
||||
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
|
||||
`SECRET_GANDIV5_API_KEY_VERSION`
|
||||
4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
|
||||
4. Generate an API key for your provider, probably using their web interface.
|
||||
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
|
||||
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
|
||||
`gandiv5_api_key` and `SECRETVALUE` is the API key.
|
||||
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
|
||||
Access Token, in which case use compose.gandi-personal-access-token.yml.
|
||||
- See comments for each provider in your env file for specific instructions
|
||||
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
|
||||
|
||||
## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
|
||||
|
||||
Uncomment the lines on the Anubis section of the configuration. Set
|
||||
a domain name for the cookies and a domain that will serve Anubis
|
||||
redirection service. Optionally and for [added
|
||||
security](https://anubis.techaro.lol/docs/admin/configuration/redirect-domains),
|
||||
set a list of the domain names for the apps that are going to be
|
||||
protected.
|
||||
|
||||
After deploying these changes, go to each recipe that supports Anubis
|
||||
and follow the process there. **Enabling Anubis here is not enough for
|
||||
protection your apps.**
|
||||
|
||||
## Enabling onion service
|
||||
|
||||
Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).
|
||||
4. `abra app YOURAPPDOMAIN deploy`
|
||||
|
||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
export TRAEFIK_YML_VERSION=v32
|
||||
export FILE_PROVIDER_YML_VERSION=v12
|
||||
export ENTRYPOINT_VERSION=v5
|
||||
export TRAEFIK_YML_VERSION=v16
|
||||
export FILE_PROVIDER_YML_VERSION=v6
|
||||
export ENTRYPOINT_VERSION=v2
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
matrix-synapse:
|
||||
uncomment:
|
||||
- compose.matrix.yml
|
||||
- MATRIX_FEDERATION_ENABLED
|
||||
@@ -1,30 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
|
||||
anubis:
|
||||
image: "ghcr.io/techarohq/anubis:v1.25.0"
|
||||
environment:
|
||||
BIND: ":8080"
|
||||
TARGET: " "
|
||||
REDIRECT_DOMAINS: "${ANUBIS_REDIRECT_DOMAINS}"
|
||||
COOKIE_DOMAIN: "${ANUBIS_COOKIE_DOMAIN}"
|
||||
PUBLIC_URL: "https://${ANUBIS_DOMAIN}"
|
||||
OG_PASSTHROUGH: "${ANUBIS_OG_PASSTHROUGH}"
|
||||
OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
|
||||
OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
|
||||
SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
|
||||
SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
|
||||
networks:
|
||||
- proxy
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.anubis.rule=Host(`${ANUBIS_DOMAIN}`)"
|
||||
- "traefik.http.routers.anubis.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.anubis.entrypoints=web-secure"
|
||||
- "traefik.http.services.anubis.loadbalancer.server.port=8080"
|
||||
- "traefik.http.routers.anubis.service=anubis"
|
||||
@@ -1,17 +0,0 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- AZURE_TENANT_ID
|
||||
- AZURE_CLIENT_ID
|
||||
- AZURE_SUBSCRIPTION_ID
|
||||
- AZURE_RESOURCE_GROUP
|
||||
- AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
|
||||
secrets:
|
||||
- azure_secret
|
||||
|
||||
secrets:
|
||||
azure_secret:
|
||||
name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
|
||||
external: true
|
||||
@@ -1,12 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- BASIC_AUTH
|
||||
secrets:
|
||||
- usersfile
|
||||
|
||||
secrets:
|
||||
usersfile:
|
||||
name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
|
||||
external: true
|
||||
@@ -1,18 +0,0 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
|
||||
- CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
|
||||
secrets:
|
||||
- cf_dns_token
|
||||
- cf_zone_token
|
||||
|
||||
secrets:
|
||||
cf_dns_token:
|
||||
name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
|
||||
external: true
|
||||
cf_zone_token:
|
||||
name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
|
||||
external: true
|
||||
+1
-4
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- COMPY_ENABLED
|
||||
ports:
|
||||
- target: 9999
|
||||
published: 9999
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "9999:9999"
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
|
||||
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||
secrets:
|
||||
- digitalocean_auth_token
|
||||
|
||||
secrets:
|
||||
digitalocean_auth_token:
|
||||
name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
|
||||
external: true
|
||||
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- FOODSOFT_SMTP_ENABLED
|
||||
ports:
|
||||
- target: 2525
|
||||
published: 2525
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "2525:2525"
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
|
||||
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||
secrets:
|
||||
- gandiv5_pat
|
||||
|
||||
secrets:
|
||||
gandiv5_pat:
|
||||
name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
|
||||
external: true
|
||||
@@ -1,10 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- GARAGE_RPC_ENABLED
|
||||
ports:
|
||||
- target: 3901
|
||||
published: 3901
|
||||
protocol: tcp
|
||||
mode: host
|
||||
+1
-4
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- GITEA_SSH_ENABLED
|
||||
ports:
|
||||
- target: 2222
|
||||
published: 2222
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "2222:2222"
|
||||
|
||||
@@ -10,5 +10,5 @@ services:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||
- "traefik.http.routers.traefik.entrypoints=web-secure"
|
||||
- "traefik.http.routers.traefik.service=api@internal"
|
||||
|
||||
@@ -1,2 +1,15 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
deploy:
|
||||
update_config:
|
||||
order: stop-first
|
||||
ports:
|
||||
- target: 80
|
||||
published: 80
|
||||
mode: host
|
||||
- target: 443
|
||||
published: 443
|
||||
mode: host
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- IRC_ENABLED
|
||||
ports:
|
||||
- target: 6697
|
||||
published: 6697
|
||||
protocol: tcp
|
||||
mode: host
|
||||
+1
-4
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- MATRIX_FEDERATION_ENABLED
|
||||
ports:
|
||||
- target: 8448
|
||||
published: 8448
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "8448:8448"
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- METRICS_ENABLED
|
||||
@@ -0,0 +1,7 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- MINECRAFT_ENABLED
|
||||
ports:
|
||||
- 25565:25565
|
||||
+1
-4
@@ -6,7 +6,4 @@ services:
|
||||
environment:
|
||||
- MINIO_CONSOLE_ENABLED
|
||||
ports:
|
||||
- target: 9001
|
||||
published: 9001
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "9001:9001"
|
||||
|
||||
+3
-8
@@ -4,11 +4,6 @@ services:
|
||||
environment:
|
||||
- MUMBLE_ENABLED
|
||||
ports:
|
||||
- target: 64738
|
||||
published: 64738
|
||||
protocol: udp
|
||||
mode: host
|
||||
- target: 64738
|
||||
published: 64738
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "64738:64738/udp"
|
||||
# note (3wc): see https://github.com/docker/compose/issues/7627
|
||||
- "64737-64739:64737-64739/tcp"
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- NEXTCLOUD_TALK_HPB_ENABLED
|
||||
ports:
|
||||
- target: 3478
|
||||
published: 3478
|
||||
protocol: udp
|
||||
mode: host
|
||||
- target: 3478
|
||||
published: 3478
|
||||
protocol: tcp
|
||||
mode: host
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
ports:
|
||||
- target: 80
|
||||
published: 80
|
||||
protocol: tcp
|
||||
mode: ingress
|
||||
- target: 443
|
||||
published: 443
|
||||
protocol: tcp
|
||||
mode: ingress
|
||||
deploy:
|
||||
endpoint_mode: vip
|
||||
@@ -1,14 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- P2PANDA_ENABLED
|
||||
ports:
|
||||
- target: 2022
|
||||
published: 2022
|
||||
protocol: udp
|
||||
mode: host
|
||||
- target: 2023
|
||||
published: 2023
|
||||
protocol: udp
|
||||
mode: host
|
||||
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- PEERTUBE_RTMP_ENABLED
|
||||
ports:
|
||||
- target: 1935
|
||||
published: 1935
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "1935:1935"
|
||||
|
||||
@@ -1,18 +0,0 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- PORKBUN_API_KEY_FILE=/run/secrets/pb_api_key
|
||||
- PORKBUN_SECRET_API_KEY_FILE=/run/secrets/pb_s_api_key
|
||||
secrets:
|
||||
- pb_api_key
|
||||
- pb_s_api_key
|
||||
|
||||
secrets:
|
||||
pb_api_key:
|
||||
name: ${STACK_NAME}_pb_api_key_${SECRET_PORKBUN_API_KEY_VERSION}
|
||||
external: true
|
||||
pb_s_api_key:
|
||||
name: ${STACK_NAME}_pb_s_api_key_${SECRET_PORKBUN_SECRET_API_KEY_VERSION}
|
||||
external: true
|
||||
+1
-4
@@ -6,7 +6,4 @@ services:
|
||||
environment:
|
||||
- SMTP_ENABLED
|
||||
ports:
|
||||
- target: 587
|
||||
published: 587
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "587:587"
|
||||
|
||||
+1
-4
@@ -4,7 +4,4 @@ services:
|
||||
environment:
|
||||
- SSB_MUXRPC_ENABLED
|
||||
ports:
|
||||
- target: 8008
|
||||
published: 8008
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "8008:8008"
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- WEB_ALT_ENABLED
|
||||
ports:
|
||||
- target: 8000
|
||||
published: 8000
|
||||
protocol: tcp
|
||||
mode: host
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
secrets:
|
||||
- ssl_cert
|
||||
- ssl_key
|
||||
|
||||
secrets:
|
||||
ssl_cert:
|
||||
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
|
||||
external: true
|
||||
ssl_key:
|
||||
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
|
||||
external: true
|
||||
+13
-65
@@ -3,22 +3,16 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: "traefik:v3.7.7"
|
||||
image: "traefik:v2.5.6"
|
||||
# Note(decentral1se): *please do not* add any additional ports here.
|
||||
# Doing so could break new installs with port conflicts. Please use
|
||||
# the usual `compose.$app.yml` approach for any additional ports
|
||||
ports:
|
||||
- target: 80
|
||||
published: 80
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- target: 443
|
||||
published: 443
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
- "letsencrypt:/etc/letsencrypt"
|
||||
- "file-providers:/etc/traefik/file-providers"
|
||||
configs:
|
||||
- source: traefik_yml
|
||||
target: /etc/traefik/traefik.yml
|
||||
@@ -29,13 +23,9 @@ services:
|
||||
mode: 0555
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
environment:
|
||||
- DASHBOARD_ENABLED
|
||||
- LOG_LEVEL
|
||||
- ${LOG_MAX_AGE:-0}
|
||||
- READ_TIMEOUT=${READ_TIMEOUT:-60s}
|
||||
- WRITE_TIMEOUT=${WRITE_TIMEOUT:-0s}
|
||||
healthcheck:
|
||||
test: ["CMD", "traefik", "healthcheck"]
|
||||
interval: 30s
|
||||
@@ -45,64 +35,23 @@ services:
|
||||
command: traefik
|
||||
entrypoint: /custom-entrypoint.sh
|
||||
deploy:
|
||||
endpoint_mode: dnsrr
|
||||
update_config:
|
||||
failure_action: rollback
|
||||
order: stop-first
|
||||
order: start-first
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.0.0+v3.7.7"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
|
||||
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
|
||||
|
||||
socket-proxy:
|
||||
image: lscr.io/linuxserver/socket-proxy:3.4.2
|
||||
deploy:
|
||||
endpoint_mode: dnsrr
|
||||
environment:
|
||||
- ALLOW_START=0
|
||||
- ALLOW_STOP=0
|
||||
- ALLOW_RESTARTS=0
|
||||
- AUTH=0
|
||||
- BUILD=0
|
||||
- COMMIT=0
|
||||
- CONFIGS=0
|
||||
- CONTAINERS=1 # Needs access
|
||||
- DISABLE_IPV6=0
|
||||
- DISTRIBUTION=0
|
||||
- EVENTS=1 # Needs access
|
||||
- EXEC=0
|
||||
- IMAGES=0
|
||||
- INFO=0
|
||||
- NETWORKS=1 # Needs access
|
||||
- NODES=1
|
||||
- PING=1
|
||||
- POST=0
|
||||
- PLUGINS=0
|
||||
- SECRETS=0
|
||||
- SERVICES=1 # Needs access
|
||||
- SESSION=0
|
||||
- SWARM=1
|
||||
- SYSTEM=0
|
||||
- TASKS=1 # Needs access
|
||||
- VERSION=1 # Needs access
|
||||
- VOLUMES=0
|
||||
- LOG_LEVEL=warning
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
networks:
|
||||
- internal
|
||||
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
||||
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.traefik.entrypoints=web-secure"
|
||||
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.traefik.tls.options=default@file"
|
||||
- "traefik.http.routers.traefik.service=api@internal"
|
||||
- "traefik.http.routers.traefik.middlewares=security@file"
|
||||
- "coop-cloud.${STACK_NAME}.version=1.0.1+v2.5.6"
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
internal:
|
||||
|
||||
configs:
|
||||
traefik_yml:
|
||||
@@ -120,4 +69,3 @@ configs:
|
||||
|
||||
volumes:
|
||||
letsencrypt:
|
||||
file-providers:
|
||||
|
||||
+2
-6
@@ -7,12 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
|
||||
export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
|
||||
{{ end }}
|
||||
|
||||
{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
|
||||
export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
|
||||
{{ end }}
|
||||
|
||||
{{ if eq (env "AZURE_ENABLED") "1" }}
|
||||
export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
|
||||
{{ if eq (env "GANDI_ENABLED") "1" }}
|
||||
export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
|
||||
{{ end }}
|
||||
|
||||
/entrypoint.sh "$@"
|
||||
|
||||
+1
-23
@@ -17,31 +17,15 @@ http:
|
||||
authResponseHeaders:
|
||||
- X-Forwarded-User
|
||||
{{ end }}
|
||||
{{ if eq (env "BASIC_AUTH") "1" }}
|
||||
basicauth:
|
||||
basicAuth:
|
||||
usersFile: "/run/secrets/usersfile"
|
||||
{{ end }}
|
||||
security:
|
||||
headers:
|
||||
frameDeny: true
|
||||
sslRedirect: true
|
||||
browserXssFilter: true
|
||||
contentTypeNosniff: true
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
stsSeconds: "31536000"
|
||||
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||
routers:
|
||||
traefik-metrics:
|
||||
rule: "Host(`{{ env "METRICS_FQDN" }}`)"
|
||||
entrypoints:
|
||||
- web-secure
|
||||
tls:
|
||||
certResolver: {{ env "LETS_ENCRYPT_ENV" }}
|
||||
middlewares:
|
||||
- basicauth@file
|
||||
service: prometheus@internal
|
||||
{{ end }}
|
||||
|
||||
tls:
|
||||
options:
|
||||
@@ -55,10 +39,4 @@ tls:
|
||||
curvePreferences:
|
||||
- CurveP521
|
||||
- CurveP384
|
||||
- CurveP256
|
||||
sniStrict: true
|
||||
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
|
||||
certificates:
|
||||
- certFile: /run/secrets/ssl_cert
|
||||
keyFile: /run/secrets/ssl_key
|
||||
{{ end }}
|
||||
@@ -1 +0,0 @@
|
||||
Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410
|
||||
@@ -1 +0,0 @@
|
||||
Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
|
||||
@@ -1 +0,0 @@
|
||||
Reverts max log retention
|
||||
@@ -1,2 +0,0 @@
|
||||
socket-proxy: switch to endpoint-mode dnsrr instead of vip
|
||||
See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.
|
||||
@@ -1,10 +0,0 @@
|
||||
Short summary of the latest changes:
|
||||
|
||||
* Traefik has been upgraded with a patch release, no issues expected.
|
||||
* "CurveP256" has been included to the TLS options.
|
||||
* The default TIMEOUT value has been removed from the label directly.
|
||||
* Anubis support is here, try out `compose.anubis.yml` and see the README.md for more.
|
||||
* Onion services with Tor are not supported! See the README.md for more.
|
||||
* There are now officially 3 recipe maintainers for Traefik!
|
||||
|
||||
All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/3.9.0+v3.6.5...master
|
||||
@@ -1 +0,0 @@
|
||||
Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5
|
||||
@@ -1 +0,0 @@
|
||||
Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax
|
||||
@@ -1 +0,0 @@
|
||||
Bumps the TRAEFIK_YML_VERSION
|
||||
@@ -1 +0,0 @@
|
||||
Add support to azure DNS-01 acme challenge
|
||||
@@ -1 +0,0 @@
|
||||
Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.
|
||||
@@ -1,11 +0,0 @@
|
||||
Short summary of the latest changes:
|
||||
|
||||
* Exposed ports have been switched to host-mode port publishing by default
|
||||
This adds support for IPv6 ingress, which means that after deploying this
|
||||
change, DNS AAAA records can be made to point to the relevant IPv6
|
||||
address and Traefik will handle public IPv6 ingress traffic (including ACME
|
||||
HTTP-01 challenges)
|
||||
|
||||
/!\ This is a breaking change. It is still possible to revert ports 80 and
|
||||
443 to ingress-mode (the previous default) but keep in mind that there
|
||||
is no longer an easy way to publish additional ports in ingress mode.
|
||||
@@ -1,10 +0,0 @@
|
||||
/!\ BREAKING CHANGE: Change metrics endpoint to use https instead of http 8082
|
||||
to prevent sending BASIC_AUTH in plaintext
|
||||
|
||||
The metrics endpoint changed from http on port 8082 to the web-secure
|
||||
endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is
|
||||
enabled you need to configure a FQDN for it by setting METRICS_FQDN in your
|
||||
.env. You should also update the scrape config files in prometheus for
|
||||
Traefik metrics from port 8082 to the new FQDN.
|
||||
|
||||
All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/5.0.0+v3.6.10...4.0.0+v3.6.10
|
||||
@@ -1 +0,0 @@
|
||||
Patched CVES: CVE-2026-32595 and CVE-2026-32305
|
||||
@@ -1,13 +0,0 @@
|
||||
!Breaking: Starting with v3.6.16, the Docker provider requires Docker API version v1.40 or above (Docker Engine v19.03). Users running older (end of life) versions of Docker Engine should update their Docker Engine or use the DOCKER_API_VERSION environment variable to override the API version used by Traefik.
|
||||
|
||||
letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
|
||||
|
||||
matrix-federation: Entrypoint was changed to :8448 to match published port
|
||||
|
||||
fix: ensure large uploads work. You can now set the following env vars:
|
||||
- READ_TIMEOUT
|
||||
- WRITE_TIMEOUT
|
||||
|
||||
cloudflare: Add Cloudflare as DNS provider
|
||||
|
||||
For more information take a look at the migration guide: https://doc.traefik.io/traefik/v3.7/migrate/v3/#v377
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": [
|
||||
"config:recommended"
|
||||
]
|
||||
}
|
||||
+36
-89
@@ -1,24 +1,15 @@
|
||||
---
|
||||
core:
|
||||
defaultRuleSyntax: v2
|
||||
|
||||
log:
|
||||
level: {{ env "LOG_LEVEL" }}
|
||||
maxAge: {{ env "LOG_MAX_AGE" }}
|
||||
|
||||
providers:
|
||||
swarm:
|
||||
endpoint: "tcp://socket-proxy:2375"
|
||||
docker:
|
||||
endpoint: "unix:///var/run/docker.sock"
|
||||
exposedByDefault: false
|
||||
network: proxy
|
||||
{{- if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
|
||||
file:
|
||||
directory: /etc/traefik/file-providers
|
||||
watch: true
|
||||
{{- else }}
|
||||
swarmMode: true
|
||||
file:
|
||||
filename: /etc/traefik/file-provider.yml
|
||||
{{- end }}
|
||||
|
||||
api:
|
||||
dashboard: {{ env "DASHBOARD_ENABLED" }}
|
||||
@@ -33,97 +24,57 @@ entrypoints:
|
||||
to: web-secure
|
||||
web-secure:
|
||||
address: ":443"
|
||||
transport:
|
||||
respondingTimeouts:
|
||||
readTimeout: {{ env "READ_TIMEOUT" }}
|
||||
writeTimeout: {{ env "WRITE_TIMEOUT" }}
|
||||
http:
|
||||
encodedCharacters:
|
||||
allowEncodedSlash: true
|
||||
allowEncodedBackSlash: true
|
||||
allowEncodedNullCharacter: true
|
||||
allowEncodedSemicolon: true
|
||||
allowEncodedPercent: true
|
||||
allowEncodedQuestionMark: true
|
||||
allowEncodedHash: true
|
||||
{{- if eq (env "GITEA_SSH_ENABLED") "1" }}
|
||||
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
|
||||
gitea-ssh:
|
||||
address: ":2222"
|
||||
{{- end }}
|
||||
{{- if eq (env "P2PANDA_ENABLED") "1" }}
|
||||
p2panda-udp-v4:
|
||||
address: ":2022/udp"
|
||||
p2panda-udp-v6:
|
||||
address: ":2023/udp"
|
||||
{{- end }}
|
||||
{{- if eq (env "GARAGE_RPC_ENABLED") "1" }}
|
||||
garage-rpc:
|
||||
address: ":3901"
|
||||
{{- end }}
|
||||
{{- if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
|
||||
foodsoft-smtp:
|
||||
address: ":2525"
|
||||
{{- end }}
|
||||
{{- if eq (env "SMTP_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "SMTP_ENABLED") "1" }}
|
||||
smtp-submission:
|
||||
address: ":587"
|
||||
{{- end }}
|
||||
{{- if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
|
||||
peertube-rtmp:
|
||||
address: ":1935"
|
||||
{{- end }}
|
||||
{{- if eq (env "WEB_ALT_ENABLED") "1" }}
|
||||
web-alt:
|
||||
address: ":8000"
|
||||
{{- end }}
|
||||
{{- if eq (env "SSB_MUXRPC_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
|
||||
ssb-muxrpc:
|
||||
address: ":8008"
|
||||
{{- end }}
|
||||
{{- if eq (env "MSSQL_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "MSSQL_ENABLED") "1" }}
|
||||
mssql:
|
||||
address: ":1433"
|
||||
{{- end }}
|
||||
{{- if eq (env "MUMBLE_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "MUMBLE_ENABLED") "1" }}
|
||||
mumble:
|
||||
address: ":64738"
|
||||
mumble-udp:
|
||||
address: ":64738/udp"
|
||||
{{- end }}
|
||||
{{- if eq (env "COMPY_ENABLED") "1" }}
|
||||
compy:
|
||||
address: ":9999"
|
||||
{{- end }}
|
||||
{{- if eq (env "IRC_ENABLED") "1" }}
|
||||
irc:
|
||||
address: ":6697"
|
||||
{{- end }}
|
||||
{{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||
{{ end }}
|
||||
{{ if eq (env "MINECRAFT_ENABLED") "1" }}
|
||||
minecraft:
|
||||
address: ":25565"
|
||||
{{ end }}
|
||||
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||
metrics:
|
||||
address: ":8082"
|
||||
{{ end }}
|
||||
{{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||
matrix-federation:
|
||||
address: ":8448"
|
||||
{{- end }}
|
||||
{{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
|
||||
nextcloud-talk-hpb:
|
||||
address: ":3478"
|
||||
nextcloud-talk-hpb-udp:
|
||||
address: ":3478/udp"
|
||||
{{- end }}
|
||||
{{- if eq (env "ONION_ENABLED") "1" }}
|
||||
onion:
|
||||
address: ":9052"
|
||||
{{- end }}
|
||||
address: ":9001"
|
||||
{{ end }}
|
||||
|
||||
ping:
|
||||
entryPoint: web
|
||||
|
||||
{{- if eq (env "METRICS_ENABLED") "1" }}
|
||||
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||
metrics:
|
||||
prometheus:
|
||||
entryPoint: web-secure
|
||||
manualRouting: true
|
||||
addRoutersLabels: true
|
||||
addServicesLabels: true
|
||||
{{- end }}
|
||||
entryPoint: metrics
|
||||
{{ end }}
|
||||
|
||||
certificatesResolvers:
|
||||
staging:
|
||||
@@ -131,29 +82,25 @@ certificatesResolvers:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/staging-acme.json
|
||||
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
resolvers:
|
||||
- "1.1.1.1:53"
|
||||
- "8.8.8.8:53"
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
production:
|
||||
acme:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/production-acme.json
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
resolvers:
|
||||
- "1.1.1.1:53"
|
||||
- "9.9.9.9:53"
|
||||
{{- end }}
|
||||
- "8.8.8.8:53"
|
||||
{{ end }}
|
||||
|
||||
Reference in New Issue
Block a user