chore(deps): update traefik docker tag to v3.6.8 (#89 )

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [traefik](https://github.com/containous/traefik) | patch | `v3.6.7` -> `v3.6.8` | > ❗ **Important** > > Release Notes retrieval for this PR were skipped because no github.com credentials were available. > If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes). --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: #89 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Co-authored-by: Renovate Bot <renovate@coopcloud.tech> Co-committed-by: Renovate Bot <renovate@coopcloud.tech>
compose: Switch to host-mode port publishing by default (#88 )
2026-02-15 18:21:05 +00:00 · 2026-02-15 18:19:19 +00:00 · 2026-01-20 09:51:07 +01:00 · 2026-01-15 09:37:12 +00:00 · 2026-01-15 09:35:16 +00:00 · 2026-01-15 10:34:40 +01:00
19 changed files with 114 additions and 35 deletions
--- a/.env.sample
+++ b/.env.sample
@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################

-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
+## Ingress-mode port publishing for ports 80 and 443
+##
+## /!\ Using this prevents the use of any compose override adding
+##     published ports to the traefik_app service (almost all of them)
+##     and it prevents the use of IPv6 for ingress traffic.
+##     Do not uncomment unless you know exactly what you are doing
+##
+#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"

 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -1,5 +1,6 @@
 ---
 name: "Traefik pull request template"
+about: "Traefik pull request template"
 ---

 <!-- 
--- a/compose.compy.yml
+++ b/compose.compy.yml
@ -4,4 +4,7 @@ services:
    environment:
      - COMPY_ENABLED
    ports:
-      - "9999:9999"
+      - target: 9999
+        published: 9999
+        protocol: tcp
+        mode: host
--- a/compose.foodsoft.yml
+++ b/compose.foodsoft.yml
@ -4,4 +4,7 @@ services:
    environment:
      - FOODSOFT_SMTP_ENABLED
    ports:
-      - "2525:2525"
+      - target: 2525
+        published: 2525
+        protocol: tcp
+        mode: host
--- a/compose.gitea.yml
+++ b/compose.gitea.yml
@ -4,4 +4,7 @@ services:
    environment:
      - GITEA_SSH_ENABLED
    ports:
-      - "2222:2222"
+      - target: 2222
+        published: 2222
+        protocol: tcp
+        mode: host
--- a/compose.host.yml
+++ b/compose.host.yml
@ -1,15 +1,2 @@
 ---
 version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        order: stop-first
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host
--- a/compose.irc.yml
+++ b/compose.irc.yml
@ -4,4 +4,7 @@ services:
    environment:
      - IRC_ENABLED
    ports:
-      - "6697:6697"
+      - target: 6697
+        published: 6697
+        protocol: tcp
+        mode: host
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -4,4 +4,7 @@ services:
    environment:
      - MATRIX_FEDERATION_ENABLED
    ports:
-      - "8448:8448"
+      - target: 8448
+        published: 8448
+        protocol: tcp
+        mode: host
--- a/compose.minio.yml
+++ b/compose.minio.yml
@ -6,4 +6,7 @@ services:
    environment:
      - MINIO_CONSOLE_ENABLED
    ports:
-      - "9001:9001"
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
--- a/compose.mumble.yml
+++ b/compose.mumble.yml
@ -4,6 +4,11 @@ services:
    environment:
      - MUMBLE_ENABLED
    ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"
+      - target: 64738
+        published: 64738
+        protocol: udp
+        mode: host
+      - target: 64738
+        published: 64738
+        protocol: tcp
+        mode: host
--- a/compose.nextcloud-talk-hpb.yml
+++ b/compose.nextcloud-talk-hpb.yml
@ -4,5 +4,11 @@ services:
    environment:
      - NEXTCLOUD_TALK_HPB_ENABLED
    ports:
-      - "3478:3478/udp"
-      - "3478:3478/tcp"
+      - target: 3478
+        published: 3478
+        protocol: udp
+        mode: host
+      - target: 3478
+        published: 3478
+        protocol: tcp
+        mode: host
--- a/compose.no-host.yml
+++ b/compose.no-host.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: ingress
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: ingress
+    deploy:
+      endpoint_mode: vip
--- a/compose.peertube.yml
+++ b/compose.peertube.yml
@ -4,4 +4,7 @@ services:
    environment:
      - PEERTUBE_RTMP_ENABLED
    ports:
-      - "1935:1935"
+      - target: 1935
+        published: 1935
+        protocol: tcp
+        mode: host
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -6,4 +6,7 @@ services:
    environment:
      - SMTP_ENABLED
    ports:
-      - "587:587"
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host
--- a/compose.ssb.yml
+++ b/compose.ssb.yml
@ -4,4 +4,7 @@ services:
    environment:
      - SSB_MUXRPC_ENABLED
    ports:
-      - "8008:8008"
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@ -4,4 +4,7 @@ services:
    environment:
      - WEB_ALT_ENABLED
    ports:
-      - "8000:8000"
+      - target: 8000
+        published: 8000
+        protocol: tcp
+        mode: host
--- a/compose.yml
+++ b/compose.yml
@ -3,13 +3,19 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v3.6.6"
+    image: "traefik:v3.6.8"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
    ports:
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
    volumes:
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
@ -37,9 +43,10 @@ services:
    command: traefik
    entrypoint: /custom-entrypoint.sh
    deploy:
+      endpoint_mode: dnsrr
      update_config:
        failure_action: rollback
-        order: start-first
+        order: stop-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
@ -48,7 +55,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
+        - "coop-cloud.${STACK_NAME}.version=3.10.0+v3.6.7"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"

--- a/release/3.10.0+v3.6.7
+++ b/release/3.10.0+v3.6.7
@ -0,0 +1,10 @@
+Short summary of the latest changes:
+
+* Traefik has been upgraded with a patch release, no issues expected.
+* "CurveP256" has been included to the TLS options.
+* The default TIMEOUT value has been removed from the label directly.
+* Anubis support is here, try out `compose.anubis.yml` and see the README.md for more.
+* Onion services with Tor are not supported! See the README.md for more.
+* There are now officially 3 recipe maintainers for Traefik!
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/3.9.0+v3.6.5...master
--- a/release/next
+++ b/release/next
@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+   This adds support for IPv6 ingress, which means that after deploying this
+   change, DNS AAAA records can be made to point to the relevant IPv6
+   address and Traefik will handle public IPv6 ingress traffic (including ACME
+   HTTP-01 challenges)
+
+   /!\ This is a breaking change. It is still possible to revert ports 80 and
+       443 to ingress-mode (the previous default) but keep in mind that there
+       is no longer an easy way to publish additional ports in ingress mode.
Author	SHA1	Message	Date
Renovate Bot	795592ea3c	chore(deps): update traefik docker tag to v3.6.8 (#89 ) Some checks failed continuous-integration/drone/push Build is failing Details This PR contains the following updates: \| Package \| Update \| Change \| \|---\|---\|---\| \| [traefik](https://github.com/containous/traefik) \| patch \| `v3.6.7` -> `v3.6.8` \| > ❗ Important > > Release Notes retrieval for this PR were skipped because no github.com credentials were available. > If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes). --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: #89 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Co-authored-by: Renovate Bot <renovate@coopcloud.tech> Co-committed-by: Renovate Bot <renovate@coopcloud.tech>	2026-02-15 18:21:05 +00:00
mirsal	b67ed0ca88	compose: Switch to host-mode port publishing by default (#88 ) Some checks failed continuous-integration/drone/push Build is failing Details By default, swarm services use ingress mode port publishing, which is not ideal for traefik (it breaks IPv6 ingress and there is no need to load-balance traffic between multiple traefik instances or to route it from multiple swarm nodes) This PR switches traefik's port publishing mode to `host` for all of its exposed ports as well as: * change traefik's update order to stop-first (there cannot be multiple containers exposing the same port when using host-mode publishing) * use `endpoint_mode: dnsrr` instead of the default `vip` * remove all overrides from `compose.host.yml`, leaving the file empty for backwards compatibility /!\ This is a breaking change Closes: #52 * [x] I have deployed and tested my changes * [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes) Reviewed-on: #88 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Co-authored-by: mirsal <mirsal@mirsal.fr> Co-committed-by: mirsal <mirsal@mirsal.fr>	2026-02-15 18:19:19 +00:00
p4u1	5f977f1cca	chore: publish 3.10.0+v3.6.7 release Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is passing Details	2026-01-20 09:51:07 +01:00
decentral1se	ee344cce5d	Merge pull request 'docs: next release notes' (#80 ) from feat-release-notes-next into master Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #80 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>	2026-01-15 09:37:12 +00:00
decentral1se	27cc7efb72	Merge pull request 'chore(deps): update traefik docker tag to v3.6.7' (#83 ) from renovate/traefik-3.x into master Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #83 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2026-01-15 09:35:16 +00:00
decentral1se	324933a9cc	docs: next release notes Some checks failed continuous-integration/drone/pr Build is failing Details	2026-01-15 10:34:40 +01:00
decentral1se	dc3e50838f	Merge pull request 'feat: Add onion service support' (#81 ) from add-onion-support into master Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #81 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2026-01-15 09:33:28 +00:00
p4u1	d59f6e0302	Update .gitea/PULL_REQUEST_TEMPLATE.md Some checks failed continuous-integration/drone/push Build is failing Details	2026-01-14 20:25:43 +00:00
Renovate Bot	c2cdfd80b6	chore(deps): update traefik docker tag to v3.6.7 Some checks failed continuous-integration/drone/pr Build is failing Details	2026-01-14 19:25:37 +00:00