Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 25c219f844 | |||
| ef0d154bb1 | |||
| adeaf5afa3 | |||
| ad8a7f1bd9 | |||
|
81869a049e
|
|||
| f47a200c0b | |||
| 693fa79449 | |||
| 928bc2104a | |||
| 92b7093e45 | |||
| b2b311fef4 | |||
| b39bb5adaf | |||
| 97a68f28ac |
+24
-14
@@ -15,6 +15,13 @@ LOG_MAX_AGE=1
|
||||
# This is here so later lines can extend it; you likely don't wanna edit
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
# Increase read timeout (or change it to 0s) to ensure large file
|
||||
# uploads work.
|
||||
#
|
||||
# https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-transport-respondingTimeouts-readTimeout
|
||||
READ_TIMEOUT=60s
|
||||
WRITE_TIMEOUT=0s
|
||||
|
||||
#####################################################################
|
||||
# General settings #
|
||||
#####################################################################
|
||||
@@ -38,7 +45,7 @@ COMPOSE_FILE="compose.yml"
|
||||
## Enable dns challenge (for wildcard domains)
|
||||
## https://go-acme.github.io/lego/dns/#dns-providers
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
|
||||
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
|
||||
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
|
||||
## Uncomment the corresponding provider below to insert your secret token/key.
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
|
||||
|
||||
@@ -47,25 +54,25 @@ COMPOSE_FILE="compose.yml"
|
||||
#OVH_ENABLED=1
|
||||
#OVH_APPLICATION_KEY=
|
||||
#OVH_ENDPOINT=
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1
|
||||
#SECRET_OVH_CONSUMER_KEY=v1
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
|
||||
#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note(3wc): only "V5" (new) API is supported, so far
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
|
||||
#GANDI_API_KEY_ENABLED=1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note: uses GandiV5 Personal Access Token
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
|
||||
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
|
||||
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
|
||||
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## DigitalOcean, https://digitalocean.com
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
|
||||
#DIGITALOCEAN_ENABLED=1
|
||||
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
|
||||
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## Azure, https://azure.com
|
||||
## To insert your Azure client secret:
|
||||
@@ -76,24 +83,26 @@ COMPOSE_FILE="compose.yml"
|
||||
#AZURE_CLIENT_ID=
|
||||
#AZURE_SUBSCRIPTION_ID=
|
||||
#AZURE_RESOURCE_GROUP=
|
||||
#SECRET_AZURE_SECRET_VERSION=v1
|
||||
#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
|
||||
|
||||
## Porkbun, https://porkbun.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert 1312.net pb_api_key v1 pk1_413
|
||||
## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
|
||||
#SECRET_PORKBUN_API_KEY_VERSION=v1
|
||||
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
|
||||
#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
|
||||
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Cloudflare, htps://cloudflare.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert {myapp.example.coop} cf_email v1 "<CLOUDFLARE_EMAIL>"
|
||||
## abra app secret insert {myapp.example.coop} cf_api_key v1 "<CLOUDFLARE_API_KEY>"
|
||||
## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
|
||||
## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
|
||||
## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
|
||||
## These can be the same token or different tokens
|
||||
## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
|
||||
## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
|
||||
#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
|
||||
#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
|
||||
#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
|
||||
#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
#####################################################################
|
||||
# Manual wildcard certificate insertion #
|
||||
@@ -212,6 +221,7 @@ COMPOSE_FILE="compose.yml"
|
||||
#ANUBIS_OG_EXPIRY_TIME=1h
|
||||
#ANUBIS_OG_CACHE_CONSIDER_HOST=true
|
||||
#ANUBIS_SERVE_ROBOTS_TXT=true
|
||||
#ANUBIS_SLOG_LEVEL=INFO
|
||||
|
||||
## Enable onion service support
|
||||
#ONION_ENABLED=1
|
||||
|
||||
@@ -32,15 +32,16 @@
|
||||
3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
|
||||
4. Redploy your app: `abra app deploy -f <domain>`
|
||||
|
||||
## Configuring wildcard SSL using DNS
|
||||
## Configuring SSL using DNS
|
||||
|
||||
Automatic certificate generation will Just Work™ for most recipes which use a fixed
|
||||
number of subdomains. For some recipes which need to work across arbitrary
|
||||
Automatic certificate generation will Just Work™ for most recipes which use a
|
||||
fixed number of subdomains. If your server can't be reached from the Internet,
|
||||
or if you're deploying a recipe that needs to work across arbitrary
|
||||
subdomains, like
|
||||
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
|
||||
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
|
||||
need to give Traefik access to your DNS provider so that it can carry out
|
||||
Letsencrypt DNS challenges.
|
||||
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
|
||||
the use of wildcard certificates,) you can give Traefik access to your DNS provider
|
||||
so that it can carry out Letsencrypt DNS challenges.
|
||||
|
||||
1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
|
||||
can be easily added, see
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
export TRAEFIK_YML_VERSION=v30
|
||||
export TRAEFIK_YML_VERSION=v32
|
||||
export FILE_PROVIDER_YML_VERSION=v12
|
||||
export ENTRYPOINT_VERSION=v5
|
||||
|
||||
@@ -17,6 +17,7 @@ services:
|
||||
OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
|
||||
OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
|
||||
SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
|
||||
SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
|
||||
networks:
|
||||
- proxy
|
||||
deploy:
|
||||
|
||||
@@ -3,16 +3,16 @@ version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
|
||||
- CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
|
||||
- CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
|
||||
- CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
|
||||
secrets:
|
||||
- cf_email
|
||||
- cf_api_key
|
||||
|
||||
- cf_dns_token
|
||||
- cf_zone_token
|
||||
|
||||
secrets:
|
||||
cf_email:
|
||||
name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
|
||||
cf_dns_token:
|
||||
name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
|
||||
external: true
|
||||
cf_api_key:
|
||||
name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
|
||||
cf_zone_token:
|
||||
name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
|
||||
external: true
|
||||
|
||||
+6
-3
@@ -3,7 +3,7 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: "traefik:v3.6.15"
|
||||
image: "traefik:v3.7.7"
|
||||
# Note(decentral1se): *please do not* add any additional ports here.
|
||||
# Doing so could break new installs with port conflicts. Please use
|
||||
# the usual `compose.$app.yml` approach for any additional ports
|
||||
@@ -34,6 +34,8 @@ services:
|
||||
- DASHBOARD_ENABLED
|
||||
- LOG_LEVEL
|
||||
- ${LOG_MAX_AGE:-0}
|
||||
- READ_TIMEOUT=${READ_TIMEOUT:-60s}
|
||||
- WRITE_TIMEOUT=${WRITE_TIMEOUT:-0s}
|
||||
healthcheck:
|
||||
test: ["CMD", "traefik", "healthcheck"]
|
||||
interval: 30s
|
||||
@@ -55,12 +57,12 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
|
||||
- "coop-cloud.${STACK_NAME}.version=5.1.1+v3.6.15"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.0.0+v3.7.7"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
|
||||
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
|
||||
|
||||
socket-proxy:
|
||||
image: lscr.io/linuxserver/socket-proxy:3.2.19
|
||||
image: lscr.io/linuxserver/socket-proxy:3.4.2
|
||||
deploy:
|
||||
endpoint_mode: dnsrr
|
||||
environment:
|
||||
@@ -91,6 +93,7 @@ services:
|
||||
- TASKS=1 # Needs access
|
||||
- VERSION=1 # Needs access
|
||||
- VOLUMES=0
|
||||
- LOG_LEVEL=warning
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
networks:
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
!Breaking: Starting with v3.6.16, the Docker provider requires Docker API version v1.40 or above (Docker Engine v19.03). Users running older (end of life) versions of Docker Engine should update their Docker Engine or use the DOCKER_API_VERSION environment variable to override the API version used by Traefik.
|
||||
|
||||
letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
|
||||
|
||||
matrix-federation: Entrypoint was changed to :8448 to match published port
|
||||
|
||||
fix: ensure large uploads work. You can now set the following env vars:
|
||||
- READ_TIMEOUT
|
||||
- WRITE_TIMEOUT
|
||||
|
||||
cloudflare: Add Cloudflare as DNS provider
|
||||
|
||||
For more information take a look at the migration guide: https://doc.traefik.io/traefik/v3.7/migrate/v3/#v377
|
||||
+9
-1
@@ -33,6 +33,10 @@ entrypoints:
|
||||
to: web-secure
|
||||
web-secure:
|
||||
address: ":443"
|
||||
transport:
|
||||
respondingTimeouts:
|
||||
readTimeout: {{ env "READ_TIMEOUT" }}
|
||||
writeTimeout: {{ env "WRITE_TIMEOUT" }}
|
||||
http:
|
||||
encodedCharacters:
|
||||
allowEncodedSlash: true
|
||||
@@ -96,7 +100,7 @@ entrypoints:
|
||||
{{- end }}
|
||||
{{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||
matrix-federation:
|
||||
address: ":9001"
|
||||
address: ":8448"
|
||||
{{- end }}
|
||||
{{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
|
||||
nextcloud-talk-hpb:
|
||||
@@ -127,8 +131,10 @@ certificatesResolvers:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/staging-acme.json
|
||||
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
@@ -140,8 +146,10 @@ certificatesResolvers:
|
||||
acme:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/production-acme.json
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
|
||||
Reference in New Issue
Block a user