chore(deps): update traefik docker tag to v3.7.5 (#102)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [traefik](https://github.com/containous/traefik) | minor | `v3.6.15` -> `v3.7.5` |

> ❗ **Important**
>
> Release Notes retrieval for this PR were skipped because no github.com credentials were available.
> If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes).

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: #102
Co-authored-by: Renovate Bot <renovate@coopcloud.tech>
Co-committed-by: Renovate Bot <renovate@coopcloud.tech>

.env.sample

@@ -38,7 +38,7 @@ COMPOSE_FILE="compose.yml"
 ## Enable dns challenge (for wildcard domains)
 ##   https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
 ## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
 
@@ -47,25 +47,25 @@ COMPOSE_FILE="compose.yml"
 #OVH_ENABLED=1
 #OVH_APPLICATION_KEY=
 #OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1
-#SECRET_OVH_CONSUMER_KEY=v1
+#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
+#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
 #GANDI_API_KEY_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1
+#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
 
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
 
 ## Azure, https://azure.com
 ## To insert your Azure client secret:
@@ -76,24 +76,26 @@ COMPOSE_FILE="compose.yml"
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
+#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
 
 ## Porkbun, https://porkbun.com
 ## To insert your secrets:
 ## abra app secret insert 1312.net pb_api_key v1 pk1_413
 ## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
 #COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
-#SECRET_PORKBUN_API_KEY_VERSION=v1
-#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
+#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
 
 ## Cloudflare, htps://cloudflare.com
 ## To insert your secrets:
-## abra app secret insert {myapp.example.coop} cf_email v1 "<CLOUDFLARE_EMAIL>"
-## abra app secret insert {myapp.example.coop} cf_api_key v1 "<CLOUDFLARE_API_KEY>"
-## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
+## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
+## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
+## These can be the same token or different tokens
+## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
+## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
 #COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
-#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
-#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
 
 #####################################################################
 # Manual wildcard certificate insertion                             #
@@ -212,6 +214,7 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
+#ANUBIS_SLOG_LEVEL=INFO
 
 ## Enable onion service support
 #ONION_ENABLED=1

README.md

@@ -32,15 +32,16 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`
 
-## Configuring wildcard SSL using DNS
+## Configuring SSL using DNS
 
-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes which use a
+fixed number of subdomains. If your server can't be reached from the Internet,
+or if you're deploying a recipe that needs to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
+the use of wildcard certificates,) you can give Traefik access to your DNS provider
+so that it can carry out Letsencrypt DNS challenges.
 
 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
    can be easily added, see

compose.anubis.yml

@@ -17,6 +17,7 @@ services:
       OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
       OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
       SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
+      SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
     networks:
     - proxy
     deploy:

compose.cloudflare.yml

@@ -3,16 +3,16 @@ version: "3.8"
 services:
   app:
     environment:
-      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
-      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
+      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
+      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
     secrets:
-      - cf_email
-      - cf_api_key
-  
+      - cf_dns_token
+      - cf_zone_token
+
 secrets:
-  cf_email:
-    name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+  cf_dns_token:
+    name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
     external: true
-  cf_api_key:
-    name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
+  cf_zone_token:
+    name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
     external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.15"
+    image: "traefik:v3.7.5"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -60,7 +60,7 @@ services:
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.19
+    image: lscr.io/linuxserver/socket-proxy:3.4.0
     deploy:
       endpoint_mode: dnsrr
     environment:
@@ -91,6 +91,7 @@ services:
       - TASKS=1 # Needs access
       - VERSION=1 # Needs access
       - VOLUMES=0
+      - LOG_LEVEL=warning
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     networks:

release/next

@@ -0,0 +1 @@
+letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.

traefik.yml.tmpl

@@ -96,7 +96,7 @@ entrypoints:
   {{- end }}
   {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
-    address: ":8448"
+    address: ":9001"
   {{- end }}
   {{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
   nextcloud-talk-hpb:
@@ -127,8 +127,10 @@ certificatesResolvers:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/staging-acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
@@ -140,8 +142,10 @@ certificatesResolvers:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}