Compare commits
104 Commits
error-page
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 7835b585fd | |||
| 830559895e | |||
ac53e9debe
|
|||
|
acb4c6960a
|
|||
| 22578d1e8e | |||
| 55ad530fb7 | |||
| 54fe45da2f | |||
| e21dbc655a | |||
| b9d825b5c5 | |||
| 74b3ee6716 | |||
| 14d5d79520 | |||
| 7185e6ab43 | |||
| 85d0c159b0 | |||
| 6294944952 | |||
abbb3255f8
|
|||
| b5824c89f1 | |||
| 9c924f5d67 | |||
| ed0945f59f | |||
| 0fac81d4e2 | |||
|
c8894b7ee7 | ||
|
|
e65bffe337 | ||
| 8cce1b7ff7 | |||
| b9cbc9ba92 | |||
| d5f36255fe | |||
| b836d441f5 | |||
| 8de23fd652 | |||
| 6133be7830 | |||
| 5803d05532 | |||
| 0ace5037db | |||
| 9e2d000d12 | |||
| d4f1c6b45c | |||
| ca989e903c | |||
| 50cdb20a39 | |||
| 60b79b447a | |||
| f1b52916df | |||
|
35d435b4f6 | ||
| b7ea50d6aa | |||
| af33ec8510 | |||
| 685d32baf1 | |||
| e76d61be00 | |||
| daec338066 | |||
| e92e76ac88 | |||
| 70d10587bc | |||
| bdf84fcefd | |||
| 2db2f71a80 | |||
| c558e1dbdb | |||
| edc29f9594 | |||
| f7f77dc942 | |||
| ecc12b2b68 | |||
| a0e70f33be | |||
|
e3c1df83fa | ||
|
|
998190f684 | ||
|
|
cd92c909ba | ||
|
|
64351c27d1 | ||
|
|
f4b05fd87f | ||
|
|
3c5333ba71 | ||
| 5f2fd0bf37 | |||
| ac3a47fe8c | |||
| 1e02f358ed | |||
| 6cdcc25384 | |||
| d2b7b671f5 | |||
| c9d80df34d | |||
| aaa34c1ea8 | |||
| 6dee438492 | |||
| ff668b2266 | |||
| e2c16be2ff | |||
| 892f3c3124 | |||
| 4205f4911e | |||
| 13eb4a782d | |||
|
b00a65a890
|
|||
| a213094d46 | |||
| 8bb3adba81 | |||
| a7bff09db6 | |||
| 6167d41588 | |||
| 31330d967b | |||
|
f23357c9cd
|
|||
| b6bb286282 | |||
| 14a34c7b7f | |||
| 39bfdb4c82 | |||
| 1d43c68274 | |||
| f1cfb814dd | |||
| ece8807959 | |||
| a1e75e8c8b | |||
| b62cb273ef | |||
|
5f25a272cb | ||
|
|
4c7a272838 | ||
| 2e68186042 | |||
| 975d8e01a4 | |||
| fcff3a2d6a | |||
| 981d2a3808 | |||
| 29eb1058cd | |||
|
df49a1f3b2
|
|||
| 099dcfaed0 | |||
|
1d7542cd5f
|
|||
|
5e1604322e
|
|||
|
36707989d2
|
|||
|
29f90fe409
|
|||
| 8a48c5e507 | |||
|
612d0cc6cc
|
|||
| 36c7b740ab | |||
| 59b0f8d645 | |||
| 556c448c05 | |||
| 26fcaaea69 | |||
| 02ebb1412f |
26
.drone.yml
26
.drone.yml
@ -3,10 +3,12 @@ kind: pipeline
|
|||||||
name: deploy to swarm-test.autonomic.zone
|
name: deploy to swarm-test.autonomic.zone
|
||||||
steps:
|
steps:
|
||||||
- name: deployment
|
- name: deployment
|
||||||
image: decentral1se/stack-ssh-deploy:latest
|
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||||
settings:
|
settings:
|
||||||
host: swarm-test.autonomic.zone
|
host: swarm-test.autonomic.zone
|
||||||
stack: traefik
|
stack: traefik
|
||||||
|
networks:
|
||||||
|
- proxy
|
||||||
deploy_key:
|
deploy_key:
|
||||||
from_secret: drone_ssh_swarm_test
|
from_secret: drone_ssh_swarm_test
|
||||||
environment:
|
environment:
|
||||||
@ -14,19 +16,25 @@ steps:
|
|||||||
STACK_NAME: traefik
|
STACK_NAME: traefik
|
||||||
LETS_ENCRYPT_ENV: production
|
LETS_ENCRYPT_ENV: production
|
||||||
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
|
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
|
||||||
TRAEFIK_YML_VERSION: v4
|
TRAEFIK_YML_VERSION: v21
|
||||||
FILE_PROVIDER_YML_VERSION: v3
|
FILE_PROVIDER_YML_VERSION: v10
|
||||||
ENTRYPOINT_VERSION: v1
|
ENTRYPOINT_VERSION: v4
|
||||||
trigger:
|
trigger:
|
||||||
branch:
|
branch:
|
||||||
- master
|
- master
|
||||||
---
|
---
|
||||||
kind: pipeline
|
kind: pipeline
|
||||||
name: recipe release
|
name: generate recipe catalogue
|
||||||
steps:
|
steps:
|
||||||
- name: release a new version
|
- name: release a new version
|
||||||
image: thecoopcloud/drone-abra:latest
|
image: plugins/downstream
|
||||||
settings:
|
settings:
|
||||||
command: recipe traefik release
|
server: https://build.coopcloud.tech
|
||||||
deploy_key:
|
token:
|
||||||
from_secret: abra_bot_deploy_key
|
from_secret: drone_abra-bot_token
|
||||||
|
fork: true
|
||||||
|
repositories:
|
||||||
|
- toolshed/auto-recipes-catalogue-json
|
||||||
|
|
||||||
|
trigger:
|
||||||
|
event: tag
|
||||||
|
|||||||
61
.env.sample
61
.env.sample
@ -1,4 +1,7 @@
|
|||||||
TYPE=traefik
|
TYPE=traefik
|
||||||
|
TIMEOUT=300
|
||||||
|
ENABLE_AUTO_UPDATE=true
|
||||||
|
ENABLE_BACKUPS=true
|
||||||
|
|
||||||
DOMAIN=traefik.example.com
|
DOMAIN=traefik.example.com
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
@ -40,18 +43,50 @@ COMPOSE_FILE="compose.yml"
|
|||||||
|
|
||||||
## Gandi, https://gandi.net
|
## Gandi, https://gandi.net
|
||||||
## note(3wc): only "V5" (new) API is supported, so far
|
## note(3wc): only "V5" (new) API is supported, so far
|
||||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
|
||||||
#GANDI_ENABLED=1
|
#GANDI_API_KEY_ENABLED=1
|
||||||
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||||
|
|
||||||
|
## Gandi, https://gandi.net
|
||||||
|
## note: uses GandiV5 Personal Access Token
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
|
||||||
|
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
|
||||||
|
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
|
||||||
|
|
||||||
|
## DigitalOcean, https://digitalocean.com
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
|
||||||
|
#DIGITALOCEAN_ENABLED=1
|
||||||
|
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
# Keycloak log-in #
|
# Manual wildcard certificate insertion #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
# Set wildcards = 1, and uncomment compose_file to enable.
|
||||||
|
# Create your certs elsewhere and add them like:
|
||||||
|
# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
|
||||||
|
# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
|
||||||
|
#WILDCARDS_ENABLED=1
|
||||||
|
#SECRET_WILDCARD_CERT_VERSION=v1
|
||||||
|
#SECRET_WILDCARD_KEY_VERSION=v1
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Authentication #
|
||||||
#####################################################################
|
#####################################################################
|
||||||
|
|
||||||
## Enable Keycloak
|
## Enable Keycloak
|
||||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
|
||||||
#KEYCLOAK_MIDDLEWARE_ENABLED=1
|
#KEYCLOAK_MIDDLEWARE_ENABLED=1
|
||||||
#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
|
#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
|
||||||
|
#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
|
||||||
|
#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
|
||||||
|
|
||||||
|
## BASIC_AUTH
|
||||||
|
## Use httpasswd to generate the secret
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
|
||||||
|
#BASIC_AUTH=1
|
||||||
|
#SECRET_USERSFILE_VERSION=v1
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
# Prometheus metrics #
|
# Prometheus metrics #
|
||||||
@ -59,8 +94,15 @@ COMPOSE_FILE="compose.yml"
|
|||||||
|
|
||||||
## Enable prometheus metrics collection
|
## Enable prometheus metrics collection
|
||||||
## used used by the coop-cloud monitoring stack
|
## used used by the coop-cloud monitoring stack
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
|
||||||
#METRICS_ENABLED=1
|
#METRICS_ENABLED=1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# File provider directory configuration #
|
||||||
|
# (Route bare metal and non-docker services on the machine!) #
|
||||||
|
#####################################################################
|
||||||
|
#FILE_PROVIDER_DIRECTORY_ENABLED=1
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
# Additional services #
|
# Additional services #
|
||||||
#####################################################################
|
#####################################################################
|
||||||
@ -69,6 +111,10 @@ COMPOSE_FILE="compose.yml"
|
|||||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
|
||||||
#SMTP_ENABLED=1
|
#SMTP_ENABLED=1
|
||||||
|
|
||||||
|
## Compy
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
|
||||||
|
#COMPY_ENABLED=1
|
||||||
|
|
||||||
## Gitea SSH
|
## Gitea SSH
|
||||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
|
||||||
# GITEA_SSH_ENABLED=1
|
# GITEA_SSH_ENABLED=1
|
||||||
@ -92,3 +138,12 @@ COMPOSE_FILE="compose.yml"
|
|||||||
## Mumble
|
## Mumble
|
||||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
|
||||||
#MUMBLE_ENABLED=1
|
#MUMBLE_ENABLED=1
|
||||||
|
|
||||||
|
## Matrix
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
|
||||||
|
#MATRIX_FEDERATION_ENABLED=1
|
||||||
|
|
||||||
|
## "Web alt", an alternative web port
|
||||||
|
# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
|
||||||
|
#WEB_ALT_ENABLED=1
|
||||||
|
|||||||
31
README.md
31
README.md
@ -7,11 +7,11 @@
|
|||||||
<!-- metadata -->
|
<!-- metadata -->
|
||||||
* **Category**: Utilities
|
* **Category**: Utilities
|
||||||
* **Status**: ?
|
* **Status**: ?
|
||||||
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
|
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
|
||||||
* **Healthcheck**: Yes
|
* **Healthcheck**: Yes
|
||||||
* **Backups**: No
|
* **Backups**: No
|
||||||
* **Email**: N/A
|
* **Email**: N/A
|
||||||
* **Tests**: ❷💛
|
* **Tests**: 2
|
||||||
* **SSO**: ? (Keycloak)
|
* **SSO**: ? (Keycloak)
|
||||||
<!-- endmetadata -->
|
<!-- endmetadata -->
|
||||||
|
|
||||||
@ -19,8 +19,31 @@
|
|||||||
|
|
||||||
1. Set up Docker Swarm and [`abra`]
|
1. Set up Docker Swarm and [`abra`]
|
||||||
2. `abra app new traefik`
|
2. `abra app new traefik`
|
||||||
3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
|
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
4. `abra app YOURAPPDOMAIN deploy`
|
4. `abra app deploy YOURAPPDOMAIN`
|
||||||
|
|
||||||
|
## Configuring wildcard SSL using DNS
|
||||||
|
|
||||||
|
Automatic certificate generation will Just Work™ for most recipes which use a fixed
|
||||||
|
number of subdomains. For some recipes which need to work across arbitrary
|
||||||
|
subdomains, like
|
||||||
|
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
|
||||||
|
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
|
||||||
|
need to give Traefik access to your DNS provider so that it can carry out
|
||||||
|
Letsencrypt DNS challenges.
|
||||||
|
|
||||||
|
1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
|
||||||
|
see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
|
||||||
|
2. Run `abra app config YOURAPPDOMAIN`
|
||||||
|
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
|
||||||
|
`SECRET_GANDIV5_API_KEY_VERSION`
|
||||||
|
4. Generate an API key for your provider
|
||||||
|
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
|
||||||
|
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
|
||||||
|
`gandiv5_api_key` and `SECRETVALUE` is the API key.
|
||||||
|
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
|
||||||
|
Access Token, in which case use compose.gandi-personal-access-token.yml.
|
||||||
|
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
|
||||||
|
|
||||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
|
|||||||
6
abra.sh
6
abra.sh
@ -1,3 +1,3 @@
|
|||||||
export TRAEFIK_YML_VERSION=v12
|
export TRAEFIK_YML_VERSION=v21
|
||||||
export FILE_PROVIDER_YML_VERSION=v3
|
export FILE_PROVIDER_YML_VERSION=v10
|
||||||
export ENTRYPOINT_VERSION=v2
|
export ENTRYPOINT_VERSION=v4
|
||||||
|
|||||||
4
alaconnect.yml
Normal file
4
alaconnect.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
matrix-synapse:
|
||||||
|
uncomment:
|
||||||
|
- compose.matrix.yml
|
||||||
|
- MATRIX_FEDERATION_ENABLED
|
||||||
12
compose.basicauth.yml
Normal file
12
compose.basicauth.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- BASIC_AUTH
|
||||||
|
secrets:
|
||||||
|
- usersfile
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
usersfile:
|
||||||
|
name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
|
||||||
|
external: true
|
||||||
7
compose.compy.yml
Normal file
7
compose.compy.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- COMPY_ENABLED
|
||||||
|
ports:
|
||||||
|
- "9999:9999"
|
||||||
15
compose.digitalocean.yml
Normal file
15
compose.digitalocean.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||||
|
secrets:
|
||||||
|
- digitalocean_auth_token
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
digitalocean_auth_token:
|
||||||
|
name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
|
||||||
|
external: true
|
||||||
15
compose.gandi-personal-access-token.yml
Normal file
15
compose.gandi-personal-access-token.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||||
|
secrets:
|
||||||
|
- gandiv5_pat
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
gandiv5_pat:
|
||||||
|
name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
|
||||||
|
external: true
|
||||||
@ -10,6 +10,5 @@ services:
|
|||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
||||||
- "traefik.http.routers.traefik.entrypoints=web-secure"
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
- "traefik.http.routers.traefik.service=api@internal"
|
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||||
- "coop-cloud.${STACK_NAME}.app.version=v2.4.9-be23e1f6"
|
|
||||||
|
|||||||
@ -5,7 +5,9 @@ services:
|
|||||||
app:
|
app:
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.routers.traefik.middlewares=keycloak@file"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
|
||||||
environment:
|
environment:
|
||||||
- KEYCLOAK_MIDDLEWARE_ENABLED
|
- KEYCLOAK_MIDDLEWARE_ENABLED
|
||||||
- KEYCLOAK_TFA_SERVICE
|
- KEYCLOAK_TFA_SERVICE
|
||||||
|
- KEYCLOAK_MIDDLEWARE_2_ENABLED
|
||||||
|
- KEYCLOAK_TFA_SERVICE_2
|
||||||
|
|||||||
7
compose.matrix.yml
Normal file
7
compose.matrix.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MATRIX_FEDERATION_ENABLED
|
||||||
|
ports:
|
||||||
|
- "8448:8448"
|
||||||
9
compose.metrics.yml
Normal file
9
compose.metrics.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- METRICS_ENABLED
|
||||||
|
ports:
|
||||||
|
- target: 8082
|
||||||
|
published: 8082
|
||||||
|
mode: host
|
||||||
9
compose.minio.yml
Normal file
9
compose.minio.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MINIO_CONSOLE_ENABLED
|
||||||
|
ports:
|
||||||
|
- "9001:9001"
|
||||||
7
compose.web-alt.yml
Normal file
7
compose.web-alt.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- WEB_ALT_ENABLED
|
||||||
|
ports:
|
||||||
|
- "8000:8000"
|
||||||
16
compose.wildcard.yml
Normal file
16
compose.wildcard.yml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
secrets:
|
||||||
|
- ssl_cert
|
||||||
|
- ssl_key
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
ssl_cert:
|
||||||
|
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
|
||||||
|
external: true
|
||||||
|
ssl_key:
|
||||||
|
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
|
||||||
|
external: true
|
||||||
61
compose.yml
61
compose.yml
@ -3,7 +3,7 @@ version: "3.8"
|
|||||||
|
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: "traefik:v2.5.2"
|
image: "traefik:v2.11.25"
|
||||||
# Note(decentral1se): *please do not* add any additional ports here.
|
# Note(decentral1se): *please do not* add any additional ports here.
|
||||||
# Doing so could break new installs with port conflicts. Please use
|
# Doing so could break new installs with port conflicts. Please use
|
||||||
# the usual `compose.$app.yml` approach for any additional ports
|
# the usual `compose.$app.yml` approach for any additional ports
|
||||||
@ -11,8 +11,8 @@ services:
|
|||||||
- "80:80"
|
- "80:80"
|
||||||
- "443:443"
|
- "443:443"
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
- "letsencrypt:/etc/letsencrypt"
|
- "letsencrypt:/etc/letsencrypt"
|
||||||
|
- "file-providers:/etc/traefik/file-providers"
|
||||||
configs:
|
configs:
|
||||||
- source: traefik_yml
|
- source: traefik_yml
|
||||||
target: /etc/traefik/traefik.yml
|
target: /etc/traefik/traefik.yml
|
||||||
@ -23,6 +23,7 @@ services:
|
|||||||
mode: 0555
|
mode: 0555
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
|
- internal
|
||||||
environment:
|
environment:
|
||||||
- DASHBOARD_ENABLED
|
- DASHBOARD_ENABLED
|
||||||
- LOG_LEVEL
|
- LOG_LEVEL
|
||||||
@ -40,18 +41,57 @@ services:
|
|||||||
order: start-first
|
order: start-first
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
|
||||||
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||||
- "traefik.http.routers.traefik.entrypoints=web-secure"
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
- "traefik.http.routers.traefik.tls.options=default@file"
|
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||||
- "traefik.http.routers.traefik.service=api@internal"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
|
||||||
- "traefik.http.routers.traefik.middlewares=security@file"
|
- "coop-cloud.${STACK_NAME}.version=3.1.1+v2.11.25"
|
||||||
- "coop-cloud.${STACK_NAME}.version=1.0.0+v2.5.2"
|
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||||
|
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
|
||||||
|
|
||||||
|
socket-proxy:
|
||||||
|
image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
|
||||||
|
deploy:
|
||||||
|
endpoint_mode: dnsrr
|
||||||
|
environment:
|
||||||
|
- ALLOW_START=0
|
||||||
|
- ALLOW_STOP=0
|
||||||
|
- ALLOW_RESTARTS=0
|
||||||
|
- AUTH=0
|
||||||
|
- BUILD=0
|
||||||
|
- COMMIT=0
|
||||||
|
- CONFIGS=0
|
||||||
|
- CONTAINERS=1 # Needs access
|
||||||
|
- DISABLE_IPV6=0
|
||||||
|
- DISTRIBUTION=0
|
||||||
|
- EVENTS=1 # Needs access
|
||||||
|
- EXEC=0
|
||||||
|
- IMAGES=0
|
||||||
|
- INFO=0
|
||||||
|
- NETWORKS=1 # Needs access
|
||||||
|
- NODES=0
|
||||||
|
- PING=0
|
||||||
|
- POST=0
|
||||||
|
- PLUGINS=0
|
||||||
|
- SECRETS=0
|
||||||
|
- SERVICES=1 # Needs access
|
||||||
|
- SESSION=0
|
||||||
|
- SWARM=0
|
||||||
|
- SYSTEM=0
|
||||||
|
- TASKS=1 # Needs access
|
||||||
|
- VERSION=1 # Needs access
|
||||||
|
- VOLUMES=0
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
networks:
|
||||||
|
- internal
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
|
internal:
|
||||||
|
|
||||||
configs:
|
configs:
|
||||||
traefik_yml:
|
traefik_yml:
|
||||||
@ -69,3 +109,4 @@ configs:
|
|||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
letsencrypt:
|
letsencrypt:
|
||||||
|
file-providers:
|
||||||
|
|||||||
@ -7,8 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
|
|||||||
export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
|
export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if eq (env "GANDI_ENABLED") "1" }}
|
{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
|
||||||
export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
|
export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
/entrypoint.sh "$@"
|
/entrypoint.sh "$@"
|
||||||
|
|||||||
@ -9,10 +9,22 @@ http:
|
|||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-Forwarded-User
|
- X-Forwarded-User
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
|
||||||
|
keycloak2:
|
||||||
|
forwardAuth:
|
||||||
|
address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Forwarded-User
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "BASIC_AUTH") "1" }}
|
||||||
|
basicauth:
|
||||||
|
basicAuth:
|
||||||
|
usersFile: "/run/secrets/usersfile"
|
||||||
|
{{ end }}
|
||||||
security:
|
security:
|
||||||
headers:
|
headers:
|
||||||
frameDeny: true
|
frameDeny: true
|
||||||
sslRedirect: true
|
|
||||||
browserXssFilter: true
|
browserXssFilter: true
|
||||||
contentTypeNosniff: true
|
contentTypeNosniff: true
|
||||||
stsIncludeSubdomains: true
|
stsIncludeSubdomains: true
|
||||||
@ -32,3 +44,8 @@ tls:
|
|||||||
- CurveP521
|
- CurveP521
|
||||||
- CurveP384
|
- CurveP384
|
||||||
sniStrict: true
|
sniStrict: true
|
||||||
|
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
|
||||||
|
certificates:
|
||||||
|
- certFile: /run/secrets/ssl_cert
|
||||||
|
keyFile: /run/secrets/ssl_key
|
||||||
|
{{ end }}
|
||||||
1
release/2.8.0+v2.11.10
Normal file
1
release/2.8.0+v2.11.10
Normal file
@ -0,0 +1 @@
|
|||||||
|
Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410
|
||||||
1
release/2.9.0+v2.11.14
Normal file
1
release/2.9.0+v2.11.14
Normal file
@ -0,0 +1 @@
|
|||||||
|
Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
|
||||||
1
release/2.9.1+v2.11.14
Normal file
1
release/2.9.1+v2.11.14
Normal file
@ -0,0 +1 @@
|
|||||||
|
Reverts max log retention
|
||||||
2
release/3.0.0+v2.11.22
Normal file
2
release/3.0.0+v2.11.22
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
socket-proxy: switch to endpoint-mode dnsrr instead of vip
|
||||||
|
See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.
|
||||||
@ -4,12 +4,18 @@ log:
|
|||||||
|
|
||||||
providers:
|
providers:
|
||||||
docker:
|
docker:
|
||||||
endpoint: "unix:///var/run/docker.sock"
|
endpoint: "tcp://socket-proxy:2375"
|
||||||
exposedByDefault: false
|
exposedByDefault: false
|
||||||
network: proxy
|
network: proxy
|
||||||
swarmMode: true
|
swarmMode: true
|
||||||
|
{{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
|
||||||
|
file:
|
||||||
|
directory: /etc/traefik/file-providers
|
||||||
|
watch: true
|
||||||
|
{{ else }}
|
||||||
file:
|
file:
|
||||||
filename: /etc/traefik/file-provider.yml
|
filename: /etc/traefik/file-provider.yml
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
api:
|
api:
|
||||||
dashboard: {{ env "DASHBOARD_ENABLED" }}
|
dashboard: {{ env "DASHBOARD_ENABLED" }}
|
||||||
@ -40,6 +46,10 @@ entrypoints:
|
|||||||
peertube-rtmp:
|
peertube-rtmp:
|
||||||
address: ":1935"
|
address: ":1935"
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ if eq (env "WEB_ALT_ENABLED") "1" }}
|
||||||
|
web-alt:
|
||||||
|
address: ":8000"
|
||||||
|
{{ end }}
|
||||||
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
|
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
|
||||||
ssb-muxrpc:
|
ssb-muxrpc:
|
||||||
address: ":8008"
|
address: ":8008"
|
||||||
@ -54,9 +64,20 @@ entrypoints:
|
|||||||
mumble-udp:
|
mumble-udp:
|
||||||
address: ":64738/udp"
|
address: ":64738/udp"
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ if eq (env "COMPY_ENABLED") "1" }}
|
||||||
|
compy:
|
||||||
|
address: ":9999"
|
||||||
|
{{ end }}
|
||||||
{{ if eq (env "METRICS_ENABLED") "1" }}
|
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||||
metrics:
|
metrics:
|
||||||
address: ":8082"
|
address: ":8082"
|
||||||
|
http:
|
||||||
|
middlewares:
|
||||||
|
- basicauth@file
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||||
|
matrix-federation:
|
||||||
|
address: ":9001"
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
ping:
|
ping:
|
||||||
@ -66,6 +87,8 @@ ping:
|
|||||||
metrics:
|
metrics:
|
||||||
prometheus:
|
prometheus:
|
||||||
entryPoint: metrics
|
entryPoint: metrics
|
||||||
|
addRoutersLabels: true
|
||||||
|
addServicesLabels: true
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
certificatesResolvers:
|
certificatesResolvers:
|
||||||
@ -94,5 +117,5 @@ certificatesResolvers:
|
|||||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||||
resolvers:
|
resolvers:
|
||||||
- "1.1.1.1:53"
|
- "1.1.1.1:53"
|
||||||
- "8.8.8.8:53"
|
- "9.9.9.9:53"
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user