chore: publish 4.0.0+v3.6.10 release

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/techarohq/anubis](https://images.chainguard.dev/directory/image/static/overview) ([source](https://github.com/chainguard-images/images/tree/HEAD/images/static)) | minor | `v1.24.0` -> `v1.25.0` |

> ❗ **Important**
>
> Release Notes retrieval for this PR were skipped because no github.com credentials were available.
> If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes).

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: #92
Co-authored-by: Renovate Bot <renovate@coopcloud.tech>
Co-committed-by: Renovate Bot <renovate@coopcloud.tech>

.env.sample

@@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################
 
-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
+## Ingress-mode port publishing for ports 80 and 443
+##
+## /!\ Using this prevents the use of any compose override adding
+##     published ports to the traefik_app service (almost all of them)
+##     and it prevents the use of IPv6 for ingress traffic.
+##     Do not uncomment unless you know exactly what you are doing
+##
+#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
 
 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
@@ -30,8 +36,10 @@ COMPOSE_FILE="compose.yml"
 #####################################################################
 
 ## Enable dns challenge (for wildcard domains)
-##   https://doc.traefik.io/traefik/https/acme/#dnschallenge
+##   https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
+## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
 
 ## OVH, https://ovh.com
@@ -70,6 +78,14 @@ COMPOSE_FILE="compose.yml"
 #AZURE_RESOURCE_GROUP=
 #SECRET_AZURE_SECRET_VERSION=v1
 
+## Porkbun, https://porkbun.com
+## To insert your secrets:
+## abra app secret insert 1312.net pb_api_key v1 pk1_413
+## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
+#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
+#SECRET_PORKBUN_API_KEY_VERSION=v1
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################

README.md

@@ -42,17 +42,20 @@ subdomains, like
 need to give Traefik access to your DNS provider so that it can carry out
 Letsencrypt DNS challenges.
 
-1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
-   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
+1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
+   can be easily added, see
+   [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
    `SECRET_GANDIV5_API_KEY_VERSION`
-4. Generate an API key for your provider
+4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
+4. Generate an API key for your provider, probably using their web interface.
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
    `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
    - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
      Access Token, in which case use compose.gandi-personal-access-token.yml.
+   - See comments for each provider in your env file for specific instructions
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 ## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)

compose.anubis.yml

@@ -6,7 +6,7 @@ services:
       labels:
       - "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
   anubis:
-    image: "ghcr.io/techarohq/anubis:v1.24.0"
+    image: "ghcr.io/techarohq/anubis:v1.25.0"
     environment:
       BIND: ":8080"
       TARGET: " "

compose.compy.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - COMPY_ENABLED
     ports:
-      - "9999:9999"
+      - target: 9999
+        published: 9999
+        protocol: tcp
+        mode: host

compose.foodsoft.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - FOODSOFT_SMTP_ENABLED
     ports:
-      - "2525:2525"
+      - target: 2525
+        published: 2525
+        protocol: tcp
+        mode: host

compose.gitea.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - GITEA_SSH_ENABLED
     ports:
-      - "2222:2222"
+      - target: 2222
+        published: 2222
+        protocol: tcp
+        mode: host

compose.host.yml

@@ -1,15 +1,2 @@
 ---
 version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        order: stop-first
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host

compose.irc.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - IRC_ENABLED
     ports:
-      - "6697:6697"
+      - target: 6697
+        published: 6697
+        protocol: tcp
+        mode: host

compose.matrix.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - MATRIX_FEDERATION_ENABLED
     ports:
-      - "8448:8448"
+      - target: 8448
+        published: 8448
+        protocol: tcp
+        mode: host

compose.minio.yml

@@ -6,4 +6,7 @@ services:
     environment:
       - MINIO_CONSOLE_ENABLED
     ports:
-      - "9001:9001"
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host

compose.mumble.yml

@@ -4,6 +4,11 @@ services:
     environment:
       - MUMBLE_ENABLED
     ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"
+      - target: 64738
+        published: 64738
+        protocol: udp
+        mode: host
+      - target: 64738
+        published: 64738
+        protocol: tcp
+        mode: host

compose.nextcloud-talk-hpb.yml

@@ -4,5 +4,11 @@ services:
     environment:
       - NEXTCLOUD_TALK_HPB_ENABLED
     ports:
-      - "3478:3478/udp"
-      - "3478:3478/tcp"
+      - target: 3478
+        published: 3478
+        protocol: udp
+        mode: host
+      - target: 3478
+        published: 3478
+        protocol: tcp
+        mode: host

compose.no-host.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: ingress
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: ingress
+    deploy:
+      endpoint_mode: vip

compose.peertube.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - PEERTUBE_RTMP_ENABLED
     ports:
-      - "1935:1935"
+      - target: 1935
+        published: 1935
+        protocol: tcp
+        mode: host

compose.porkbun.yml

@@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PORKBUN_API_KEY_FILE=/run/secrets/pb_api_key
+      - PORKBUN_SECRET_API_KEY_FILE=/run/secrets/pb_s_api_key
+    secrets:
+      - pb_api_key
+      - pb_s_api_key
+
+secrets:
+  pb_api_key:
+    name: ${STACK_NAME}_pb_api_key_${SECRET_PORKBUN_API_KEY_VERSION}
+    external: true
+  pb_s_api_key:
+    name: ${STACK_NAME}_pb_s_api_key_${SECRET_PORKBUN_SECRET_API_KEY_VERSION}
+    external: true

compose.smtp.yml

@@ -6,4 +6,7 @@ services:
     environment:
       - SMTP_ENABLED
     ports:
-      - "587:587"
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host

compose.ssb.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - SSB_MUXRPC_ENABLED
     ports:
-      - "8008:8008"
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host

compose.web-alt.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - WEB_ALT_ENABLED
     ports:
-      - "8000:8000"
+      - target: 8000
+        published: 8000
+        protocol: tcp
+        mode: host

compose.yml

@@ -3,13 +3,19 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.6"
+    image: "traefik:v3.6.10"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
     ports:
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
     volumes:
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
@@ -37,9 +43,10 @@ services:
     command: traefik
     entrypoint: /custom-entrypoint.sh
     deploy:
+      endpoint_mode: dnsrr
       update_config:
         failure_action: rollback
-        order: start-first
+        order: stop-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
@@ -48,7 +55,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
+        - "coop-cloud.${STACK_NAME}.version=4.0.0+v3.6.10"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 

release/4.0.0+v3.6.10

@@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+   This adds support for IPv6 ingress, which means that after deploying this
+   change, DNS AAAA records can be made to point to the relevant IPv6
+   address and Traefik will handle public IPv6 ingress traffic (including ACME
+   HTTP-01 challenges)
+
+   /!\ This is a breaking change. It is still possible to revert ports 80 and
+       443 to ingress-mode (the previous default) but keep in mind that there
+       is no longer an easy way to publish additional ports in ingress mode.