Compare commits
35 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 25c219f844 | |||
| ef0d154bb1 | |||
| adeaf5afa3 | |||
| ad8a7f1bd9 | |||
|
81869a049e
|
|||
| f47a200c0b | |||
| 693fa79449 | |||
| 928bc2104a | |||
| 92b7093e45 | |||
| b2b311fef4 | |||
| b39bb5adaf | |||
| 97a68f28ac | |||
| 6e67d0c8c0 | |||
| 25cf7862ed | |||
| 7fc2cac6ff | |||
| 005f0235c0 | |||
|
7c6dd3f5a5
|
|||
| 440a7f5228 | |||
|
74193326fb
|
|||
| 57a6aed540 | |||
| ff138864d4 | |||
|
7370ecfa9d
|
|||
|
57e5c49c81
|
|||
| 063d194119 | |||
| 9a46c85735 | |||
| 08669fcd60 | |||
| bac3f30609 | |||
| 1fb6925846 | |||
| d164d2870e | |||
| 795592ea3c | |||
| b67ed0ca88 | |||
| 5f977f1cca | |||
| ee344cce5d | |||
| 27cc7efb72 | |||
| c2cdfd80b6 |
+46
-9
@@ -15,12 +15,25 @@ LOG_MAX_AGE=1
|
||||
# This is here so later lines can extend it; you likely don't wanna edit
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
# Increase read timeout (or change it to 0s) to ensure large file
|
||||
# uploads work.
|
||||
#
|
||||
# https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-transport-respondingTimeouts-readTimeout
|
||||
READ_TIMEOUT=60s
|
||||
WRITE_TIMEOUT=0s
|
||||
|
||||
#####################################################################
|
||||
# General settings #
|
||||
#####################################################################
|
||||
|
||||
## Host-mode networking
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
|
||||
## Ingress-mode port publishing for ports 80 and 443
|
||||
##
|
||||
## /!\ Using this prevents the use of any compose override adding
|
||||
## published ports to the traefik_app service (almost all of them)
|
||||
## and it prevents the use of IPv6 for ingress traffic.
|
||||
## Do not uncomment unless you know exactly what you are doing
|
||||
##
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
|
||||
|
||||
## "Headless mode" (no domain configured)
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
|
||||
@@ -30,8 +43,10 @@ COMPOSE_FILE="compose.yml"
|
||||
#####################################################################
|
||||
|
||||
## Enable dns challenge (for wildcard domains)
|
||||
## https://doc.traefik.io/traefik/https/acme/#dnschallenge
|
||||
## https://go-acme.github.io/lego/dns/#dns-providers
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
|
||||
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
|
||||
## Uncomment the corresponding provider below to insert your secret token/key.
|
||||
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
|
||||
|
||||
## OVH, https://ovh.com
|
||||
@@ -39,25 +54,25 @@ COMPOSE_FILE="compose.yml"
|
||||
#OVH_ENABLED=1
|
||||
#OVH_APPLICATION_KEY=
|
||||
#OVH_ENDPOINT=
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1
|
||||
#SECRET_OVH_CONSUMER_KEY=v1
|
||||
#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
|
||||
#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note(3wc): only "V5" (new) API is supported, so far
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
|
||||
#GANDI_API_KEY_ENABLED=1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||
#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Gandi, https://gandi.net
|
||||
## note: uses GandiV5 Personal Access Token
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
|
||||
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
|
||||
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
|
||||
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## DigitalOcean, https://digitalocean.com
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
|
||||
#DIGITALOCEAN_ENABLED=1
|
||||
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
|
||||
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
## Azure, https://azure.com
|
||||
## To insert your Azure client secret:
|
||||
@@ -68,7 +83,26 @@ COMPOSE_FILE="compose.yml"
|
||||
#AZURE_CLIENT_ID=
|
||||
#AZURE_SUBSCRIPTION_ID=
|
||||
#AZURE_RESOURCE_GROUP=
|
||||
#SECRET_AZURE_SECRET_VERSION=v1
|
||||
#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
|
||||
|
||||
## Porkbun, https://porkbun.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert 1312.net pb_api_key v1 pk1_413
|
||||
## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
|
||||
#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
|
||||
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
|
||||
|
||||
## Cloudflare, htps://cloudflare.com
|
||||
## To insert your secrets:
|
||||
## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
|
||||
## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
|
||||
## These can be the same token or different tokens
|
||||
## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
|
||||
## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
|
||||
#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
|
||||
#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
|
||||
|
||||
#####################################################################
|
||||
# Manual wildcard certificate insertion #
|
||||
@@ -106,8 +140,10 @@ COMPOSE_FILE="compose.yml"
|
||||
|
||||
## Enable prometheus metrics collection
|
||||
## used used by the coop-cloud monitoring stack
|
||||
## BASIC_AUTH should also be enabled
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
|
||||
#METRICS_ENABLED=1
|
||||
#METRICS_FQDN=metrics.traefik.example.com
|
||||
|
||||
#####################################################################
|
||||
# File provider directory configuration #
|
||||
@@ -185,6 +221,7 @@ COMPOSE_FILE="compose.yml"
|
||||
#ANUBIS_OG_EXPIRY_TIME=1h
|
||||
#ANUBIS_OG_CACHE_CONSIDER_HOST=true
|
||||
#ANUBIS_SERVE_ROBOTS_TXT=true
|
||||
#ANUBIS_SLOG_LEVEL=INFO
|
||||
|
||||
## Enable onion service support
|
||||
#ONION_ENABLED=1
|
||||
|
||||
+3
-4
@@ -7,10 +7,9 @@ certain quality and consistency, that others can rely on.
|
||||
|
||||
A recipe maintainer has the following responsibilities:
|
||||
|
||||
- Respond to pull requests / issues within a week
|
||||
- Make image security updates within a day
|
||||
- Make image patch / minor updates within a week
|
||||
- Make image major updates within a month
|
||||
- Respond to pull requests / issues within two weeks
|
||||
- Make image security updates within a week
|
||||
- Make image major updates every three months
|
||||
|
||||
In order to fullfill these responsibilities a recipe maintainer:
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
> https://docs.traefik.io
|
||||
|
||||
<!-- metadata -->
|
||||
* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
|
||||
* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
|
||||
* **Status**: `stable`
|
||||
* **Category**: Utilities
|
||||
* **Features**: ?
|
||||
@@ -32,27 +32,31 @@
|
||||
3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
|
||||
4. Redploy your app: `abra app deploy -f <domain>`
|
||||
|
||||
## Configuring wildcard SSL using DNS
|
||||
## Configuring SSL using DNS
|
||||
|
||||
Automatic certificate generation will Just Work™ for most recipes which use a fixed
|
||||
number of subdomains. For some recipes which need to work across arbitrary
|
||||
Automatic certificate generation will Just Work™ for most recipes which use a
|
||||
fixed number of subdomains. If your server can't be reached from the Internet,
|
||||
or if you're deploying a recipe that needs to work across arbitrary
|
||||
subdomains, like
|
||||
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
|
||||
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
|
||||
need to give Traefik access to your DNS provider so that it can carry out
|
||||
Letsencrypt DNS challenges.
|
||||
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
|
||||
the use of wildcard certificates,) you can give Traefik access to your DNS provider
|
||||
so that it can carry out Letsencrypt DNS challenges.
|
||||
|
||||
1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
|
||||
see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
|
||||
1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
|
||||
can be easily added, see
|
||||
[the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
|
||||
2. Run `abra app config YOURAPPDOMAIN`
|
||||
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
|
||||
`SECRET_GANDIV5_API_KEY_VERSION`
|
||||
4. Generate an API key for your provider
|
||||
4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
|
||||
4. Generate an API key for your provider, probably using their web interface.
|
||||
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
|
||||
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
|
||||
`gandiv5_api_key` and `SECRETVALUE` is the API key.
|
||||
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
|
||||
Access Token, in which case use compose.gandi-personal-access-token.yml.
|
||||
- See comments for each provider in your env file for specific instructions
|
||||
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
|
||||
|
||||
## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
export TRAEFIK_YML_VERSION=v29
|
||||
export FILE_PROVIDER_YML_VERSION=v11
|
||||
export TRAEFIK_YML_VERSION=v32
|
||||
export FILE_PROVIDER_YML_VERSION=v12
|
||||
export ENTRYPOINT_VERSION=v5
|
||||
|
||||
+2
-1
@@ -6,7 +6,7 @@ services:
|
||||
labels:
|
||||
- "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
|
||||
anubis:
|
||||
image: "ghcr.io/techarohq/anubis:v1.24.0"
|
||||
image: "ghcr.io/techarohq/anubis:v1.25.0"
|
||||
environment:
|
||||
BIND: ":8080"
|
||||
TARGET: " "
|
||||
@@ -17,6 +17,7 @@ services:
|
||||
OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
|
||||
OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
|
||||
SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
|
||||
SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
|
||||
networks:
|
||||
- proxy
|
||||
deploy:
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
|
||||
- CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
|
||||
secrets:
|
||||
- cf_dns_token
|
||||
- cf_zone_token
|
||||
|
||||
secrets:
|
||||
cf_dns_token:
|
||||
name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
|
||||
external: true
|
||||
cf_zone_token:
|
||||
name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
|
||||
external: true
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- COMPY_ENABLED
|
||||
ports:
|
||||
- "9999:9999"
|
||||
- target: 9999
|
||||
published: 9999
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- FOODSOFT_SMTP_ENABLED
|
||||
ports:
|
||||
- "2525:2525"
|
||||
- target: 2525
|
||||
published: 2525
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- GARAGE_RPC_ENABLED
|
||||
ports:
|
||||
- "3901:3901"
|
||||
- target: 3901
|
||||
published: 3901
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- GITEA_SSH_ENABLED
|
||||
ports:
|
||||
- "2222:2222"
|
||||
- target: 2222
|
||||
published: 2222
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
@@ -1,15 +1,2 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
deploy:
|
||||
update_config:
|
||||
order: stop-first
|
||||
ports:
|
||||
- target: 80
|
||||
published: 80
|
||||
mode: host
|
||||
- target: 443
|
||||
published: 443
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- IRC_ENABLED
|
||||
ports:
|
||||
- "6697:6697"
|
||||
- target: 6697
|
||||
published: 6697
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- MATRIX_FEDERATION_ENABLED
|
||||
ports:
|
||||
- "8448:8448"
|
||||
- target: 8448
|
||||
published: 8448
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
@@ -3,7 +3,3 @@ services:
|
||||
app:
|
||||
environment:
|
||||
- METRICS_ENABLED
|
||||
ports:
|
||||
- target: 8082
|
||||
published: 8082
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -6,4 +6,7 @@ services:
|
||||
environment:
|
||||
- MINIO_CONSOLE_ENABLED
|
||||
ports:
|
||||
- "9001:9001"
|
||||
- target: 9001
|
||||
published: 9001
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+8
-3
@@ -4,6 +4,11 @@ services:
|
||||
environment:
|
||||
- MUMBLE_ENABLED
|
||||
ports:
|
||||
- "64738:64738/udp"
|
||||
# note (3wc): see https://github.com/docker/compose/issues/7627
|
||||
- "64737-64739:64737-64739/tcp"
|
||||
- target: 64738
|
||||
published: 64738
|
||||
protocol: udp
|
||||
mode: host
|
||||
- target: 64738
|
||||
published: 64738
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
@@ -4,5 +4,11 @@ services:
|
||||
environment:
|
||||
- NEXTCLOUD_TALK_HPB_ENABLED
|
||||
ports:
|
||||
- "3478:3478/udp"
|
||||
- "3478:3478/tcp"
|
||||
- target: 3478
|
||||
published: 3478
|
||||
protocol: udp
|
||||
mode: host
|
||||
- target: 3478
|
||||
published: 3478
|
||||
protocol: tcp
|
||||
mode: host
|
||||
@@ -0,0 +1,16 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
ports:
|
||||
- target: 80
|
||||
published: 80
|
||||
protocol: tcp
|
||||
mode: ingress
|
||||
- target: 443
|
||||
published: 443
|
||||
protocol: tcp
|
||||
mode: ingress
|
||||
deploy:
|
||||
endpoint_mode: vip
|
||||
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- PEERTUBE_RTMP_ENABLED
|
||||
ports:
|
||||
- "1935:1935"
|
||||
- target: 1935
|
||||
published: 1935
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- PORKBUN_API_KEY_FILE=/run/secrets/pb_api_key
|
||||
- PORKBUN_SECRET_API_KEY_FILE=/run/secrets/pb_s_api_key
|
||||
secrets:
|
||||
- pb_api_key
|
||||
- pb_s_api_key
|
||||
|
||||
secrets:
|
||||
pb_api_key:
|
||||
name: ${STACK_NAME}_pb_api_key_${SECRET_PORKBUN_API_KEY_VERSION}
|
||||
external: true
|
||||
pb_s_api_key:
|
||||
name: ${STACK_NAME}_pb_s_api_key_${SECRET_PORKBUN_SECRET_API_KEY_VERSION}
|
||||
external: true
|
||||
+4
-1
@@ -6,4 +6,7 @@ services:
|
||||
environment:
|
||||
- SMTP_ENABLED
|
||||
ports:
|
||||
- "587:587"
|
||||
- target: 587
|
||||
published: 587
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- SSB_MUXRPC_ENABLED
|
||||
ports:
|
||||
- "8008:8008"
|
||||
- target: 8008
|
||||
published: 8008
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+4
-1
@@ -4,4 +4,7 @@ services:
|
||||
environment:
|
||||
- WEB_ALT_ENABLED
|
||||
ports:
|
||||
- "8000:8000"
|
||||
- target: 8000
|
||||
published: 8000
|
||||
protocol: tcp
|
||||
mode: host
|
||||
|
||||
+16
-6
@@ -3,13 +3,19 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: "traefik:v3.6.6"
|
||||
image: "traefik:v3.7.7"
|
||||
# Note(decentral1se): *please do not* add any additional ports here.
|
||||
# Doing so could break new installs with port conflicts. Please use
|
||||
# the usual `compose.$app.yml` approach for any additional ports
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- target: 80
|
||||
published: 80
|
||||
protocol: tcp
|
||||
mode: host
|
||||
- target: 443
|
||||
published: 443
|
||||
protocol: tcp
|
||||
mode: host
|
||||
volumes:
|
||||
- "letsencrypt:/etc/letsencrypt"
|
||||
- "file-providers:/etc/traefik/file-providers"
|
||||
@@ -28,6 +34,8 @@ services:
|
||||
- DASHBOARD_ENABLED
|
||||
- LOG_LEVEL
|
||||
- ${LOG_MAX_AGE:-0}
|
||||
- READ_TIMEOUT=${READ_TIMEOUT:-60s}
|
||||
- WRITE_TIMEOUT=${WRITE_TIMEOUT:-0s}
|
||||
healthcheck:
|
||||
test: ["CMD", "traefik", "healthcheck"]
|
||||
interval: 30s
|
||||
@@ -37,9 +45,10 @@ services:
|
||||
command: traefik
|
||||
entrypoint: /custom-entrypoint.sh
|
||||
deploy:
|
||||
endpoint_mode: dnsrr
|
||||
update_config:
|
||||
failure_action: rollback
|
||||
order: start-first
|
||||
order: stop-first
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
|
||||
@@ -48,12 +57,12 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
|
||||
- "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.0.0+v3.7.7"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
|
||||
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
|
||||
|
||||
socket-proxy:
|
||||
image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
|
||||
image: lscr.io/linuxserver/socket-proxy:3.4.2
|
||||
deploy:
|
||||
endpoint_mode: dnsrr
|
||||
environment:
|
||||
@@ -84,6 +93,7 @@ services:
|
||||
- TASKS=1 # Needs access
|
||||
- VERSION=1 # Needs access
|
||||
- VOLUMES=0
|
||||
- LOG_LEVEL=warning
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
networks:
|
||||
|
||||
@@ -30,6 +30,18 @@ http:
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
stsSeconds: "31536000"
|
||||
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||
routers:
|
||||
traefik-metrics:
|
||||
rule: "Host(`{{ env "METRICS_FQDN" }}`)"
|
||||
entrypoints:
|
||||
- web-secure
|
||||
tls:
|
||||
certResolver: {{ env "LETS_ENCRYPT_ENV" }}
|
||||
middlewares:
|
||||
- basicauth@file
|
||||
service: prometheus@internal
|
||||
{{ end }}
|
||||
|
||||
tls:
|
||||
options:
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
Short summary of the latest changes:
|
||||
|
||||
* Exposed ports have been switched to host-mode port publishing by default
|
||||
This adds support for IPv6 ingress, which means that after deploying this
|
||||
change, DNS AAAA records can be made to point to the relevant IPv6
|
||||
address and Traefik will handle public IPv6 ingress traffic (including ACME
|
||||
HTTP-01 challenges)
|
||||
|
||||
/!\ This is a breaking change. It is still possible to revert ports 80 and
|
||||
443 to ingress-mode (the previous default) but keep in mind that there
|
||||
is no longer an easy way to publish additional ports in ingress mode.
|
||||
@@ -0,0 +1,10 @@
|
||||
/!\ BREAKING CHANGE: Change metrics endpoint to use https instead of http 8082
|
||||
to prevent sending BASIC_AUTH in plaintext
|
||||
|
||||
The metrics endpoint changed from http on port 8082 to the web-secure
|
||||
endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is
|
||||
enabled you need to configure a FQDN for it by setting METRICS_FQDN in your
|
||||
.env. You should also update the scrape config files in prometheus for
|
||||
Traefik metrics from port 8082 to the new FQDN.
|
||||
|
||||
All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/5.0.0+v3.6.10...4.0.0+v3.6.10
|
||||
@@ -0,0 +1 @@
|
||||
Patched CVES: CVE-2026-32595 and CVE-2026-32305
|
||||
@@ -0,0 +1,13 @@
|
||||
!Breaking: Starting with v3.6.16, the Docker provider requires Docker API version v1.40 or above (Docker Engine v19.03). Users running older (end of life) versions of Docker Engine should update their Docker Engine or use the DOCKER_API_VERSION environment variable to override the API version used by Traefik.
|
||||
|
||||
letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
|
||||
|
||||
matrix-federation: Entrypoint was changed to :8448 to match published port
|
||||
|
||||
fix: ensure large uploads work. You can now set the following env vars:
|
||||
- READ_TIMEOUT
|
||||
- WRITE_TIMEOUT
|
||||
|
||||
cloudflare: Add Cloudflare as DNS provider
|
||||
|
||||
For more information take a look at the migration guide: https://doc.traefik.io/traefik/v3.7/migrate/v3/#v377
|
||||
+11
-9
@@ -33,6 +33,10 @@ entrypoints:
|
||||
to: web-secure
|
||||
web-secure:
|
||||
address: ":443"
|
||||
transport:
|
||||
respondingTimeouts:
|
||||
readTimeout: {{ env "READ_TIMEOUT" }}
|
||||
writeTimeout: {{ env "WRITE_TIMEOUT" }}
|
||||
http:
|
||||
encodedCharacters:
|
||||
allowEncodedSlash: true
|
||||
@@ -94,16 +98,9 @@ entrypoints:
|
||||
irc:
|
||||
address: ":6697"
|
||||
{{- end }}
|
||||
{{- if eq (env "METRICS_ENABLED") "1" }}
|
||||
metrics:
|
||||
address: ":8082"
|
||||
http:
|
||||
middlewares:
|
||||
- basicauth@file
|
||||
{{- end }}
|
||||
{{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||
matrix-federation:
|
||||
address: ":9001"
|
||||
address: ":8448"
|
||||
{{- end }}
|
||||
{{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
|
||||
nextcloud-talk-hpb:
|
||||
@@ -122,7 +119,8 @@ ping:
|
||||
{{- if eq (env "METRICS_ENABLED") "1" }}
|
||||
metrics:
|
||||
prometheus:
|
||||
entryPoint: metrics
|
||||
entryPoint: web-secure
|
||||
manualRouting: true
|
||||
addRoutersLabels: true
|
||||
addServicesLabels: true
|
||||
{{- end }}
|
||||
@@ -133,8 +131,10 @@ certificatesResolvers:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/staging-acme.json
|
||||
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
@@ -146,8 +146,10 @@ certificatesResolvers:
|
||||
acme:
|
||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||
storage: /etc/letsencrypt/production-acme.json
|
||||
{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
{{- end }}
|
||||
{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||
dnsChallenge:
|
||||
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||
|
||||
Reference in New Issue
Block a user