Fix LetsEncrypt DNS challenge and add Cloudflare support

2022-04-28 18:07:25 -07:00
15 changed files with 68 additions and 185 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: traefik
      networks:
       - proxy
      deploy_key:
        from_secret: drone_ssh_swarm_test
    environment:
@ -16,25 +14,19 @@ steps:
      STACK_NAME: traefik
      LETS_ENCRYPT_ENV: production
      LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v5
+      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v4
+      FILE_PROVIDER_YML_VERSION: v3
      ENTRYPOINT_VERSION: v1
 trigger:
  branch:
    - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
  - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
    settings:
-      server: https://build.coopcloud.tech
+      command: recipe traefik release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
      fork: true
      repositories:
        - coop-cloud/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,8 +1,6 @@
 TYPE=traefik
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
-DOMAIN=traefik.example.com
+DOMAIN={{ .Domain }}
 LETS_ENCRYPT_ENV=production
 LETS_ENCRYPT_EMAIL=certs@example.com
@ -46,26 +44,14 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
-## DigitalOcean, https://digitalocean.com
+## Cloudflare, https://cloudflare.com
-#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
-#DIGITALOCEAN_ENABLED=1
+#CLOUDFLARE_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1
 #SECRET_CLOUDFLARE_API_KEY=v1
 #####################################################################
-# Manual wildcard certificate insertion                             #
+# Keycloak log-in                                                   #
 #####################################################################
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
 # abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
 # abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 #####################################################################
 # Authentication                                                    #
 #####################################################################
 ## Enable Keycloak
@ -75,27 +61,14 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 ## BASIC_AUTH
 ## Use httpasswd to generate the secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
 #BASIC_AUTH=1
 #SECRET_USERSFILE_VERSION=v1
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
 #####################################################################
 # File provider directory configuration                             #
 # (Route bare metal and non-docker services on the machine!)        #
 #####################################################################
 #FILE_PROVIDER_DIRECTORY_ENABLED=1
 #####################################################################
 # Additional services                                               #
 #####################################################################
@ -135,8 +108,3 @@ COMPOSE_FILE="compose.yml"
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
 ## "Web alt", an alternative web port
 # NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
 #COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
 #WEB_ALT_ENABLED=1
--- a/README.md
+++ b/README.md
@ -19,29 +19,8 @@
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
   your Docker swarm box
-4. `abra app deploy YOURAPPDOMAIN`
+4. `abra app YOURAPPDOMAIN deploy`
 ## Configuring wildcard SSL using DNS
 Automatic certificate generation will Just Work™ for most recipes  which use a fixed
 number of subdomains. For some recipes which need to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
 [`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
 need to give Traefik access to your DNS provider so that it can carry out
 Letsencrypt DNS challenges.
 1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
   `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
   `gandiv5_api_key` and `SECRETVALUE` is the API key.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v20
+export TRAEFIK_YML_VERSION=v14
-export FILE_PROVIDER_YML_VERSION=v10
+export FILE_PROVIDER_YML_VERSION=v6
-export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_VERSION=v2
--- a/compose.basicauth.yml
+++ b/compose.basicauth.yml
@ -1,12 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - BASIC_AUTH
    secrets:
      - usersfile
 secrets:
  usersfile:
    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
    external: true
--- a/compose.cloudflare.yml
+++ b/compose.cloudflare.yml
@ -0,0 +1,20 @@
 version: "3.8"
 services:
  app:
    environment:
      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cloudflare_email
      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - cloudflare_email
      - cloudflare_api_key
 secrets:
  cloudflare_email:
    name: ${STACK_NAME}_cloudflare_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
    external: true
  cloudflare_api_key:
    name: ${STACK_NAME}_cloudflare_api_key_${SECRET_CLOUDFLARE_API_KEY}
    external: true
--- a/compose.digitalocean.yml
+++ b/compose.digitalocean.yml
@ -1,15 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - digitalocean_auth_token
 secrets:
  digitalocean_auth_token:
    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
    external: true
--- a/compose.headless.yml
+++ b/compose.headless.yml
@ -10,5 +10,5 @@ services:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.service=api@internal"
--- a/compose.metrics.yml
+++ b/compose.metrics.yml
@ -1,9 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - METRICS_ENABLED
    ports:
      - target: 8082
        published: 8082
        mode: host
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - WEB_ALT_ENABLED
    ports:
      - "8000:8000"
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -1,16 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - ssl_cert
      - ssl_key
 secrets:
  ssl_cert:
    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
    external: true
  ssl_key:
    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "traefik:v2.11.2"
+    image: "traefik:v2.5.6"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
@ -13,7 +13,6 @@ services:
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
    configs:
      - source: traefik_yml
        target: /etc/traefik/traefik.yml
@ -27,6 +26,8 @@ services:
    environment:
      - DASHBOARD_ENABLED
      - LOG_LEVEL
      - LETS_ENCRYPT_EMAIL
      - LETS_ENCRYPT_ENV
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
@ -41,14 +42,14 @@ services:
        order: start-first
      labels:
        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
+        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.tls.options=default@file"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
+        - "traefik.http.routers.traefik.service=api@internal"
-        - "coop-cloud.${STACK_NAME}.version=2.6.3+v2.11.2"
+        - "traefik.http.routers.traefik.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+v2.5.6"
 networks:
  proxy:
@ -70,4 +71,3 @@ configs:
 volumes:
  letsencrypt:
  file-providers:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -11,8 +11,9 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
-{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}
-export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+export CLOUDFLARE_EMAIL=$(cat "$CLOUDFLARE_EMAIL_FILE")
 export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")
 {{ end }}
 /entrypoint.sh "$@"
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -17,14 +17,10 @@ http:
        authResponseHeaders:
          - X-Forwarded-User
    {{ end }}
    {{ if eq (env "BASIC_AUTH") "1" }}
    basicauth:
      basicAuth:
        usersFile: "/run/secrets/usersfile"
    {{ end }}
    security:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -44,8 +40,3 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
  certificates:
    - certFile: /run/secrets/ssl_cert
      keyFile: /run/secrets/ssl_key
  {{ end }}
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -8,14 +8,8 @@ providers:
    exposedByDefault: false
    network: proxy
    swarmMode: true
  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
  file:
    directory: /etc/traefik/file-providers
    watch: true
  {{ else }}
  file:
    filename: /etc/traefik/file-provider.yml
  {{ end }}
 api:
  dashboard: {{ env "DASHBOARD_ENABLED" }}
@ -46,10 +40,6 @@ entrypoints:
  peertube-rtmp:
    address: ":1935"
  {{ end }}
  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
  web-alt:
    address: ":8000"
  {{ end }}
  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
  ssb-muxrpc:
    address: ":8008"
@ -71,9 +61,6 @@ entrypoints:
  {{ if eq (env "METRICS_ENABLED") "1" }}
  metrics:
    address: ":8082"
    http:
      middlewares:
        - basicauth@file
  {{ end }}
  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
  matrix-federation:
@ -87,35 +74,39 @@ ping:
 metrics:
  prometheus:
    entryPoint: metrics
    addRoutersLabels: true
    addServicesLabels: true
 {{ end }}
 certificatesResolvers:
  {{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}
  staging:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/staging-acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      {{ else }}
      httpChallenge:
        entryPoint: web
      {{ end }}
  {{ end }}
  {{ if eq (env "LETS_ENCRYPT_ENV") "production" }}
  production:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/production-acme.json
      httpChallenge:
        entryPoint: web
      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
-          - "9.9.9.9:53"
+          - "8.8.8.8:53"
      {{ else }}
      httpChallenge:
        entryPoint: web
      {{ end }}
  {{ end }}