fix: ensure large uploads work

2026-06-03 18:23:29 +02:00
10 changed files with 29 additions and 65 deletions
@@ -38,7 +38,7 @@ COMPOSE_FILE="compose.yml"
 ## Enable dns challenge (for wildcard domains)
 ##   https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
 ## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh

@@ -47,25 +47,25 @@ COMPOSE_FILE="compose.yml"
 #OVH_ENABLED=1
 #OVH_APPLICATION_KEY=
 #OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
-#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
+#SECRET_OVH_APP_SECRET_VERSION=v1
+#SECRET_OVH_CONSUMER_KEY=v1

 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
 #GANDI_API_KEY_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
+#SECRET_GANDIV5_API_KEY_VERSION=v1

 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1

 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1

 ## Azure, https://azure.com
 ## To insert your Azure client secret:
@@ -76,26 +76,15 @@ COMPOSE_FILE="compose.yml"
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
+#SECRET_AZURE_SECRET_VERSION=v1

 ## Porkbun, https://porkbun.com
 ## To insert your secrets:
 ## abra app secret insert 1312.net pb_api_key v1 pk1_413
 ## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
 #COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
-#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
-#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
-
-## Cloudflare, htps://cloudflare.com
-## To insert your secrets:
-## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
-## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
-## These can be the same token or different tokens
-## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
-## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
-#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
-#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
-#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
+#SECRET_PORKBUN_API_KEY_VERSION=v1
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1

 #####################################################################
 # Manual wildcard certificate insertion                             #
@@ -214,7 +203,6 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
-#ANUBIS_SLOG_LEVEL=INFO

 ## Enable onion service support
 #ONION_ENABLED=1
@@ -7,9 +7,10 @@ certain quality and consistency, that others can rely on.

 A recipe maintainer has the following responsibilities:

- Respond to pull requests / issues within two weeks
- Make image security updates within a week
- Make image major updates every three months
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month

 In order to fullfill these responsibilities a recipe maintainer:

@@ -5,7 +5,7 @@
 > https://docs.traefik.io

 <!-- metadata -->
-* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
 * **Status**: `stable`
 * **Category**: Utilities
 * **Features**: ?
@@ -32,16 +32,15 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`

-## Configuring SSL using DNS
+## Configuring wildcard SSL using DNS

-Automatic certificate generation will Just Work™ for most recipes which use a
-fixed number of subdomains. If your server can't be reached from the Internet,
-or if you're deploying a recipe that needs to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes  which use a fixed
+number of subdomains. For some recipes which need to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
-the use of wildcard certificates,) you can give Traefik access to your DNS provider
-so that it can carry out Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
+need to give Traefik access to your DNS provider so that it can carry out
+Letsencrypt DNS challenges.

 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
   can be easily added, see
@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v31
+export TRAEFIK_YML_VERSION=v30a
 export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5
@@ -17,7 +17,6 @@ services:
      OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
      OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
      SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
-      SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
    networks:
    - proxy
    deploy:
@@ -1,18 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
-      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
-    secrets:
-      - cf_dns_token
-      - cf_zone_token
-
-secrets:
-  cf_dns_token:
-    name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
-    external: true
-  cf_zone_token:
-    name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
-    external: true
@@ -4,7 +4,4 @@ services:
    environment:
      - GARAGE_RPC_ENABLED
    ports:
-      - target: 3901
-        published: 3901
-        protocol: tcp
-        mode: host
+      - "3901:3901"
@@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v3.7.5"
+    image: "traefik:v3.6.11"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
@@ -55,12 +55,12 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=5.1.1+v3.6.15"
+        - "coop-cloud.${STACK_NAME}.version=5.1.0+v3.6.11"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"

  socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.4.0
+    image: lscr.io/linuxserver/socket-proxy:3.2.14
    deploy:
      endpoint_mode: dnsrr
    environment:
@@ -91,7 +91,6 @@ services:
      - TASKS=1 # Needs access
      - VERSION=1 # Needs access
      - VOLUMES=0
-      - LOG_LEVEL=warning
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
@@ -1 +0,0 @@
-letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
@@ -33,6 +33,10 @@ entrypoints:
          to: web-secure
  web-secure:
    address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: 0s
+        writeTimeout: 0s
    http:
      encodedCharacters:
        allowEncodedSlash: true
@@ -127,10 +131,8 @@ certificatesResolvers:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/staging-acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
-      {{- end }}
      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
@@ -142,10 +144,8 @@ certificatesResolvers:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/production-acme.json
-      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
-      {{- end }}
      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
				`@@ -1 +0,0 @@`
				letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.