feat: adds basic auth middleware

[ci skip]

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: traefik
+      networks:
+       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -22,11 +24,17 @@ trigger:
     - master
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe traefik release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,4 +1,6 @@
 TYPE=traefik
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -8,8 +10,7 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # WARN, INFO etc.
 LOG_LEVEL=WARN
 
-# This is here so later lines can extend the definition; you likely don't wanna
-# edit
+# This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
 
 #####################################################################
@@ -52,6 +53,23 @@ COMPOSE_FILE="compose.yml"
 ## Enable Keycloak
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
+#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
+#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
+#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
+
+#####################################################################
+# Prometheus metrics                                                #
+#####################################################################
+
+## Enable prometheus metrics collection
+## used used by the coop-cloud monitoring stack
+#METRICS_ENABLED=1
+
+#####################################################################
+# File provider directory configuration                             #
+# (Route bare metal and non-docker services on the machine!)        #
+#####################################################################
+#FILE_PROVIDER_DIRECTORY_ENABLED=1
 
 #####################################################################
 # Additional services                                               #
@@ -61,6 +79,10 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_ENABLED=1
 
+## Compy
+#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
+#COMPY_ENABLED=1
+
 ## Gitea SSH
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
@@ -84,3 +106,13 @@ COMPOSE_FILE="compose.yml"
 ## Mumble
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
 #MUMBLE_ENABLED=1
+
+## Matrix
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_FEDERATION_ENABLED=1
+
+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1

README.md

@@ -7,11 +7,11 @@
 <!-- metadata -->
 * **Category**: Utilities
 * **Status**: ?
-* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
+* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
 * **Email**: N/A
-* **Tests**: ❷💛
+* **Tests**: 2
 * **SSO**: ? (Keycloak)
 <!-- endmetadata -->
 
@@ -19,8 +19,29 @@
 
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
-4. `abra app YOURAPPDOMAIN deploy`
+4. `abra app deploy YOURAPPDOMAIN`
+
+## Configuring wildcard SSL using DNS
+
+Automatic certificate generation will Just Work™ for most recipes  which use a fixed
+number of subdomains. For some recipes which need to work across arbitrary
+subdomains, like
+[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
+need to give Traefik access to your DNS provider so that it can carry out
+Letsencrypt DNS challenges.
+
+1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
+   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
+2. Run `abra app config YOURAPPDOMAIN`
+3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
+   `SECRET_GANDIV5_API_KEY_VERSION`
+4. Generate an API key for your provider
+5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
+   `gandiv5_api_key` and `SECRETVALUE` is the API key.
+6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v11
-export FILE_PROVIDER_YML_VERSION=v2
+export TRAEFIK_YML_VERSION=v16
+export FILE_PROVIDER_YML_VERSION=v7
 export ENTRYPOINT_VERSION=v2

compose.basicauth.yml

@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - BASIC_AUTH
+    secrets:
+      - usersfile
+
+secrets:
+  usersfile:
+    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
+    external: true

compose.compy.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - COMPY_ENABLED
+    ports:
+      - "9999:9999"

compose.headless.yml

@@ -10,6 +10,5 @@ services:
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.traefik.service=api@internal"
-        - "coop-cloud.${STACK_NAME}.app.version=v2.4.9-be23e1f6"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.service=api@internal"

compose.host.yml

@@ -13,6 +13,3 @@ services:
       - target: 443
         published: 443
         mode: host
-      - target: 2222
-        published: 2222
-        mode: host

compose.keycloak.yml

@@ -5,6 +5,9 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.traefik.middlewares=keycloak@file"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
     environment:
       - KEYCLOAK_MIDDLEWARE_ENABLED
+      - KEYCLOAK_TFA_SERVICE
+      - KEYCLOAK_MIDDLEWARE_2_ENABLED
+      - KEYCLOAK_TFA_SERVICE_2

compose.matrix.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - MATRIX_FEDERATION_ENABLED
+    ports:
+      - "8448:8448"

compose.minio.yml

@@ -0,0 +1,9 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - MINIO_CONSOLE_ENABLED
+    ports:
+      - "9001:9001"

compose.yml

@@ -1,7 +1,9 @@
+---
 version: "3.8"
+
 services:
   app:
-    image: "traefik:v2.4.11"
+    image: "traefik:v2.10.1"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,6 +13,7 @@ services:
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
+      - "file-providers:/etc/traefik/file-providers"
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
@@ -38,17 +41,19 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.traefik.tls.options=default@file"
-        - "traefik.http.routers.traefik.service=api@internal"
-        - "traefik.http.routers.traefik.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.app.version=v2.4.9-be23e1f6"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
+        - "coop-cloud.${STACK_NAME}.version=2.2.0+v2.10.2"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+
 networks:
   proxy:
     external: true
+
 configs:
   traefik_yml:
     name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
@@ -62,5 +67,7 @@ configs:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
     file: entrypoint.sh.tmpl
     template_driver: golang
+
 volumes:
   letsencrypt:
+  file-providers:

file-provider.yml.tmpl

@@ -4,11 +4,24 @@ http:
     {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
-        address: "http://traefik-forward-auth:4181"
+        address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
         trustForwardHeader: true
         authResponseHeaders:
           - X-Forwarded-User
     {{ end }}
+    {{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
+    keycloak2:
+      forwardAuth:
+        address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Forwarded-User
+    {{ end }}
+    {{ if eq (env "BASIC_AUTH") "1" }}
+    basicauth:
+      basicAuth:
+        usersFile: "/run/secrets/usersfile"
+    {{ end }}
     security:
       headers:
         frameDeny: true

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}

traefik.yml.tmpl

@@ -8,8 +8,14 @@ providers:
     exposedByDefault: false
     network: proxy
     swarmMode: true
+  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+  file:
+    directory: /etc/traefik/file-providers
+    watch: true
+  {{ else }}
   file:
     filename: /etc/traefik/file-provider.yml
+  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -54,10 +60,28 @@ entrypoints:
   mumble-udp:
     address: ":64738/udp"
   {{ end }}
+  {{ if eq (env "COMPY_ENABLED") "1" }}
+  compy:
+    address: ":9999"
+  {{ end }}
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  metrics:
+    address: ":8082"
+  {{ end }}
+  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
+  matrix-federation:
+    address: ":9001"
+  {{ end }}
 
 ping:
   entryPoint: web
 
+{{ if eq (env "METRICS_ENABLED") "1" }}
+metrics:
+  prometheus:
+    entryPoint: metrics
+{{ end }}
+
 certificatesResolvers:
   staging:
     acme:
@@ -84,5 +108,5 @@ certificatesResolvers:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
-          - "8.8.8.8:53"
+          - "9.9.9.9:53"
       {{ end }}