chore(deps): update traefik docker tag to v3.7.5 (#102 )

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [traefik](https://github.com/containous/traefik) | minor | `v3.6.15` -> `v3.7.5` | > ❗ **Important** > > Release Notes retrieval for this PR were skipped because no github.com credentials were available. > If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes). --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: #102 Co-authored-by: Renovate Bot <renovate@coopcloud.tech> Co-committed-by: Renovate Bot <renovate@coopcloud.tech>
chore(deps): update lscr.io/linuxserver/socket-proxy docker tag to v3.4.0 (#111 )
2026-06-22 13:00:36 +00:00 · 2026-06-22 12:56:20 +00:00 · 2026-06-22 12:55:18 +00:00 · 2026-06-21 12:48:19 +00:00 · 2026-06-19 12:56:52 +00:00 · 2026-06-14 09:08:30 +00:00
32 changed files with 286 additions and 110 deletions
@@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################

-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
+## Ingress-mode port publishing for ports 80 and 443
+##
+## /!\ Using this prevents the use of any compose override adding
+##     published ports to the traefik_app service (almost all of them)
+##     and it prevents the use of IPv6 for ingress traffic.
+##     Do not uncomment unless you know exactly what you are doing
+##
+#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"

 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
@@ -30,8 +36,10 @@ COMPOSE_FILE="compose.yml"
 #####################################################################

 ## Enable dns challenge (for wildcard domains)
-##   https://doc.traefik.io/traefik/https/acme/#dnschallenge
+##   https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
+## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh

 ## OVH, https://ovh.com
@@ -39,25 +47,25 @@ COMPOSE_FILE="compose.yml"
 #OVH_ENABLED=1
 #OVH_APPLICATION_KEY=
 #OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1
-#SECRET_OVH_CONSUMER_KEY=v1
+#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
+#SECRET_OVH_CONSUMER_KEY=v1 # generate=false

 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
 #GANDI_API_KEY_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1
+#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false

 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false

 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false

 ## Azure, https://azure.com
 ## To insert your Azure client secret:
@@ -68,7 +76,26 @@ COMPOSE_FILE="compose.yml"
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
+#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
+
+## Porkbun, https://porkbun.com
+## To insert your secrets:
+## abra app secret insert 1312.net pb_api_key v1 pk1_413
+## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
+#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
+#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
+
+## Cloudflare, htps://cloudflare.com
+## To insert your secrets:
+## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
+## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
+## These can be the same token or different tokens
+## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
+## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false

 #####################################################################
 # Manual wildcard certificate insertion                             #
@@ -106,8 +133,10 @@ COMPOSE_FILE="compose.yml"

 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+## BASIC_AUTH should also be enabled
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
+#METRICS_FQDN=metrics.traefik.example.com

 #####################################################################
 # File provider directory configuration                             #
@@ -185,3 +214,7 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
+#ANUBIS_SLOG_LEVEL=INFO
+
+## Enable onion service support
+#ONION_ENABLED=1
@@ -1,5 +1,6 @@
 ---
 name: "Traefik pull request template"
+about: "Traefik pull request template"
 ---

 <!-- 
@@ -7,10 +7,9 @@ certain quality and consistency, that others can rely on.

 A recipe maintainer has the following responsibilities:

- Respond to pull requests / issues within a week
- Make image security updates within a day
- Make image patch / minor updates within a week
- Make image major updates within a month
+- Respond to pull requests / issues within two weeks
+- Make image security updates within a week
+- Make image major updates every three months

 In order to fullfill these responsibilities a recipe maintainer:

@@ -5,7 +5,7 @@
 > https://docs.traefik.io

 <!-- metadata -->
-* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
 * **Status**: `stable`
 * **Category**: Utilities
 * **Features**: ?
@@ -32,27 +32,31 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`

-## Configuring wildcard SSL using DNS
+## Configuring SSL using DNS

-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes which use a
+fixed number of subdomains. If your server can't be reached from the Internet,
+or if you're deploying a recipe that needs to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
+the use of wildcard certificates,) you can give Traefik access to your DNS provider
+so that it can carry out Letsencrypt DNS challenges.

-1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
-   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
+1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
+   can be easily added, see
+   [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
   `SECRET_GANDIV5_API_KEY_VERSION`
-4. Generate an API key for your provider
+4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
+4. Generate an API key for your provider, probably using their web interface.
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
   `gandiv5_api_key` and `SECRETVALUE` is the API key.
   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
     Access Token, in which case use compose.gandi-personal-access-token.yml.
+   - See comments for each provider in your env file for specific instructions
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`

 ## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
@@ -68,4 +72,8 @@ After deploying these changes, go to each recipe that supports Anubis
 and follow the process there.  **Enabling Anubis here is not enough for
 protection your apps.**

+## Enabling onion service
+
+Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).
+
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v28
-export FILE_PROVIDER_YML_VERSION=v11
+export TRAEFIK_YML_VERSION=v31
+export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5
@@ -6,7 +6,7 @@ services:
      labels:
      - "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
  anubis:
-    image: "ghcr.io/techarohq/anubis:v1.24.0"
+    image: "ghcr.io/techarohq/anubis:v1.25.0"
    environment:
      BIND: ":8080"
      TARGET: " "
@@ -17,6 +17,7 @@ services:
      OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
      OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
      SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
+      SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
    networks:
    - proxy
    deploy:
@@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
+      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
+    secrets:
+      - cf_dns_token
+      - cf_zone_token
+
+secrets:
+  cf_dns_token:
+    name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
+    external: true
+  cf_zone_token:
+    name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
+    external: true
@@ -4,4 +4,7 @@ services:
    environment:
      - COMPY_ENABLED
    ports:
-      - "9999:9999"
+      - target: 9999
+        published: 9999
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - FOODSOFT_SMTP_ENABLED
    ports:
-      - "2525:2525"
+      - target: 2525
+        published: 2525
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - GARAGE_RPC_ENABLED
    ports:
-      - "3901:3901"
+      - target: 3901
+        published: 3901
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - GITEA_SSH_ENABLED
    ports:
-      - "2222:2222"
+      - target: 2222
+        published: 2222
+        protocol: tcp
+        mode: host
@@ -1,15 +1,2 @@
 ---
 version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        order: stop-first
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - IRC_ENABLED
    ports:
-      - "6697:6697"
+      - target: 6697
+        published: 6697
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - MATRIX_FEDERATION_ENABLED
    ports:
-      - "8448:8448"
+      - target: 8448
+        published: 8448
+        protocol: tcp
+        mode: host
@@ -3,7 +3,3 @@ services:
  app:
    environment:
      - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host
@@ -6,4 +6,7 @@ services:
    environment:
      - MINIO_CONSOLE_ENABLED
    ports:
-      - "9001:9001"
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
@@ -4,6 +4,11 @@ services:
    environment:
      - MUMBLE_ENABLED
    ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"
+      - target: 64738
+        published: 64738
+        protocol: udp
+        mode: host
+      - target: 64738
+        published: 64738
+        protocol: tcp
+        mode: host
@@ -4,5 +4,11 @@ services:
    environment:
      - NEXTCLOUD_TALK_HPB_ENABLED
    ports:
-      - "3478:3478/udp"
-      - "3478:3478/tcp"
+      - target: 3478
+        published: 3478
+        protocol: udp
+        mode: host
+      - target: 3478
+        published: 3478
+        protocol: tcp
+        mode: host
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: ingress
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: ingress
+    deploy:
+      endpoint_mode: vip
@@ -4,4 +4,7 @@ services:
    environment:
      - PEERTUBE_RTMP_ENABLED
    ports:
-      - "1935:1935"
+      - target: 1935
+        published: 1935
+        protocol: tcp
+        mode: host
@@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PORKBUN_API_KEY_FILE=/run/secrets/pb_api_key
+      - PORKBUN_SECRET_API_KEY_FILE=/run/secrets/pb_s_api_key
+    secrets:
+      - pb_api_key
+      - pb_s_api_key
+
+secrets:
+  pb_api_key:
+    name: ${STACK_NAME}_pb_api_key_${SECRET_PORKBUN_API_KEY_VERSION}
+    external: true
+  pb_s_api_key:
+    name: ${STACK_NAME}_pb_s_api_key_${SECRET_PORKBUN_SECRET_API_KEY_VERSION}
+    external: true
@@ -6,4 +6,7 @@ services:
    environment:
      - SMTP_ENABLED
    ports:
-      - "587:587"
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - SSB_MUXRPC_ENABLED
    ports:
-      - "8008:8008"
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host
@@ -4,4 +4,7 @@ services:
    environment:
      - WEB_ALT_ENABLED
    ports:
-      - "8000:8000"
+      - target: 8000
+        published: 8000
+        protocol: tcp
+        mode: host
@@ -3,13 +3,19 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v3.6.6"
+    image: "traefik:v3.7.5"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
    ports:
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
    volumes:
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
@@ -37,9 +43,10 @@ services:
    command: traefik
    entrypoint: /custom-entrypoint.sh
    deploy:
+      endpoint_mode: dnsrr
      update_config:
        failure_action: rollback
-        order: start-first
+        order: stop-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
@@ -48,12 +55,12 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
+        - "coop-cloud.${STACK_NAME}.version=5.1.1+v3.6.15"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"

  socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
+    image: lscr.io/linuxserver/socket-proxy:3.4.0
    deploy:
      endpoint_mode: dnsrr
    environment:
@@ -84,6 +91,7 @@ services:
      - TASKS=1 # Needs access
      - VERSION=1 # Needs access
      - VOLUMES=0
+      - LOG_LEVEL=warning
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
@@ -30,6 +30,18 @@ http:
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: "31536000"
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  routers:
+    traefik-metrics:
+      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
+      entrypoints:
+        - web-secure
+      tls:
+        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
+      middlewares:
+        - basicauth@file
+      service: prometheus@internal
+  {{ end }}

 tls:
  options:
@@ -0,0 +1,10 @@
+Short summary of the latest changes:
+
+* Traefik has been upgraded with a patch release, no issues expected.
+* "CurveP256" has been included to the TLS options.
+* The default TIMEOUT value has been removed from the label directly.
+* Anubis support is here, try out `compose.anubis.yml` and see the README.md for more.
+* Onion services with Tor are not supported! See the README.md for more.
+* There are now officially 3 recipe maintainers for Traefik!
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/3.9.0+v3.6.5...master
@@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+   This adds support for IPv6 ingress, which means that after deploying this
+   change, DNS AAAA records can be made to point to the relevant IPv6
+   address and Traefik will handle public IPv6 ingress traffic (including ACME
+   HTTP-01 challenges)
+
+   /!\ This is a breaking change. It is still possible to revert ports 80 and
+       443 to ingress-mode (the previous default) but keep in mind that there
+       is no longer an easy way to publish additional ports in ingress mode.
@@ -0,0 +1,10 @@
+/!\ BREAKING CHANGE: Change metrics endpoint to use https instead of http 8082
+                     to prevent sending BASIC_AUTH in plaintext
+
+The metrics endpoint changed from http on port 8082 to the web-secure
+endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is
+enabled you need to configure a FQDN for it by setting METRICS_FQDN in your
+.env. You should also update the scrape config files in prometheus for
+Traefik metrics from port 8082 to the new FQDN.
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/5.0.0+v3.6.10...4.0.0+v3.6.10
@@ -0,0 +1 @@
+Patched CVES: CVE-2026-32595 and CVE-2026-32305
@@ -0,0 +1 @@
+letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
@@ -11,14 +11,14 @@ providers:
    endpoint: "tcp://socket-proxy:2375"
    exposedByDefault: false
    network: proxy
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+  {{- if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
  file:
    directory: /etc/traefik/file-providers
    watch: true
-  {{ else }}
+  {{- else }}
  file:
    filename: /etc/traefik/file-provider.yml
-  {{ end }}
+  {{- end }}

 api:
  dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -42,86 +42,84 @@ entrypoints:
        allowEncodedPercent: true
        allowEncodedQuestionMark: true
        allowEncodedHash: true
-  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
+  {{- if eq (env "GITEA_SSH_ENABLED") "1" }}
  gitea-ssh:
    address: ":2222"
-  {{ end }}
-  {{ if eq (env "P2PANDA_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "P2PANDA_ENABLED") "1" }}
  p2panda-udp-v4:
    address: ":2022/udp"
  p2panda-udp-v6:
    address: ":2023/udp"
-  {{ end }}
-  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "GARAGE_RPC_ENABLED") "1" }}
  garage-rpc:
    address: ":3901"
-  {{ end }}
-  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
  foodsoft-smtp:
    address: ":2525"
-  {{ end }}
-  {{ if eq (env "SMTP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "SMTP_ENABLED") "1" }}
  smtp-submission:
    address: ":587"
-  {{ end }}
-  {{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
  peertube-rtmp:
    address: ":1935"
-  {{ end }}
-  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "WEB_ALT_ENABLED") "1" }}
  web-alt:
    address: ":8000"
-  {{ end }}
-  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "SSB_MUXRPC_ENABLED") "1" }}
  ssb-muxrpc:
    address: ":8008"
-  {{ end }}
-  {{ if eq (env "MSSQL_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MSSQL_ENABLED") "1" }}
  mssql:
    address: ":1433"
-  {{ end }}
-  {{ if eq (env "MUMBLE_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MUMBLE_ENABLED") "1" }}
  mumble:
    address: ":64738"
  mumble-udp:
    address: ":64738/udp"
-  {{ end }}
-  {{ if eq (env "COMPY_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "COMPY_ENABLED") "1" }}
  compy:
    address: ":9999"
-  {{ end }}
-  {{ if eq (env "IRC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "IRC_ENABLED") "1" }}
  irc:
    address: ":6697"
-  {{ end }}
-  {{ if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{ end }}
-  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
  matrix-federation:
    address: ":9001"
-  {{ end }}
-  {{ if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
  nextcloud-talk-hpb:
    address: ":3478"
  nextcloud-talk-hpb-udp:
    address: ":3478/udp"
-  {{ end }}
+  {{- end }}
+  {{- if eq (env "ONION_ENABLED") "1" }}
+  onion:
+    address: ":9052"
+  {{- end }}

 ping:
  entryPoint: web

-{{ if eq (env "METRICS_ENABLED") "1" }}
+{{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
  prometheus:
-    entryPoint: metrics
+    entryPoint: web-secure
+    manualRouting: true
    addRoutersLabels: true
    addServicesLabels: true
-{{ end }}
+{{- end }}

 certificatesResolvers:
  staging:
@@ -129,25 +127,29 @@ certificatesResolvers:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/staging-acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{- end }}
+      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
-      {{ end }}
+      {{- end }}
  production:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/production-acme.json
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{- end }}
+      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
-      {{ end }}
+      {{- end }}
				`@@ -0,0 +1 @@`
				`Patched CVES: CVE-2026-32595 and CVE-2026-32305`
				`@@ -0,0 +1 @@`
				letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.