feat: error pages

See coop-cloud/organising#115 (comment).
2021-11-14 00:34:57 +01:00
39 changed files with 56 additions and 551 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: traefik
      networks:
        - proxy
      deploy_key:
        from_secret: drone_ssh_swarm_test
    environment:
@ -16,25 +14,19 @@ steps:
      STACK_NAME: traefik
      LETS_ENCRYPT_ENV: production
      LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v26
+      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v10
+      FILE_PROVIDER_YML_VERSION: v3
-      ENTRYPOINT_VERSION: v4
+      ENTRYPOINT_VERSION: v1
 trigger:
  branch:
    - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
  - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
    settings:
-      server: https://build.coopcloud.tech
+      command: recipe traefik release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
      fork: true
      repositories:
        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,7 +1,4 @@
 TYPE=traefik
 #TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 ENABLE_BACKUPS=true
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@ -10,7 +7,6 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
 LOG_MAX_AGE=1
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@ -44,61 +40,18 @@ COMPOSE_FILE="compose.yml"
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_API_KEY_ENABLED=1
+#GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
 #SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
 #SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
 ## Azure, https://azure.com
 ## To insert your Azure client secret:
 ## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
 #AZURE_ENABLED=1
 #AZURE_TENANT_ID=
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
 #SECRET_AZURE_SECRET_VERSION=v1
 #####################################################################
-# Manual wildcard certificate insertion                             #
+# Keycloak log-in                                                   #
 #####################################################################
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
 # abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
 # abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 #####################################################################
 # Authentication                                                    #
 #####################################################################
 ## Enable Keycloak
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
 #KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 ## BASIC_AUTH
 ## Use httpasswd to generate the secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
 #BASIC_AUTH=1
 #SECRET_USERSFILE_VERSION=v1
 #####################################################################
 # Prometheus metrics                                                #
@ -106,15 +59,8 @@ COMPOSE_FILE="compose.yml"
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
 #####################################################################
 # File provider directory configuration                             #
 # (Route bare metal and non-docker services on the machine!)        #
 #####################################################################
 #FILE_PROVIDER_DIRECTORY_ENABLED=1
 #####################################################################
 # Additional services                                               #
 #####################################################################
@ -123,18 +69,10 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_ENABLED=1
 ## Compy
 #COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
 #COMPY_ENABLED=1
 ## Gitea SSH
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
 ## P2Panda UDP
 # COMPOSE_FILE="$COMPOSE_FILE:compose.p2panda.yml"
 # P2PANDA_ENABLED=1
 ## Foodsoft SMTP
 # COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
 # FOODSOFT_SMTP_ENABLED=1
@ -154,34 +92,3 @@ COMPOSE_FILE="compose.yml"
 ## Mumble
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
 #MUMBLE_ENABLED=1
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
 ## "Web alt", an alternative web port
 # NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
 #COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
 #WEB_ALT_ENABLED=1
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
 #IRC_ENABLED=1
 ## Garage
 #COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
 #GARAGE_RPC_ENABLED=1
 ## Nextcloud Talk HPB
 #COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
 #NEXTCLOUD_TALK_HPB_ENABLED=1
 ## Anubis
 #COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"
 #ANUBIS_COOKIE_DOMAIN=example.com
 #ANUBIS_DOMAIN=anubis.example.com
 #ANUBIS_REDIRECT_DOMAINS=
 #ANUBIS_OG_PASSTHROUGH=true
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@ -1,15 +0,0 @@
 ---
 name: "Traefik pull request template"
 ---
 <!-- 
 Thank you for doing recipe maintenance work!
 Please mark all checklist items which are relevant for your changes.
 Please remove the checklist items which are not relevant for your changes.
 Feel free to remove this comment.
 -->
 * [ ] I have deployed and tested my changes
 * [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
 * [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
 * [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
--- a/MAINTENANCE.md
+++ b/MAINTENANCE.md
@ -1,32 +0,0 @@
 # Traefik Recipe Maintenance
 All contributions should be made via a pull request. This is to ensure a
 certain quality and consistency, that others can rely on.
 ## Maintainer Responsibilities
 A recipe maintainer has the following responsibilities:
 - Respond to pull requests / issues within a week
 - Make image security updates within a day
 - Make image patch / minor updates within a week
 - Make image major updates within a month
 In order to fullfill these responsibilities a recipe maintainer:
 - Has to watch the repository (to get notifications)
 - Needs to make sure renovate is configured properly
 ## Pull Requests
 A pull request can be merged if it is approved by at least one maintainer. For
 pull requests opened by a maintainer they need to be approved by another
 maintainer. Even though it is okay to merge a pull request with one approval, it
 is always better if all maintainers looked at the pull request and approved it.
 ## Become a maintainer
 Everyone can apply to be a recipe maintainer:
 1. Watch the repository to always get updates
 2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
 3. Once the pull request gets merged you will be added to the [traefik maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/traefik-maintainers).
--- a/README.md
+++ b/README.md
@ -1,19 +1,17 @@
 # Traefik
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/traefik/status.svg)](https://drone.autonomic.zone/coop-cloud/traefik)
 > https://docs.traefik.io
 <!-- metadata -->
 * **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
 * **Status**: `stable`
 * **Category**: Utilities
-* **Features**: ?
+* **Status**: ?
-* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
+* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
 * **Email**: N/A
-* **Tests**: 2
+* **Tests**: ❷💛
 * **SSO**: ? (Keycloak)
 <!-- endmetadata -->
@ -21,51 +19,8 @@
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
   your Docker swarm box
-4. `abra app deploy YOURAPPDOMAIN`
+4. `abra app YOURAPPDOMAIN deploy`
 ## Configuring basic auth
 1. Create the usersfile locally: `htpasswd -c usersfile <username>`
 2. Uncomment the Basic Auth section in your .env file
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`
 ## Configuring wildcard SSL using DNS
 Automatic certificate generation will Just Work™ for most recipes  which use a fixed
 number of subdomains. For some recipes which need to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
 [`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
 need to give Traefik access to your DNS provider so that it can carry out
 Letsencrypt DNS challenges.
 1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
   `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
   `gandiv5_api_key` and `SECRETVALUE` is the API key.
   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 ## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)
 Uncomment the lines on the Anubis section of the configuration.  Set
 a domain name for the cookies and a domain that will serve Anubis
 redirection service.  Optionally and for [added
 security](https://anubis.techaro.lol/docs/admin/configuration/redirect-domains),
 set a list of the domain names for the apps that are going to be
 protected.
 After deploying these changes, go to each recipe that supports Anubis
 and follow the process there.  **Enabling Anubis here is not enough for
 protection your apps.**
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v28
+export TRAEFIK_YML_VERSION=v12
-export FILE_PROVIDER_YML_VERSION=v11
+export FILE_PROVIDER_YML_VERSION=v3
-export ENTRYPOINT_VERSION=v5
+export ENTRYPOINT_VERSION=v2
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,4 +0,0 @@
 matrix-synapse:
    uncomment:
        - compose.matrix.yml
        - MATRIX_FEDERATION_ENABLED
--- a/compose.anubis.yml
+++ b/compose.anubis.yml
@ -1,29 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    deploy:
      labels:
      - "traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check"
  anubis:
    image: "ghcr.io/techarohq/anubis:v1.24.0"
    environment:
      BIND: ":8080"
      TARGET: " "
      REDIRECT_DOMAINS: "${ANUBIS_REDIRECT_DOMAINS}"
      COOKIE_DOMAIN: "${ANUBIS_COOKIE_DOMAIN}"
      PUBLIC_URL: "https://${ANUBIS_DOMAIN}"
      OG_PASSTHROUGH: "${ANUBIS_OG_PASSTHROUGH}"
      OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
      OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
      SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
    networks:
    - proxy
    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.anubis.rule=Host(`${ANUBIS_DOMAIN}`)"
      - "traefik.http.routers.anubis.tls.certresolver=${LETS_ENCRYPT_ENV}"
      - "traefik.http.routers.anubis.entrypoints=web-secure"
      - "traefik.http.services.anubis.loadbalancer.server.port=8080"
      - "traefik.http.routers.anubis.service=anubis"
--- a/compose.azure.yml
+++ b/compose.azure.yml
@ -1,17 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - AZURE_TENANT_ID
      - AZURE_CLIENT_ID
      - AZURE_SUBSCRIPTION_ID
      - AZURE_RESOURCE_GROUP
      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
    secrets:
      - azure_secret
 secrets:
  azure_secret:
    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
    external: true
--- a/compose.basicauth.yml
+++ b/compose.basicauth.yml
@ -1,12 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - BASIC_AUTH
    secrets:
      - usersfile
 secrets:
  usersfile:
    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
    external: true
--- a/compose.compy.yml
+++ b/compose.compy.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - COMPY_ENABLED
    ports:
      - "9999:9999"
--- a/compose.digitalocean.yml
+++ b/compose.digitalocean.yml
@ -1,15 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - digitalocean_auth_token
 secrets:
  digitalocean_auth_token:
    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
    external: true
--- a/compose.gandi-personal-access-token.yml
+++ b/compose.gandi-personal-access-token.yml
@ -1,15 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - gandiv5_pat
 secrets:
  gandiv5_pat:
    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
    external: true
--- a/compose.gandi-api-key.yml
+++ b/compose.gandi-api-key.yml
--- a/compose.garage.yml
+++ b/compose.garage.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - GARAGE_RPC_ENABLED
    ports:
      - "3901:3901"
--- a/compose.headless.yml
+++ b/compose.headless.yml
@ -10,5 +10,6 @@ services:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.service=api@internal"
        - "coop-cloud.${STACK_NAME}.app.version=v2.4.9-be23e1f6"
--- a/compose.irc.yml
+++ b/compose.irc.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - IRC_ENABLED
    ports:
      - "6697:6697"
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@ -5,9 +5,7 @@ services:
  app:
    deploy:
      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
+        - "traefik.http.routers.traefik.middlewares=keycloak@file"
    environment:
      - KEYCLOAK_MIDDLEWARE_ENABLED
      - KEYCLOAK_TFA_SERVICE
      - KEYCLOAK_MIDDLEWARE_2_ENABLED
      - KEYCLOAK_TFA_SERVICE_2
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - MATRIX_FEDERATION_ENABLED
    ports:
      - "8448:8448"
--- a/compose.metrics.yml
+++ b/compose.metrics.yml
@ -1,9 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - METRICS_ENABLED
    ports:
      - target: 8082
        published: 8082
        mode: host
--- a/compose.minio.yml
+++ b/compose.minio.yml
@ -1,9 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    environment:
      - MINIO_CONSOLE_ENABLED
    ports:
      - "9001:9001"
--- a/compose.nextcloud-talk-hpb.yml
+++ b/compose.nextcloud-talk-hpb.yml
@ -1,8 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - NEXTCLOUD_TALK_HPB_ENABLED
    ports:
      - "3478:3478/udp"
      - "3478:3478/tcp"
--- a/compose.p2panda.yml
+++ b/compose.p2panda.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - P2PANDA_ENABLED
    ports:
      - target: 2022
        published: 2022
        protocol: udp
        mode: host
      - target: 2023
        published: 2023
        protocol: udp
        mode: host
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@ -1,7 +0,0 @@
 version: "3.8"
 services:
  app:
    environment:
      - WEB_ALT_ENABLED
    ports:
      - "8000:8000"
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -1,16 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - ssl_cert
      - ssl_key
 secrets:
  ssl_cert:
    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
    external: true
  ssl_key:
    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "traefik:v3.6.6"
+    image: "traefik:v2.5.2"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
@ -11,8 +11,8 @@ services:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
    configs:
      - source: traefik_yml
        target: /etc/traefik/traefik.yml
@ -23,11 +23,9 @@ services:
        mode: 0555
    networks:
      - proxy
      - internal
    environment:
      - DASHBOARD_ENABLED
      - LOG_LEVEL
      - ${LOG_MAX_AGE:-0}
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
@ -42,57 +40,35 @@ services:
        order: start-first
      labels:
        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
+        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
+        - "traefik.http.routers.traefik.tls.options=default@file"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
+        - "traefik.http.routers.traefik.service=api@internal"
-        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
+        - "traefik.http.routers.traefik.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+v2.5.2"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-  socket-proxy:
+  web:
-    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
+    image: tarampampam/error-pages:2.2.0
    deploy:
      endpoint_mode: dnsrr
    environment:
-      - ALLOW_START=0
+      - TEMPLATE_NAME=shuffle
      - ALLOW_STOP=0
      - ALLOW_RESTARTS=0
      - AUTH=0
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Needs access
      - DISABLE_IPV6=0
      - DISTRIBUTION=0
      - EVENTS=1 # Needs access
      - EXEC=0
      - IMAGES=0
      - INFO=0
      - NETWORKS=1 # Needs access
      - NODES=1
      - PING=1
      - POST=0
      - PLUGINS=0
      - SECRETS=0
      - SERVICES=1 # Needs access
      - SESSION=0
      - SWARM=1
      - SYSTEM=0
      - TASKS=1 # Needs access
      - VERSION=1 # Needs access
      - VOLUMES=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
-      - internal
+      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.error-pages-service.loadbalancer.server.port=8080"
      - "traefik.http.routers.error-router.entrypoints=web-secure"
      - "traefik.http.routers.error-router.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.error-router.priority=10"
      - "traefik.http.routers.error-router.middlewares=error-pages-middleware@docker"
      - "traefik.http.middlewares.error-pages-middleware.errors.status=400-599"
      - "traefik.http.middlewares.error-pages-middleware.errors.service=error-pages-service@docker"
      - "traefik.http.middlewares.error-pages-middleware.errors.query=/{status}.html"
 networks:
  proxy:
    external: true
  internal:
 configs:
  traefik_yml:
@ -110,4 +86,3 @@ configs:
 volumes:
  letsencrypt:
  file-providers:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -7,12 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
-{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+{{ if eq (env "GANDI_ENABLED") "1" }}
-export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 {{ if eq (env "AZURE_ENABLED") "1" }}
 export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
 {{ end }}
 /entrypoint.sh "$@"
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -9,22 +9,10 @@ http:
        authResponseHeaders:
          - X-Forwarded-User
    {{ end }}
    {{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
    keycloak2:
      forwardAuth:
        address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
    {{ end }}
    {{ if eq (env "BASIC_AUTH") "1" }}
    basicauth:
      basicAuth:
        usersFile: "/run/secrets/usersfile"
    {{ end }}
    security:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -43,10 +31,4 @@ tls:
      curvePreferences:
        - CurveP521
        - CurveP384
        - CurveP256
      sniStrict: true
  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
  certificates:
    - certFile: /run/secrets/ssl_cert
      keyFile: /run/secrets/ssl_key
  {{ end }}
--- a/release/2.8.0+v2.11.10
+++ b/release/2.8.0+v2.11.10
@ -1 +0,0 @@
 Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410
--- a/release/2.9.0+v2.11.14
+++ b/release/2.9.0+v2.11.14
@ -1 +0,0 @@
 Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
--- a/release/2.9.1+v2.11.14
+++ b/release/2.9.1+v2.11.14
@ -1 +0,0 @@
 Reverts max log retention
--- a/release/3.0.0+v2.11.22
+++ b/release/3.0.0+v2.11.22
@ -1,2 +0,0 @@
 socket-proxy: switch to endpoint-mode dnsrr instead of vip
 See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.
--- a/release/3.3.0+v2.11.26
+++ b/release/3.3.0+v2.11.26
@ -1 +0,0 @@
 Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5
--- a/release/3.4.0+v3.4.4
+++ b/release/3.4.0+v3.4.4
@ -1 +0,0 @@
 Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax
--- a/release/3.4.2+v3.4.5
+++ b/release/3.4.2+v3.4.5
@ -1 +0,0 @@
 Bumps the TRAEFIK_YML_VERSION
--- a/release/3.5.0+v3.4.5
+++ b/release/3.5.0+v3.4.5
@ -1 +0,0 @@
 Add support to azure DNS-01 acme challenge
--- a/release/3.6.0+v3.4.5
+++ b/release/3.6.0+v3.4.5
@ -1 +0,0 @@
 Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.
--- a/renovate.json
+++ b/renovate.json
@ -1,6 +0,0 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ]
 }
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -1,24 +1,15 @@
 ---
 core:
  defaultRuleSyntax: v2
 log:
  level: {{ env "LOG_LEVEL" }}
  maxAge: {{ env "LOG_MAX_AGE" }}
 providers:
-  swarm:
+  docker:
-    endpoint: "tcp://socket-proxy:2375"
+    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+    swarmMode: true
  file:
    directory: /etc/traefik/file-providers
    watch: true
  {{ else }}
  file:
    filename: /etc/traefik/file-provider.yml
  {{ end }}
 api:
  dashboard: {{ env "DASHBOARD_ENABLED" }}
@ -33,29 +24,10 @@ entrypoints:
          to: web-secure
  web-secure:
    address: ":443"
    http:
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedBackSlash: true
        allowEncodedNullCharacter: true
        allowEncodedSemicolon: true
        allowEncodedPercent: true
        allowEncodedQuestionMark: true
        allowEncodedHash: true
  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
  gitea-ssh:
    address: ":2222"
  {{ end }}
  {{ if eq (env "P2PANDA_ENABLED") "1" }}
  p2panda-udp-v4:
    address: ":2022/udp"
  p2panda-udp-v6:
    address: ":2023/udp"
  {{ end }}
  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
  garage-rpc:
    address: ":3901"
  {{ end }}
  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
  foodsoft-smtp:
    address: ":2525"
@ -68,10 +40,6 @@ entrypoints:
  peertube-rtmp:
    address: ":1935"
  {{ end }}
  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
  web-alt:
    address: ":8000"
  {{ end }}
  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
  ssb-muxrpc:
    address: ":8008"
@ -86,30 +54,9 @@ entrypoints:
  mumble-udp:
    address: ":64738/udp"
  {{ end }}
  {{ if eq (env "COMPY_ENABLED") "1" }}
  compy:
    address: ":9999"
  {{ end }}
  {{ if eq (env "IRC_ENABLED") "1" }}
  irc:
    address: ":6697"
  {{ end }}
  {{ if eq (env "METRICS_ENABLED") "1" }}
  metrics:
    address: ":8082"
    http:
      middlewares:
        - basicauth@file
  {{ end }}
  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
  matrix-federation:
    address: ":9001"
  {{ end }}
  {{ if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
  nextcloud-talk-hpb:
    address: ":3478"
  nextcloud-talk-hpb-udp:
    address: ":3478/udp"
  {{ end }}
 ping:
@ -119,8 +66,6 @@ ping:
 metrics:
  prometheus:
    entryPoint: metrics
    addRoutersLabels: true
    addServicesLabels: true
 {{ end }}
 certificatesResolvers:
@ -149,5 +94,5 @@ certificatesResolvers:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
-          - "9.9.9.9:53"
+          - "8.8.8.8:53"
      {{ end }}
		`@ -1 +0,0 @@`
			`Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410`
		`@ -1 +0,0 @@`
			`Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg`
		`@ -1,2 +0,0 @@`
			`socket-proxy: switch to endpoint-mode dnsrr instead of vip`
			`See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.`
		`@ -1 +0,0 @@`
			`Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5`
		`@ -1 +0,0 @@`
			`Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax`
		`@ -1 +0,0 @@`
			`Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.`