include anubis middleware address

Reviewed-on: #55
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -8,7 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: traefik
       networks:
-       - proxy
+        - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,7 +16,7 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v21
+      TRAEFIK_YML_VERSION: v22
       FILE_PROVIDER_YML_VERSION: v10
       ENTRYPOINT_VERSION: v4
 trigger:

.env.sample

@@ -10,7 +10,7 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
-LOG_MAX_AGE=0
+LOG_MAX_AGE=1
 
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@@ -59,6 +59,17 @@ COMPOSE_FILE="compose.yml"
 #DIGITALOCEAN_ENABLED=1
 #SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
 
+## Azure, https://azure.com
+## To insert your Azure client secret:
+## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
+#AZURE_ENABLED=1
+#AZURE_TENANT_ID=
+#AZURE_CLIENT_ID=
+#AZURE_SUBSCRIPTION_ID=
+#AZURE_RESOURCE_GROUP=
+#SECRET_AZURE_SECRET_VERSION=v1
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
@@ -148,3 +159,7 @@ COMPOSE_FILE="compose.yml"
 # NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
 #COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
 #WEB_ALT_ENABLED=1
+
+## Matrix
+#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
+#IRC_ENABLED=1

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v22
+export TRAEFIK_YML_VERSION=v24
 export FILE_PROVIDER_YML_VERSION=v10
 export ENTRYPOINT_VERSION=v4

compose.anubis.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+
+services:
+  app:
+    deploy:
+      labels:
+      - traefik.http.middlewares.anubis.forwardauth.address=http://anubis:8080/.within.website/x/cmd/anubis/api/check

compose.azure.yml

@@ -0,0 +1,17 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - AZURE_TENANT_ID
+      - AZURE_CLIENT_ID
+      - AZURE_SUBSCRIPTION_ID
+      - AZURE_RESOURCE_GROUP
+      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
+    secrets:
+      - azure_secret
+
+secrets:
+  azure_secret:
+    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
+    external: true

compose.irc.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - IRC_ENABLED
+    ports:
+      - "6697:6697"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.11.14"
+    image: "traefik:v3.4.5"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -27,7 +27,7 @@ services:
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
-      - LOG_MAX_AGE=${LOG_MAX_AGE:0}
+      - ${LOG_MAX_AGE:-0}
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -48,12 +48,14 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.1.0+v2.11.14"
+        - "coop-cloud.${STACK_NAME}.version=3.5.0+v3.4.5"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   socket-proxy:
     image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
+    deploy:
+      endpoint_mode: dnsrr
     environment:
       - ALLOW_START=0
       - ALLOW_STOP=0
@@ -77,7 +79,7 @@ services:
       - SECRETS=0
       - SERVICES=1 # Needs access
       - SESSION=0
-      - SWARM=0
+      - SWARM=1
       - SYSTEM=0
       - TASKS=1 # Needs access
       - VERSION=1 # Needs access

entrypoint.sh.tmpl

@@ -11,4 +11,8 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
 {{ end }}
 
+{{ if eq (env "AZURE_ENABLED") "1" }}
+export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"

release/2.9.1+v2.11.14

@@ -0,0 +1 @@
+Reverts max log retention

release/3.0.0+v2.11.22

@@ -0,0 +1,2 @@
+socket-proxy: switch to endpoint-mode dnsrr instead of vip
+See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.

release/3.1.0+v2.11.14

@@ -1 +0,0 @@
-Adds log retention configuration option

release/3.3.0+v2.11.26

@@ -0,0 +1 @@
+Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

release/3.4.0+v3.4.4

@@ -0,0 +1 @@
+Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax

release/3.4.2+v3.4.5

@@ -0,0 +1 @@
+Bumps the TRAEFIK_YML_VERSION

release/3.5.0+v3.4.5

@@ -0,0 +1 @@
+Add support to azure DNS-01 acme challenge

release/3.6.0+v3.4.5

@@ -0,0 +1 @@
+Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.

traefik.yml.tmpl

@@ -1,15 +1,16 @@
 ---
+core:
+  defaultRuleSyntax: v2
+ 
 log:
   level: {{ env "LOG_LEVEL" }}
   maxAge: {{ env "LOG_MAX_AGE" }}
 
-
 providers:
-  docker:
+  swarm:
     endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
-    swarmMode: true
   {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
   file:
     directory: /etc/traefik/file-providers
@@ -70,6 +71,10 @@ entrypoints:
   compy:
     address: ":9999"
   {{ end }}
+  {{ if eq (env "IRC_ENABLED") "1" }}
+  irc:
+    address: ":6697"
+  {{ end }}
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"