171 Commits

Author SHA1 Message Date
6c6b5c66ca chore: publish 3.6.1+v3.4.5 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-10-22 23:02:24 -04:00
993ed9cf09 Garage support .env addition
Some checks failed
continuous-integration/drone/push Build is failing
2025-10-22 21:09:23 -04:00
1c2302b288 Merge branch 'master' into HEAD
Some checks failed
continuous-integration/drone/push Build is failing
2025-10-22 21:03:58 -04:00
27d5c092de add support for Garage RPC port 2025-10-22 21:01:02 -04:00
88e1a67146 chore: publish 3.6.0+v3.4.5 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-08-28 18:01:23 -04:00
7e7422a593 Expose LOG_MAX_AGE
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #55
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2025-08-28 18:05:27 +00:00
304915a396 Set default LOG_MAX_AGE
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-27 11:50:13 -04:00
a3ab012d55 revert f2e746344e
Some checks failed
continuous-integration/drone/push Build is failing
revert chore: publish 3.5.1+v3.4.5 release
2025-08-13 19:17:11 +00:00
f2e746344e chore: publish 3.5.1+v3.4.5 release 2025-08-13 19:10:53 +00:00
1ec509eee8 Fixed azure secret variable
Some checks failed
continuous-integration/drone/push Build is failing
2025-08-13 19:05:05 +00:00
52c2cbf7ec chore: publish 3.5.0+v3.4.5 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-08-13 05:27:39 -07:00
b8303290de Merge pull request 'feat: add azure DNS-01 challenge support' (#56) from ripclap/traefik:master into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #56
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2025-08-12 19:16:42 +00:00
445feab87c Revert "Updated TRAEFIK_YML_VERSION"
Some checks failed
continuous-integration/drone/pr Build is failing
This reverts commit 2db1a03d94.
2025-08-12 09:44:59 -07:00
b8aa102a01 azure: update code to align with established conventions
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-12 01:21:56 -07:00
2db1a03d94 Updated TRAEFIK_YML_VERSION
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-11 17:37:22 -07:00
c7e510fbad Added Azure DNS 01-Challenge support
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-12 00:20:57 +00:00
f7087646b1 Added Azure DNS 01-Challenge support 2025-08-12 00:20:11 +00:00
8d7f9bd6a2 traefik_yml_version
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-08 22:17:46 -04:00
01c5b2a3a4 Update to Traefik v3
Some checks failed
continuous-integration/drone/pr Build is failing
2025-08-06 18:13:11 -04:00
810e1b0502 chore: publish 3.4.2+v3.4.5 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-07-28 14:33:50 +02:00
270af60ba4 chore: publish 3.4.1+v3.4.5 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-07-25 18:14:45 -04:00
27dfc1ae2c chore: publish 3.4.0+v3.4.4 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-07-23 23:14:01 -04:00
2ff2c0d59e Merge pull request 'update to traefik v3' (#54) from sixsmith/traefik:v3-update-only into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #54
2025-07-23 00:06:45 +00:00
60ec1191a8 v3: update Traefik
Some checks failed
continuous-integration/drone/pr Build is failing
2025-07-15 15:57:41 -07:00
ff351d4c7f fix drone
All checks were successful
continuous-integration/drone/push Build is passing
2025-07-01 20:02:30 +02:00
4a5cfddb4c chore: publish 3.3.0+v2.11.26 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-07-01 19:40:44 +02:00
3wc
ed8646001c chore: publish 3.2.0+v2.11.25 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-06-20 10:38:14 +01:00
3wc
45b168789e Merge branch 'master' into feature/irc 2025-06-20 10:37:27 +01:00
3wc
7835b585fd chore: publish 3.1.1+v2.11.25 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2025-06-11 18:23:53 +01:00
830559895e chore: publish 3.1.0+v2.11.24 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2025-04-22 15:28:32 +02:00
ac53e9debe chore: publish 3.0.0+v2.11.22 with release note
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2025-04-22 09:27:08 +02:00
acb4c6960a feat: Switch to endpoint-mode dnsrr instead of vip
The default docker swarm endpoint mode (vip) introduces unnecessary
indirection in the communication between services, namely the
docker-proxy and a dynamic haproxy endpoint container. This commit
switches the socket-proxy service to endpoint_mode: dnsrr by default and
the traefik service when using host-mode port publishing.

I would strongly recommend considering switching to host-mode port
publishing by default, especially as most coop-cloud deployments are
single-server.

See: toolshed/organising#648

Thanks to @mirsal. Rebased and merged from the following commit.
abbb3255f8
2025-04-22 09:04:43 +02:00
22578d1e8e chore: publish 2.10.0+v2.11.22 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2025-04-01 16:00:35 +02:00
55ad530fb7 chore: publish 2.9.1+v2.11.14 release 2025-02-21 18:42:22 +01:00
54fe45da2f Revert max log max log retention 2025-02-21 18:40:16 +01:00
e21dbc655a fix default values and breaking configuration for LOG_MAX_AGE change 2025-02-20 14:42:13 -05:00
b9d825b5c5 publish new version 2025-02-19 17:21:22 -05:00
74b3ee6716 chore: publish 3.1.0+v2.11.14 release
All checks were successful
continuous-integration/drone/tag Build is passing
2025-02-19 17:20:04 -05:00
14d5d79520 Merge pull request 'Expose max log retention in traefik.yml' (#51) from sixsmith/traefik:master into master
Reviewed-on: #51
Reviewed-by: marlon <marlon@riseup.net>
2025-02-19 22:15:04 +00:00
7185e6ab43 Configure max log retention 2025-02-19 16:09:01 -05:00
3wc
8fbcab6bea Initial support for IRC, port 6697 2025-02-06 13:54:28 -05:00
85d0c159b0 Update .drone.yml
All checks were successful
continuous-integration/drone/push Build is passing
2025-01-08 10:09:13 -08:00
6294944952 chore: publish 2.9.0+v2.11.14 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-12-03 19:33:59 +01:00
abbb3255f8 Switch to endpoint-mode dnsrr instead of vip
Some checks failed
continuous-integration/drone/pr Build is failing
The default docker swarm endpoint mode (vip) introduces unnecessary
indirection in the communication between services, namely the
docker-proxy and a dynamic haproxy endpoint container. This commit
switches the socket-proxy service to endpoint_mode: dnsrr by default and
the traefik service when using host-mode port publishing.

I would strongly recommend considering switching to host-mode port
publishing by default, especially as most coop-cloud deployments are
single-server.

See: toolshed/organising#648
2024-11-27 16:42:35 +00:00
b5824c89f1 fix drone runner
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-24 13:33:04 +02:00
9c924f5d67 fix drone runner
Some checks failed
continuous-integration/drone/push Build is failing
2024-10-24 13:30:35 +02:00
ed0945f59f add backupbot label
Some checks failed
continuous-integration/drone/push Build is failing
2024-10-24 13:12:51 +02:00
0fac81d4e2 Merge pull request 'Update to handle gandiv5 personal access tokens' (#49) from gabi/traefik:gandiv5 into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #49
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2024-10-21 07:52:38 +00:00
c8894b7ee7 Update secret length to follow length guidelines.
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-18 23:19:30 -07:00
e65bffe337 Update to handle gandiv5 personal access tokens
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-03 19:40:34 -04:00
8cce1b7ff7 chore: publish 2.8.0+v2.11.10 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-09-23 16:03:26 +02:00
b9cbc9ba92 Revert to 2.7.0+v2.11.8
Some checks failed
continuous-integration/drone/push Build is failing
2024-09-03 13:09:37 +02:00
d5f36255fe chore: publish 4.1.2+v3.1.2 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:20:13 +01:00
b836d441f5 chore: publish 4.1.1+v3.1.1 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:19:51 +01:00
8de23fd652 chore: publish 4.1.0+v3.1.0 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:19:14 +01:00
6133be7830 chore: publish 4.0.4+v3.0.4 release 2024-08-26 18:17:28 +01:00
5803d05532 chore: publish 4.0.3+v3.0.3 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:16:57 +01:00
0ace5037db chore: publish 4.0.2+v3.0.2 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:16:26 +01:00
9e2d000d12 chore: publish 4.0.1+v3.0.1 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:15:51 +01:00
d4f1c6b45c chore: publish 4.0.0+v3.0.0 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-26 18:14:56 +01:00
ca989e903c chore: publish 2.7.0+v2.11.8 release
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-07 16:08:18 +02:00
50cdb20a39 docker soket via socket proxy (#48)
Some checks failed
continuous-integration/drone/push Build is failing
Mounting the docker socket directly is not recommended, because it is a security issue. Instead, access it via a TCP socket proxy.

See https://doc.traefik.io/traefik/providers/docker/#docker-api-access

Reviewed-on: #48
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Co-authored-by: p4u1 <p4u1_f4u1@riseup.net>
Co-committed-by: p4u1 <p4u1_f4u1@riseup.net>
2024-07-06 18:28:26 +00:00
60b79b447a add alakazam matrix federation integration
Some checks failed
continuous-integration/drone/push Build is failing
2024-06-04 15:22:25 +02:00
f1b52916df Merge pull request 'fix: the command is "secret"' (#47) from fauno/traefik:master into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #47
2024-06-01 20:07:19 +00:00
f
35d435b4f6 fix: the command is "secret"
Some checks failed
continuous-integration/drone/pr Build is failing
2024-06-01 13:54:50 -03:00
b7ea50d6aa chore: publish 2.6.3+v2.11.2 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2024-04-14 21:38:48 +01:00
af33ec8510 chore: publish 2.6.2+v2.11.1 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2024-04-14 21:36:25 +01:00
685d32baf1 Merge pull request 'Add preliminary DigitalOcean DNS support' (#36) from digitalocean-dns into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #36
2024-04-06 18:00:38 +00:00
3wc
e76d61be00 Add preliminary DigitalOcean DNS support
Some checks failed
continuous-integration/drone/pr Build is failing
2024-04-06 15:00:06 -03:00
3wc
daec338066 Another Drone fix?
All checks were successful
continuous-integration/drone/push Build is passing
2024-04-06 14:53:41 -03:00
3wc
e92e76ac88 Fix Drone CI
Some checks failed
continuous-integration/drone/push Build is failing
2024-04-06 14:52:55 -03:00
3wc
70d10587bc chore: publish 2.6.1+v2.11.0 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2024-04-06 14:36:21 -03:00
3wc
bdf84fcefd Reinstate missing HTTP->HTTPS redirect 2024-04-06 14:35:53 -03:00
3wc
2db2f71a80 chore: publish 2.6.0+v2.11.0 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2024-04-01 22:56:20 -03:00
3wc
c558e1dbdb Ditch DISABLE_HTTPS_REDIRECT 2024-04-01 22:53:56 -03:00
3wc
edc29f9594 Add "web-alt" entrypoint (mostly for Icecast)
Some checks failed
continuous-integration/drone/push Build is failing
2024-04-01 19:49:23 -03:00
3wc
f7f77dc942 Add support for unencrypted HTTP apps (please don't use this 😢)
Some checks failed
continuous-integration/drone/push Build is failing
2024-03-30 17:59:48 -03:00
ecc12b2b68 chore: publish 2.5.0+v2.11.0 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2024-02-16 16:41:57 +01:00
a0e70f33be Merge pull request 'Add support for externally-sourced wildcard certificates' (#45) from wolcen/traefik:master into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #45
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2024-01-12 20:48:03 +00:00
e3c1df83fa chore(security): update traefik to 2.10.7
Some checks failed
continuous-integration/drone/pr Build is failing
Addresses two CVE fixes from 2.10.6
2024-01-11 21:47:59 -05:00
998190f684 feat: add distinct version for wildcard key secret 2024-01-11 21:47:50 -05:00
cd92c909ba docs: correct secret insertion examples 2024-01-11 21:47:04 -05:00
64351c27d1 fix: deprecation warning - handled by redirect under web already 2024-01-11 21:47:04 -05:00
f4b05fd87f Bump file revisions for wildcard support 2024-01-11 21:45:32 -05:00
3c5333ba71 feat: add support for wildcard certs via secrets 2024-01-11 21:45:05 -05:00
3wc
5f2fd0bf37 chore: publish 2.4.3+v2.10.5 release
All checks were successful
continuous-integration/drone/push Build is passing
2023-10-16 13:16:09 +01:00
3wc
ac3a47fe8c chore: publish 2.4.2+v2.10.4 release
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-07-25 17:19:22 +01:00
1e02f358ed chore: publish 2.4.1+v2.10.3 release
All checks were successful
continuous-integration/drone/push Build is passing
2023-07-10 09:51:42 +02:00
6cdcc25384 chore: publish 2.4.0+v2.10.1 release
Some checks failed
continuous-integration/drone/push Build is failing
2023-05-25 13:40:08 +02:00
d2b7b671f5 feat: use host mode port networking
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is failing
2023-05-25 13:34:35 +02:00
c9d80df34d feat: enable public facing metrics 2023-05-25 13:34:34 +02:00
aaa34c1ea8 chore: publish 2.3.1+v2.10.2 release
Some checks failed
continuous-integration/drone/push Build is failing
2023-05-24 11:36:27 +02:00
6dee438492 fix: increase config version
Some checks failed
continuous-integration/drone/push Build is failing
2023-05-24 11:33:31 +02:00
ff668b2266 chore: publish 2.3.0+v2.10.2 release
Some checks failed
continuous-integration/drone/push Build is failing
2023-05-24 11:31:20 +02:00
e2c16be2ff feat: adds basic auth middleware
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is failing
2023-05-10 15:35:52 +02:00
3wc
892f3c3124 chore: publish 2.2.0+v2.10.2 release
Some checks failed
continuous-integration/drone/push Build is failing
2023-04-27 16:12:25 -04:00
3wc
4205f4911e Bump TRAEFIK_YML_VERSION 2023-04-27 16:12:03 -04:00
3wc
13eb4a782d chore: publish 2.2.0+v2.10.1 release 2023-04-27 15:58:01 -04:00
b00a65a890 feat: routing bare metal
Some checks failed
continuous-integration/drone/push Build is failing
2023-04-20 21:19:47 +02:00
a213094d46 add timeout label
All checks were successful
continuous-integration/drone/push Build is passing
2023-04-18 18:36:09 +02:00
8bb3adba81 add auto update and timeout env
All checks were successful
continuous-integration/drone/push Build is passing
2023-04-18 18:26:15 +02:00
a7bff09db6 chore: publish 2.1.0+v2.9.9 release
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
2023-04-04 18:26:39 +02:00
3wc
6167d41588 Add DNS challenge / wildcard instructions to README.md
[ci skip]
2023-03-06 20:58:19 -05:00
31330d967b chore: publish 2.0.4+v2.9.6 release
All checks were successful
continuous-integration/drone/push Build is passing
2023-02-13 17:09:40 +01:00
f23357c9cd fix: remove invalid tls label
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is passing
See coop-cloud/organising#412
2023-02-13 11:16:07 +01:00
3wc
b6bb286282 Switch to self-hosted stack-ssh-deploy image [mass update]
All checks were successful
continuous-integration/drone/push Build is passing
2023-01-21 11:49:56 -08:00
3wc
14a34c7b7f Fix CI by adding networks: [mass update]
All checks were successful
continuous-integration/drone/push Build is passing
2023-01-20 11:58:41 -08:00
3wc
39bfdb4c82 Automatically generate catalogue on release [mass update]
Some checks failed
continuous-integration/drone/push Build is failing
Re: coop-cloud/recipes-catalogue-json#4
2023-01-20 10:27:12 -08:00
3wc
1d43c68274 Update abra syntax in examples (finally) [mass update]
Some checks failed
continuous-integration/drone/push Build is failing
2023-01-19 16:02:28 -08:00
f1cfb814dd chore: publish 2.0.3+v2.9.6 release
Some checks failed
continuous-integration/drone/push Build is failing
2023-01-18 13:48:37 -08:00
ece8807959 chore: publish 2.0.2+v2.9.5 release
Some checks failed
continuous-integration/drone/push Build is failing
2022-12-02 11:09:17 +01:00
3wc
a1e75e8c8b Revert to traefik.example.com templating
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-16 20:35:34 -08:00
b62cb273ef Merge pull request 'Up versions to latest stable and one ping less to Google' (#38) from javielico/traefik:master into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #38
2022-11-11 19:32:15 +00:00
5f25a272cb One ping less to Google, swap for Quad9
Some checks failed
continuous-integration/drone/pr Build is failing
2022-11-11 17:02:09 +00:00
4c7a272838 Up version to 2.9.4 2022-11-11 16:59:00 +00:00
3wc
2e68186042 chore: publish 2.0.0+v2.9.1 release
Some checks failed
continuous-integration/drone/push Build is failing
2022-10-18 17:09:44 -04:00
3wc
975d8e01a4 Use $STACK_NAME for default router name..
Some checks failed
continuous-integration/drone/push Build is failing
..instead of hard-coded `traefik`
2022-10-18 17:06:11 -04:00
fcff3a2d6a syntax
Some checks failed
continuous-integration/drone/push Build is failing
minor
2022-10-13 16:51:46 +00:00
981d2a3808 chore: publish 1.1.1+v2.8.1 release
Some checks failed
continuous-integration/drone/push Build is failing
2022-07-14 10:47:58 +02:00
29eb1058cd chore: publish 1.1.0+v2.8.0 release
Some checks failed
continuous-integration/drone/push Build is failing
2022-07-01 11:35:28 +02:00
df49a1f3b2 use domain env var
Some checks failed
continuous-integration/drone/push Build is failing
2022-03-27 21:12:16 +02:00
3wc
099dcfaed0 Add compy support
Some checks failed
continuous-integration/drone/push Build is failing
2022-03-26 23:49:10 +02:00
1d7542cd5f fix: drop minio config changes for now
New version is hard to config, unsure if this is needed.
2022-01-06 11:12:47 +01:00
5e1604322e fix: bump vendored config 2022-01-06 10:06:04 +01:00
36707989d2 fix: add missing entrypoints (matrix, minio) 2022-01-06 10:01:52 +01:00
29f90fe409 feat: minio port 2022-01-06 09:50:35 +01:00
8a48c5e507 chore: publish 1.0.1+v2.5.6 release 2021-12-28 03:38:36 +01:00
612d0cc6cc feat: matrix federation 2021-12-13 13:56:36 +01:00
36c7b740ab Merge pull request 'Add a slot for a second traefik-forward-auth' (#31) from forward-auth-2 into master
Reviewed-on: #31
2021-11-24 15:10:53 +00:00
3wc
59b0f8d645 Make sure variable names align, fix template 2021-11-23 12:40:17 +02:00
3wc
556c448c05 Align traefik-forward-auth 2nd var name with existing 2021-11-23 12:40:17 +02:00
3wc
26fcaaea69 Add a slot for a second traefik-forward-auth instance 2021-11-23 12:40:17 +02:00
3wc
02ebb1412f Goodbye, emojis! 😢
[ci skip]
2021-11-23 12:23:23 +02:00
3wc
8e91a5a3ee Minuscule .env tweak
Some checks failed
continuous-integration/drone/push Build is failing
2021-10-14 00:44:40 +02:00
3048d09cd8 fix: support configurable tfa service
Some checks failed
continuous-integration/drone/push Build is failing
2021-10-14 00:43:56 +02:00
2c9e980809 chore: remove old file
Some checks failed
continuous-integration/drone/push Build is failing
2021-10-12 11:41:56 +02:00
ec47f5c9dd chore: first release 2021-10-12 11:41:53 +02:00
cf81dc543a chore: upgrade to 2.5.2 and add spaces
Some checks failed
continuous-integration/drone/push Build is failing
2021-09-15 13:35:57 +02:00
48f03d8fcf Remove 2222 port from host networking
Some checks failed
continuous-integration/drone/push Build is failing
This was an old config for when we did host mode networking for gitea
ssh but now we use the SNI thing that seems to work.
2021-09-02 09:15:58 +02:00
8c6fe61e60 Merge pull request 'Allow prometheus metrics collection' (#28) from mirsal/traefik:prometheus-metrics into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #28
2021-08-10 06:19:46 +00:00
fc5aa70d27 Allow prometheus metrics collection
Some checks failed
continuous-integration/drone/pr Build is failing
This patch adds a METRICS_ENABLED configuration variable which,
when switched on, defines a metrics entrypoint and enables the
built-in prometheus metrics exporter. This allows the monitoring
stack to collect and show traefik metrics
2021-08-09 23:28:15 +00:00
9e123afb07 Merge pull request 'COMPOSE_FILE=$COMPOSE_FILE:`, to combine 'em easier' (#27) from rejig-compose-vars into master
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #27
2021-08-07 17:55:05 +00:00
3wc
baba7ff87d Add default COMPOSE_FILE
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2021-08-07 19:49:29 +02:00
3wc
e856591c97 COMPOSE_FILE=$COMPOSE_FILE:, to combine 'em easier
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
Thanks, @mirsal
2021-08-07 17:03:52 +02:00
3wc
8bcd8f054e Add missing Mumble vars to .env.sample 2021-08-07 17:03:20 +02:00
3wc
a9a513e8da Add Mumble TCP/UDP ports
Some checks failed
continuous-integration/drone/push Build is failing
2021-08-07 14:24:39 +02:00
3wc
46010aeb95 Enable Gandi DNS challenge for Letsencrypt
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone Build is failing
2021-07-18 16:30:22 +02:00
0421dd4747 Update traefik Docker tag to v2.4.11
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is failing
2021-07-16 07:03:32 +00:00
eb69ba9309 Expose host mode networking for mssql
Some checks failed
continuous-integration/drone/push Build is failing
See https://github.com/WASHNote/washnote-apps/issues/17.
2021-07-07 15:58:08 +02:00
21cd25f3d6 Quote and version headless
Some checks failed
continuous-integration/drone/push Build is failing
2021-06-27 20:19:04 +02:00
f9b3475086 Version v2.4.9; sync labels
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is failing
2021-06-27 20:18:21 +02:00
ef443bae50 Add "headless mode" config
Some checks failed
continuous-integration/drone/push Build is failing
Closes https://git.autonomic.zone/coop-cloud/traefik/issues/24.
2021-06-27 20:17:41 +02:00
aacf00309e Update traefik Docker tag to v2.4.9
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is failing
2021-06-23 07:03:18 +00:00
f73e38d143 Use new image namespace
Some checks failed
continuous-integration/drone/push Build is failing
2021-06-21 12:32:15 +02:00
661bec4727 Bump versions for CI
Some checks reported errors
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build encountered an error
2021-06-10 12:38:42 +02:00
7258b129c4 Support OVH configuration
Some checks failed
continuous-integration/drone/push Build is failing
See https://github.com/Autonomic-Cooperative/traefik/pull/1.
2021-06-10 12:36:54 +02:00
bbbdfc272d Merge pull request #1 from ahdinosaur/lets-encrypt-dns-challenge-ovh
add support for Let's Encrypt DNS-01 challenge (for wildcard domains)
2021-06-10 12:01:37 +02:00
2c81622d9a add support for Let's Encrypt DNS-01 challenge (for wildcard domains)
start with support for OVH provider, but in a way for others to be added in the future:

https://doc.traefik.io/traefik/https/acme/#dnschallenge
2021-06-10 14:53:17 +12:00
8ff2f3a294 Add missing env var
Some checks reported errors
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build encountered an error
2021-06-07 09:51:24 +02:00
2c745416fc Support mssql host mode connections
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is failing
2021-06-07 09:42:50 +02:00
d968028216 Push env vars to overriding configs
Some checks failed
continuous-integration/drone/push Build is failing
2021-06-05 23:02:36 +02:00
3wc
8d309bc7bf Entrypoint for SSB MUXRPC
Some checks failed
continuous-integration/drone/push Build is failing
2021-06-05 14:23:58 +02:00
18d8805c99 Remove trigger, we make the tags [ci skip] 2021-06-04 00:15:40 +02:00
bdff19882b Fix bad name in batch update script [ci skip] 2021-06-03 23:07:24 +02:00
fd9faeb021 Add release logic to CI [ci skip] 2021-06-03 23:01:32 +02:00
f26557bd40 Expose config var for RTMP port
Some checks failed
continuous-integration/drone/push Build is failing
2021-05-10 14:02:53 +02:00
2de31afe26 Use actual template language
Some checks failed
continuous-integration/drone/push Build is failing
2021-05-10 13:53:27 +02:00
028ad6ce62 Upgrade vendored config
Some checks failed
continuous-integration/drone/push Build is failing
2021-05-10 13:13:44 +02:00
ede226cea7 Add conditionl for peertube RMTP port
Some checks failed
continuous-integration/drone/push Build is failing
2021-05-10 13:04:53 +02:00
9a1dd29d01 Add RTMP optional port setup
All checks were successful
continuous-integration/drone/push Build is passing
2021-05-10 12:58:10 +02:00
2428f5fabd Make foodsoft/gitea ports optional
All checks were successful
continuous-integration/drone/push Build is passing
Closes https://git.autonomic.zone/coop-cloud/traefik/issues/23.
2021-04-07 14:22:22 +02:00
44 changed files with 685 additions and 98 deletions


@ -3,10 +3,12 @@ kind: pipeline
name: deploy to swarm-test.autonomic.zone name: deploy to swarm-test.autonomic.zone
steps: steps:
- name: deployment - name: deployment
image: decentral1se/stack-ssh-deploy:latest image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
settings: settings:
host: swarm-test.autonomic.zone host: swarm-test.autonomic.zone
stack: traefik stack: traefik
networks:
- proxy
deploy_key: deploy_key:
from_secret: drone_ssh_swarm_test from_secret: drone_ssh_swarm_test
environment: environment:
@ -14,8 +16,25 @@ steps:
STACK_NAME: traefik STACK_NAME: traefik
LETS_ENCRYPT_ENV: production LETS_ENCRYPT_ENV: production
LETS_ENCRYPT_EMAIL: helo@autonomic.zone LETS_ENCRYPT_EMAIL: helo@autonomic.zone
TRAEFIK_YML_VERSION: v3 TRAEFIK_YML_VERSION: v22
FILE_PROVIDER_YML_VERSION: v2 FILE_PROVIDER_YML_VERSION: v10
ENTRYPOINT_VERSION: v4
trigger: trigger:
branch: branch:
- master - master
---
kind: pipeline
name: generate recipe catalogue
steps:
- name: release a new version
image: plugins/downstream
settings:
server: https://build.coopcloud.tech
token:
from_secret: drone_abra-bot_token
fork: true
repositories:
- toolshed/auto-recipes-catalogue-json
trigger:
event: tag
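Review bot: Both step images on the new side are mutable references: `git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest` in the `deployment` step and the untagged `plugins/downstream` in the `release a new version` step. Each of those steps is handed a credential (`drone_ssh_swarm_test` as `deploy_key`, `drone_abra-bot_token` as `token`), so whatever those references resolve to at build time runs with the deploy key or the bot token. Pinning by digest makes the image content reviewable and keeps a re-pushed tag from changing what CI runs, e.g. `image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy@sha256:<digest-placeholder>` and `image: plugins/downstream@sha256:<digest-placeholder>`. A one-line comment above each `from_secret` saying what the secret grants access to would also help the next reviewer judge the blast radius.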


@ -1,4 +1,7 @@
TYPE=traefik TYPE=traefik
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
ENABLE_BACKUPS=true
DOMAIN=traefik.example.com DOMAIN=traefik.example.com
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
@ -7,20 +10,160 @@ LETS_ENCRYPT_EMAIL=certs@example.com
# DASHBOARD_ENABLED=true # DASHBOARD_ENABLED=true
# WARN, INFO etc. # WARN, INFO etc.
LOG_LEVEL=WARN LOG_LEVEL=WARN
LOG_MAX_AGE=1
# This is here so later lines can extend it; you likely don't wanna edit
COMPOSE_FILE="compose.yml"
#####################################################################
# General settings #
#####################################################################
## Host-mode networking
#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
## "Headless mode" (no domain configured)
#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
#####################################################################
# Automatic DNS set-up for Letsencrypt #
#####################################################################
## Enable dns challenge (for wildcard domains)
## https://doc.traefik.io/traefik/https/acme/#dnschallenge
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
## OVH, https://ovh.com
#COMPOSE_FILE="$COMPOSE_FILE:compose.ovh.yml"
#OVH_ENABLED=1
#OVH_APPLICATION_KEY=
#OVH_ENDPOINT=
#SECRET_OVH_APP_SECRET_VERSION=v1
#SECRET_OVH_CONSUMER_KEY=v1
## Gandi, https://gandi.net
## note(3wc): only "V5" (new) API is supported, so far
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
#GANDI_API_KEY_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
## Gandi, https://gandi.net
## note: uses GandiV5 Personal Access Token
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
## DigitalOcean, https://digitalocean.com
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
#DIGITALOCEAN_ENABLED=1
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
## Azure, https://azure.com
## To insert your Azure client secret:
## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
#AZURE_ENABLED=1
#AZURE_TENANT_ID=
#AZURE_CLIENT_ID=
#AZURE_SUBSCRIPTION_ID=
#AZURE_RESOURCE_GROUP=
#SECRET_AZURE_SECRET_VERSION=v1
#####################################################################
# Manual wildcard certificate insertion #
#####################################################################
# Set wildcards = 1, and uncomment compose_file to enable.
# Create your certs elsewhere and add them like:
# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
#WILDCARDS_ENABLED=1
#SECRET_WILDCARD_CERT_VERSION=v1
#SECRET_WILDCARD_KEY_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
#####################################################################
# Authentication #
#####################################################################
## Enable Keycloak ## Enable Keycloak
#COMPOSE_FILE="compose.yml:compose.keycloak.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#KEYCLOAK_MIDDLEWARE_ENABLED=1 #KEYCLOAK_MIDDLEWARE_ENABLED=1
#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
## BASIC_AUTH
## Use httpasswd to generate the secret
#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
#BASIC_AUTH=1
#SECRET_USERSFILE_VERSION=v1
#####################################################################
# Prometheus metrics #
#####################################################################
## Enable prometheus metrics collection
## used used by the coop-cloud monitoring stack
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
#METRICS_ENABLED=1
#####################################################################
# File provider directory configuration #
# (Route bare metal and non-docker services on the machine!) #
#####################################################################
#FILE_PROVIDER_DIRECTORY_ENABLED=1
#####################################################################
# Additional services #
#####################################################################
## SMTP port 587 ## SMTP port 587
#COMPOSE_FILE="compose.yml:compose.smtp.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#SMTP_ENABLED=1 #SMTP_ENABLED=1
## Compy
#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
#COMPY_ENABLED=1
## Gitea SSH ## Gitea SSH
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
# GITEA_SSH_ENABLED=1 # GITEA_SSH_ENABLED=1
## Foodsoft SMTP ## Foodsoft SMTP
# COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
# FOODSOFT_SMTP_ENABLED=1 # FOODSOFT_SMTP_ENABLED=1
## Host-mode networking ## Peertube RTMP
#COMPOSE_FILE="compose.yml:compose.host.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.peertube.yml"
#PEERTUBE_RTMP_ENABLED=1
## Secure Scuttlebutt MUXRPC
#COMPOSE_FILE="$COMPOSE_FILE:compose.ssb.yml"
#SSB_MUXRPC_ENABLED=1
## MSSQL
#COMPOSE_FILE="$COMPOSE_FILE:compose.mssql.yml"
#MSSQL_ENABLED=1
## Mumble
#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
#MUMBLE_ENABLED=1
## Matrix
#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
#MATRIX_FEDERATION_ENABLED=1
## "Web alt", an alternative web port
# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
#WEB_ALT_ENABLED=1
## Matrix
#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
#IRC_ENABLED=1
## Garage
#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
#GARAGE_RPC_ENABLED=1


@ -7,11 +7,11 @@
<!-- metadata --> <!-- metadata -->
* **Category**: Utilities * **Category**: Utilities
* **Status**: ? * **Status**: ?
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream * **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
* **Healthcheck**: Yes * **Healthcheck**: Yes
* **Backups**: No * **Backups**: No
* **Email**: N/A * **Email**: N/A
* **Tests**: ❷💛 * **Tests**: 2
* **SSO**: ? (Keycloak) * **SSO**: ? (Keycloak)
<!-- endmetadata --> <!-- endmetadata -->
@ -19,8 +19,31 @@
1. Set up Docker Swarm and [`abra`] 1. Set up Docker Swarm and [`abra`]
2. `abra app new traefik` 2. `abra app new traefik`
3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to 3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
your Docker swarm box your Docker swarm box
4. `abra app YOURAPPDOMAIN deploy` 4. `abra app deploy YOURAPPDOMAIN`
## Configuring wildcard SSL using DNS
Automatic certificate generation will Just Work™ for most recipes which use a fixed
number of subdomains. For some recipes which need to work across arbitrary
subdomains, like
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
need to give Traefik access to your DNS provider so that it can carry out
Letsencrypt DNS challenges.
1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
2. Run `abra app config YOURAPPDOMAIN`
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
`SECRET_GANDIV5_API_KEY_VERSION`
4. Generate an API key for your provider
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
`gandiv5_api_key` and `SECRETVALUE` is the API key.
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
Access Token, in which case use compose.gandi-personal-access-token.yml.
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra


@ -1,2 +1,3 @@
export TRAEFIK_YML_VERSION=v5 export TRAEFIK_YML_VERSION=v24
export FILE_PROVIDER_YML_VERSION=v1 export FILE_PROVIDER_YML_VERSION=v10
export ENTRYPOINT_VERSION=v4

4
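--- a/alaconnect.yml
+++ b/alaconnect.yml
@@ -0,0 +1,4 @@
+matrix-synapse:
+uncomment:
+- compose.matrix.yml
+- MATRIX_FEDERATION_ENABLED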

17
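--- a/compose.azure.yml
+++ b/compose.azure.yml
@@ -0,0 +1,17 @@
+version: "3.8"
+services:
+app:
+environment:
+- AZURE_TENANT_ID
+- AZURE_CLIENT_ID
+- AZURE_SUBSCRIPTION_ID
+- AZURE_RESOURCE_GROUP
+- AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
+secrets:
+- azure_secret
+secrets:
+azure_secret:
+name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
+external: true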
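Review bot: `AZURE_ENABLED` is missing from the `environment` list, so the `{{ if eq (env "AZURE_ENABLED") "1" }}` guard in `entrypoint.sh.tmpl` has nothing to match unless the variable reaches the service some other way; the base `compose.yml` environment shown on this page does not pass it either. The list also omits `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` and `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER`, which the Gandi and DigitalOcean files pass and which `traefik.yml.tmpl` needs in order to render the `dnsChallenge` block. I would add `- AZURE_ENABLED`, `- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` and `- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER`. The same gap appears for `DIGITALOCEAN_ENABLED` in `compose.digitalocean.yml`, `WILDCARDS_ENABLED` in `compose.wildcard.yml`, and the two DNS-challenge variables in `compose.ovh.yml`.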

12
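--- a/compose.basicauth.yml
+++ b/compose.basicauth.yml
@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+app:
+environment:
+- BASIC_AUTH
+secrets:
+- usersfile
+secrets:
+usersfile:
+name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
+external: true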

7
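--- a/compose.compy.yml
+++ b/compose.compy.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- COMPY_ENABLED
+ports:
+- "9999:9999"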

15
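--- a/compose.digitalocean.yml
+++ b/compose.digitalocean.yml
@@ -0,0 +1,15 @@
+version: "3.8"
+services:
+app:
+environment:
+- DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
+- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+secrets:
+- digitalocean_auth_token
+secrets:
+digitalocean_auth_token:
+name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
+external: true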

7
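--- a/compose.foodsoft.yml
+++ b/compose.foodsoft.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- FOODSOFT_SMTP_ENABLED
+ports:
+- "2525:2525"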

15
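--- a/compose.gandi-api-key.yml
+++ b/compose.gandi-api-key.yml
@@ -0,0 +1,15 @@
+version: "3.8"
+services:
+app:
+environment:
+- GANDIV5_API_KEY_FILE=/run/secrets/gandiv5_api_key
+- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+secrets:
+- gandiv5_api_key
+secrets:
+gandiv5_api_key:
+name: ${STACK_NAME}_gandiv5_api_key_${SECRET_GANDIV5_API_KEY_VERSION}
+external: true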


@ -0,0 +1,15 @@
version: "3.8"
services:
app:
environment:
- GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
secrets:
- gandiv5_pat
secrets:
gandiv5_pat:
name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
external: true

7
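--- a/compose.garage.yml
+++ b/compose.garage.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- GARAGE_RPC_ENABLED
+ports:
+- "3901:3901"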

7
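--- a/compose.gitea.yml
+++ b/compose.gitea.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- GITEA_SSH_ENABLED
+ports:
+- "2222:2222"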

14
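--- a/compose.headless.yml
+++ b/compose.headless.yml
@@ -0,0 +1,14 @@
+---
+version: "3.8"
+services:
+app:
+deploy:
+update_config:
+failure_action: rollback
+order: start-first
+labels:
+- "traefik.enable=true"
+- "traefik.http.services.traefik.loadbalancer.server.port=web"
+- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+- "traefik.http.routers.${STACK_NAME}.service=api@internal"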


@ -13,6 +13,3 @@ services:
- target: 443 - target: 443
published: 443 published: 443
mode: host mode: host
- target: 2222
published: 2222
mode: host

7
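--- a/compose.irc.yml
+++ b/compose.irc.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- IRC_ENABLED
+ports:
+- "6697:6697"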


@ -5,6 +5,9 @@ services:
app: app:
deploy: deploy:
labels: labels:
- "traefik.http.routers.traefik.middlewares=keycloak@file" - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
environment: environment:
- KEYCLOAK_MIDDLEWARE_ENABLED - KEYCLOAK_MIDDLEWARE_ENABLED
- KEYCLOAK_TFA_SERVICE
- KEYCLOAK_MIDDLEWARE_2_ENABLED
- KEYCLOAK_TFA_SERVICE_2
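Review bot: The `middlewares` label here uses the same key as the label in the base `compose.yml`, which sets `security@file`, so once this override is merged the router presumably ends up with `keycloak@file` alone and loses the security-headers middleware. Listing both keeps the headers on the authenticated dashboard: `- "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file,security@file"`. The hunk starts inside the `services` mapping, so the top of the file is not visible here.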

7
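--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- MATRIX_FEDERATION_ENABLED
+ports:
+- "8448:8448"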
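Review bot: The port published here, 8448, does not match the `matrix-federation` entrypoint in `traefik.yml.tmpl` as rendered on this page, which listens on `:9001`. With `MATRIX_FEDERATION_ENABLED=1` the swarm would publish 8448 with no entrypoint bound to it, while 9001, the port `compose.minio.yml` publishes for `MINIO_CONSOLE_ENABLED`, is opened under the Matrix flag. If 8448 is the intended federation port, the entrypoint should read `address: ":8448"`. No entrypoint guarded by `MINIO_CONSOLE_ENABLED` is visible in the template, so the MinIO console probably needs one of its own.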

9
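--- a/compose.metrics.yml
+++ b/compose.metrics.yml
@@ -0,0 +1,9 @@
+version: "3.8"
+services:
+app:
+environment:
+- METRICS_ENABLED
+ports:
+- target: 8082
+published: 8082
+mode: host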
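Review bot: Port 8082 is published in host mode, and the only access control on the `metrics` entrypoint is the `basicauth@file` middleware that `traefik.yml.tmpl` attaches to it; the file provider template defines that middleware only when `BASIC_AUTH=1`. The Prometheus section of `.env.sample` does not mention this dependency, so an operator can enable metrics with a middleware reference that does not resolve. I would document it next to `METRICS_ENABLED`, for example `## requires BASIC_AUTH=1 and compose.basicauth.yml (the metrics entrypoint uses basicauth@file)`, and confirm how Traefik v3 treats an entrypoint whose middleware is missing.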

9
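--- a/compose.minio.yml
+++ b/compose.minio.yml
@@ -0,0 +1,9 @@
+---
+version: "3.8"
+services:
+app:
+environment:
+- MINIO_CONSOLE_ENABLED
+ports:
+- "9001:9001"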

10
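--- a/compose.mssql.yml
+++ b/compose.mssql.yml
@@ -0,0 +1,10 @@
+version: "3.8"
+services:
+app:
+environment:
+- MSSQL_ENABLED
+ports:
+- target: 1433
+published: 1433
+protocol: tcp
+mode: host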

9
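--- a/compose.mumble.yml
+++ b/compose.mumble.yml
@@ -0,0 +1,9 @@
+version: "3.8"
+services:
+app:
+environment:
+- MUMBLE_ENABLED
+ports:
+- "64738:64738/udp"
+# note (3wc): see https://github.com/docker/compose/issues/7627
+- "64737-64739:64737-64739/tcp"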

21
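--- a/compose.ovh.yml
+++ b/compose.ovh.yml
@@ -0,0 +1,21 @@
+version: "3.8"
+services:
+app:
+environment:
+- OVH_APPLICATION_KEY
+- OVH_APPLICATION_SECRET_FILE=/run/secrets/ovh_app_secret
+- OVH_CONSUMER_KEY_FILE=/run/secrets/ovh_consumer_key
+- OVH_ENABLED
+- OVH_ENDPOINT
+secrets:
+- ovh_app_secret
+- ovh_consumer_key
+secrets:
+ovh_app_secret:
+name: ${STACK_NAME}_ovh_app_secret_${SECRET_OVH_APP_SECRET_VERSION}
+external: true
+ovh_consumer_key:
+name: ${STACK_NAME}_ovh_consumer_key_${SECRET_OVH_CONSUMER_KEY}
+external: true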
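Review bot: `SECRET_OVH_CONSUMER_KEY` in the `ovh_consumer_key` secret name breaks the `SECRET_<NAME>_VERSION` pattern that every other secret on this page follows, including `SECRET_OVH_APP_SECRET_VERSION` on the first secret of this file. `.env.sample` uses the same short name, so interpolation works, but any tooling that discovers secrets by the `_VERSION` suffix would presumably skip this one. Renaming it to `${SECRET_OVH_CONSUMER_KEY_VERSION}` here and in `.env.sample` would make it consistent; existing deployments would then need the new variable name in their env files.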

7
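--- a/compose.peertube.yml
+++ b/compose.peertube.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- PEERTUBE_RTMP_ENABLED
+ports:
+- "1935:1935"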


@ -3,5 +3,7 @@ version: "3.8"
services: services:
app: app:
environment:
- SMTP_ENABLED
ports: ports:
- "587:587" - "587:587"

7
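--- a/compose.ssb.yml
+++ b/compose.ssb.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- SSB_MUXRPC_ENABLED
+ports:
+- "8008:8008"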

7
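--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+app:
+environment:
+- WEB_ALT_ENABLED
+ports:
+- "8000:8000"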

16
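--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+services:
+app:
+secrets:
+- ssl_cert
+- ssl_key
+secrets:
+ssl_cert:
+name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+external: true
+ssl_key:
+name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+external: true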


@ -1,58 +1,113 @@
---
version: "3.8" version: "3.8"
services: services:
app: app:
image: "traefik:v2.4.8" image: "traefik:v3.4.5"
# Note(decentral1se): *please do not* add any additional ports here.
# Doing so could break new installs with port conflicts. Please use
# the usual `compose.$app.yml` approach for any additional ports
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
- "2222:2222"
- "2525:2525"
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "letsencrypt:/etc/letsencrypt" - "letsencrypt:/etc/letsencrypt"
- "file-providers:/etc/traefik/file-providers"
configs: configs:
- source: traefik_yml - source: traefik_yml
target: /etc/traefik/traefik.yml target: /etc/traefik/traefik.yml
- source: file_provider_yml - source: file_provider_yml
target: /etc/traefik/file-provider.yml target: /etc/traefik/file-provider.yml
- source: entrypoint
target: /custom-entrypoint.sh
mode: 0555
networks: networks:
- proxy - proxy
- internal
environment: environment:
- DASHBOARD_ENABLED - DASHBOARD_ENABLED
- FOODSOFT_SMTP_ENABLED
- GITEA_SSH_ENABLED
- LOG_LEVEL - LOG_LEVEL
- SMTP_ENABLED - ${LOG_MAX_AGE:-0}
healthcheck: healthcheck:
test: ["CMD", "traefik", "healthcheck"] test: ["CMD", "traefik", "healthcheck"]
interval: 30s interval: 30s
timeout: 10s timeout: 10s
retries: 10 retries: 10
start_period: 1m start_period: 1m
command: traefik
entrypoint: /custom-entrypoint.sh
deploy: deploy:
update_config: update_config:
failure_action: rollback failure_action: rollback
order: start-first order: start-first
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=web" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.traefik.tls.options=default@file" - "traefik.http.routers.${STACK_NAME}.service=api@internal"
- "traefik.http.routers.traefik.service=api@internal" - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
- "traefik.http.routers.traefik.middlewares=security@file" - "coop-cloud.${STACK_NAME}.version=3.6.1+v3.4.5"
- coop-cloud.${STACK_NAME}.app.version=v2.4.8-d7d63b0d - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
socket-proxy:
image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
deploy:
endpoint_mode: dnsrr
environment:
- ALLOW_START=0
- ALLOW_STOP=0
- ALLOW_RESTARTS=0
- AUTH=0
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Needs access
- DISABLE_IPV6=0
- DISTRIBUTION=0
- EVENTS=1 # Needs access
- EXEC=0
- IMAGES=0
- INFO=0
- NETWORKS=1 # Needs access
- NODES=0
- PING=0
- POST=0
- PLUGINS=0
- SECRETS=0
- SERVICES=1 # Needs access
- SESSION=0
- SWARM=1
- SYSTEM=0
- TASKS=1 # Needs access
- VERSION=1 # Needs access
- VOLUMES=0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- internal
networks: networks:
proxy: proxy:
external: true external: true
internal:
configs: configs:
traefik_yml: traefik_yml:
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION} name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
file: traefik.yml file: traefik.yml.tmpl
template_driver: golang template_driver: golang
file_provider_yml: file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION} name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml file: file-provider.yml.tmpl
template_driver: golang
entrypoint:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
volumes: volumes:
letsencrypt: letsencrypt:
file-providers:
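Review bot: The environment entry `- ${LOG_MAX_AGE:-0}` interpolates to a bare value (`0` by default) rather than a `NAME=value` pair, so the service gets no `LOG_MAX_AGE` variable and `maxAge: {{ env "LOG_MAX_AGE" }}` in `traefik.yml.tmpl` would render empty. It should read `- LOG_MAX_AGE=${LOG_MAX_AGE:-0}`. Separately, on the `socket-proxy` service the `:ro` flag on the `docker.sock` mount does not limit which API calls can be sent through the socket; the restriction comes from `POST=0` and the per-endpoint flags. A short comment above that `environment` list, such as `# API access is limited by the flags below, not by the :ro mount`, would make this clear to the next maintainer.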

18
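--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+{{ if eq (env "OVH_ENABLED") "1" }}
+export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
+export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
+{{ end }}
+{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ end }}
+{{ if eq (env "AZURE_ENABLED") "1" }}
+export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
+{{ end }}
+/entrypoint.sh "$@"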
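Review bot: `set -e` does not catch a failing `cat` in `export VAR=$(cat "$FILE")`, because the exit status of that line is the status of `export`; a missing or unreadable secret file leaves the credential empty and Traefik still starts. Splitting each assignment, e.g. `OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")` followed by `export OVH_CONSUMER_KEY`, makes the script stop when a secret is absent. The last line should also be `exec /entrypoint.sh "$@"` so that Traefik replaces the wrapper shell and receives stop signals directly.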


@ -4,15 +4,27 @@ http:
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }} {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
keycloak: keycloak:
forwardAuth: forwardAuth:
address: "http://traefik-forward-auth:4181" address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-Forwarded-User - X-Forwarded-User
{{ end }} {{ end }}
{{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
keycloak2:
forwardAuth:
address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
{{ end }}
{{ if eq (env "BASIC_AUTH") "1" }}
basicauth:
basicAuth:
usersFile: "/run/secrets/usersfile"
{{ end }}
security: security:
headers: headers:
frameDeny: true frameDeny: true
sslRedirect: true
browserXssFilter: true browserXssFilter: true
contentTypeNosniff: true contentTypeNosniff: true
stsIncludeSubdomains: true stsIncludeSubdomains: true
@ -32,3 +44,8 @@ tls:
- CurveP521 - CurveP521
- CurveP384 - CurveP384
sniStrict: true sniStrict: true
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
certificates:
- certFile: /run/secrets/ssl_cert
keyFile: /run/secrets/ssl_key
{{ end }}
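Review bot: The forward-auth address in the `keycloak` middleware is built from `KEYCLOAK_TFA_SERVICE` with no fallback, assuming the templated form is the new side of that line. A deployment that already sets `KEYCLOAK_MIDDLEWARE_ENABLED=1` but not the new variable would render `http://:4181`. A default keeps the previous behaviour: `address: "http://{{ or (env "KEYCLOAK_TFA_SERVICE") "traefik-forward-auth" }}:4181"`. The second hunk's `tls` mapping begins outside the hunk, so only its tail is visible here.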

1
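--- a/release/2.8.0+v2.11.10
+++ b/release/2.8.0+v2.11.10
@@ -0,0 +1 @@
+Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410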

1
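--- a/release/2.9.0+v2.11.14
+++ b/release/2.9.0+v2.11.14
@@ -0,0 +1 @@
+Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg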

1
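--- a/release/2.9.1+v2.11.14
+++ b/release/2.9.1+v2.11.14
@@ -0,0 +1 @@
+Reverts max log retention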

2
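--- a/release/3.0.0+v2.11.22
+++ b/release/3.0.0+v2.11.22
@@ -0,0 +1,2 @@
+socket-proxy: switch to endpoint-mode dnsrr instead of vip
+See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.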

1
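--- a/release/3.3.0+v2.11.26
+++ b/release/3.3.0+v2.11.26
@@ -0,0 +1 @@
+Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5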

1
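--- a/release/3.4.0+v3.4.4
+++ b/release/3.4.0+v3.4.4
@@ -0,0 +1 @@
+Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax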

1
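--- a/release/3.4.2+v3.4.5
+++ b/release/3.4.2+v3.4.5
@@ -0,0 +1 @@
+Bumps the TRAEFIK_YML_VERSION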

1
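--- a/release/3.5.0+v3.4.5
+++ b/release/3.5.0+v3.4.5
@@ -0,0 +1 @@
+Add support to azure DNS-01 acme challenge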

1
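--- a/release/3.6.0+v3.4.5
+++ b/release/3.6.0+v3.4.5
@@ -0,0 +1 @@
+Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.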


@ -1,6 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}


@ -1,56 +0,0 @@
---
log:
level: {{ env "LOG_LEVEL" }}
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: proxy
swarmMode: true
file:
filename: /etc/traefik/file-provider.yml
api:
dashboard: {{ env "DASHBOARD_ENABLED" }}
debug: false
entrypoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: web-secure
web-secure:
address: ":443"
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
gitea-ssh:
address: ":2222"
{{ end }}
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
foodsoft-smtp:
address: ":2525"
{{ end }}
{{ if eq (env "SMTP_ENABLED") "1" }}
smtp-submission:
address: ":587"
{{ end }}
ping:
entryPoint: web
certificatesResolvers:
staging:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/staging-acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
production:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/production-acme.json
httpChallenge:
entryPoint: web

132
traefik.yml.tmpl Normal file

@ -0,0 +1,132 @@
---
core:
defaultRuleSyntax: v2
log:
level: {{ env "LOG_LEVEL" }}
maxAge: {{ env "LOG_MAX_AGE" }}
providers:
swarm:
endpoint: "tcp://socket-proxy:2375"
exposedByDefault: false
network: proxy
{{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
file:
directory: /etc/traefik/file-providers
watch: true
{{ else }}
file:
filename: /etc/traefik/file-provider.yml
{{ end }}
api:
dashboard: {{ env "DASHBOARD_ENABLED" }}
debug: false
entrypoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: web-secure
web-secure:
address: ":443"
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
gitea-ssh:
address: ":2222"
{{ end }}
{{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
garage-rpc:
address: ":3901"
{{ end }}
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
foodsoft-smtp:
address: ":2525"
{{ end }}
{{ if eq (env "SMTP_ENABLED") "1" }}
smtp-submission:
address: ":587"
{{ end }}
{{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
peertube-rtmp:
address: ":1935"
{{ end }}
{{ if eq (env "WEB_ALT_ENABLED") "1" }}
web-alt:
address: ":8000"
{{ end }}
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
ssb-muxrpc:
address: ":8008"
{{ end }}
{{ if eq (env "MSSQL_ENABLED") "1" }}
mssql:
address: ":1433"
{{ end }}
{{ if eq (env "MUMBLE_ENABLED") "1" }}
mumble:
address: ":64738"
mumble-udp:
address: ":64738/udp"
{{ end }}
{{ if eq (env "COMPY_ENABLED") "1" }}
compy:
address: ":9999"
{{ end }}
{{ if eq (env "IRC_ENABLED") "1" }}
irc:
address: ":6697"
{{ end }}
{{ if eq (env "METRICS_ENABLED") "1" }}
metrics:
address: ":8082"
http:
middlewares:
- basicauth@file
{{ end }}
{{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
matrix-federation:
address: ":9001"
{{ end }}
ping:
entryPoint: web
{{ if eq (env "METRICS_ENABLED") "1" }}
metrics:
prometheus:
entryPoint: metrics
addRoutersLabels: true
addServicesLabels: true
{{ end }}
certificatesResolvers:
staging:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/staging-acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
dnsChallenge:
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
{{ end }}
production:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/production-acme.json
httpChallenge:
entryPoint: web
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
dnsChallenge:
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
resolvers:
- "1.1.1.1:53"
- "9.9.9.9:53"
{{ end }}