Zigzagill b2b311fef4
Fix Cloudflare DNS (#104)

Apologies for submitting changes and then immediately undoing some of them. I made a mistake previously by assuming that letsdebug.net tests were sufficient to confirm that this setup was working. But, it turns out that my site was still failing to get valid SSL certs. After digging into the Lego docs I realized I needed to be using different environment variables, which I added here. Once I deployed these changes to a fresh VPS on a different domain with a more straightforward configuration, I confirmed that HTTPS connections to the Traefik dashboard worked just fine.

Please let me know if there's anything else I can do to verify these fixes so I can be extra-super-sure that it's good to go. I'm still new to a lot of this and clearly have lots to learn.

As a treat, I also added `generate=false` flags to the DNS secrets for other providers, as discussed in my previous PR. Cheers!

* [x] I have deployed and tested my changes
Deployed on a fresh VPS, confirmed that HTTPS connections work after deploying these changes
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
No version update needed
* [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
This does remove the two environment variables that I introduced in my prior PR. Since those haven't been picked up in a release, I'm hoping this is an acceptable regression. Those two variables are both perfectly valid, they just require an account-wide API token which is unnecessarily risky in my opinion. But if we want to keep them in, I'm happy to put things back as they were :)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
Not necessary

Reviewed-on: #104
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Co-authored-by: Zigzagill <zigzagill@proton.me>
Co-committed-by: Zigzagill <zigzagill@proton.me>
2026-06-21 12:48:19 +00:00

Traefik

https://docs.traefik.io

Basic usage

  1. Set up Docker Swarm and abra
  2. abra app new traefik
  3. abra app config YOURAPPDOMAIN - be sure to change DOMAIN to something that resolves to your Docker swarm box
  4. abra app deploy YOURAPPDOMAIN

Configuring basic auth

  1. Create the usersfile locally: htpasswd -c usersfile <username>
  2. Uncomment the Basic Auth section in your .env file
  3. Insert the secret: abra app secret insert usersfile v1 -f usersfile
  4. Redeploy your app: abra app deploy -f <domain>
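
A pre-insert check for the usersfile from step 1, added here as an example and not part of the recipe: htpasswd writes apr1 (MD5) hashes unless it is given -B, so this reports the hash scheme of every entry and fails when any entry is not bcrypt. The function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the recipe): report the hash scheme of each entry
# in an htpasswd-style usersfile before it is inserted as a secret.

# classify_hash HASH -> prints bcrypt | apr1-md5 | sha1 | crypt-or-plaintext
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# audit_usersfile FILE -> prints "<user> <scheme>" per entry and returns 1
# if any entry is malformed or uses something other than bcrypt.
audit_usersfile() {
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        user=${line%%:*}
        hash=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$hash" ]; then
            echo "? malformed"    # never echo the raw line: it may hold a password
            weak=1
            continue
        fi
        scheme=$(classify_hash "$hash")
        echo "$user $scheme"
        [ "$scheme" = bcrypt ] || weak=1
    done < "$1"
    return "$weak"
}

# Constructed sample usersfile: the hash bodies are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$05$CONSTRUCTEDSAMPLEVALUECONSTRUCTEDSAMPLEVALUE000000000
bob:$apr1$CONSTRUC$CONSTRUCTEDSAMPLEVALUE
carol:{SHA}Q09OU1RSVUNURUQtU0FNUExF
EOF
audit_usersfile "$sample" ||
    echo "re-create non-bcrypt entries with: htpasswd -B usersfile <username>"
rm -f "$sample"
```

Run audit_usersfile against the real usersfile before step 3; a non-zero exit status means at least one entry should be regenerated.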

Configuring SSL using DNS

Automatic certificate generation will Just Work™ for most recipes which use a fixed number of subdomains. If your server can't be reached from the Internet, or if you're deploying a recipe that needs to work across arbitrary subdomains and therefore requires wildcard certificates (like federatedwiki and go-ssb-room), you can give Traefik access to your DNS provider so that it can carry out Let's Encrypt DNS challenges.

  1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers can be easily added, see the lego docs).
  2. Run abra app config YOURAPPDOMAIN
  3. Uncomment e.g. ENABLE_GANDI and the related SECRET_.._VERSION line, e.g. SECRET_GANDIV5_API_KEY_VERSION
  4. Set LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER to your provider, e.g. gandi
  5. Generate an API key for your provider, probably using their web interface.
  6. Run abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE, where SECRETNAME is the secret name from the compose file for your provider (e.g. gandiv5_api_key from compose.gandi-api-key.yml) and SECRETVALUE is the API key.
    • For Gandi, you can use either the deprecated API Key or a GandiV5 Personal Access Token, in which case use compose.gandi-personal-access-token.yml.
    • See comments for each provider in your env file for specific instructions
  7. Redeploy Traefik, using e.g. abra app deploy YOURAPPDOMAIN -f

Blocking scrapers with Anubis

Uncomment the lines in the Anubis section of the configuration. Set a domain name for the cookies and a domain that will serve the Anubis redirection service. Optionally, for added security, set a list of the domain names of the apps that are going to be protected.

After deploying these changes, go to each recipe that supports Anubis and follow the process there. Enabling Anubis here is not enough to protect your apps.

Enabling onion service

Uncomment the line in the config setting ONION_ENABLED=1. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the onion recipe.

Description
Edge router that makes publishing your services a fun and easy experience
https://github.com/traefik/traefik Readme GPL-3.0 1.3 MiB