# Traefik

[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)

> https://docs.traefik.io

<!-- metadata -->
* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
* **Status**: `stable`
* **Category**: Utilities
* **Features**: ?
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
* **Healthcheck**: Yes
* **Backups**: No
* **Email**: N/A
* **Tests**: 2
* **SSO**: ? (Keycloak)
<!-- endmetadata -->

## Basic usage

1. Set up Docker Swarm and [`abra`]
2. `abra app new traefik`
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
   your Docker swarm box
4. `abra app deploy YOURAPPDOMAIN`

## Configuring basic auth

1. Create the usersfile locally: `htpasswd -c usersfile <username>`
2. Uncomment the Basic Auth section in your .env file
3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
4. Redploy your app: `abra app deploy -f <domain>`

## Configuring SSL using DNS

Automatic certificate generation will Just Work™ for most recipes which use a
fixed number of subdomains. If your server can't be reached from the Internet,
or if you're deploying a recipe that needs to work across arbitrary
subdomains, like
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
the use of wildcard certificates,) you can give Traefik access to your DNS provider
so that it can carry out Letsencrypt DNS challenges.

1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
   can be easily added, see
   [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
2. Run `abra app config YOURAPPDOMAIN`
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
   `SECRET_GANDIV5_API_KEY_VERSION`
4. Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
4. Generate an API key for your provider, probably using their web interface.
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
   `gandiv5_api_key` and `SECRETVALUE` is the API key.
   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
     Access Token, in which case use compose.gandi-personal-access-token.yml.
   - See comments for each provider in your env file for specific instructions
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`

## Blocking scrapers with [Anubis](https://anubis.techaro.lol/)

Uncomment the lines on the Anubis section of the configuration.  Set
a domain name for the cookies and a domain that will serve Anubis
redirection service.  Optionally and for [added
security](https://anubis.techaro.lol/docs/admin/configuration/redirect-domains),
set a list of the domain names for the apps that are going to be
protected.

After deploying these changes, go to each recipe that supports Anubis
and follow the process there.  **Enabling Anubis here is not enough for
protection your apps.**

## Enabling onion service

Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).

[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra