Remove abbreviation 'pat' for consistency.

chore: publish 2.8.0+v2.11.10 release
Revert to 2.7.0+v2.11.8
2024-10-03 12:30:23 -04:00 · 2024-09-23 16:03:26 +02:00 · 2024-09-03 13:09:37 +02:00 · 2024-08-26 18:20:13 +01:00 · 2024-08-26 18:19:51 +01:00 · 2024-08-26 18:19:14 +01:00
15 changed files with 161 additions and 20 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -16,8 +16,8 @@ steps:
      STACK_NAME: traefik
      LETS_ENCRYPT_ENV: production
      LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
+      TRAEFIK_YML_VERSION: v5
-      FILE_PROVIDER_YML_VERSION: v3
+      FILE_PROVIDER_YML_VERSION: v4
      ENTRYPOINT_VERSION: v1
 trigger:
  branch:
--- a/.env.sample
+++ b/.env.sample
@ -42,12 +42,36 @@ COMPOSE_FILE="compose.yml"
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
-#GANDI_ENABLED=1
+#GANDI_API_KEY_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
 #SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
 #SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
 #####################################################################
-# Keycloak log-in                                                   #
+# Manual wildcard certificate insertion                             #
 #####################################################################
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
 # abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
 # abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 #####################################################################
 # Authentication                                                    #
 #####################################################################
 ## Enable Keycloak
@ -57,6 +81,12 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 ## BASIC_AUTH
 ## Use httpasswd to generate the secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
 #BASIC_AUTH=1
 #SECRET_USERSFILE_VERSION=v1
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
@ -112,8 +142,7 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
-## BASIC_AUTH
+## "Web alt", an alternative web port
-## Use httpasswd to generate the secret
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
-#BASIC_AUTH=1
+#WEB_ALT_ENABLED=1
 #SECRET_USERSFILE_VERSION=v1
--- a/README.md
+++ b/README.md
@ -40,8 +40,10 @@ Letsencrypt DNS challenges.
   `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
   `gandiv5_api_key` and `SECRETVALUE` is the API key.
   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v17
+export TRAEFIK_YML_VERSION=v21
-export FILE_PROVIDER_YML_VERSION=v8
+export FILE_PROVIDER_YML_VERSION=v10
-export ENTRYPOINT_VERSION=v2
+export ENTRYPOINT_VERSION=v3
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -0,0 +1,4 @@
 matrix-synapse:
    uncomment:
        - compose.matrix.yml
        - MATRIX_FEDERATION_ENABLED
--- a/compose.digitalocean.yml
+++ b/compose.digitalocean.yml
@ -0,0 +1,15 @@
 version: "3.8"
 services:
  app:
    environment:
      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - digitalocean_auth_token
 secrets:
  digitalocean_auth_token:
    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
    external: true
--- a/compose.gandi-api-key.yml
+++ b/compose.gandi-api-key.yml
--- a/compose.gandi-personal-access-token.yml
+++ b/compose.gandi-personal-access-token.yml
@ -0,0 +1,15 @@
 version: "3.8"
 services:
  app:
    environment:
      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_personal_access_token
      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
    secrets:
      - gandiv5_personal_access_token
 secrets:
  gandiv5_personal_access_token:
    name: ${STACK_NAME}_gandiv5_personal_access_token_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
    external: true
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@ -0,0 +1,7 @@
 version: "3.8"
 services:
  app:
    environment:
      - WEB_ALT_ENABLED
    ports:
      - "8000:8000"
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - ssl_cert
      - ssl_key
 secrets:
  ssl_cert:
    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
    external: true
  ssl_key:
    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "traefik:v2.10.3"
+    image: "traefik:v2.11.10"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
@ -11,7 +11,6 @@ services:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
    configs:
@ -24,6 +23,7 @@ services:
        mode: 0555
    networks:
      - proxy
      - internal
    environment:
      - DASHBOARD_ENABLED
      - LOG_LEVEL
@ -47,12 +47,48 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.4.1+v2.10.3"
+        - "coop-cloud.${STACK_NAME}.version=2.8.0+v2.11.10"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls26
    environment:
      - ALLOW_START=0
      - ALLOW_STOP=0
      - ALLOW_RESTARTS=0
      - AUTH=0
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Needs access
      - DISABLE_IPV6=0
      - DISTRIBUTION=0
      - EVENTS=1 # Needs access
      - EXEC=0
      - IMAGES=0
      - INFO=0
      - NETWORKS=1 # Needs access
      - NODES=0
      - PING=0
      - POST=0
      - PLUGINS=0
      - SECRETS=0
      - SERVICES=1 # Needs access
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Needs access
      - VERSION=1 # Needs access
      - VOLUMES=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal
 networks:
  proxy:
    external: true
  internal:
 configs:
  traefik_yml:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -7,8 +7,16 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
-{{ if eq (env "GANDI_ENABLED") "1" }}
+{{ if eq (env "GANDI_API_KEY_ENABLED") "1" }}
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 {{ if eq (env "GANDI_PERSONAL_ACCESS_TOKEN_ENABLED") "1" }}
 export GANDIV5_PERSONAL_ACCESS_TOKEN=$(cat "$GANDIV5_PERSONAL_ACCESS_TOKEN_FILE")
 {{ end }}
 {{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
 export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
 {{ end }}
 /entrypoint.sh "$@"
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -25,7 +25,6 @@ http:
    security:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -45,3 +44,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
  certificates:
    - certFile: /run/secrets/ssl_cert
      keyFile: /run/secrets/ssl_key
  {{ end }}
--- a/release/2.8.0+v2.11.10
+++ b/release/2.8.0+v2.11.10
@ -0,0 +1 @@
 Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -4,7 +4,7 @@ log:
 providers:
  docker:
-    endpoint: "unix:///var/run/docker.sock"
+    endpoint: "tcp://socket-proxy:2375"
    exposedByDefault: false
    network: proxy
    swarmMode: true
@ -46,6 +46,10 @@ entrypoints:
  peertube-rtmp:
    address: ":1935"
  {{ end }}
  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
  web-alt:
    address: ":8000"
  {{ end }}
  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
  ssb-muxrpc:
    address: ":8008"
Author	SHA1	Message	Date
Gabriel Schubiner	51099c5ca0	Remove abbreviation 'pat' for consistency.	2024-10-03 12:30:23 -04:00
Moritz	8cce1b7ff7	chore: publish 2.8.0+v2.11.10 release	2024-09-23 16:03:26 +02:00
iexos	b9cbc9ba92	Revert to 2.7.0+v2.11.8	2024-09-03 13:09:37 +02:00
Javielico	d5f36255fe	chore: publish 4.1.2+v3.1.2 release	2024-08-26 18:20:13 +01:00
Javielico	b836d441f5	chore: publish 4.1.1+v3.1.1 release	2024-08-26 18:19:51 +01:00
Javielico	8de23fd652	chore: publish 4.1.0+v3.1.0 release	2024-08-26 18:19:14 +01:00
Javielico	6133be7830	chore: publish 4.0.4+v3.0.4 release	2024-08-26 18:17:28 +01:00
Javielico	5803d05532	chore: publish 4.0.3+v3.0.3 release	2024-08-26 18:16:57 +01:00
Javielico	0ace5037db	chore: publish 4.0.2+v3.0.2 release	2024-08-26 18:16:26 +01:00
Javielico	9e2d000d12	chore: publish 4.0.1+v3.0.1 release	2024-08-26 18:15:51 +01:00
Javielico	d4f1c6b45c	chore: publish 4.0.0+v3.0.0 release	2024-08-26 18:14:56 +01:00
Moritz	ca989e903c	chore: publish 2.7.0+v2.11.8 release	2024-08-07 16:08:18 +02:00
p4u1	50cdb20a39	docker soket via socket proxy (#48 ) Mounting the the docker socket directly is not recommended, because it is a security issue. Instead access it via a tcp socket proxy. See https://doc.traefik.io/traefik/providers/docker/#docker-api-access Reviewed-on: coop-cloud/traefik#48 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Co-authored-by: p4u1 <p4u1_f4u1@riseup.net> Co-committed-by: p4u1 <p4u1_f4u1@riseup.net>	2024-07-06 18:28:26 +00:00
Moritz	60b79b447a	add alakazam matrix federation integration	2024-06-04 15:22:25 +02:00
3wordchant	f1b52916df	Merge pull request 'fix: the command is "secret"' (#47 ) from fauno/traefik:master into master Reviewed-on: coop-cloud/traefik#47	2024-06-01 20:07:19 +00:00
f	35d435b4f6	fix: the command is "secret"	2024-06-01 13:54:50 -03:00
Javielico	b7ea50d6aa	chore: publish 2.6.3+v2.11.2 release	2024-04-14 21:38:48 +01:00
Javielico	af33ec8510	chore: publish 2.6.2+v2.11.1 release	2024-04-14 21:36:25 +01:00
3wordchant	685d32baf1	Merge pull request 'Add preliminary DigitalOcean DNS support' (#36 ) from digitalocean-dns into master Reviewed-on: coop-cloud/traefik#36	2024-04-06 18:00:38 +00:00
3wc	e76d61be00	Add preliminary DigitalOcean DNS support	2024-04-06 15:00:06 -03:00
3wc	daec338066	Another Drone fix?	2024-04-06 14:53:41 -03:00
3wc	e92e76ac88	Fix Drone CI	2024-04-06 14:52:55 -03:00
3wc	70d10587bc	chore: publish 2.6.1+v2.11.0 release	2024-04-06 14:36:21 -03:00
3wc	bdf84fcefd	Reinstate missing HTTP->HTTPS redirect	2024-04-06 14:35:53 -03:00
3wc	2db2f71a80	chore: publish 2.6.0+v2.11.0 release	2024-04-01 22:56:20 -03:00
3wc	c558e1dbdb	Ditch DISABLE_HTTPS_REDIRECT	2024-04-01 22:53:56 -03:00
3wc	edc29f9594	Add "web-alt" entrypoint (mostly for Icecast)	2024-04-01 19:49:23 -03:00
3wc	f7f77dc942	Add support for unencrypted HTTP apps (please don't use this 😢)	2024-03-30 17:59:48 -03:00
p4u1	ecc12b2b68	chore: publish 2.5.0+v2.11.0 release	2024-02-16 16:41:57 +01:00
decentral1se	a0e70f33be	Merge pull request 'Add support for externally-sourced wildcard certificates' (#45 ) from wolcen/traefik:master into master Reviewed-on: coop-cloud/traefik#45 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2024-01-12 20:48:03 +00:00
Chris (wolcen) Thompson	e3c1df83fa	chore(security): update traefik to 2.10.7 Addresses two CVE fixes from 2.10.6	2024-01-11 21:47:59 -05:00
Chris (wolcen) Thompson	998190f684	feat: add distinct version for wildcard key secret	2024-01-11 21:47:50 -05:00
Chris (wolcen) Thompson	cd92c909ba	docs: correct secret insertion examples	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	64351c27d1	fix: deprecation warning - handled by redirect under web already	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	f4b05fd87f	Bump file revisions for wildcard support	2024-01-11 21:45:32 -05:00
Chris (wolcen) Thompson	3c5333ba71	feat: add support for wildcard certs via secrets	2024-01-11 21:45:05 -05:00
3wc	5f2fd0bf37	chore: publish 2.4.3+v2.10.5 release	2023-10-16 13:16:09 +01:00
3wc	ac3a47fe8c	chore: publish 2.4.2+v2.10.4 release	2023-07-25 17:19:22 +01:00
		`@ -0,0 +1 @@`
							`Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410`