Remove abbreviation 'pat' for consistency.

Mounting the the docker socket directly is not recommended, because it is a security issue. Instead access it via a tcp socket proxy.

See https://doc.traefik.io/traefik/providers/docker/#docker-api-access

Reviewed-on: coop-cloud/traefik#48
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Co-authored-by: p4u1 <p4u1_f4u1@riseup.net>
Co-committed-by: p4u1 <p4u1_f4u1@riseup.net>

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: traefik
+      networks:
+       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -14,19 +16,25 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v3
+      TRAEFIK_YML_VERSION: v5
+      FILE_PROVIDER_YML_VERSION: v4
       ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - master
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe traefik release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,4 +1,6 @@
 TYPE=traefik
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -40,12 +42,36 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#GANDI_API_KEY_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Gandi, https://gandi.net
+## note: uses GandiV5 Personal Access Token
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
+#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+
+## DigitalOcean, https://digitalocean.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
+#DIGITALOCEAN_ENABLED=1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+
 #####################################################################
-# Keycloak log-in                                                   #
+# Manual wildcard certificate insertion                             #
+#####################################################################
+
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
+#####################################################################
+# Authentication                                                    #
 #####################################################################
 
 ## Enable Keycloak
@@ -55,14 +81,27 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1
+
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
 
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
 
+#####################################################################
+# File provider directory configuration                             #
+# (Route bare metal and non-docker services on the machine!)        #
+#####################################################################
+#FILE_PROVIDER_DIRECTORY_ENABLED=1
+
 #####################################################################
 # Additional services                                               #
 #####################################################################
@@ -102,3 +141,8 @@ COMPOSE_FILE="compose.yml"
 ## Matrix
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
+
+## "Web alt", an alternative web port
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
+#WEB_ALT_ENABLED=1

README.md

@@ -19,8 +19,31 @@
 
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
 4. `abra app deploy YOURAPPDOMAIN`
 
+## Configuring wildcard SSL using DNS
+
+Automatic certificate generation will Just Work™ for most recipes  which use a fixed
+number of subdomains. For some recipes which need to work across arbitrary
+subdomains, like
+[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
+need to give Traefik access to your DNS provider so that it can carry out
+Letsencrypt DNS challenges.
+
+1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
+   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
+2. Run `abra app config YOURAPPDOMAIN`
+3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
+   `SECRET_GANDIV5_API_KEY_VERSION`
+4. Generate an API key for your provider
+5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
+   `gandiv5_api_key` and `SECRETVALUE` is the API key.
+   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
+     Access Token, in which case use compose.gandi-personal-access-token.yml.
+6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
+
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v15
-export FILE_PROVIDER_YML_VERSION=v6
-export ENTRYPOINT_VERSION=v2
+export TRAEFIK_YML_VERSION=v21
+export FILE_PROVIDER_YML_VERSION=v10
+export ENTRYPOINT_VERSION=v3

alaconnect.yml

@@ -0,0 +1,4 @@
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_FEDERATION_ENABLED

compose.basicauth.yml

@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - BASIC_AUTH
+    secrets:
+      - usersfile
+
+secrets:
+  usersfile:
+    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
+    external: true

compose.digitalocean.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - digitalocean_auth_token
+
+secrets:
+  digitalocean_auth_token:
+    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
+    external: true

compose.gandi-personal-access-token.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_personal_access_token
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - gandiv5_personal_access_token
+
+secrets:
+  gandiv5_personal_access_token:
+    name: ${STACK_NAME}_gandiv5_personal_access_token_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
+    external: true

compose.metrics.yml

@@ -0,0 +1,9 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - METRICS_ENABLED
+    ports:
+      - target: 8082
+        published: 8082
+        mode: host

compose.web-alt.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - WEB_ALT_ENABLED
+    ports:
+      - "8000:8000"

compose.wildcard.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.9.6"
+    image: "traefik:v2.11.10"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,8 +11,8 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
+      - "file-providers:/etc/traefik/file-providers"
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
@@ -23,6 +23,7 @@ services:
         mode: 0555
     networks:
       - proxy
+      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
@@ -44,14 +45,50 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.tls.options=default@file"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.0.3+v2.9.6"
+        - "coop-cloud.${STACK_NAME}.version=2.8.0+v2.11.10"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls26
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Needs access
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1 # Needs access
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=1 # Needs access
+      - NODES=0
+      - PING=0
+      - POST=0
+      - PLUGINS=0
+      - SECRETS=0
+      - SERVICES=1 # Needs access
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Needs access
+      - VERSION=1 # Needs access
+      - VOLUMES=0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - internal
 
 networks:
   proxy:
     external: true
+  internal:
 
 configs:
   traefik_yml:
@@ -69,3 +106,4 @@ configs:
 
 volumes:
   letsencrypt:
+  file-providers:

entrypoint.sh.tmpl

@@ -7,8 +7,16 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "GANDI_ENABLED") "1" }}
+{{ if eq (env "GANDI_API_KEY_ENABLED") "1" }}
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
+{{ if eq (env "GANDI_PERSONAL_ACCESS_TOKEN_ENABLED") "1" }}
+export GANDIV5_PERSONAL_ACCESS_TOKEN=$(cat "$GANDIV5_PERSONAL_ACCESS_TOKEN_FILE")
+{{ end }}
+
+{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -17,10 +17,14 @@ http:
         authResponseHeaders:
           - X-Forwarded-User
     {{ end }}
+    {{ if eq (env "BASIC_AUTH") "1" }}
+    basicauth:
+      basicAuth:
+        usersFile: "/run/secrets/usersfile"
+    {{ end }}
     security:
       headers:
         frameDeny: true
-        sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
         stsIncludeSubdomains: true
@@ -40,3 +44,8 @@ tls:
         - CurveP521
         - CurveP384
       sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}

release/2.8.0+v2.11.10

@@ -0,0 +1 @@
+Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

traefik.yml.tmpl

@@ -4,12 +4,18 @@ log:
 
 providers:
   docker:
-    endpoint: "unix:///var/run/docker.sock"
+    endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
     swarmMode: true
+  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+  file:
+    directory: /etc/traefik/file-providers
+    watch: true
+  {{ else }}
   file:
     filename: /etc/traefik/file-provider.yml
+  {{ end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -40,6 +46,10 @@ entrypoints:
   peertube-rtmp:
     address: ":1935"
   {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  web-alt:
+    address: ":8000"
+  {{ end }}
   {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
@@ -61,6 +71,9 @@ entrypoints:
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
+    http:
+      middlewares:
+        - basicauth@file
   {{ end }}
   {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
@@ -74,6 +87,8 @@ ping:
 metrics:
   prometheus:
     entryPoint: metrics
+    addRoutersLabels: true
+    addServicesLabels: true
 {{ end }}
 
 certificatesResolvers: