feat: anubis log levels (#110)

<!--
Thank you for doing recipe maintenance work!
Please mark all checklist items which are relevant for your changes.
Please remove the checklist items which are not relevant for your changes.
Feel free to remove this comment.
-->

* [x] I have deployed and tested my changes
* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
* [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

Reviewed-on: coop-cloud/traefik#110
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Co-authored-by: f <f@sutty.nl>
Co-committed-by: f <f@sutty.nl>

.env.sample

@@ -86,6 +86,15 @@ COMPOSE_FILE="compose.yml"
 #SECRET_PORKBUN_API_KEY_VERSION=v1
 #SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
 
+## Cloudflare, htps://cloudflare.com
+## To insert your secrets:
+## abra app secret insert {myapp.example.coop} cf_email v1 "<CLOUDFLARE_EMAIL>"
+## abra app secret insert {myapp.example.coop} cf_api_key v1 "<CLOUDFLARE_API_KEY>"
+## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
@@ -122,8 +131,10 @@ COMPOSE_FILE="compose.yml"
 
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+## BASIC_AUTH should also be enabled
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
+#METRICS_FQDN=metrics.traefik.example.com
 
 #####################################################################
 # File provider directory configuration                             #
@@ -201,6 +212,7 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
+#ANUBIS_SLOG_LEVEL=INFO
 
 ## Enable onion service support
 #ONION_ENABLED=1

MAINTENANCE.md

@@ -7,10 +7,9 @@ certain quality and consistency, that others can rely on.
 
 A recipe maintainer has the following responsibilities:
 
-- Respond to pull requests / issues within a week
-- Make image security updates within a day
-- Make image patch / minor updates within a week
-- Make image major updates within a month
+- Respond to pull requests / issues within two weeks
+- Make image security updates within a week
+- Make image major updates every three months
 
 In order to fullfill these responsibilities a recipe maintainer:
 

README.md

@@ -5,7 +5,7 @@
 > https://docs.traefik.io
 
 <!-- metadata -->
-* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico), Local-IT: [@moritz](https://git.coopcloud.tech/moritz), [@msimon](https://git.coopcloud.tech/simon), [@carla](https://git.coopcloud.tech/carla)
 * **Status**: `stable`
 * **Category**: Utilities
 * **Features**: ?

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v29
-export FILE_PROVIDER_YML_VERSION=v11
+export TRAEFIK_YML_VERSION=v30
+export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5

compose.anubis.yml

@@ -17,6 +17,7 @@ services:
       OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
       OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
       SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
+      SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
     networks:
     - proxy
     deploy:

compose.cloudflare.yml

@@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
+      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
+    secrets:
+      - cf_email
+      - cf_api_key
+  
+secrets:
+  cf_email:
+    name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+    external: true
+  cf_api_key:
+    name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
+    external: true

compose.garage.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - GARAGE_RPC_ENABLED
     ports:
-      - "3901:3901"
+      - target: 3901
+        published: 3901
+        protocol: tcp
+        mode: host

compose.metrics.yml

@@ -3,7 +3,3 @@ services:
   app:
     environment:
       - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.10"
+    image: "traefik:v3.6.15"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -55,12 +55,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=4.0.0+v3.6.10"
+        - "coop-cloud.${STACK_NAME}.version=5.1.1+v3.6.15"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.10-r0-ls65
+    image: lscr.io/linuxserver/socket-proxy:3.2.19
     deploy:
       endpoint_mode: dnsrr
     environment:

file-provider.yml.tmpl

@@ -30,6 +30,18 @@ http:
         stsIncludeSubdomains: true
         stsPreload: true
         stsSeconds: "31536000"
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  routers:
+    traefik-metrics:
+      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
+      entrypoints:
+        - web-secure
+      tls:
+        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
+      middlewares:
+        - basicauth@file
+      service: prometheus@internal
+  {{ end }}
 
 tls:
   options:

release/5.0.0+v3.6.10

@@ -0,0 +1,10 @@
+/!\ BREAKING CHANGE: Change metrics endpoint to use https instead of http 8082
+                     to prevent sending BASIC_AUTH in plaintext
+
+The metrics endpoint changed from http on port 8082 to the web-secure
+endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is
+enabled you need to configure a FQDN for it by setting METRICS_FQDN in your
+.env. You should also update the scrape config files in prometheus for
+Traefik metrics from port 8082 to the new FQDN.
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/5.0.0+v3.6.10...4.0.0+v3.6.10

release/5.1.0+v3.6.11

@@ -0,0 +1 @@
+Patched CVES: CVE-2026-32595 and CVE-2026-32305

traefik.yml.tmpl

@@ -94,13 +94,6 @@ entrypoints:
   irc:
     address: ":6697"
   {{- end }}
-  {{- if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{- end }}
   {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
     address: ":9001"
@@ -122,7 +115,8 @@ ping:
 {{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
   prometheus:
-    entryPoint: metrics
+    entryPoint: web-secure
+    manualRouting: true
     addRoutersLabels: true
     addServicesLabels: true
 {{- end }}