chore: publish 3.10.0+v3.6.7 release

Reviewed-on: coop-cloud/traefik#80
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>

.env.sample

@@ -1,5 +1,5 @@
 TYPE=traefik
-TIMEOUT=300
+#TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 ENABLE_BACKUPS=true
 
@@ -185,3 +185,6 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
+
+## Enable onion service support
+#ONION_ENABLED=1

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+---
+name: "Traefik pull request template"
+about: "Traefik pull request template"
+---
+
+<!-- 
+Thank you for doing recipe maintenance work!
+Please mark all checklist items which are relevant for your changes.
+Please remove the checklist items which are not relevant for your changes.
+Feel free to remove this comment.
+-->
+
+* [ ] I have deployed and tested my changes
+* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
+* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
+* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -1,24 +1,32 @@
 # Traefik Recipe Maintenance
 
-All contributions should be made via a pull request. This is to ensure a certain quality / consistency, that others can rely on.
-
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
 
 ## Maintainer Responsibilities
 
 A recipe maintainer has the following responsibilities:
-- respond to pull requests / issues within a week
-- make image security updates within a day
-- make image patch / minor updates within a week
-- make image major updates within a month
+
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
 
 In order to fullfill these responsibilities a recipe maintainer:
-- has to watch the repository (to get notifications)
-- needs to make sure renovate is configured properly
 
-## Merge rules
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
 
-A pull request can be merged if it is approved by at least one maintainer. For pull requests opened by a maintainer they need to be approved by another maintainer.
+## Pull Requests
 
-## Becoming a maintainer
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer. Even though it is okay to merge a pull request with one approval, it
+is always better if all maintainers looked at the pull request and approved it.
 
-Everyone can apply to be a recipe maintainer. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer:
+1. Watch the repository to always get updates
+2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+3. Once the pull request gets merged you will be added to the [traefik maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/traefik-maintainers).

README.md

@@ -5,7 +5,7 @@
 > https://docs.traefik.io
 
 <!-- metadata -->
-* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1)
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@javielico](https://git.coopcloud.tech/javielico)
 * **Status**: `stable`
 * **Category**: Utilities
 * **Features**: ?
@@ -68,4 +68,8 @@ After deploying these changes, go to each recipe that supports Anubis
 and follow the process there.  **Enabling Anubis here is not enough for
 protection your apps.**
 
+## Enabling onion service
+
+Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the [onion recipe](https://recipes.coopcloud.tech/onion).
+
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v28
-export FILE_PROVIDER_YML_VERSION=v10
+export TRAEFIK_YML_VERSION=v29
+export FILE_PROVIDER_YML_VERSION=v11
 export ENTRYPOINT_VERSION=v5

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v3.6.5"
+    image: "traefik:v3.6.7"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -48,8 +48,8 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=3.9.0+v3.6.5"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=3.10.0+v3.6.7"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   socket-proxy:

file-provider.yml.tmpl

@@ -43,6 +43,7 @@ tls:
       curvePreferences:
         - CurveP521
         - CurveP384
+        - CurveP256
       sniStrict: true
   {{ if eq (env "WILDCARDS_ENABLED") "1" }}
   certificates:

release/3.10.0+v3.6.7

@@ -0,0 +1,10 @@
+Short summary of the latest changes:
+
+* Traefik has been upgraded with a patch release, no issues expected.
+* "CurveP256" has been included to the TLS options.
+* The default TIMEOUT value has been removed from the label directly.
+* Anubis support is here, try out `compose.anubis.yml` and see the README.md for more.
+* Onion services with Tor are not supported! See the README.md for more.
+* There are now officially 3 recipe maintainers for Traefik!
+
+All changes: https://git.coopcloud.tech/coop-cloud/traefik/compare/3.9.0+v3.6.5...master

traefik.yml.tmpl

@@ -11,14 +11,14 @@ providers:
     endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
+  {{- if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
   file:
     directory: /etc/traefik/file-providers
     watch: true
-  {{ else }}
+  {{- else }}
   file:
     filename: /etc/traefik/file-provider.yml
-  {{ end }}
+  {{- end }}
 
 api:
   dashboard: {{ env "DASHBOARD_ENABLED" }}
@@ -42,86 +42,90 @@ entrypoints:
         allowEncodedPercent: true
         allowEncodedQuestionMark: true
         allowEncodedHash: true
-  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
+  {{- if eq (env "GITEA_SSH_ENABLED") "1" }}
   gitea-ssh:
     address: ":2222"
-  {{ end }}
-  {{ if eq (env "P2PANDA_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "P2PANDA_ENABLED") "1" }}
   p2panda-udp-v4:
     address: ":2022/udp"
   p2panda-udp-v6:
     address: ":2023/udp"
-  {{ end }}
-  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "GARAGE_RPC_ENABLED") "1" }}
   garage-rpc:
     address: ":3901"
-  {{ end }}
-  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
   foodsoft-smtp:
     address: ":2525"
-  {{ end }}
-  {{ if eq (env "SMTP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "SMTP_ENABLED") "1" }}
   smtp-submission:
     address: ":587"
-  {{ end }}
-  {{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
   peertube-rtmp:
     address: ":1935"
-  {{ end }}
-  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "WEB_ALT_ENABLED") "1" }}
   web-alt:
     address: ":8000"
-  {{ end }}
-  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
-  {{ end }}
-  {{ if eq (env "MSSQL_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MSSQL_ENABLED") "1" }}
   mssql:
     address: ":1433"
-  {{ end }}
-  {{ if eq (env "MUMBLE_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MUMBLE_ENABLED") "1" }}
   mumble:
     address: ":64738"
   mumble-udp:
     address: ":64738/udp"
-  {{ end }}
-  {{ if eq (env "COMPY_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "COMPY_ENABLED") "1" }}
   compy:
     address: ":9999"
-  {{ end }}
-  {{ if eq (env "IRC_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "IRC_ENABLED") "1" }}
   irc:
     address: ":6697"
-  {{ end }}
-  {{ if eq (env "METRICS_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
     http:
       middlewares:
         - basicauth@file
-  {{ end }}
-  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
     address: ":9001"
-  {{ end }}
-  {{ if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
+  {{- end }}
+  {{- if eq (env "NEXTCLOUD_TALK_HPB_ENABLED") "1" }}
   nextcloud-talk-hpb:
     address: ":3478"
   nextcloud-talk-hpb-udp:
     address: ":3478/udp"
-  {{ end }}
+  {{- end }}
+  {{- if eq (env "ONION_ENABLED") "1" }}
+  onion:
+    address: ":9052"
+  {{- end }}
 
 ping:
   entryPoint: web
 
-{{ if eq (env "METRICS_ENABLED") "1" }}
+{{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
   prometheus:
     entryPoint: metrics
     addRoutersLabels: true
     addServicesLabels: true
-{{ end }}
+{{- end }}
 
 certificatesResolvers:
   staging:
@@ -131,23 +135,23 @@ certificatesResolvers:
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       httpChallenge:
         entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
-      {{ end }}
+      {{- end }}
   production:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
       httpChallenge:
         entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
         resolvers:
           - "1.1.1.1:53"
           - "9.9.9.9:53"
-      {{ end }}
+      {{- end }}