feat: support UDP proxy of port 2022 and 2023 for P2Panda apps (#70)

# Support P2P communication between P2Panda Apps

Apps built with the set of [P2Panda](https://p2panda.org/) libraries perform P2P communication over two UDP ports. The default ports for these are 2022 and 2023.

There aren't really a lot (any?) P2Panda web apps out there, most are desktop or mobile apps.

So, this change is being specifically request by the [LoRes Tech](https://lores.tech/) project in order to support our [LoRes Node](https://github.com/local-resilience-tech/lores-node/) app. We have a recipe drafted for this [here](https://codeberg.org/lores/lores-node-coop-cloud-recipe) and we will push that to the catalogue once this change is in.

It seems better to make this kiwix change as general as possible, which is why we called the flag `P2PANDA_ENABLED` rather than `LORES_NODE_ENABLED`. In practice if there was a larger ecosystem of such apps, we'd probably need to make the actual port numbers configurable.

Reviewed-on: coop-cloud/traefik#70
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Co-authored-by: Jade Ambrose <jade@noreply.git.coopcloud.tech>
Co-committed-by: Jade Ambrose <jade@noreply.git.coopcloud.tech>

.drone.yml

@@ -8,7 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: traefik
       networks:
-       - proxy
+        - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,9 +16,9 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v3
-      ENTRYPOINT_VERSION: v1
+      TRAEFIK_YML_VERSION: v26
+      FILE_PROVIDER_YML_VERSION: v10
+      ENTRYPOINT_VERSION: v4
 trigger:
   branch:
     - master
@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,6 +1,7 @@
 TYPE=traefik
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -9,6 +10,7 @@ LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
+LOG_MAX_AGE=1
 
 # This is here so later lines can extend it; you likely don't wanna edit
 COMPOSE_FILE="compose.yml"
@@ -42,12 +44,47 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#GANDI_API_KEY_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Gandi, https://gandi.net
+## note: uses GandiV5 Personal Access Token
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
+#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+
+## DigitalOcean, https://digitalocean.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
+#DIGITALOCEAN_ENABLED=1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+
+## Azure, https://azure.com
+## To insert your Azure client secret:
+## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
+#AZURE_ENABLED=1
+#AZURE_TENANT_ID=
+#AZURE_CLIENT_ID=
+#AZURE_SUBSCRIPTION_ID=
+#AZURE_RESOURCE_GROUP=
+#SECRET_AZURE_SECRET_VERSION=v1
+
 #####################################################################
-# Keycloak log-in                                                   #
+# Manual wildcard certificate insertion                             #
+#####################################################################
+
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
+#####################################################################
+# Authentication                                                    #
 #####################################################################
 
 ## Enable Keycloak
@@ -57,12 +94,19 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
 
+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1
+
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################
 
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
 
 #####################################################################
@@ -87,6 +131,10 @@ COMPOSE_FILE="compose.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
 
+## P2Panda UDP
+# COMPOSE_FILE="$COMPOSE_FILE:compose.p2panda.yml"
+# P2PANDA_ENABLED=1
+
 ## Foodsoft SMTP
 # COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
 # FOODSOFT_SMTP_ENABLED=1
@@ -111,8 +159,15 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1
 
-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
+## "Web alt", an alternative web port
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
+#WEB_ALT_ENABLED=1
+
+## Matrix
+#COMPOSE_FILE="$COMPOSE_FILE:compose.irc.yml"
+#IRC_ENABLED=1
+
+## Garage
+#COMPOSE_FILE="$COMPOSE_FILE:compose.garage.yml"
+#GARAGE_RPC_ENABLED=1

MAINTENANCE.md

@@ -0,0 +1,24 @@
+# Traefik Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a certain quality / consistency, that others can rely on.
+
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+- respond to pull requests / issues within a week
+- make image security updates within a day
+- make image patch / minor updates within a week
+- make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+- has to watch the repository (to get notifications)
+- needs to make sure renovate is configured properly
+
+## Merge rules
+
+A pull request can be merged if it is approved by at least one maintainer. For pull requests opened by a maintainer they need to be approved by another maintainer.
+
+## Becoming a maintainer
+
+Everyone can apply to be a recipe maintainer. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.

README.md

@@ -1,12 +1,14 @@
 # Traefik
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/traefik/status.svg)](https://drone.autonomic.zone/coop-cloud/traefik)
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/traefik/status.svg)](https://build.coopcloud.tech/coop-cloud/traefik)
 
 > https://docs.traefik.io
 
 <!-- metadata -->
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1)
+* **Status**: `stable`
 * **Category**: Utilities
-* **Status**: ?
+* **Features**: ?
 * **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
@@ -23,6 +25,13 @@
    your Docker swarm box
 4. `abra app deploy YOURAPPDOMAIN`
 
+## Configuring basic auth
+
+1. Create the usersfile locally: `htpasswd -c usersfile <username>`
+2. Uncomment the Basic Auth section in your .env file
+3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
+4. Redploy your app: `abra app deploy -f <domain>`
+
 ## Configuring wildcard SSL using DNS
 
 Automatic certificate generation will Just Work™ for most recipes  which use a fixed
@@ -40,8 +49,10 @@ Letsencrypt DNS challenges.
    `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
+   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
+     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v16
-export FILE_PROVIDER_YML_VERSION=v8
-export ENTRYPOINT_VERSION=v2
+export TRAEFIK_YML_VERSION=v26
+export FILE_PROVIDER_YML_VERSION=v10
+export ENTRYPOINT_VERSION=v5

alaconnect.yml

@@ -0,0 +1,4 @@
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_FEDERATION_ENABLED

compose.azure.yml

@@ -0,0 +1,17 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - AZURE_TENANT_ID
+      - AZURE_CLIENT_ID
+      - AZURE_SUBSCRIPTION_ID
+      - AZURE_RESOURCE_GROUP
+      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
+    secrets:
+      - azure_secret
+
+secrets:
+  azure_secret:
+    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_SECRET_VERSION}
+    external: true

compose.digitalocean.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - digitalocean_auth_token
+
+secrets:
+  digitalocean_auth_token:
+    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
+    external: true

compose.gandi-personal-access-token.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - gandiv5_pat
+
+secrets:
+  gandiv5_pat:
+    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
+    external: true

compose.garage.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - GARAGE_RPC_ENABLED
+    ports:
+      - "3901:3901"

compose.irc.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - IRC_ENABLED
+    ports:
+      - "6697:6697"

compose.metrics.yml

@@ -0,0 +1,9 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - METRICS_ENABLED
+    ports:
+      - target: 8082
+        published: 8082
+        mode: host

compose.p2panda.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - P2PANDA_ENABLED
+    ports:
+      - target: 2022
+        published: 2022
+        protocol: udp
+        mode: host
+      - target: 2023
+        published: 2023
+        protocol: udp
+        mode: host

compose.web-alt.yml

@@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - WEB_ALT_ENABLED
+    ports:
+      - "8000:8000"

compose.wildcard.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.10.1"
+    image: "traefik:v3.6.2"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,7 +11,6 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
     configs:
@@ -24,9 +23,11 @@ services:
         mode: 0555
     networks:
       - proxy
+      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
+      - ${LOG_MAX_AGE:-0}
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
@@ -47,12 +48,51 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.3.1+v2.10.2"
+        - "coop-cloud.${STACK_NAME}.version=3.7.0+v3.6.2"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.8-r0-ls61
+    deploy:
+      endpoint_mode: dnsrr
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Needs access
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1 # Needs access
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=1 # Needs access
+      - NODES=1
+      - PING=1
+      - POST=0
+      - PLUGINS=0
+      - SECRETS=0
+      - SERVICES=1 # Needs access
+      - SESSION=0
+      - SWARM=1
+      - SYSTEM=0
+      - TASKS=1 # Needs access
+      - VERSION=1 # Needs access
+      - VOLUMES=0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - internal
 
 networks:
   proxy:
     external: true
+  internal:
 
 configs:
   traefik_yml:

entrypoint.sh.tmpl

@@ -7,8 +7,12 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "GANDI_ENABLED") "1" }}
-export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
+{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
+export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ end }}
+
+{{ if eq (env "AZURE_ENABLED") "1" }}
+export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
 {{ end }}
 
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -25,7 +25,6 @@ http:
     security:
       headers:
         frameDeny: true
-        sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
         stsIncludeSubdomains: true
@@ -45,3 +44,8 @@ tls:
         - CurveP521
         - CurveP384
       sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}

release/2.8.0+v2.11.10

@@ -0,0 +1 @@
+Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

release/2.9.0+v2.11.14

@@ -0,0 +1 @@
+Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg

release/2.9.1+v2.11.14

@@ -0,0 +1 @@
+Reverts max log retention

release/3.0.0+v2.11.22

@@ -0,0 +1,2 @@
+socket-proxy: switch to endpoint-mode dnsrr instead of vip
+See https://git.coopcloud.tech/coop-cloud/traefik/pulls/50.

release/3.3.0+v2.11.26

@@ -0,0 +1 @@
+Fix CVE: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

release/3.4.0+v3.4.4

@@ -0,0 +1 @@
+Updates Traefik from v2 to v3. Migration notes here: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#configuration-details-for-migrating-from-traefik-v2-to-v3 By default, syntax for Traefik rules in recipes still use v2 syntax. To upgrade a recipe to use v3 label syntax, set the ruleSyntax label in the recipe per: https://doc.traefik.io/traefik/reference/routing-configuration/http/router/rules-and-priority/#rulesyntax

release/3.4.2+v3.4.5

@@ -0,0 +1 @@
+Bumps the TRAEFIK_YML_VERSION

release/3.5.0+v3.4.5

@@ -0,0 +1 @@
+Add support to azure DNS-01 acme challenge

release/3.6.0+v3.4.5

@@ -0,0 +1 @@
+Expose log_max_age option. This option controls Traefik's maximum retention for log files in number of days. By default (when LOG_MAX_AGE=0), files are not removed based on age.

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

traefik.yml.tmpl

@@ -1,13 +1,16 @@
 ---
+core:
+  defaultRuleSyntax: v2
+
 log:
   level: {{ env "LOG_LEVEL" }}
+  maxAge: {{ env "LOG_MAX_AGE" }}
 
 providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
+  swarm:
+    endpoint: "tcp://socket-proxy:2375"
     exposedByDefault: false
     network: proxy
-    swarmMode: true
   {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
   file:
     directory: /etc/traefik/file-providers
@@ -34,6 +37,16 @@ entrypoints:
   gitea-ssh:
     address: ":2222"
   {{ end }}
+  {{ if eq (env "P2PANDA_ENABLED") "1" }}
+  p2panda-udp-v4:
+    address: ":2022/udp"
+  p2panda-udp-v6:
+    address: ":2023/udp"
+  {{ end }}
+  {{ if eq (env "GARAGE_RPC_ENABLED") "1" }}
+  garage-rpc:
+    address: ":3901"
+  {{ end }}
   {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
   foodsoft-smtp:
     address: ":2525"
@@ -46,6 +59,10 @@ entrypoints:
   peertube-rtmp:
     address: ":1935"
   {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  web-alt:
+    address: ":8000"
+  {{ end }}
   {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
   ssb-muxrpc:
     address: ":8008"
@@ -64,9 +81,16 @@ entrypoints:
   compy:
     address: ":9999"
   {{ end }}
+  {{ if eq (env "IRC_ENABLED") "1" }}
+  irc:
+    address: ":6697"
+  {{ end }}
   {{ if eq (env "METRICS_ENABLED") "1" }}
   metrics:
     address: ":8082"
+    http:
+      middlewares:
+        - basicauth@file
   {{ end }}
   {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
@@ -80,6 +104,8 @@ ping:
 metrics:
   prometheus:
     entryPoint: metrics
+    addRoutersLabels: true
+    addServicesLabels: true
 {{ end }}
 
 certificatesResolvers: