15 changed files with 409 additions and 109 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
 .env.local
-_traefik.dynamic/tls
-_traefik.dynamic/shared/acme.json
+_copy_to_traefik/tls
+_copy_to_traefik/shared/acme.json
 **/app.env
 ddns-updater/config.json
--- a/_bin/runtipictl
+++ b/_bin/runtipictl
@ -58,8 +58,8 @@ dls() {
    local base='{{.Status}}\t{{.ID}}\t{{.Names}}\t{{.Image}}' #'\t{{.Networks}}\t{{.Ports}}\t{{.Mounts}}'
    local compose='{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}'
    local format="table $compose\t$base"
-    ROOT_EXEC=1 QUIET=${QUIET:-0} jlmkr-exec \
-        docker "container ls --all --format '$format' | ( sed -u '1s/.*/\U&/; q'; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
+    ROOT_EXEC=1 jlmkr-exec \
+        docker "container ls --all --format '$format' | ( sed -u 1q ; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
 }

 case "${1}" in
@ -67,7 +67,7 @@ case "${1}" in
        runtipi-cli "${@:2}"
        ;;
    log)
-        jlmkr-exec "POSTGRES_PASSWORD=_ TIPI_VERSION=_ LOCAL_DOMAIN=_ DOMAIN=_" docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
+        jlmkr-exec docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
        ;;
    start)
        runtipi-cli start --env-file user-config/.env.local --no-permissions
@ -108,7 +108,6 @@ case "${1}" in
            "" "" "" \
            "" "cli"        "runtipi-cli" \
            "" "dcoapp"     "docker compose for runtipi apps" \
-            "" "dls"        "stylized docker ls" \
            "" "docker"     "docker" \
            "" "dockge"     "dokcer compose for dockge stacks" \
            "" "exec"       "execute within the shell, START_DIR env applies" \
--- a/_copy_to_traefik/dynamic/dynamic.yml
+++ b/_copy_to_traefik/dynamic/dynamic.yml
@ -2,7 +2,6 @@ http:
  serversTransports:
    insecuretransport:
      insecureSkipVerify: true
-      
  middlewares:
    secureHeaders:
      headers:
--- a/_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml
+++ b/_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml
@ -0,0 +1,18 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
--- a/_copy_to_traefik/dynamic/ha.yml
+++ b/_copy_to_traefik/dynamic/ha.yml
--- a/_copy_to_traefik/dynamic/kasm-workspaces.yml
+++ b/_copy_to_traefik/dynamic/kasm-workspaces.yml
--- a/_copy_to_traefik/dynamic/kateryna_apps.yml
+++ b/_copy_to_traefik/dynamic/kateryna_apps.yml
@ -1,12 +1,23 @@
 # http routing section
 http:
  routers:
+    to-auth:
+      rule: "Host(`auth.lksz.me`)"
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
+    to-syncthing:
+      rule: "Host(`sync.lksz.me`)" 
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
    to-kateryna:
      rule: "Host(`kateryna.szk.li`)
        || Host(`kateryna.lksz.me`)
-        || Host(`m.lksz.me`)
-        || Host(`auth.lksz.me`)
-        || Host(`sync.lksz.me`)
        || Host(`radarr.lksz.me`)
        || Host(`sonarr.lksz.me`)
        || Host(`prowlarr.lksz.me`)
--- a/_copy_to_traefik/shared/acme.json
+++ b/_copy_to_traefik/shared/acme.json
--- a/_copy_to_traefik/traefik.yml
+++ b/_copy_to_traefik/traefik.yml
@ -14,10 +14,6 @@ providers:
 entryPoints:
  web:
    address: ':80'
-    forwardedHeaders:
-      trustedIPs:
-        - "127.0.0.1/32"
-        - "172.16.0.0/12"
    http:
      redirections:
        entryPoint:
@ -25,10 +21,6 @@ entryPoints:
          scheme: 'https'
  websecure:
    address: ':443'
-    forwardedHeaders:
-      trustedIPs:
-        - "127.0.0.1/32"
-        - "172.16.0.0/12"

 certificatesResolvers:
  httpresolver:
--- a/_template/app.env
+++ b/_template/app.env
@ -1,2 +1,2 @@
-# VARIABLE=value #comment
-APP_ROUTE_OPTIONAL=${LEGACY_ROOT_DOMAIN:+ || Host(`example.${LEGACY_ROOT_DOMAIN}`)}
+# VARIABLE=value #comment# VARIABLE=value #comment
+# APP_ROUTE_OPTIONAL=" || Host(`www.example.com`)"
--- a/_template/docker-compose.yml
+++ b/_template/docker-compose.yml
@ -2,8 +2,6 @@ services:
  <service-name>:
    hostname: <service-name>.docker
    environment:
-      PUID: "${SZ_USER_UID}"
-      PGID: "${SZ_USER_GID}"
      # RUNTIPI Environment
      RUNTIPI_APP_PORT: "${APP_PORT}"
      RUNTIPI_APP_ID: "${APP_ID}"
@ -14,6 +12,8 @@ services:
      RUNTIPI_LOCAL_DOMAIN: "${LOCAL_DOMAIN}"
      RUNTIPI_DOMAIN: "${DOMAIN}"
      RUNTIPI_ROOT_DOMAIN: "${ROOT_DOMAIN}"
+      PUID: "${SZ_USER_UID}"
+      PGID: "${SZ_USER_GID}"
    # volumes_from:
    # - "container:vols-dl"
    # - "container:vols-personal-media"
--- a/_traefik.dynamic/dynamic/fwd-auth-sysmgr.yml
+++ b/_traefik.dynamic/dynamic/fwd-auth-sysmgr.yml
@ -1,19 +0,0 @@
-http:
-  middlewares:
-    authentik_sysmgr:
-      forwardAuth:
-        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
-        # authResponseHeaders:
-        #   - X-authentik-username
-        #   - X-authentik-groups
-        #   - X-authentik-email
-        #   - X-authentik-name
-        #   - X-authentik-uid
-        #   - X-authentik-jwt
-        #   - X-authentik-meta-jwks
-        #   - X-authentik-meta-outpost
-        #   - X-authentik-meta-provider
-        #   - X-authentik-meta-app
-        #   - X-authentik-meta-version
--- a/ddns-updater/docker-compose.yml
+++ b/ddns-updater/docker-compose.yml
@ -3,49 +3,33 @@ services:
    environment:
      USER_UID: "${SZ_USER_UID}"
      USER_GID: "${SZ_USER_GID}"
+    # user: "${SZ_USER_UID}"

-      ### Configuration
-      # DATADIR: "/updater/data"
-      # CONFIG_FILEPATH: "/updater/data/config.json"
-      # CONFIG: ""
-      # PERIOD: "5m"
-      
-      # UPDATE_COOLDOWN_PERIOD: "5m"
-      # PUBLICIP_FETCHERS: "all"
-      # PUBLICIP_HTTP_PROVIDERS: "all"
-      # PUBLICIPV4_HTTP_PROVIDERS: "all"
-      # PUBLICIPV6_HTTP_PROVIDERS: "all"
-      # PUBLICIP_DNS_PROVIDERS: "all"
-      # PUBLICIP_DNS_TIMEOUT: "3s"
-      # HTTP_TIMEOUT: "10s"
+    # environment:
+    #   - CONFIG=
+    #   - PERIOD=5m
+    #   - UPDATE_COOLDOWN_PERIOD=5m
+    #   - PUBLICIP_FETCHERS=all
+    #   - PUBLICIP_HTTP_PROVIDERS=all
+    #   - PUBLICIPV4_HTTP_PROVIDERS=all
+    #   - PUBLICIPV6_HTTP_PROVIDERS=all
+    #   - PUBLICIP_DNS_PROVIDERS=all
+    #   - PUBLICIP_DNS_TIMEOUT=3s
+    #   - HTTP_TIMEOUT=10s

-      # RESOLVER_ADDRESS: ""
-      # RESOLVER_TIMEOUT: "5s"
+    #   # Web UI
+    #   - LISTENING_ADDRESS=:8000
+    #   - ROOT_URL=/

-      ### Web UI
-      # SERVER_ENABLED: "yes"
-      # LISTENING_ADDRESS: ":8000"
-      # ROOT_URL: "/"
+    #   # Backup
+    #   - BACKUP_PERIOD=0 # 0 to disable
+    #   - BACKUP_DIRECTORY=/updater/data

-      ### Backup
-      # BACKUP_PERIOD: "0"
-      # BACKUP_DIRECTORY: "/updater/data"
-
-      ### Other
-      # LOG_LEVEL: "info"
-      # LOG_CALLER: "hidden"
-
-      ### SHOUTRRR
-      # SHOUTRRR_ADDRESSES: ""
-      # SHOUTRRR_DEFAULT_TITLE: "DDNS Updater"
-      
-      ### Health Check
-      # HEALTH_SERVER_ADDRESS: "127.0.0.1:9999"
-      # HEALTH_HEALTHCHECKSIO_BASE_URL: "https://hc-ping.com"
-      # HEALTH_HEALTHCHECKSIO_UUID: ""
-    labels:
-      traefik.http.routers.ddns-updater.rule: Host(`ddns.${ROOT_DOMAIN}`)
-      traefik.http.routers.ddns-updater.middlewares: authentik_sysmgr@file
+    #   # Other
+    #   - LOG_LEVEL=info
+    #   - LOG_CALLER=hidden
+    #   - SHOUTRRR_ADDRESSES=
+    # restart: always

    volumes:
    #- dummy:/updater/data:ro
--- a/forgejo/docker-compose.yml
+++ b/forgejo/docker-compose.yml
@ -1,18 +0,0 @@
-services:
-  forgejo:
-    environment:
-      USER_UID: "${SZ_USER_UID}"
-      USER_GID: "${SZ_USER_GID}"
-
-      FORGEJO__server__DOMAIN: "code.${ALT_ROOT_DOMAIN}"
-      FORGEJO__server__ROOT_URL: "https://code.${ALT_ROOT_DOMAIN}"
-      FORGEJO__server__SSH_DOMAIN: "code.${ALT_ROOT_DOMAIN}"
-
-    labels:
-    # Websecure
-      traefik.http.routers.forgejo-more.rule: Host(`code.${ROOT_DOMAIN}`)${APP_ROUTE_OPTIONAL:-}
-      traefik.http.routers.forgejo-more.entrypoints: websecure
-      traefik.http.routers.forgejo-more.service: forgejo
-    # traefik.http.routers.forgejo-more.middlewares: authentik_sysmgr@file
-      traefik.http.routers.forgejo-more.tls: true
-      traefik.http.routers.forgejo-more.tls.certresolver: myresolver
--- a/tipi-compose.yml
+++ b/tipi-compose.yml
@ -4,20 +4,11 @@ services:
      - 8080:8080
    command: 
      - '--providers.docker'
-      - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
+      - '--providers.file.directory=/srv/runtipi/traefik/dynamic'
      - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
      - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
-      - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
+      - '--certificatesresolvers.myresolver.acme.dnshallenge.entrypoint=cloudflare'
    environment:
      CF_API_EMAIL: "${ACME_EMAIL}"
      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
-    networks:
-    - tipi_main_network
-    - tipi_internal_network
-
-networks:
-  tipi_internal_network:
-    internal: true
-    attachable: true
-    name: runtipi_internal_network