dynamic traefik configuration improvements

turned out that --providers.file.directory cli switch didn't override the file settings, and so, remapping the /etc/traefik dirs was a better approach.

.gitignore

@@ -1,5 +1,5 @@
 .env.local
-_traefik.dynamic/tls
-_traefik.dynamic/shared/acme.json
+_traefik/tls
+_traefik/shared
 **/app.env
 ddns-updater/config.json

_bin/checkver.sh

@@ -0,0 +1,49 @@
+#! /usr/bin/env bash
+SCRIPT_DIR=${SCRIPT_DIR:-"$( cd -- "$( dirname -- "$0" )" &> /dev/null && pwd )"}
+ 
+# Function to compare semantic versions
+compare_major_version() {
+    local major_version1=$(echo $1 | cut -d. -f1)
+    local major_version2=$(echo $2 | cut -d. -f1)
+ 
+    if [[ "$major_version1" == "$major_version2" ]]; then
+        return 0
+    else
+        return 1
+    fi
+}
+ 
+# Get Current Version of Runtipi
+runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"}
+[ -r "$runtipi_path/VERSION" ] || runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../../_" &> /dev/null && pwd )"}
+current_version=$(cat "$runtipi_path/VERSION")
+ 
+# Get the latest release information from GitHub API
+latest_release=$(curl -sL \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/runtipi/runtipi/releases/latest)
+ 
+# Extract the tag name from the release information
+tag_name=$(echo "$latest_release" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
+ 
+printf 'current: %-10s online: %-10s\n' "$current_version" "$tag_name" >&2
+# Compare major version numbers
+compare_major_version "$tag_name" "$current_version"
+# major_version_match=$?
+#  
+# # Check if major versions are the same and if the latest release is newer than the current version
+# if [[ $major_version_match -eq 0 ]] && [[ "$tag_name" > "$current_version" ]]; then
+#     echo "A new release is available: $tag_name"
+#     cd $runtipi_path
+#     echo "Backing up current version"
+#     if [ ! -d "$runtipi_path/backups" ]; then
+#         mkdir -p $runtipi_path/backups
+#     fi
+#     tar -czvf runtipi-backup-$current_version.tar.gz --exclude=media --exclude=backups *
+#     mv runtipi-backup-$current_version.tar.gz $runtipi_path/backups
+#     echo "Starting update"
+#     echo $runtipi_path/runtipi-cli update latest
+# else
+#     echo "No new release found or major version mismatch"
+# fi

_bin/runtipictl

@@ -6,6 +6,12 @@ jlmkr () {
 
 JAIL_UID=${JAIL_UID:-${UID}}
 
+jlmkr-shell() {
+    if jlmkr exec runtipi true; then
+         jlmkr shell --uid "${JAIL_UID}" runtipi
+    fi
+}
+
 jlmkr-exec () {
     local set_x=" set -x; pwd; id; "
     [ -z "$QUIET" ] || set_x=""
@@ -83,6 +89,9 @@ case "${1}" in
         _ERROR_MSG="ERROR: failed to invoke a command inside the runtipi jail and can't start the jail." \
         runtipi-cli start --env-file user-config/.env.local --no-permissions
         ;;
+    shell)
+        jlmkr-shell
+        ;;
     exec)
         jlmkr-exec "${@:2}"
         ;;
@@ -124,6 +133,7 @@ case "${1}" in
             "" "" "" \
             "misc." "" ""\
             "" "exec"       "execute within the shell, START_DIR env applies" \
+            "" "shell"      "enter an insteractive shell" \
             "" "" "" \
             "" "setup"      "setup runtipictl in user's .local/bin dir"
 

_traefik.dynamic/dynamic/kasm-workspaces.yml

@@ -1,42 +0,0 @@
-# http routing section
-http:
-  routers:
-    # Define a connection between requests and services
-    "to-kasm-main":
-      rule: "Host(`k.szk.li`)" 
-      entrypoints:
-      - websecure
-    # # If the rule matches, applies the middleware
-      middlewares:
-      - authentik_sysmgr
-    # - test-user
-      # If the rule matches, forward to the whoami service (declared below)
-      service: kasm-main
-      tls:
-        certresolver: myresolver
-
-    # Define a connection between requests and services
-    "to-kasm-setup":
-      rule: "Host(`ksetup.szk.li`)" 
-      entrypoints:
-      - websecure
-    # # If the rule matches, applies the middleware
-      middlewares:
-      - authentik_sysmgr
-    # - test-user
-      # If the rule matches, forward to the whoami service (declared below)
-      service: kasm-setup
-      tls:
-        certresolver: myresolver
-
-
-  services:
-    # Define how to reach an existing service on our infrastructure
-    kasm-main:
-      loadBalancer:      
-        servers:
-        - url: "https://kasm-workspaces:8744"
-    kasm-setup:
-      loadBalancer:      
-        servers:
-        - url: "https://kasm-workspaces:8743"

_traefik.dynamic/dynamic/kateryna_apps.yml

@@ -1,29 +0,0 @@
-# http routing section
-http:
-  routers:
-    to-kateryna:
-      rule: "Host(`kateryna.szk.li`)
-        || Host(`kateryna.lksz.me`)
-        || Host(`m.lksz.me`)
-        || Host(`auth.lksz.me`)
-        || Host(`sync.lksz.me`)
-        || Host(`radarr.lksz.me`)
-        || Host(`sonarr.lksz.me`)
-        || Host(`prowlarr.lksz.me`)
-        || Host(`req.lksz.me`)
-        || Host(`jd.lksz.me`)
-        || Host(`nzb.lksz.me`)
-        || Host(`stats.player.lksz.me`)
-        "
-      entrypoints:
-      - websecure
-      service: kateryna-traefik
-      tls:
-        certresolver: myresolver
-
-  services:
-    # Define how to reach an existing service on our infrastructure
-    kateryna-traefik:
-      loadBalancer:
-        servers:
-        - url: https://kateryna.lksz.me

_traefik/dynamic/http.yml

@@ -0,0 +1,4 @@
+http:
+  serversTransports:
+    insecuretransport:
+      insecureSkipVerify: true

_traefik/dynamic/mw.lan-only.yml

@@ -0,0 +1,8 @@
+# Accepts request from defined IP
+http:
+  middlewares:
+    lan-only:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.0.0/16"

_traefik/dynamic/mw.secureHeaders.yml

@@ -1,8 +1,4 @@
 http:
-  serversTransports:
-    insecuretransport:
-      insecureSkipVerify: true
-      
   middlewares:
     secureHeaders:
       headers:
@@ -18,14 +14,3 @@ http:
         permissionsPolicy: "camera=(), microphone=(), geolocation=()"
         customResponseHeaders:
           X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
-
-tls:
-  stores:
-    default:
-      defaultCertificate:
-        certFile: /etc/traefik/tls/cert.pem
-        keyFile: /etc/traefik/tls/key.pem
-  certificates:
-    - certFile: /etc/traefik/tls/cert.pem
-      keyFile: /etc/traefik/tls/key.pem
-

_traefik/dynamic/tls.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/cert.pem
+        keyFile: /etc/traefik/tls/key.pem
+  certificates:
+    - certFile: /etc/traefik/tls/cert.pem
+      keyFile: /etc/traefik/tls/key.pem

_traefik/traefik.yml

@@ -4,7 +4,7 @@ api:
 
 providers:
   docker:
-    endpoint: 'unix:///var/run/docker.sock'
+    endpoint: "unix:///var/run/docker.sock"
     watch: true
     exposedByDefault: false
   file:
@@ -31,12 +31,18 @@ entryPoints:
         - "172.16.0.0/12"
 
 certificatesResolvers:
-  httpresolver:
+  myresolver:
     acme:
-#     email: acme@thisprops.com
+      email: acme@thisprops.com
       storage: /shared/acme.json
-      httpChallenge:
-        entryPoint: web
+      # httpChallenge:
+      #   entryPoint: web
+      #logging: true
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+        - 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53
+        - 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53
 
 log:
-  level: ERROR
+  level: INFO

tipi-compose.yml

@@ -4,16 +4,35 @@ services:
       - 8080:8080
     command: 
       - '--providers.docker'
-      - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
+      - '--providers.file.directory=/etc/traefik/dynamic'
       - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
       - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
       - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
+      - '--log.level=INFO'
     environment:
-      CF_API_EMAIL: "${ACME_EMAIL}"
-      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
+      CF_API_EMAIL: "${ACME_EMAIL:?}"
+      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}"
     networks:
     - tipi_main_network
     - tipi_internal_network
+    volumes:
+    - type: bind
+      source: ./traefik/shared
+      target: /shared
+      read_only: false
+    - type: bind
+      source: ./traefik
+      target: /etc/traefik
+      read_only: false
+    - type: bind
+      source: ./user-config/_traefik/dynamic/      
+      target: /etc/traefik/dynamic/
+      read_only: true
+    - type: bind
+      source: ./user-config/_traefik/traefik.yml
+      target: /etc/traefik/traefik.yml
+      read_only: true
 
 networks:
   tipi_internal_network: