bump forgejo

Reviewed-on: #201

.ci/requirements.txt

@@ -1 +1 @@
-pyyaml==6.0.2
+pyyaml==6.0.3

compute-1-mep/forgejo/docker-compose.yaml

@@ -9,7 +9,7 @@ volumes:
 
 services:
   server:
-    image: codeberg.org/forgejo/forgejo:10.0.1
+    image: codeberg.org/forgejo/forgejo:13.0.2
     restart: always
     container_name: forgejo
     env_file:
@@ -82,7 +82,7 @@ services:
     depends_on:
       - cache
   cache:
-    image: "redis:7-alpine"
+    image: "redis:8-alpine"
     restart: always
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]

compute-1-mep/renovate/docker-compose.yaml

@@ -4,7 +4,7 @@ networks:
 
 services:
   renovate:
-    image: ghcr.io/renovatebot/renovate:39.185.0-full
+    image: ghcr.io/renovatebot/renovate:41.125.3-full
     restart: always
     environment:
       - LOG_LEVEL=info

compute-1-mep/restic/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   backup:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
     hostname: docker
     restart: unless-stopped
     environment:
@@ -31,7 +31,7 @@ services:
       - ./ssh:/run/secrets/.ssh:ro
 
   prune:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
     hostname: docker
     restart: unless-stopped
     environment:

compute-1-mep/searx/docker-compose.yaml

@@ -8,7 +8,7 @@ volumes:
 
 services:
   server:
-    image: "searxng/searxng:2025.1.6-6dab7fe78"
+    image: "searxng/searxng:2025.4.24-c6c6d3027"
     depends_on:
       - "redis"
     environment:
@@ -37,7 +37,7 @@ services:
       - "traefik.http.routers.searx.rule=Host(`searx.gnous.eu`)"
       - "traefik.http.routers.searx.middlewares=proxyHeader@file,proxyError@file"
   redis:
-    image: "redis:7.4-alpine"
+    image: "redis:8.0-alpine"
     command: 'redis-server --save "" --appendonly "no"'
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]

compute-1-mep/traefik-kop/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.19"
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock

compute-1-mep/wallabag/docker-compose.yaml

@@ -8,7 +8,7 @@ volumes:
 
 services:
   wallabag:
-    image: wallabag/wallabag:2.6.10
+    image: wallabag/wallabag:2.6.14
     restart: unless-stopped
     environment:
       - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql

compute-2-mep/gitlab/docker-compose.yaml

@@ -12,7 +12,7 @@ volumes:
 
 services:
   gitlab:
-    image: gitlab/gitlab-ce:17.9.1-ce.0
+    image: gitlab/gitlab-ce:18.4.0-ce.0
     container_name: gitlab
     restart: always
     hostname: "gitlab.gnous.eu"

compute-2-mep/mastodon/.env.production

@@ -19,7 +19,7 @@ SMTP_FROM_ADDRESS=Mastodon <service@gnous.eu>
 S3_ENABLED=true
 S3_BUCKET=gnoustoot
 S3_REGION=fr-par
-S3_HOSTNAME=obiwan.gnous.eu
+S3_HOSTNAME=cdn.gnous.eu
 S3_ENDPOINT=https://s3.fr-par.scw.cloud
 
 ES_ENABLED=false

compute-2-mep/mastodon/docker-compose.yaml

@@ -5,7 +5,7 @@ networks:
 
 services:
   redis:
-    image: redis:7-alpine
+    image: redis:8-alpine
     restart: always
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
@@ -13,7 +13,7 @@ services:
       - mastodon
 
   web:
-    image: ghcr.io/mastodon/mastodon:v4.3.4
+    image: ghcr.io/mastodon/mastodon:v4.4.8
     restart: always
     env_file:
       - path: .env.production
@@ -42,7 +42,7 @@ services:
       - "ofelia.job-exec.clean-account.command=tootctl accounts cull"
 
   streaming:
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.4
+    image: ghcr.io/mastodon/mastodon-streaming:v4.4.8
     restart: always
     env_file:
       - path: .env.production
@@ -65,7 +65,7 @@ services:
       - "traefik.http.routers.mastodon-streaming.middlewares=proxyHeader@file,proxyError@file"
 
   sidekiq:
-    image: ghcr.io/mastodon/mastodon:v4.3.4
+    image: ghcr.io/mastodon/mastodon:v4.4.8
     restart: always
     env_file:
       - path: .env.production

compute-2-mep/restic/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   backup:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
     hostname: docker
     restart: unless-stopped
     environment:
@@ -28,7 +28,7 @@ services:
       - ./ssh:/run/secrets/.ssh:ro
 
   prune:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
     hostname: docker
     restart: unless-stopped
     environment:

compute-2-mep/traefik-kop/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.19"
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock

compute-2-mep/vaultwarden/docker-compose.yaml

@@ -8,7 +8,7 @@ volumes:
 
 services:
   vaultwarden:
-    image: vaultwarden/server:1.33.2
+    image: vaultwarden/server:1.34.3
     container_name: vaultwarden
     environment:
       - WEBSOCKET_ENABLED=true # Enable WebSocket notifications.

compute-2-mep/woodpecker/docker-compose.yaml

@@ -9,7 +9,7 @@ volumes:
 
 services:
   server:
-    image: woodpeckerci/woodpecker-server:v3.2.0
+    image: woodpeckerci/woodpecker-server:v3.11.0
     container_name: woodpecker_server
     environment:
       - WOODPECKER_OPEN=true

compute-gra/traefik/.env

@@ -0,0 +1,20 @@
+TRAEFIK_KOP_REDIS_ADDR=[[TRAEFIK_KOP_REDIS_ADDR]]
+TRAEFIK_KOP_REDIS_PASS=[[TRAEFIK_KOP_REDIS_PASS]]
+
+# TRACS3 ENV 
+TRACS_AWS_REGION=[[TRACS_AWS_REGION]]
+TRACS_S3_ENDPOINT=[[TRACS_S3_ENDPOINT]]
+TRACS_S3_ACCESS_KEY_ID=[[TRACS_S3_ACCESS_KEY_ID]]
+TRACS_S3_SECRET=[[TRACS_S3_SECRET]]
+TRACS_CLOSET_BUCKET=[[TRACS_CLOSET_BUCKET]]
+TRACS_CLOSET_PASSWORD=[[TRACS_CLOSET_PASSWORD]]
+AWS_CONFIGURE_PLUGINS=awscli_plugin_endpoint
+AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED
+AWS_S3_SIGNATURE_VERSION=s3v4
+TRAEFIK_LOCAL_STORE=/certificates/
+TRAEFIK_OUTPUT_FILE=/configs/certificates.toml
+TRAEFIK_CERTIFICATE_DIR=/certificates/
+
+# TRACING
+OLTP_HTTP_ENDPOINT=[[OLTP_HTTP_ENDPOINT]]
+OLTP_HTTP_BASIC_AUTH=[[OLTP_HTTP_BASIC_AUTH]]

compute-gra/traefik/docker-compose.yaml

@@ -0,0 +1,110 @@
+services:
+  traefik:
+    image: "traefik:v3.6.1"
+    container_name: "traefik"
+    command:
+      - "--log.level=info"
+      - "--log.maxsize=100"
+      - "--log.maxage=3"
+
+      - "--metrics.prometheus=true"
+
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.to=webpublic"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.web.http.redirections.entryPoint.permanent=true"
+      - "--entryPoints.web.allowACMEByPass=true"
+      - "--entryPoints.websecure.address=:446"
+      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.webpublic.address=:443"
+      - "--entryPoints.webpublic.http.tls=true"
+      - "--entryPoints.webpublic.forwardedHeaders.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.ssh.address=:2222"
+      - "--entryPoints.sshgitlab.address=:2223"
+
+      - "--providers.file.directory=/traefik"
+      - "--providers.redis.endpoints=${TRAEFIK_KOP_REDIS_ADDR}"
+      - "--providers.redis.password=${TRAEFIK_KOP_REDIS_PASS}"
+
+      - "--tracing=true"
+      - "--tracing.otlp=true"
+      - "--tracing.otlp.http=true"
+      - "--tracing.serviceName=traefik"
+      - "--tracing.sampleRate=0.2"
+      - "--tracing.otlp.http.endpoint=${OLTP_HTTP_ENDPOINT}"
+      - "--tracing.otlp.http.headers.Authorization=Basic ${OLTP_HTTP_BASIC_AUTH}"
+    restart: always
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/etc/traefik/sites:/traefik"
+      - "certificates:/certificates"
+    network_mode: host
+
+  epee:
+    image: "git.gnous.eu/enpls/epee-service:stable"
+    restart: always
+    container_name: "epee"
+    ports:
+      - "5900:5900"
+    networks:
+      - traefik_internal
+
+  varnish:
+    image: varnish:7.7.1
+    restart: always
+    command: -F -a :445,PROXY -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pool_timeout=120 -i varnish -s malloc,2048M -n varnish
+    ports:
+      - 445:445
+    volumes:
+      - /etc/varnish:/etc/varnish
+      - "workdir:/var/lib/varnish"
+
+
+  tracs3:
+    image: ghcr.io/outout14/traefik-acme-s3:main
+    env_file:
+      - tracs3.env
+    command:
+      - "sync"
+    volumes:
+      - "/etc/traefik/sites:/configs"
+      - "certificates:/certificates"
+    network_mode: "host"
+    environment:
+      - AWS_REGION=${TRACS_AWS_REGION}
+      - AWS_DEFAULT_REGION=${TRACS_AWS_REGION}
+      - AWS_ENDPOINT_URL=${TRACS_S3_ENDPOINT}
+      - AWS_S3_ENDPOINT=${TRACS_S3_ENDPOINT}
+      - AWS_S3API_ENDPOINT=${TRACS_S3_ENDPOINT}
+
+      - AWS_ACCESS_KEY_ID=${TRACS_S3_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${TRACS_S3_SECRET}
+
+      - CLOSET_BUCKET=${TRACS_CLOSET_BUCKET}
+      - CLOSET_PASSWORD=${TRACS_CLOSET_PASSWORD}
+
+  tracs3-certificate-sync:
+    image: mcuadros/ofelia:latest
+    restart: always
+    depends_on:
+      tracs3:
+        condition: service_completed_successfully
+    command: daemon --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      ofelia.job-run.certificate-rotate.schedule: "@every 10m"
+      ofelia.job-run.certificate-rotate.command:  "sh -c 'docker restart front-http-par-tracs3-1'"
+      ofelia.job-run.certificate-rotate.image:  "docker:cli"
+      ofelia.job-run.certificate-rotate.volume:  "/var/run/docker.sock:/var/run/docker.sock"
+
+volumes:
+  certificates:
+  workdir:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+networks:
+  traefik_internal:
+    enable_ipv6: true

compute-vel/traefik/.env

@@ -14,3 +14,7 @@ AWS_S3_SIGNATURE_VERSION=s3v4
 TRAEFIK_LOCAL_STORE=/certificates/
 TRAEFIK_OUTPUT_FILE=/configs/certificates.toml
 TRAEFIK_CERTIFICATE_DIR=/certificates/
+
+# TRACING
+OLTP_HTTP_ENDPOINT=[[OLTP_HTTP_ENDPOINT]]
+OLTP_HTTP_BASIC_AUTH=[[OLTP_HTTP_BASIC_AUTH]]

compute-vel/traefik/docker-compose.yaml

@@ -1,10 +1,7 @@
 services:
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.6.1"
     container_name: "traefik"
-    depends_on:
-      tracs3:
-        condition: service_completed_successfully
     command:
       - "--log.level=info"
       - "--log.maxsize=100"
@@ -12,57 +9,57 @@ services:
 
       - "--metrics.prometheus=true"
 
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-
       - "--entryPoints.web.address=:80"
-      - "--entryPoints.name.allowACMEByPass=true"
+      - "--entryPoints.web.http.redirections.entryPoint.to=webpublic"
-      - "--entryPoints.websecure.address=:443"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
-      - "--entryPoints.websecure.http3"
+      - "--entryPoints.web.http.redirections.entryPoint.permanent=true"
-      - "--entryPoints.websecure.http.tls=true"
+      - "--entryPoints.web.allowACMEByPass=true"
+      - "--entryPoints.websecure.address=:446"
+      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.webpublic.address=:443"
+      - "--entryPoints.webpublic.http.tls=true"
+      - "--entryPoints.webpublic.forwardedHeaders.trustedIPs=172.0.0.0/8"
       - "--entryPoints.ssh.address=:2222"
       - "--entryPoints.sshgitlab.address=:2223"
 
-      - "--providers.docker=true"
       - "--providers.file.directory=/traefik"
       - "--providers.redis.endpoints=${TRAEFIK_KOP_REDIS_ADDR}"
       - "--providers.redis.password=${TRAEFIK_KOP_REDIS_PASS}"
-    ports:
+
-      - target: 80
+      - "--tracing=true"
-        published: 80
+      - "--tracing.otlp=true"
-        protocol: tcp
+      - "--tracing.otlp.http=true"
-        mode: host
+      - "--tracing.serviceName=traefik"
-      - target: 443
+      - "--tracing.sampleRate=0.2"
-        published: 443
+      - "--tracing.otlp.http.endpoint=${OLTP_HTTP_ENDPOINT}"
-        protocol: tcp
+      - "--tracing.otlp.http.headers.Authorization=Basic ${OLTP_HTTP_BASIC_AUTH}"
-        mode: host
+    restart: always
-      - target: 443
-        published: 443
-        protocol: udp
-        mode: host
-      - target: 2222
-        published: 2222
-        protocol: tcp
-        mode: host
-      - target: 2223
-        published: 2223
-        protocol: tcp
-        mode: host
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "/etc/traefik/sites:/traefik"
       - "certificates:/certificates"
-    networks:
+    network_mode: host
-      - traefik_internal
 
   epee:
     image: "git.gnous.eu/enpls/epee-service:stable"
+    restart: always
     container_name: "epee"
     ports:
       - "5900:5900"
     networks:
       - traefik_internal
 
+  varnish:
+    image: varnish:7.7.1
+    restart: always
+    command: -F -a :445,PROXY -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pool_timeout=120 -i varnish -s malloc,2048M -n varnish
+    ports:
+      - 445:445
+    volumes:
+      - /etc/varnish:/etc/varnish
+      - "workdir:/var/lib/varnish"
+
+
   tracs3:
     image: ghcr.io/outout14/traefik-acme-s3:main
     env_file:
@@ -103,6 +100,11 @@ services:
 
 volumes:
   certificates:
+  workdir:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
 networks:
   traefik_internal:
     enable_ipv6: true

internals/semaphore/docker-compose.yaml

@@ -15,7 +15,7 @@ services:
     restart: unless-stopped
     ports:
       - 8085:3000
-    image: semaphoreui/semaphore:v2.12.14
+    image: semaphoreui/semaphore:v2.16.45
     env_file:
       - path: .env
         required: false

internals/traefik-kop/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.19"
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock

internals/wikijs/docker-compose.yaml

@@ -11,7 +11,7 @@ services:
       - db-data:/var/lib/postgresql/data
 
   server:
-    image: ghcr.io/requarks/wiki:2.5.306
+    image: ghcr.io/requarks/wiki:2.5.308
     depends_on:
       - db
     environment:

internals/woodpecker/docker-compose.yaml

@@ -10,7 +10,7 @@ volumes:
 
 services:
   server:
-    image: woodpeckerci/woodpecker-server:v3.2.0
+    image: woodpeckerci/woodpecker-server:v3.11.0
     container_name: woodpecker_server
     environment:
       - WOODPECKER_OPEN=false