Merge pull request 'Update ghcr.io/jittering/traefik-kop Docker tag to v0.17' (#169 ) from renovate/ghcr.io-jittering-traefik-kop-0.x into main

Reviewed-on: #169
Merge pull request 'Update woodpeckerci/woodpecker-server Docker tag to v3.8.0' (#161 ) from renovate/woodpeckerci-woodpecker-server-3.x into main
2025-07-25 14:07:55 +02:00 · 2025-07-25 14:06:39 +02:00 · 2025-07-25 14:06:25 +02:00 · 2025-07-25 14:06:07 +02:00 · 2025-07-25 14:06:04 +02:00 · 2025-07-25 14:05:56 +02:00
40 changed files with 425 additions and 86 deletions
--- a/.ci/lint.sh
+++ b/.ci/lint.sh
@ -1,7 +1,20 @@
-for i in $(find . -name "docker-compose.yaml" -exec sh -c 'docker-compose -f {} config -q; echo {}:$?' \;); do
-    conf=$(echo $i | cut -d: -f1)
-    return_code=$(echo $i | cut -d: -f2)
-    if [ $return_code -ne "0" ]; then
-        echo $conf return code : $return_code && exit $return_code
+#!/bin/sh
+
+find . -name "docker-compose.yaml" | while read -r compose_file; do
+    dir=$(dirname "$compose_file")
+
+    echo "Checking directory: $dir"
+
+    # Source .env if it exists
+    if [ -f "$dir/.env" ]; then
+        set -o allexport
+        . "$dir/.env"
+        set +o allexport
    fi
-done
+
+    # Run docker-compose config check
+    if ! docker-compose -f "$compose_file" config -q; then
+        echo "$compose_file return code: 1"
+        exit 1
+    fi
+done
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 .vscode
 .env.priv
-.venv
+.venv
+**/.env
--- a/.woodpecker/lint.yml
+++ b/.woodpecker/lint.yml
@ -20,7 +20,7 @@ steps:
      - rm -rf output.txt
      - apt-get update
      - apt-get install -y curl
-      - curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+      - curl -SL https://github.com/docker/compose/releases/download/v2.33.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
      - chmod +x /usr/local/bin/docker-compose
      - bash .ci/lint_wrap.sh
  comment_2:
--- a/cicd-worker-pub-mep/woodpecker-runner/docker-compose.yaml
+++ b/cicd-worker-pub-mep/woodpecker-runner/docker-compose.yaml
@ -8,7 +8,7 @@ volumes:

 services:
  agent:
-    image: woodpeckerci/woodpecker-agent:latest
+    image: woodpeckerci/woodpecker-agent:next
    container_name: woodpecker_agent
    environment:
      - WOODPECKER_SERVER=grpc.cicd.gnous.eu:443
@ -16,7 +16,8 @@ services:
      - WOODPECKER_GRPC_SECURE=true
      - WOODPECKER_GRPC_VERIFY=true
    env_file:
-      - .env
+      - path: .env
+        required: false
    restart: always
    volumes:
      - agent:/etc/woodpecker
--- a/compute-1-mep/forgejo/docker-compose.yaml
+++ b/compute-1-mep/forgejo/docker-compose.yaml
@ -9,11 +9,12 @@ volumes:

 services:
  server:
-    image: codeberg.org/forgejo/forgejo:10.0.0
+    image: codeberg.org/forgejo/forgejo:12.0.1
    restart: always
    container_name: forgejo
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
      - USER_UID=1000
      - USER_GID=1000
@ -70,8 +71,6 @@ services:
      # web server
      - "traefik.http.services.forgejo-service-gnous.loadbalancer.server.port=3001"
      - "traefik.http.routers.forgejognous.rule=(Host(`git.gnous.eu`)  && !Path(`/metrics`))"
-      - "traefik.http.routers.forgejognous.tls=true"
-      - "traefik.http.routers.forgejognous.tls.certresolver=defaultacme"
      - "traefik.http.routers.forgejognous.entrypoints=websecure"
      - "traefik.http.routers.forgejognous.service=forgejo-service-gnous"
      - "traefik.http.routers.forgejognous.middlewares=proxyHeader@file,proxyError@file"
@ -83,7 +82,7 @@ services:
    depends_on:
      - cache
  cache:
-    image: "redis:7-alpine"
+    image: "redis:8-alpine"
    restart: always
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
--- a/compute-1-mep/freshrss/docker-compose.yaml
+++ b/compute-1-mep/freshrss/docker-compose.yaml
@ -25,8 +25,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.freshrss.entryPoints=websecure"
      - "traefik.http.routers.freshrss.rule=Host(`rss.gnous.eu`)"
-      - "traefik.http.routers.freshrss.tls=true"
-      - "traefik.http.routers.freshrss.tls.certresolver=defaultacme"
      - "traefik.http.routers.freshrss.middlewares=proxyHeader@file,proxyError@file"
    env_file:
      - path: .env
--- a/compute-1-mep/haste/docker-compose.yaml
+++ b/compute-1-mep/haste/docker-compose.yaml
@ -18,8 +18,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.gnoushaste.entryPoints=websecure"
      - "traefik.http.routers.gnoushaste.rule=Host(`haste.gnous.eu`)"
-      - "traefik.http.routers.gnoushaste.tls=true"
-      - "traefik.http.routers.gnoushaste.tls.certresolver=defaultacme"
      - "traefik.http.routers.gnoushaste.middlewares=proxyHeader@file,proxyError@file"
    env_file:
      - path: .env
--- a/compute-1-mep/renovate/.env
+++ b/compute-1-mep/renovate/.env
@ -0,0 +1,2 @@
+RENOVATE_TOKEN=[[RENOVATE_TOKEN]]
+GITHUB_COM_TOKEN=[[RENOVATE_GH_TOKEN]]
--- a/compute-1-mep/renovate/docker-compose.yaml
+++ b/compute-1-mep/renovate/docker-compose.yaml
@ -4,7 +4,7 @@ networks:

 services:
  renovate:
-    image: ghcr.io/renovatebot/renovate:39.156.0-full
+    image: ghcr.io/renovatebot/renovate:41.43.2-full
    restart: always
    environment:
      - LOG_LEVEL=info
@ -14,4 +14,5 @@ services:
      - RENOVATE_GIT_AUTHOR=Renovate bot <renovate@gnous.eu>
      - RENOVATE_TOKEN=${RENOVATE_TOKEN}
    env_file:
-      - .env
+      - path: .env
+        required: false
--- a/compute-1-mep/restic/.env
+++ b/compute-1-mep/restic/.env
@ -0,0 +1,2 @@
+RESTIC_BASE_URL=[[RESTIC_BASE_URL]]
+RESTIC_PASSWORD=[[RESTIC_PASSWORD]]
--- a/compute-1-mep/restic/docker-compose.yaml
+++ b/compute-1-mep/restic/docker-compose.yaml
@ -1,6 +1,6 @@
 services:
  backup:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
    hostname: docker
    restart: unless-stopped
    environment:
@ -31,7 +31,7 @@ services:
      - ./ssh:/run/secrets/.ssh:ro

  prune:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
    hostname: docker
    restart: unless-stopped
    environment:
--- a/compute-1-mep/searx/docker-compose.yaml
+++ b/compute-1-mep/searx/docker-compose.yaml
@ -8,7 +8,7 @@ volumes:

 services:
  server:
-    image: "searxng/searxng:2025.1.6-6dab7fe78"
+    image: "searxng/searxng:2025.4.24-c6c6d3027"
    depends_on:
      - "redis"
    environment:
@ -35,11 +35,9 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.searx.entryPoints=websecure"
      - "traefik.http.routers.searx.rule=Host(`searx.gnous.eu`)"
-      - "traefik.http.routers.searx.tls=true"
-      - "traefik.http.routers.searx.tls.certresolver=defaultacme"
      - "traefik.http.routers.searx.middlewares=proxyHeader@file,proxyError@file"
  redis:
-    image: "redis:7.4-alpine"
+    image: "redis:8.0-alpine"
    command: 'redis-server --save "" --appendonly "no"'
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
--- a/compute-1-mep/traefik-kop/docker-compose.yaml
+++ b/compute-1-mep/traefik-kop/docker-compose.yaml
@ -1,10 +1,11 @@
 services:
  traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.17"
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
      - BIND_IP=10.100.2.2
--- a/compute-1-mep/wallabag/.env
+++ b/compute-1-mep/wallabag/.env
@ -0,0 +1,7 @@
+MEP_DB_HOST_IP=[[MEP_DB_HOST_IP]]
+WALLABAG_DB_NAME=[[WALLABAG_DB_NAME]]
+WALLABAG_DB_PASS=[[WALLABAG_DB_PASS]]
+WALLABAG_DB_USER=[[WALLABAG_DB_USER]]
+SMTP_PASS=[[SMTP_PASS]]
+SMTP_HOST=[[SMTP_HOST]]
+WALLABAG_SECRET=[[WALLABAG_SECRET]]
--- a/compute-1-mep/wallabag/docker-compose.yaml
+++ b/compute-1-mep/wallabag/docker-compose.yaml
@ -8,7 +8,7 @@ volumes:

 services:
  wallabag:
-    image: wallabag/wallabag:2.6.10
+    image: wallabag/wallabag:2.6.13
    restart: unless-stopped
    environment:
      - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
@ -48,8 +48,6 @@ services:
      # web server
      - "traefik.http.services.wallabag-service-gnous.loadbalancer.server.port=3009"
      - "traefik.http.routers.wallabaggnous.rule=Host(`bag.gnous.eu`)"
-      - "traefik.http.routers.wallabaggnous.tls=true"
-      - "traefik.http.routers.wallabaggnous.tls.certresolver=defaultacme"
      - "traefik.http.routers.wallabaggnous.entrypoints=websecure"
      - "traefik.http.routers.wallabaggnous.service=wallabag-service-gnous"
      - "traefik.http.routers.wallabaggnous.middlewares=proxyHeader@file,proxyError@file"
--- a/compute-1-mep/wiki/docker-compose.yaml
+++ b/compute-1-mep/wiki/docker-compose.yaml
@ -12,7 +12,5 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.wiki.entryPoints=websecure"
      - "traefik.http.routers.wiki.rule=Host(`wiki.gnous.eu`)"
-      - "traefik.http.routers.wiki.tls=true"
-      - "traefik.http.routers.wiki.tls.certresolver=defaultacme"
      - "traefik.http.routers.wiki.middlewares=proxyHeader@file,proxyError@file"

--- a/compute-2-mep/gitlab/.env
+++ b/compute-2-mep/gitlab/.env
@ -0,0 +1,3 @@
+SMTP_HOST=[[SMTP_HOST]]
+SMTP_PASS=[[SMTP_PASS]]
+SMTP_USER=[[SMTP_USER]]
--- a/compute-2-mep/gitlab/docker-compose.yaml
+++ b/compute-2-mep/gitlab/docker-compose.yaml
@ -12,7 +12,7 @@ volumes:

 services:
  gitlab:
-    image: gitlab/gitlab-ce:17.8.1-ce.0
+    image: gitlab/gitlab-ce:18.2.1-ce.0
    container_name: gitlab
    restart: always
    hostname: "gitlab.gnous.eu"
@ -48,16 +48,12 @@ services:
      # Web
      - "traefik.http.services.gitlab-gnous.loadbalancer.server.port=3005"
      - "traefik.http.routers.gitlabgnous.rule=Host(`gitlab.gnous.eu`)"
-      - "traefik.http.routers.gitlabgnous.tls=true"
-      - "traefik.http.routers.gitlabgnous.tls.certresolver=defaultacme"
      - "traefik.http.routers.gitlabgnous.entrypoints=websecure"
      - "traefik.http.routers.gitlabgnous.service=gitlab-gnous"
      - "traefik.http.routers.gitlabgnous.middlewares=proxyHeader@file,proxyError@file"
      # Registry
      - "traefik.http.services.registry-gnous.loadbalancer.server.port=3006"
      - "traefik.http.routers.registrygnous.rule=Host(`pkg.gnous.eu`)"
-      - "traefik.http.routers.registrygnous.tls=true"
-      - "traefik.http.routers.registrygnous.tls.certresolver=defaultacme"
      - "traefik.http.routers.registrygnous.entrypoints=websecure"
      - "traefik.http.routers.registrygnous.service=registry-gnous"
      - "traefik.http.routers.registrygnous.middlewares=proxyHeader@file,proxyError@file"
@ -65,4 +61,4 @@ services:
      - "traefik.tcp.routers.gitlabssh.entrypoints=sshgitlab"
      - "traefik.tcp.routers.gitlabssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitlabssh.service=gitlab-ssh"
-      - "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=3007"
+      - "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=3007"
--- a/compute-2-mep/gnous_frontend/docker-compose.yaml
+++ b/compute-2-mep/gnous_frontend/docker-compose.yaml
@ -13,6 +13,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.gnousdoteu.entryPoints=websecure"
      - "traefik.http.routers.gnousdoteu.rule=Host(`gnous.eu`)"
-      - "traefik.http.routers.gnousdoteu.tls=true"
-      - "traefik.http.routers.gnousdoteu.tls.certresolver=defaultacme"
      - "traefik.http.routers.gnousdoteu.middlewares=proxyHeader@file,proxyError@file"
--- a/compute-2-mep/mastodon/.env.production
+++ b/compute-2-mep/mastodon/.env.production
@ -19,7 +19,7 @@ SMTP_FROM_ADDRESS=Mastodon <service@gnous.eu>
 S3_ENABLED=true
 S3_BUCKET=gnoustoot
 S3_REGION=fr-par
-S3_HOSTNAME=obiwan.gnous.eu
+S3_HOSTNAME=cdn.gnous.eu
 S3_ENDPOINT=https://s3.fr-par.scw.cloud

 ES_ENABLED=false
--- a/compute-2-mep/mastodon/docker-compose.yaml
+++ b/compute-2-mep/mastodon/docker-compose.yaml
@ -5,7 +5,7 @@ networks:

 services:
  redis:
-    image: redis:7-alpine
+    image: redis:8-alpine
    restart: always
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
@ -13,7 +13,7 @@ services:
      - mastodon

  web:
-    image: ghcr.io/mastodon/mastodon:v4.3.3
+    image: ghcr.io/mastodon/mastodon:v4.4.2
    restart: always
    env_file:
      - path: .env.production
@ -33,8 +33,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.mastodon-web.entrypoints=websecure"
      - "traefik.http.routers.mastodon-web.rule=Host(`toot.gnous.eu`)"
-      - "traefik.http.routers.mastodon-web.tls=true"
-      - "traefik.http.routers.mastodon-web.tls.certresolver=defaultacme"
      - "traefik.http.routers.mastodon-web.middlewares=proxyHeader@file,proxyError@file"
      # Cron
      - "ofelia.enabled=true"
@ -44,7 +42,7 @@ services:
      - "ofelia.job-exec.clean-account.command=tootctl accounts cull"

  streaming:
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.3
+    image: ghcr.io/mastodon/mastodon-streaming:v4.4.2
    restart: always
    env_file:
      - path: .env.production
@ -64,13 +62,10 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.mastodon-streaming.entrypoints=websecure"
      - "traefik.http.routers.mastodon-streaming.rule=(Host(`toot.gnous.eu`) && PathPrefix(`/api/v1/streaming`))"
-      - "traefik.http.routers.mastodon-streaming.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.mastodon-streaming.tls=true"
-      - "traefik.http.routers.mastodon-streaming.tls.certresolver=defaultacme"
      - "traefik.http.routers.mastodon-streaming.middlewares=proxyHeader@file,proxyError@file"

  sidekiq:
-    image: ghcr.io/mastodon/mastodon:v4.3.3
+    image: ghcr.io/mastodon/mastodon:v4.4.2
    restart: always
    env_file:
      - path: .env.production
--- a/compute-2-mep/restic/.env
+++ b/compute-2-mep/restic/.env
@ -0,0 +1,2 @@
+RESTIC_BASE_URL=[[RESTIC_BASE_URL]]
+RESTIC_PASSWORD=[[RESTIC_PASSWORD]]
--- a/compute-2-mep/restic/docker-compose.yaml
+++ b/compute-2-mep/restic/docker-compose.yaml
@ -1,6 +1,6 @@
 services:
  backup:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
    hostname: docker
    restart: unless-stopped
    environment:
@ -28,7 +28,7 @@ services:
      - ./ssh:/run/secrets/.ssh:ro

  prune:
-    image: mazzolino/restic:1.7.2
+    image: mazzolino/restic:1.8.0
    hostname: docker
    restart: unless-stopped
    environment:
--- a/compute-2-mep/traefik-kop/docker-compose.yaml
+++ b/compute-2-mep/traefik-kop/docker-compose.yaml
@ -1,10 +1,11 @@
 services:
  traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.17"
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
      - BIND_IP=10.100.2.3
--- a/compute-2-mep/vaultwarden/docker-compose.yaml
+++ b/compute-2-mep/vaultwarden/docker-compose.yaml
@ -8,7 +8,7 @@ volumes:

 services:
  vaultwarden:
-    image: vaultwarden/server:1.33.0
+    image: vaultwarden/server:1.34.1
    container_name: vaultwarden
    environment:
      - WEBSOCKET_ENABLED=true # Enable WebSocket notifications.
@ -24,8 +24,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.entryPoints=websecure"
      - "traefik.http.routers.vaultwarden.rule=Host(`pass.gnous.eu`)"
-      - "traefik.http.routers.vaultwarden.tls=true"
-      - "traefik.http.routers.vaultwarden.tls.certresolver=defaultacme"
      - "traefik.http.routers.vaultwarden.middlewares=proxyHeader@file,proxyError@file"
    restart: always
    volumes:
--- a/compute-2-mep/woodpecker/.env
+++ b/compute-2-mep/woodpecker/.env
@ -0,0 +1,4 @@
+WOODPECKER_GITEA_CLIENT=[[WOODPECKER_GITEA_CLIENT]]
+WOODPECKER_GITEA_SECRET=[[WOODPECKER_GITEA_SECRET]]
+WOODPECKER_DB_PASS=[[WOODPECKER_DB_PASS]]
+MEP_DB_HOST=[[MEP_DB_HOST]]
--- a/compute-2-mep/woodpecker/docker-compose.yaml
+++ b/compute-2-mep/woodpecker/docker-compose.yaml
@ -9,7 +9,7 @@ volumes:

 services:
  server:
-    image: woodpeckerci/woodpecker-server:v3.0.1
+    image: woodpeckerci/woodpecker-server:v3.8.0
    container_name: woodpecker_server
    environment:
      - WOODPECKER_OPEN=true
@ -40,8 +40,6 @@ services:
      # web server
      - "traefik.http.services.woodpecker-service-gnous.loadbalancer.server.port=4001"
      - "traefik.http.routers.woodpeckergnous.rule=Host(`cicd.gnous.eu`)"
-      - "traefik.http.routers.woodpeckergnous.tls=true"
-      - "traefik.http.routers.woodpeckergnous.tls.certresolver=defaultacme"
      - "traefik.http.routers.woodpeckergnous.entrypoints=websecure"
      - "traefik.http.routers.woodpeckergnous.service=woodpecker-service-gnous"
      - "traefik.http.routers.woodpeckergnous.middlewares=proxyHeader@file,proxyError@file"
@ -49,8 +47,6 @@ services:
      - "traefik.http.services.woodpecker-grpc-gnous.loadbalancer.server.port=4002"
      - "traefik.http.services.woodpecker-grpc-gnous.loadbalancer.server.scheme=h2c"
      - "traefik.http.routers.woodpecker-grpc-gnous.rule=Host(`grpc.cicd.gnous.eu`)"
-      - "traefik.http.routers.woodpecker-grpc-gnous.tls=true"
-      - "traefik.http.routers.woodpecker-grpc-gnous.tls.certresolver=defaultacme"
      - "traefik.http.routers.woodpecker-grpc-gnous.entrypoints=websecure"
      - "traefik.http.routers.woodpecker-grpc-gnous.service=woodpecker-grpc-gnous"
      - "traefik.http.routers.woodpecker-grpc-gnous.middlewares=woodpecker-grpc-redirect@docker"
--- a/compute-gra/traefik/.env
+++ b/compute-gra/traefik/.env
@ -0,0 +1,20 @@
+TRAEFIK_KOP_REDIS_ADDR=[[TRAEFIK_KOP_REDIS_ADDR]]
+TRAEFIK_KOP_REDIS_PASS=[[TRAEFIK_KOP_REDIS_PASS]]
+
+# TRACS3 ENV 
+TRACS_AWS_REGION=[[TRACS_AWS_REGION]]
+TRACS_S3_ENDPOINT=[[TRACS_S3_ENDPOINT]]
+TRACS_S3_ACCESS_KEY_ID=[[TRACS_S3_ACCESS_KEY_ID]]
+TRACS_S3_SECRET=[[TRACS_S3_SECRET]]
+TRACS_CLOSET_BUCKET=[[TRACS_CLOSET_BUCKET]]
+TRACS_CLOSET_PASSWORD=[[TRACS_CLOSET_PASSWORD]]
+AWS_CONFIGURE_PLUGINS=awscli_plugin_endpoint
+AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED
+AWS_S3_SIGNATURE_VERSION=s3v4
+TRAEFIK_LOCAL_STORE=/certificates/
+TRAEFIK_OUTPUT_FILE=/configs/certificates.toml
+TRAEFIK_CERTIFICATE_DIR=/certificates/
+
+# TRACING
+OLTP_HTTP_ENDPOINT=[[OLTP_HTTP_ENDPOINT]]
+OLTP_HTTP_BASIC_AUTH=[[OLTP_HTTP_BASIC_AUTH]]
--- a/compute-gra/traefik/docker-compose.yaml
+++ b/compute-gra/traefik/docker-compose.yaml
@ -0,0 +1,110 @@
+services:
+  traefik:
+    image: "traefik:v3.5.0"
+    container_name: "traefik"
+    command:
+      - "--log.level=info"
+      - "--log.maxsize=100"
+      - "--log.maxage=3"
+
+      - "--metrics.prometheus=true"
+
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.to=webpublic"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.web.http.redirections.entryPoint.permanent=true"
+      - "--entryPoints.web.allowACMEByPass=true"
+      - "--entryPoints.websecure.address=:446"
+      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.webpublic.address=:443"
+      - "--entryPoints.webpublic.http.tls=true"
+      - "--entryPoints.webpublic.forwardedHeaders.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.ssh.address=:2222"
+      - "--entryPoints.sshgitlab.address=:2223"
+
+      - "--providers.file.directory=/traefik"
+      - "--providers.redis.endpoints=${TRAEFIK_KOP_REDIS_ADDR}"
+      - "--providers.redis.password=${TRAEFIK_KOP_REDIS_PASS}"
+
+      - "--tracing=true"
+      - "--tracing.otlp=true"
+      - "--tracing.otlp.http=true"
+      - "--tracing.serviceName=traefik"
+      - "--tracing.sampleRate=0.2"
+      - "--tracing.otlp.http.endpoint=${OLTP_HTTP_ENDPOINT}"
+      - "--tracing.otlp.http.headers.Authorization=Basic ${OLTP_HTTP_BASIC_AUTH}"
+    restart: always
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/etc/traefik/sites:/traefik"
+      - "certificates:/certificates"
+    network_mode: host
+
+  epee:
+    image: "git.gnous.eu/enpls/epee-service:stable"
+    restart: always
+    container_name: "epee"
+    ports:
+      - "5900:5900"
+    networks:
+      - traefik_internal
+
+  varnish:
+    image: varnish:7.7.1
+    restart: always
+    command: -F -a :445,PROXY -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pool_timeout=120 -i varnish -s malloc,2048M -n varnish
+    ports:
+      - 445:445
+    volumes:
+      - /etc/varnish:/etc/varnish
+      - "workdir:/var/lib/varnish"
+
+
+  tracs3:
+    image: ghcr.io/outout14/traefik-acme-s3:main
+    env_file:
+      - tracs3.env
+    command:
+      - "sync"
+    volumes:
+      - "/etc/traefik/sites:/configs"
+      - "certificates:/certificates"
+    network_mode: "host"
+    environment:
+      - AWS_REGION=${TRACS_AWS_REGION}
+      - AWS_DEFAULT_REGION=${TRACS_AWS_REGION}
+      - AWS_ENDPOINT_URL=${TRACS_S3_ENDPOINT}
+      - AWS_S3_ENDPOINT=${TRACS_S3_ENDPOINT}
+      - AWS_S3API_ENDPOINT=${TRACS_S3_ENDPOINT}
+
+      - AWS_ACCESS_KEY_ID=${TRACS_S3_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${TRACS_S3_SECRET}
+
+      - CLOSET_BUCKET=${TRACS_CLOSET_BUCKET}
+      - CLOSET_PASSWORD=${TRACS_CLOSET_PASSWORD}
+
+  tracs3-certificate-sync:
+    image: mcuadros/ofelia:latest
+    restart: always
+    depends_on:
+      tracs3:
+        condition: service_completed_successfully
+    command: daemon --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      ofelia.job-run.certificate-rotate.schedule: "@every 10m"
+      ofelia.job-run.certificate-rotate.command:  "sh -c 'docker restart front-http-par-tracs3-1'"
+      ofelia.job-run.certificate-rotate.image:  "docker:cli"
+      ofelia.job-run.certificate-rotate.volume:  "/var/run/docker.sock:/var/run/docker.sock"
+
+volumes:
+  certificates:
+  workdir:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+networks:
+  traefik_internal:
+    enable_ipv6: true
--- a/compute-vel/traefik/.env
+++ b/compute-vel/traefik/.env
@ -0,0 +1,20 @@
+TRAEFIK_KOP_REDIS_ADDR=[[TRAEFIK_KOP_REDIS_ADDR]]
+TRAEFIK_KOP_REDIS_PASS=[[TRAEFIK_KOP_REDIS_PASS]]
+
+# TRACS3 ENV 
+TRACS_AWS_REGION=[[TRACS_AWS_REGION]]
+TRACS_S3_ENDPOINT=[[TRACS_S3_ENDPOINT]]
+TRACS_S3_ACCESS_KEY_ID=[[TRACS_S3_ACCESS_KEY_ID]]
+TRACS_S3_SECRET=[[TRACS_S3_SECRET]]
+TRACS_CLOSET_BUCKET=[[TRACS_CLOSET_BUCKET]]
+TRACS_CLOSET_PASSWORD=[[TRACS_CLOSET_PASSWORD]]
+AWS_CONFIGURE_PLUGINS=awscli_plugin_endpoint
+AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED
+AWS_S3_SIGNATURE_VERSION=s3v4
+TRAEFIK_LOCAL_STORE=/certificates/
+TRAEFIK_OUTPUT_FILE=/configs/certificates.toml
+TRAEFIK_CERTIFICATE_DIR=/certificates/
+
+# TRACING
+OLTP_HTTP_ENDPOINT=[[OLTP_HTTP_ENDPOINT]]
+OLTP_HTTP_BASIC_AUTH=[[OLTP_HTTP_BASIC_AUTH]]
--- a/compute-vel/traefik/docker-compose.yaml
+++ b/compute-vel/traefik/docker-compose.yaml
@ -0,0 +1,110 @@
+services:
+  traefik:
+    image: "traefik:v3.5.0"
+    container_name: "traefik"
+    command:
+      - "--log.level=info"
+      - "--log.maxsize=100"
+      - "--log.maxage=3"
+
+      - "--metrics.prometheus=true"
+
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.to=webpublic"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.web.http.redirections.entryPoint.permanent=true"
+      - "--entryPoints.web.allowACMEByPass=true"
+      - "--entryPoints.websecure.address=:446"
+      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.webpublic.address=:443"
+      - "--entryPoints.webpublic.http.tls=true"
+      - "--entryPoints.webpublic.forwardedHeaders.trustedIPs=172.0.0.0/8"
+      - "--entryPoints.ssh.address=:2222"
+      - "--entryPoints.sshgitlab.address=:2223"
+
+      - "--providers.file.directory=/traefik"
+      - "--providers.redis.endpoints=${TRAEFIK_KOP_REDIS_ADDR}"
+      - "--providers.redis.password=${TRAEFIK_KOP_REDIS_PASS}"
+
+      - "--tracing=true"
+      - "--tracing.otlp=true"
+      - "--tracing.otlp.http=true"
+      - "--tracing.serviceName=traefik"
+      - "--tracing.sampleRate=0.2"
+      - "--tracing.otlp.http.endpoint=${OLTP_HTTP_ENDPOINT}"
+      - "--tracing.otlp.http.headers.Authorization=Basic ${OLTP_HTTP_BASIC_AUTH}"
+    restart: always
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/etc/traefik/sites:/traefik"
+      - "certificates:/certificates"
+    network_mode: host
+
+  epee:
+    image: "git.gnous.eu/enpls/epee-service:stable"
+    restart: always
+    container_name: "epee"
+    ports:
+      - "5900:5900"
+    networks:
+      - traefik_internal
+
+  varnish:
+    image: varnish:7.7.1
+    restart: always
+    command: -F -a :445,PROXY -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pool_timeout=120 -i varnish -s malloc,2048M -n varnish
+    ports:
+      - 445:445
+    volumes:
+      - /etc/varnish:/etc/varnish
+      - "workdir:/var/lib/varnish"
+
+
+  tracs3:
+    image: ghcr.io/outout14/traefik-acme-s3:main
+    env_file:
+      - tracs3.env
+    command:
+      - "sync"
+    volumes:
+      - "/etc/traefik/sites:/configs"
+      - "certificates:/certificates"
+    network_mode: "host"
+    environment:
+      - AWS_REGION=${TRACS_AWS_REGION}
+      - AWS_DEFAULT_REGION=${TRACS_AWS_REGION}
+      - AWS_ENDPOINT_URL=${TRACS_S3_ENDPOINT}
+      - AWS_S3_ENDPOINT=${TRACS_S3_ENDPOINT}
+      - AWS_S3API_ENDPOINT=${TRACS_S3_ENDPOINT}
+
+      - AWS_ACCESS_KEY_ID=${TRACS_S3_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${TRACS_S3_SECRET}
+
+      - CLOSET_BUCKET=${TRACS_CLOSET_BUCKET}
+      - CLOSET_PASSWORD=${TRACS_CLOSET_PASSWORD}
+
+  tracs3-certificate-sync:
+    image: mcuadros/ofelia:latest
+    restart: always
+    depends_on:
+      tracs3:
+        condition: service_completed_successfully
+    command: daemon --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      ofelia.job-run.certificate-rotate.schedule: "@every 10m"
+      ofelia.job-run.certificate-rotate.command:  "sh -c 'docker restart front-http-par-tracs3-1'"
+      ofelia.job-run.certificate-rotate.image:  "docker:cli"
+      ofelia.job-run.certificate-rotate.volume:  "/var/run/docker.sock:/var/run/docker.sock"
+
+volumes:
+  certificates:
+  workdir:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+networks:
+  traefik_internal:
+    enable_ipv6: true
--- a/compute-vel/traefik/tracs3.env
+++ b/compute-vel/traefik/tracs3.env
--- a/internals/komodo/.env
+++ b/internals/komodo/.env
@ -0,0 +1,7 @@
+DB_USERNAME=[[KOMODO_DB_USERNAME]]
+DB_PASSWORD=[[KOMODO_DB_PASSWORD]]
+KOMODO_PASSKEY=[[KOMODO_PASSKEY]]
+KOMODO_WEBHOOK_SECRET=[[KOMODO_WEBHOOK_SECRET]]
+KOMODO_JWT_SECRET=[[KOMODO_JWT_SECRET]]
+KOMODO_OIDC_CLIENT_SECRET=[[KOMODO_OIDC_CLIENT_SECRET]]
+PERIPHERY_PASSKEYS=[[KOMODO_PASSKEY]]
--- a/internals/komodo/docker-compose.yaml
+++ b/internals/komodo/docker-compose.yaml
@ -18,6 +18,7 @@ services:
    env_file:
      - path: ./core.env
      - path: ./.env
+        required: false
  core:
    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    restart: unless-stopped
@ -32,6 +33,7 @@ services:
    env_file:
      - path: ./core.env
      - path: ./.env
+        required: false
    environment:
      KOMODO_DATABASE_ADDRESS: mongo:27017
      KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
@ -43,8 +45,6 @@ services:
      - "traefik.http.routers.komodo.entryPoints=websecure"
      - "traefik.http.routers.komodo.rule=Host(`deploy.net.enpls.org`)"
      - "traefik.http.routers.komodo.tls=true"
-      - "traefik.http.routers.komodo.tls.certresolver=defaultacme"
-      - "traefik.http.routers.komodo.middlewares=proxyHeader@file,proxyError@file"
      - "komodo.skip:"

  periphery:
@ -59,6 +59,7 @@ services:
    env_file:
      - path: ./core.env
      - path: ./.env
+        required: false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /proc:/proc
--- a/internals/semaphore/docker-compose.yaml
+++ b/internals/semaphore/docker-compose.yaml
@ -6,7 +6,8 @@ services:
    volumes: 
     - db:/var/lib/postgresql/data
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
     POSTGRES_USER: semaphore
     POSTGRES_DB: semaphore
@ -14,9 +15,10 @@ services:
    restart: unless-stopped
    ports:
      - 8085:3000
-    image: semaphoreui/semaphore:v2.12.3
+    image: semaphoreui/semaphore:v2.15.4
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
      SEMAPHORE_DB_USER: semaphore
      SEMAPHORE_DB_HOST: postgres
@ -31,8 +33,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.services.semaphore-service.loadbalancer.server.port=8085"
      - "traefik.http.routers.semaphore.rule=Host(`semaphore.net.enpls.org`)"
-      - "traefik.http.routers.semaphore.tls=true"
-      - "traefik.http.routers.semaphore.tls.certresolver=defaultacme"
      - "traefik.http.routers.semaphore.entrypoints=websecure"
      - "traefik.http.routers.semaphore.service=semaphore-service"
      - "traefik.http.routers.semaphore.middlewares=proxyHeader@file,proxyError@file"
--- a/internals/traefik-kop/docker-compose.yaml
+++ b/internals/traefik-kop/docker-compose.yaml
@ -1,10 +1,11 @@
 services:
  traefik-kop:
-    image: "ghcr.io/jittering/traefik-kop:0.14"
+    image: "ghcr.io/jittering/traefik-kop:0.17"
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    env_file:
-      - .env
+      - path: .env
+        required: false
    environment:
      - BIND_IP=10.100.2.5
--- a/internals/vikunja/docker-compose.yaml
+++ b/internals/vikunja/docker-compose.yaml
@ -0,0 +1,60 @@
+services:
+  vikunja:
+    image: vikunja/vikunja:0.24.6
+    environment:
+      VIKUNJA_SERVICE_PUBLICURL: https://todo.net.enpls.org
+      VIKUNJA_DATABASE_HOST: db
+      VIKUNJA_DATABASE_PASSWORD: vikunja
+      VIKUNJA_DATABASE_TYPE: postgres
+      VIKUNJA_DATABASE_USER: vikunja
+      VIKUNJA_DATABASE_DATABASE: vikunja
+      VIKUNJA_SERVICE_ENABLEREGISTRATION: true
+      VIKUNJA_AUTH_LOCAL_ENABLED: false
+      VIKUNJA_AUTH_OPENID_ENABLED: true
+      VIKUNJA_AUTH_OPENID_REDIRECT_URL: "https://todo.net.enpls.org/auth/openid/"
+      VIKUNJA_AUTH_OPENID_PROVIDERS_IDM_NAME: "Kanidm"
+      VIKUNJA_AUTH_OPENID_PROVIDERS_IDM_AUTHURL: "https://idm.enpls.org/oauth2/openid/vikunja"
+      VIKUNJA_AUTH_OPENID_PROVIDERS_IDM_SCOPE: "openid profile email"
+
+    volumes: 
+      - vikunja:/app/vikunja/files
+      - config:/etc/vikunja
+    networks:
+      - vikunja
+    ports:
+      - 3456:3456
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vikunja.rule=Host(`todo.net.enpls.org`)"
+      - "traefik.http.routers.vikunja.entrypoints=websecure"
+      - "traefik.http.routers.vikunja.middlewares=proxyHeader@file,proxyError@file"
+
+  db:
+    image: postgres:17
+    environment:
+      POSTGRES_PASSWORD: vikunja
+      POSTGRES_USER: vikunja
+    volumes:
+      - pgdata2:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -h localhost -U $$POSTGRES_USER"]
+      interval: 2s
+    networks:
+      - vikunja
+
+volumes:
+  pgdata2:
+    driver: local
+  vikunja:
+    driver: local
+  config:
+    driver: local
+
+networks:
+  vikunja:
+    external: false
--- a/internals/wikijs/docker-compose.yaml
+++ b/internals/wikijs/docker-compose.yaml
@ -2,7 +2,8 @@ services:
  db:
    image: postgres:14
    env_file:
-      - .env
+      - path: .env
+        required: false
    logging:
      driver: "none"
    restart: unless-stopped
@ -10,7 +11,7 @@ services:
      - db-data:/var/lib/postgresql/data

  server:
-    image: ghcr.io/requarks/wiki:2.5.305
+    image: ghcr.io/requarks/wiki:2.5.307
    depends_on:
      - db
    environment:
@ -18,7 +19,8 @@ services:
      DB_HOST: db
      DB_PORT: 5432
    env_file:
-      - .env
+      - path: .env
+        required: false 
    restart: unless-stopped
    ports:
      - "8082:3000"
@ -26,8 +28,6 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.wikijs.entryPoints=websecure"
      - "traefik.http.routers.wikijs.rule=Host(`doc.net.enpls.org`)"
-      - "traefik.http.routers.wikijs.tls=true"
-      - "traefik.http.routers.wikijs.tls.certresolver=defaultacme"
      - "traefik.http.routers.wikijs.middlewares=proxyHeader@file,proxyError@file"

 volumes:
--- a/internals/woodpecker-worker/docker-compose.yaml
+++ b/internals/woodpecker-worker/docker-compose.yaml
@ -12,7 +12,8 @@ services:
      - WOODPECKER_GRPC_SECURE=true
      - WOODPECKER_GRPC_VERIFY=true
    env_file:
-      - .env
+      - path: .env
+        required: false
    restart: always
    volumes:
      - agent:/etc/woodpecker
--- a/internals/woodpecker/docker-compose.yaml
+++ b/internals/woodpecker/docker-compose.yaml
@ -10,7 +10,7 @@ volumes:

 services:
  server:
-    image: woodpeckerci/woodpecker-server:v3.0.1
+    image: woodpeckerci/woodpecker-server:v3.8.0
    container_name: woodpecker_server
    environment:
      - WOODPECKER_OPEN=false
@ -24,8 +24,10 @@ services:
      - WOODPECKER_GITEA=true
      - WOODPECKER_GITEA_URL=https://git.gnous.eu
      - WOODPECKER_DATABASE_DRIVER=postgres
+      - WOODPECKER_PLUGINS_PRIVILEGED=woodpeckerci/plugin-docker-buildx:5.2
    env_file:
-      - .env
+      - path: .env
+        required: false
    restart: always
    networks:
      - woodpecker
@ -39,8 +41,6 @@ services:
      # web server
      - "traefik.http.services.woodpecker-service.loadbalancer.server.port=8083"
      - "traefik.http.routers.woodpecker.rule=Host(`build.net.enpls.org`)"
-      - "traefik.http.routers.woodpecker.tls=true"
-      - "traefik.http.routers.woodpecker.tls.certresolver=defaultacme"
      - "traefik.http.routers.woodpecker.entrypoints=websecure"
      - "traefik.http.routers.woodpecker.service=woodpecker-service"
      - "traefik.http.routers.woodpecker.middlewares=proxyHeader@file,proxyError@file"
@ -48,8 +48,6 @@ services:
      - "traefik.http.services.woodpecker-grpc.loadbalancer.server.port=8084"
      - "traefik.http.services.woodpecker-grpc.loadbalancer.server.scheme=h2c"
      - "traefik.http.routers.woodpecker-grpc-secure.rule=Host(`grpc.build.net.enpls.org`)"
-      - "traefik.http.routers.woodpecker-grpc-secure.tls=true"
-      - "traefik.http.routers.woodpecker-grpc-secure.tls.certresolver=defaultacme"
      - "traefik.http.routers.woodpecker-grpc-secure.entrypoints=websecure"
      - "traefik.http.routers.woodpecker-grpc-secure.service=woodpecker-grpc"
      - "traefik.http.routers.woodpecker-grpc.middlewares=woodpecker-grpc-redirect@docker"
@ -61,7 +59,8 @@ services:
    image: postgres:14-alpine
    restart: always
    env_file:
-      - .env
+      - path: .env
+        required: false
    networks:
      - woodpecker
    volumes: