chore: first update for docker-compose files

docs/examples/docker/idp-authelia-traefik/docker-compose.yml

@@ -6,7 +6,7 @@ networks:
 
 services:
   copyparty:
-    image: copyparty/ac
+    image: copyparty/ac:latest
     container_name: idp_copyparty
     user: "1000:1000"  # should match the user/group of your fileshare volumes
     volumes:
@@ -19,14 +19,13 @@ services:
     labels:
       - 'traefik.enable=true'
       - 'traefik.http.routers.copyparty.rule=Host(`fs.example.com`)'
-      - 'traefik.http.routers.copyparty.entrypoints=https'
+      - 'traefik.http.routers.copyparty.entrypoints=websecure'
       - 'traefik.http.routers.copyparty.tls=true'
       - 'traefik.http.routers.copyparty.middlewares=authelia@docker'
     stop_grace_period: 15s  # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
     environment:
       LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE
       # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram)
-
       PYTHONUNBUFFERED: 1
       # ensures log-messages are not delayed (but can reduce speed a tiny bit)
 
@@ -40,7 +39,7 @@ services:
     labels:
       - 'traefik.enable=true'
       - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
-      - 'traefik.http.routers.authelia.entrypoints=https'
+      - 'traefik.http.routers.authelia.entrypoints=websecure'
       - 'traefik.http.routers.authelia.tls=true'
       #- 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'  # uncomment this to enable automatic certificate signing (1/2)
       - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.example.com'
@@ -54,11 +53,11 @@ services:
     environment:
       - TZ=Etc/UTC
 
-  redis:
+  valkey:
-    image: redis:7.2.4-alpine3.19
+    image: valkey/valkey:8.0-alpine
-    container_name: idp_redis
+    container_name: idp_valkey
     volumes:
-      - ./redis:/data:z
+      - ./valkey:/data:z
     networks:
       - net
     expose:
@@ -67,14 +66,34 @@ services:
     environment:
       - TZ=Etc/UTC
 
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.3
+    container_name: idp_socket_proxy
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - NETWORKS=1
+      - EVENTS=1
+      - PING=1 
+      - VERSION=1
+      - LOG_LEVEL=warning
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /run:noexec,nosuid,size=10m
+    networks:
+      - net
+    expose:
+      - 2375
+
   traefik:
-    image: traefik:2.11.0
+    image: traefik:3.5
     container_name: idp_traefik
     volumes:
       - ./traefik:/etc/traefik:z
-      - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
-    security_opt:
-      - label:disable  # disable selinux because it (rightly) blocks access to docker.sock
     networks:
       - net
     labels:
@@ -90,16 +109,16 @@ services:
       - '443:443'
     command:
       - '--api'
-      - '--providers.docker=true'
+      - '--providers.docker.endpoint=tcp://socket-proxy:2375'
       - '--providers.docker.exposedByDefault=false'
-      - '--entrypoints.http=true'
+      - '--entrypoints.web.address=:80'
-      - '--entrypoints.http.address=:80'
+      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
-      - '--entrypoints.http.http.redirections.entrypoint.to=https'
+      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
-      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
+      - '--entrypoints.websecure.address=:443'
-      - '--entrypoints.https=true'
-      - '--entrypoints.https.address=:443'
       - '--certificatesResolvers.letsencrypt.acme.email=your-email@your-domain.com'
       - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json'
       - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http'
-      - '--log=true'
+      
       - '--log.level=WARNING'  # DEBUG
+    depends_on:
+      - idp_socket_proxy

docs/examples/docker/idp-authentik-traefik/docker-compose.yml

@@ -3,12 +3,12 @@
 volumes:
   database:
     driver: local
-  redis:
+  valkey:
     driver: local
 
 services:
   copyparty:
-    image: copyparty/ac
+    image: copyparty/ac:latest
     container_name: idp_copyparty
     restart: unless-stopped
     user: "1000:1000"  # should match the user/group of your fileshare volumes
@@ -30,20 +30,46 @@ services:
       PYTHONUNBUFFERED: 1
       # ensures log-messages are not delayed (but can reduce speed a tiny bit)
 
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.3
+    container_name: idp_socket_proxy
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - NETWORKS=1
+      - EVENTS=1
+      - PING=1 
+      - VERSION=1
+      - LOG_LEVEL=warning
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /run:noexec,nosuid,size=10m
+    expose:
+      - 2375
+
   traefik:
-    image: traefik:v2.11
+    image: traefik:3.5
     container_name: traefik
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
+      - ./traefik:/etc/traefik:Z
-    security_opt:
-      - label:disable  # disable selinux because it (rightly) blocks access to docker.sock
     ports:
-      - 80:80
+      - "80:80"
+      - "443:443"
     command:
       - '--api'
-      - '--providers.docker=true'
+      - '--providers.docker.endpoint=tcp://socket-proxy:2375'
       - '--providers.docker.exposedByDefault=false'
       - '--entrypoints.web.address=:80'
+      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
+      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
+      - '--entrypoints.websecure.address=:443'
+      - '--log.level=WARNING'
+    depends_on:
+      - idp_socket_proxy
 
   postgresql:
     image: docker.io/library/postgres:12-alpine
@@ -64,19 +90,19 @@ services:
     env_file:
       - .env
 
-  redis:
+  valkey:
-    image: docker.io/library/redis:alpine
+    image: valkey/valkey:8.0-alpine
     command: --save 60 1 --loglevel warning
-    container_name: idp_redis
+    container_name: idp_valkey
     restart: unless-stopped
     healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
       start_period: 20s
       interval: 30s
       retries: 5
       timeout: 3s
     volumes:
-      - redis:/data:z
+      - valkey:/data:z
 
   authentik_server:
     image: ghcr.io/goauthentik/server:2024.2.1