
fix: template validation, variable ordering, and traefik issues

- Fix: Add missing section toggles (13 templates)
- Fix: Correct variable ordering based on dependencies (8 templates)
- Fix: Add traefik_tls_enabled needs constraint to TLS credentials
- Fix: Remove duplicate --ping.entryPoint in traefik compose
- Fix: Remove incompatible traefik_tls_min_version static flag (Traefik v3)

Fixes #1665 #1633

Co-Authored-By: Warp <agent@warp.dev>
xcad 3 hafta önce
ebeveyn
işleme
c4532c9b25

+ 0 - 36
library/compose/bind9/template.yaml

@@ -49,42 +49,6 @@ spec:
         needs:
           - tsig_enabled=true
   network:
-    vars:
-      network_name:
-        type: str
-        required: true
-      network_macvlan_ipv4_address:
-        type: str
-        default: 192.168.1.253
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_parent_interface:
-        type: str
-        default: eth0
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_subnet:
-        type: str
-        default: 192.168.1.0/24
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_gateway:
-        type: str
-        default: 192.168.1.1
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_external:
-        type: bool
-        default: false
-        description: Whether the network is external
-      network_mode:
-        type: str
-        default: bridge
-        description: The network mode for the container
   volume:
     vars:
       volume_mode:

+ 0 - 26
library/compose/gitea/template.yaml

@@ -61,32 +61,6 @@ spec:
           - traefik_enabled=false
         default: https://git.example.com
   database:
-    vars:
-      database_type:
-        type: enum
-        options:
-          - sqlite
-          - postgres
-          - mysql
-        default: sqlite
-        required: true
-      database_host:
-        type: str
-        needs:
-          - database_external=true;database_type=postgres,mysql
-        required: true
-      database_name:
-        default: gitea
-      database_user:
-        default: gitea
-      database_password:
-        type: str
-        sensitive: true
-        required: true
-      database_external:
-        type: bool
-        default: false
-        description: Use external database
   ports:
     vars:
       ports_http:

+ 2 - 0
library/compose/gitlab/template.yaml

@@ -184,6 +184,7 @@ spec:
         default: false
         description: Enable Traefik TLS
   email:
+    toggle: email_enabled
     vars:
       email_enabled:
         type: bool
@@ -219,6 +220,7 @@ spec:
         default: false
         description: Use SSL encryption
   authentik:
+    toggle: authentik_enabled
     vars:
       authentik_enabled:
         type: bool

+ 25 - 17
library/compose/grafana/template.yaml

@@ -52,7 +52,12 @@ spec:
       ports_http:
         default: 3000
   authentik:
+    toggle: authentik_enabled
     vars:
+      authentik_enabled:
+        type: bool
+        default: false
+        description: Enable Authentik SSO integration
       authentik_url:
         type: url
         default: https://auth.home.arpa
@@ -73,10 +78,6 @@ spec:
         sensitive: true
         required: true
         needs: authentik_enabled=true
-      authentik_enabled:
-        type: bool
-        default: false
-        description: Enable Authentik SSO integration
   traefik:
     vars:
       traefik_host:
@@ -110,6 +111,11 @@ spec:
         options:
           - sqlite
           - postgres
+      database_external:
+        type: bool
+        default: false
+        description: Use external database
+        needs: database_type=postgres
       database_name:
         type: str
         default: grafana
@@ -118,35 +124,37 @@ spec:
         type: str
         default: grafana
         needs: database_type=postgres
-      database_host:
-        type: str
-        required: true
-        needs: ["database_type=postgres", "database_external=true"]
       database_password:
         type: str
         sensitive: true
         required: true
         needs: database_type=postgres
-      database_external:
-        type: bool
-        default: false
-        description: Use external database
-        needs: database_type=postgres
+      database_host:
+        type: str
+        required: true
+        needs: ["database_type=postgres", "database_external=true"]
   swarm:
+    toggle: swarm_enabled
     vars:
       swarm_enabled:
         type: bool
         default: false
         description: Enable Docker Swarm mode
-      swarm_placement_host:
-        type: str
-        default: ''
-        description: The placement host
       swarm_placement_mode:
         type: str
         default: replicated
         description: The placement mode
+        needs:
+          - swarm_enabled=true
       swarm_replicas:
         type: int
         default: 1
         description: The number of replicas
+        needs:
+          - swarm_placement_mode=replicated
+      swarm_placement_host:
+        type: str
+        default: ''
+        description: The placement host
+        needs:
+          - swarm_placement_mode=replicated
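Review bot: The `needs` constraints in this file are now written three ways: a scalar (`needs: database_type=postgres` on the added `database_external`), a flow list (`needs: ["database_type=postgres", "database_external=true"]` on the moved `database_host`), and a block list on the swarm variables. Use the block-list form throughout so the constraints read and diff the same way. Separately, `swarm_replicas` and `swarm_placement_host` depend only on `swarm_placement_mode=replicated`, which is that variable's default value. If the engine does not evaluate `needs` transitively, add `- swarm_enabled=true` to both, as the homepage template listed before this commit.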

+ 0 - 25
library/compose/homepage/template.yaml

@@ -132,28 +132,3 @@ spec:
         default: ''
         description: The NFS server
   swarm:
-    vars:
-      swarm_enabled:
-        description: Enable Docker Swarm mode
-        type: bool
-        default: false
-      swarm_replicas:
-        description: Number of replicas for replicated mode
-        type: int
-        needs:
-          - swarm_enabled=true
-          - swarm_placement_mode=replicated
-        required: true
-        default: 1
-      swarm_placement_host:
-        description: Hostname for placement constraint
-        type: str
-        needs:
-          - swarm_enabled=true
-          - swarm_placement_mode=replicated
-      swarm_placement_mode:
-        description: The placement mode
-        type: str
-        needs:
-          - swarm_enabled=true
-        default: replicated

+ 2 - 0
library/compose/homer/template.yaml

@@ -69,6 +69,7 @@ spec:
         type: int
         default: 8080
   traefik:
+    toggle: traefik_enabled
     vars:
       traefik_enabled:
         type: bool
@@ -90,6 +91,7 @@ spec:
         type: str
         required: true
   traefik_tls:
+    toggle: traefik_tls_enabled
     vars:
       traefik_tls_enabled:
         description: Enable Traefik TLS

+ 0 - 64
library/compose/komodo/template.yaml

@@ -160,41 +160,6 @@ spec:
         required: true
         default: cloudflare
   network:
-    vars:
-      network_name:
-        default: komodo_network
-      network_macvlan_ipv4_address:
-        type: str
-        default: 192.168.1.253
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_parent_interface:
-        type: str
-        default: eth0
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_subnet:
-        type: str
-        default: 192.168.1.0/24
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_macvlan_gateway:
-        type: str
-        default: 192.168.1.1
-        needs:
-          - network_mode=macvlan
-        required: true
-      network_external:
-        type: bool
-        default: false
-        description: Whether the network is external
-      network_mode:
-        type: str
-        default: bridge
-        description: The network mode for the container
   ports:
     vars:
       ports_http:
@@ -205,35 +170,6 @@ spec:
           - traefik_enabled=false
           - network_mode=bridge
   volume:
-    vars:
-      volume_mount_path:
-        default: /mnt/storage/komodo
-      volume_nfs_server:
-        type: str
-        default: 192.168.1.1
-        needs:
-          - volume_mode=nfs
-        required: true
-      volume_nfs_path:
-        type: str
-        default: /export
-        needs:
-          - volume_mode=nfs
-        required: true
-      volume_nfs_options:
-        type: str
-        default: rw,nolock,soft
-        needs:
-          - volume_mode=nfs
-        required: true
-      volume_mode:
-        type: enum
-        options:
-          - local
-          - mount
-          - nfs
-        default: local
-        description: The volume mode
   resources:
     vars:
       resources_enabled:

+ 4 - 0
library/compose/n8n/template.yaml

@@ -109,6 +109,7 @@ spec:
         extra: Add a worker service to this compose file. For production, use separate n8n-worker template.
   database:
     title: Database
+    toggle: database_enabled
     description: External database configuration
     vars:
       database_enabled:
@@ -177,6 +178,7 @@ spec:
         extra: Optional separate webhook URL (e.g., https://webhooks.example.com/)
   metrics:
     title: Metrics
+    toggle: metrics_enabled
     description: Prometheus metrics configuration
     vars:
       metrics_enabled:
@@ -217,6 +219,7 @@ spec:
         default: false
         description: Whether the network is external
   traefik:
+    toggle: traefik_enabled
     vars:
       traefik_enabled:
         needs: network_mode=bridge
@@ -252,6 +255,7 @@ spec:
           - traefik_enabled=false
           - network_mode=bridge
   swarm:
+    toggle: swarm_enabled
     vars:
       swarm_enabled:
         needs: network_mode=bridge

+ 1 - 0
library/compose/netbox/template.yaml

@@ -110,6 +110,7 @@ spec:
         required: true
   netbox:
     title: NetBox Configuration
+    toggle: netbox_metrics_enabled
     description: Configure NetBox application settings
     vars:
       netbox_metrics_enabled:
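Review bot: `toggle: netbox_metrics_enabled` gates the whole "NetBox Configuration" section, described as "Configure NetBox application settings", on a metrics flag. The rest of the section's vars lie outside this hunk, but if it holds anything besides metrics settings, those variables would presumably be skipped whenever metrics are off. Either move the metrics variables into their own section carrying this toggle, or drop the toggle here and put `needs: netbox_metrics_enabled=true` on the metrics-only variables.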

+ 0 - 19
library/compose/nextcloud/template.yaml

@@ -115,22 +115,3 @@ spec:
         default: false
         description: Enable Traefik TLS
   swarm:
-    vars:
-      swarm_replicas:
-        type: int
-        default: 1
-        needs:
-          - swarm_placement_mode=replicated
-        required: true
-      swarm_enabled:
-        type: bool
-        default: false
-        description: Enable Docker Swarm mode
-      swarm_placement_host:
-        type: str
-        default: ''
-        description: The placement host
-      swarm_placement_mode:
-        type: str
-        default: replicated
-        description: The placement mode

+ 2 - 0
library/compose/nginx/template.yaml

@@ -54,6 +54,7 @@ spec:
         type: int
         default: 8443
   traefik:
+    toggle: traefik_enabled
     vars:
       traefik_enabled:
         type: bool
@@ -85,6 +86,7 @@ spec:
       network_name:
         default: bridge
   swarm:
+    toggle: swarm_enabled
     vars:
       swarm_enabled:
         type: bool

+ 1 - 0
library/compose/openwebui/template.yaml

@@ -83,6 +83,7 @@ spec:
         type: int
         default: 8080
   authentik:
+    toggle: authentik_enabled
     vars:
       authentik_enabled:
         default: false

+ 2 - 0
library/compose/renovate/template.yaml

@@ -96,6 +96,7 @@ spec:
         description: "External HTTP port for web interface"
         default: 8080
   traefik:
+    toggle: traefik_enabled
     vars:
       traefik_enabled:
         type: bool
@@ -124,6 +125,7 @@ spec:
       network_name:
         default: "bridge"
   swarm:
+    toggle: swarm_enabled
     vars:
       swarm_enabled:
         type: bool

+ 0 - 4
library/compose/traefik/compose.yaml.j2

@@ -23,7 +23,6 @@ services:
       {% if accesslog_enabled %}
       - "--accesslog=true"
       {% endif %}
-      - "--ping.entryPoint=ping"
       {% if dashboard_enabled %}
       - "--api.dashboard=true"
       - "--api.insecure=true"
@@ -51,9 +50,6 @@ services:
       - "--certificatesresolvers.{{ traefik_tls_certresolver }}.acme.dnsChallenge.provider={{ traefik_tls_certresolver }}"
       - "--certificatesresolvers.{{ traefik_tls_certresolver }}.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
       {% endif %}
-      {% if traefik_tls_min_version %}
-      - "--tls.options.default.minVersion={{ traefik_tls_min_version }}"
-      {% endif %}
       {% if traefik_tls_secure_ciphers %}
       - "--tls.options.default.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
       {% endif %}

+ 40 - 21
library/compose/traefik/template.yaml

@@ -100,23 +100,48 @@ spec:
         default: false
   traefik_tls:
     title: TLS Settings
+    toggle: traefik_tls_enabled
     vars:
+      traefik_tls_enabled:
+        description: Enable HTTPS/TLS with ACME
+        type: bool
+        default: false
+      traefik_tls_certresolver:
+        description: ACME DNS challenge provider
+        type: str
+        options:
+          - cloudflare
+          - porkbun
+          - godaddy
+          - digitalocean
+          - route53
+          - azure
+          - namecheap
+        default: cloudflare
+        required: true
+        needs:
+          - traefik_tls_enabled=true
+        extra: DNS provider for domain validation
       traefik_tls_acme_email:
         description: Email address for ACME
         type: str
         required: true
+        needs:
+          - traefik_tls_enabled=true
       traefik_tls_acme_region:
         description: AWS Region
         type: str
         default: us-east-1
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=route53
       traefik_tls_acme_resource_group:
         description: Azure Resource Group
         type: str
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=azure
       traefik_tls_acme_secret_key:
         description: DNS provider secret key
@@ -124,6 +149,7 @@ spec:
         sensitive: true
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=azure,godaddy,porkbun,route53
         extra: AZURE_CLIENT_SECRET, GODADDY_API_SECRET, PORKBUN_SECRET_API_KEY, or AWS_SECRET_ACCESS_KEY
       traefik_tls_acme_subscription_id:
@@ -131,12 +157,14 @@ spec:
         type: str
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=azure
       traefik_tls_acme_tenant_id:
         description: Azure Tenant ID
         type: str
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=azure
       traefik_tls_acme_token:
         description: DNS provider API token
@@ -144,6 +172,7 @@ spec:
         sensitive: true
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=cloudflare,digitalocean,godaddy,namecheap,porkbun
         extra: CF_DNS_API_TOKEN, DO_AUTH_TOKEN, GODADDY_API_KEY, NAMECHEAP_API_KEY, or PORKBUN_API_KEY
       traefik_tls_acme_username:
@@ -151,39 +180,27 @@ spec:
         type: str
         required: true
         needs:
+          - traefik_tls_enabled=true
           - traefik_tls_certresolver=namecheap
-      traefik_tls_certresolver:
-        description: ACME DNS challenge provider
-        options:
-          - cloudflare
-          - porkbun
-          - godaddy
-          - digitalocean
-          - route53
-          - azure
-          - namecheap
-        extra: DNS provider for domain validation
-      traefik_tls_enabled:
-        description: Enable HTTPS/TLS with ACME
-        default: false
-      traefik_tls_min_version:
-        description: Minimum TLS version
-        type: enum
-        options:
-          - VersionTLS12
-          - VersionTLS13
-        extra: TLS 1.2 is recommended for compatibility, TLS 1.3 for maximum security
       traefik_tls_redirect:
         description: Redirect all HTTP traffic to HTTPS
         type: bool
         default: true
+        needs:
+          - traefik_tls_enabled=true
       traefik_tls_secure_ciphers:
         description: Enable strict cipher suites (recommended)
         type: bool
+        default: false
+        needs:
+          - traefik_tls_enabled=true
         extra: Enforces modern, secure cipher suites
       traefik_tls_skipverify:
         description: Skip TLS verification for backend servers
         type: bool
+        default: false
+        needs:
+          - traefik_tls_enabled=true
         extra: 'WARNING: Only enable for self-signed certificates in trusted environments'
   volume:
     vars:
@@ -220,6 +237,8 @@ spec:
           - volume_mode=nfs
         required: true
   swarm:
+    title: Docker Swarm
+    toggle: swarm_enabled
     vars:
       swarm_placement_mode:
         type: enum
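Review bot: Removing `traefik_tls_min_version` here, together with the `--tls.options.default.minVersion` flag in compose.yaml.j2, leaves the template with no way to set a minimum TLS version, so deployments that had selected `VersionTLS13` silently fall back to Traefik's built-in minimum. TLS options belong to Traefik's dynamic configuration, so the variable could be kept and rendered into a file-provider `tls.options.default.minVersion` entry instead of being dropped. The `--tls.options.default.cipherSuites` line that remains in compose.yaml.j2 uses the same static-flag form and probably needs the same move; confirm this against Traefik v3. In this section `traefik_tls_secure_ciphers` is described as "(recommended)" yet now gets `default: false`; either set `default: true` or drop the recommendation from the description.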

+ 0 - 20
library/compose/twingate-connector/template.yaml

@@ -91,23 +91,3 @@ spec:
           - swarm_enabled=true
         required: true
   swarm:
-    vars:
-      swarm_replicas:
-        type: int
-        default: 1
-        needs:
-          - swarm_placement_mode=replicated
-        required: true
-      swarm_placement_host:
-        type: str
-        description: Target hostname for placement constraint
-        default: ''
-        extra: Constrains service to run on specific node by hostname
-      swarm_enabled:
-        type: bool
-        default: false
-        description: Enable Docker Swarm mode
-      swarm_placement_mode:
-        type: str
-        default: replicated
-        description: The placement mode

+ 3 - 0
library/compose/whoami/template.yaml

@@ -53,6 +53,7 @@ spec:
         default: home.arpa
         required: true
   traefik_tls:
+    toggle: traefik_tls_enabled
     vars:
       traefik_tls_enabled:
         description: Enable HTTPS/TLS
@@ -64,12 +65,14 @@ spec:
         default: cloudflare
         required: true
   resources:
+    toggle: resources_enabled
     vars:
       resources_enabled:
         description: Enable resource limits
         type: bool
         default: false
   swarm:
+    toggle: swarm_enabled
     vars:
       swarm_enabled:
         description: Enable Docker Swarm mode