fix(server): disable Traefik insecure API by default #4107

Open
knowsuchagency wants to merge 1 commit into Dokploy:canary from knowsuchagency:fix/traefik-disable-insecure-api-default

Conversation


@knowsuchagency knowsuchagency commented Mar 30, 2026

Description

Both getDefaultTraefikConfig() and getDefaultServerTraefikConfig() hardcode api.insecure: true, which enables the Traefik dashboard on port 8080 without any authentication on every new Dokploy installation.

While the dashboard port is not published to the host by default, it is accessible from within the Docker network. If a user enables the dashboard via Dokploy UI (which publishes port 8080), it becomes publicly accessible with no auth.

This changes the default to false. Users who want the dashboard can still enable it through the Dokploy UI — the existing traefik.yml on disk is preserved and not overwritten (the code checks existsSync(mainConfig) and returns early in createDefaultTraefikConfig), so this only affects new installations.

Changes

  • getDefaultTraefikConfig(): api.insecure: true → api.insecure: false
  • getDefaultServerTraefikConfig(): api.insecure: true → api.insecure: false

Checklist

  • My branch was forked from canary
  • I have read the CONTRIBUTING.md
  • I tested locally

🤖 Generated with Claude Code

Greptile Summary

This PR correctly hardens new Dokploy installations by defaulting api.insecure to false in both getDefaultTraefikConfig() and getDefaultServerTraefikConfig(), preventing the Traefik dashboard from being exposed unauthenticated on port 8080 out of the box.

However, the change introduces a regression: the existing "Enable Dashboard" toggle in the Dokploy UI will be silently broken for all new installations. The toggleDashboard mutation only publishes/removes port 8080 from the container's port bindings — it never writes back to traefik.yml. When api.insecure: false is in effect, Traefik does not start its built-in dashboard listener on port 8080 at all, so users who click "Enable Dashboard" will get port 8080 opened on the host but no dashboard served.

Key changes:

  • getDefaultTraefikConfig() line 301: api.insecure: true → false
  • getDefaultServerTraefikConfig() line 357: api.insecure: true → false
  • The toggleDashboard handler in apps/dokploy/server/api/routers/settings.ts is not updated to also patch traefik.yml when the user toggles the dashboard, which is required for the feature to work when api.insecure defaults to false

Confidence Score: 3/5

Not safe to merge as-is: the Enable Dashboard UI feature will be silently broken for all new installations until toggleDashboard is updated to also patch traefik.yml.

The security intent of the PR is sound, but it introduces a P1 regression: publishing port 8080 via the UI Enable Dashboard toggle no longer makes the dashboard accessible because the Traefik config file is never updated to set api.insecure: true. The toggleDashboard mutation must also write the corresponding api.insecure value to traefik.yml for the feature to work end-to-end on new installs.

packages/server/src/setup/traefik-setup.ts (both changed functions) and apps/dokploy/server/api/routers/settings.ts (toggleDashboard mutation, which is unchanged but must be updated to remain functional).

Important Files Changed

Filename: packages/server/src/setup/traefik-setup.ts
Overview: Both getDefaultTraefikConfig() and getDefaultServerTraefikConfig() now default api.insecure to false — a good security hardening — but the toggleDashboard mutation does not update traefik.yml to flip api.insecure, so the Enable Dashboard UI feature will be silently non-functional on all new installations.

Reviews (1): Last reviewed commit: "fix(server): disable Traefik insecure AP..."

Greptile also left 1 inline comment on this PR.


Both getDefaultTraefikConfig and getDefaultServerTraefikConfig hardcode
api.insecure: true, which enables the Traefik dashboard on port 8080
without any authentication on every new Dokploy installation.

Change the default to false. Users who want the dashboard can enable it
explicitly through the Dokploy UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dosubot (bot) added the size:XS label (This PR changes 0-9 lines, ignoring generated files) on Mar 30, 2026
},
api: {
insecure: true,
insecure: false,
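Review bot: flipping the literal here leaves the toggleDashboard mutation in apps/dokploy/server/api/routers/settings.ts out of sync, because that handler only publishes or removes port 8080 on the container and never writes api.insecure back to traefik.yml; on a fresh install the toggle will therefore open port 8080 with nothing listening on it. Either have the handler patch the api block of traefik.yml in the same change, or, since Traefik serves the dashboard only via an explicit router to api@internal once insecure is false, have the toggle install such a router behind an auth middleware instead of re-enabling insecure mode. Also confirm the identical edit in getDefaultServerTraefikConfig() that the description mentions is present in the commit, as only one of the two occurrences is visible in this hunk.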

P1 "Enable Dashboard" UI feature broken for new installations

Setting api.insecure: false (repeated at line 357 for getDefaultServerTraefikConfig) correctly hardens new installations, but it also silently breaks the existing "Enable Dashboard" feature in the Dokploy UI for those same new installs.

The toggleDashboard tRPC mutation in apps/dokploy/server/api/routers/settings.ts only publishes/removes port 8080 from the Traefik container's port bindings — it never reads or updates traefik.yml. When api.insecure: false is in the config, Traefik does not start its built-in dashboard listener on port 8080; an explicit router pointing to api@internal is required. So after a user clicks "Enable Dashboard" on a new installation, port 8080 is published to the host but nothing is served on it, making the feature silently non-functional.

The toggleDashboard handler should also patch traefik.yml to mirror the api.insecure flag:

// In the toggleDashboard mutation handler, after computing newPorts:
const mainConfig = readMainConfig();
if (mainConfig) {
    const parsed = parse(mainConfig) as MainTraefikConfig;
    parsed.api = { ...(parsed.api ?? {}), insecure: input.enableDashboard };
    writeMainConfig(stringify(parsed));
}

This keeps the secure default for new installs while ensuring the UI toggle actually works end-to-end.
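As an added example (not code from this PR, from Dokploy, or from the Traefik project), the following shows the static configuration the PR moves toward beside the weak default it removes, together with a file-provider dynamic configuration that exposes the dashboard through the explicit api@internal router that the comment above says is required once api.insecure is false, guarded by basic auth. The file paths, hostname and htpasswd entry are placeholders, not values from the page.

```yaml
# --- traefik.yml (static configuration) ---
# Weak default removed by this PR: the dashboard is served on :8080
# with no authentication as soon as Traefik starts.
#   api:
#     insecure: true
#
# Hardened default: keep the dashboard feature available but do not
# bind the unauthenticated listener; it is only reachable through a
# router that explicitly targets the api@internal service.
api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  file:
    # Placeholder path for the dynamic configuration below.
    filename: /path/to/dynamic/dashboard.yml
    watch: true

# --- dynamic/dashboard.yml (dynamic configuration) ---
# Router to the built-in dashboard service, reachable only over TLS on
# a dedicated hostname and only after basic-auth succeeds.
http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.example.invalid`)"   # placeholder hostname
      entryPoints:
        - websecure
      service: api@internal
      middlewares:
        - dashboard-auth
      tls: {}
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          # Placeholder htpasswd entry; generate a real one with
          # `htpasswd -nB <user>` and never commit the plaintext password.
          - "admin:$2y$05$REPLACE_WITH_BCRYPT_HTPASSWD_HASH"
```

With this layout the "Enable Dashboard" action would add or remove the dynamic router rather than toggling api.insecure, so port 8080 never needs to be published at all.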
