Fix LetsEncrypt DNS challenge and add Cloudflare support

2022-04-28 18:07:25 -07:00 · 2022-04-28 18:07:25 -07:00 · 737b4ebe15
parent df49a1f3b2
commit 737b4ebe15
5 changed files with 43 additions and 4 deletions
--- a/.env.sample
+++ b/.env.sample
@ -44,6 +44,12 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1

+## Cloudflare, https://cloudflare.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#CLOUDFLARE_ENABLED=1
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1
+#SECRET_CLOUDFLARE_API_KEY=v1
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
--- a/compose.cloudflare.yml
+++ b/compose.cloudflare.yml
@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cloudflare_email
+      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - cloudflare_email
+      - cloudflare_api_key
+
+secrets:
+  cloudflare_email:
+    name: ${STACK_NAME}_cloudflare_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+    external: true
+  cloudflare_api_key:
+    name: ${STACK_NAME}_cloudflare_api_key_${SECRET_CLOUDFLARE_API_KEY}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -26,6 +26,8 @@ services:
    environment:
      - DASHBOARD_ENABLED
      - LOG_LEVEL
+      - LETS_ENCRYPT_EMAIL
+      - LETS_ENCRYPT_ENV
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -11,4 +11,9 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}

+{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}
+export CLOUDFLARE_EMAIL=$(cat "$CLOUDFLARE_EMAIL_FILE")
+export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -77,30 +77,36 @@ metrics:
 {{ end }}

 certificatesResolvers:
+  {{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}
  staging:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/staging-acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      httpChallenge:
-        entryPoint: web
      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
      {{ end }}
+  {{ end }}
+  {{ if eq (env "LETS_ENCRYPT_ENV") "production" }}
  production:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/production-acme.json
-      httpChallenge:
-        entryPoint: web
      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
+      {{ else }}
+      httpChallenge:
+        entryPoint: web
      {{ end }}
+  {{ end }}