feat: add support for wildcard certs via secrets

2023-12-09 23:17:37 -05:00 · 2023-12-09 23:17:37 -05:00 · 3c5333ba71
parent 5f2fd0bf37
commit 3c5333ba71
4 changed files with 33 additions and 1 deletions
--- a/.env.sample
+++ b/.env.sample
@ -46,6 +46,17 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1

+#####################################################################
+# Manual wildcard certificate insertion                             #
+#####################################################################
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secrets insert v1 {myapp.example.coop} ssl_cert "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert v1 {myapp.example.coop} ssl_key "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -45,3 +45,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -114,4 +114,4 @@ certificatesResolvers:
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
-      {{ end }}
+      {{ end }}