From 3c5333ba71b134ee4847b4e89ee12ebd51aea5a0 Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Sat, 9 Dec 2023 23:17:37 -0500
Subject: [PATCH 1/6] feat: add support for wildcard certs via secrets

---
 .env.sample | 11 +++++++++++
 compose.wildcard.yml | 16 ++++++++++++++++
 file-provider.yml.tmpl | 5 +++++
 traefik.yml.tmpl | 2 +-
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 compose.wildcard.yml

diff --git a/.env.sample b/.env.sample
index 62c6352..c4d3597 100644
--- a/.env.sample
+++ b/.env.sample
@@ -46,6 +46,17 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
+#####################################################################
+# Manual wildcard certificate insertion #
+#####################################################################
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secrets insert v1 {myapp.example.coop} ssl_cert "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert v1 {myapp.example.coop} ssl_key "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
 #####################################################################
 # Keycloak log-in #
 #####################################################################
diff --git a/compose.wildcard.yml b/compose.wildcard.yml
new file mode 100644
index 0000000..0637680
--- /dev/null
+++ b/compose.wildcard.yml
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+ app:
+ secrets:
+ - ssl_cert
+ - ssl_key
+
+secrets:
+ ssl_cert:
+ name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+ external: true
+ ssl_key:
+ name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}
+ external: true
\ No newline at end of file
diff --git a/file-provider.yml.tmpl b/file-provider.yml.tmpl
index a7d3d48..f63bc46 100644
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
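Review bot: The enabling instruction on the added `# Set wildcards = 1, and uncomment compose_file to enable.` line names neither the real variable nor the real key, so a reader has to map it onto the commented `WILDCARDS_ENABLED` and `COMPOSE_FILE` lines further down; suggest `# Set WILDCARDS_ENABLED=1 and append compose.wildcard.yml to COMPOSE_FILE (both lines below) to enable.` The `ssl_key` example should also state that the file must be an unencrypted PEM private key, since the Traefik file provider's `keyFile` offers no passphrase setting as far as I can see. A sentence noting that `SECRET_WILDCARD_CERT_VERSION` has to be bumped, and the secret re-inserted under the new version, whenever the certificate is renewed would save users a confusing no-op redeploy, because the compose side embeds that version in the external secret name.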
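Review bot: Both secrets are attached with the short form under `services.app.secrets`, which mounts `/run/secrets/ssl_key` with the default secret file mode (0444 per the Compose file reference, if I recall correctly) rather than the owner-only permissions a private key should carry. The long form lets the key be restricted: `- source: ssl_key`, `  target: ssl_key`, `  mode: 0400` — the owner defaults to root, which matches the official image's default user, so add `uid:` only if the service is ever run with a non-root `user:`. The certificate can stay readable as it is. The indentation of the nested keys is not recoverable from this collapsed hunk, so I have not checked it.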
@@ -45,3 +45,8 @@ tls:
 - CurveP521
 - CurveP384
 sniStrict: true
+ {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+ certificates:
+ - certFile: /run/secrets/ssl_cert
+ keyFile: /run/secrets/ssl_key
+ {{ end }}
\ No newline at end of file
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl
index b734a8a..0c94743 100644
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@@ -114,4 +114,4 @@ certificatesResolvers:
 resolvers:
 - "1.1.1.1:53"
 - "9.9.9.9:53"
- {{ end }}
+ {{ end }}
\ No newline at end of file

From f4b05fd87f9a06658d70b4d9d561b8371c7fe01d Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Sat, 9 Dec 2023 23:22:30 -0500
Subject: [PATCH 2/6] Bump file revisions for wildcard support

---
 abra.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/abra.sh b/abra.sh
index fcae9d8..f42c912 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v17
-export FILE_PROVIDER_YML_VERSION=v8
+export TRAEFIK_YML_VERSION=v18
+export FILE_PROVIDER_YML_VERSION=v9
 export ENTRYPOINT_VERSION=v2

From 64351c27d155a97a893cac70e9ba76ba1ce6f1b9 Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Sat, 9 Dec 2023 23:24:23 -0500
Subject: [PATCH 3/6] fix: deprecation warning - handled by redirect under web already

---
 file-provider.yml.tmpl | 1 -
 1 file changed, 1 deletion(-)

diff --git a/file-provider.yml.tmpl b/file-provider.yml.tmpl
index f63bc46..aa827bd 100644
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@@ -25,7 +25,6 @@ http:
 security:
 headers:
 frameDeny: true
- sslRedirect: true
 browserXssFilter: true
 contentTypeNosniff: true
 stsIncludeSubdomains: true

From cd92c909baee57fbbb9e3d500d906c6b53b7ae4e Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Sat, 9 Dec 2023 23:29:17 -0500
Subject: [PATCH 4/6] docs: correct secret insertion examples

---
 .env.sample | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.env.sample b/.env.sample
index c4d3597..19523aa 100644
--- a/.env.sample
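Review bot: The placement of the added `certificates:` key cannot be verified from this collapsed hunk, and it matters: the context lines (`CurveP521`, `CurveP384`, `sniStrict: true`) presumably sit inside `tls.options.default`, while Traefik only honours `certificates` as a direct child of `tls:`; if the new block were indented like `sniStrict` it would not be loaded as a certificate list and the inserted secrets would never be served. A comment above the template guard, such as `# Must be a direct child of tls:, not of tls.options.`, would protect the next editor; the enclosing `tls:` mapping starts before this hunk. Two points worth documenting for users: a `*.example.coop` certificate does not cover the apex `example.coop`, so with `sniStrict: true` requests for the apex are refused unless it is also a SAN of the inserted cert; and setting `WILDCARDS_ENABLED=1` without adding `compose.wildcard.yml` to `COMPOSE_FILE` leaves `/run/secrets/ssl_cert` absent, which I expect the file provider to report as a TLS configuration error rather than fall back silently — confirm on a test stack.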
+++ b/.env.sample
@@ -49,10 +49,11 @@ COMPOSE_FILE="compose.yml"
 #####################################################################
 # Manual wildcard certificate insertion #
 #####################################################################
+
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
-# abra app secrets insert v1 {myapp.example.coop} ssl_cert "$(cat /path/to/fullchain.pem)"
-# abra app secrets insert v1 {myapp.example.coop} ssl_key "$(cat /path/to/privkey.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"

From 998190f684851c0b4b760ef270829cc98d617cdc Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Thu, 11 Jan 2024 21:38:44 -0500
Subject: [PATCH 5/6] feat: add distinct version for wildcard key secret

---
 .env.sample | 1 +
 compose.wildcard.yml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.env.sample b/.env.sample
index 19523aa..30762dd 100644
--- a/.env.sample
+++ b/.env.sample
@@ -56,6 +56,7 @@ COMPOSE_FILE="compose.yml"
 # abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 #####################################################################
diff --git a/compose.wildcard.yml b/compose.wildcard.yml
index 0637680..4e46d83 100644
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@@ -12,5 +12,5 @@ secrets:
 name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
 external: true
 ssl_key:
- name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}
- external: true
\ No newline at end of file
+ name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+ external: true

From e3c1df83fa7b61cacef594681a48d79d11f81012 Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Thu, 11 Jan 2024 21:40:47 -0500
Subject: [PATCH 6/6] chore(security): update traefik to 2.10.7

Addresses two CVE fixes from 2.10.6
---
 compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/compose.yml b/compose.yml
index bba8f6a..3795cae 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,7 +3,7 @@ version: "3.8"
 services:
 app:
- image: "traefik:v2.10.5"
+ image: "traefik:v2.10.7"
 # Note(decentral1se): *please do not* add any additional ports here.
 # Doing so could break new installs with port conflicts. Please use
 # the usual `compose.$app.yml` approach for any additional ports
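Review bot: The new `${SECRET_WILDCARD_KEY_VERSION}` reference on the `ssl_key` name line has no fallback, so a deployment that enabled wildcards from the earlier sample (which defined only `SECRET_WILDCARD_CERT_VERSION`) will on its next deploy look for an external secret named `<stack>_ssl_key_` with an empty suffix — presumably a missing-secret failure rather than anything silent, but a breaking change for existing users that the commit message does not mention. If the compose parser abra uses supports nested defaults, `name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION:-${SECRET_WILDCARD_CERT_VERSION}}` would keep those deployments working; otherwise it should be called out as a required migration step in the release notes. The `.env.sample` hunk of this patch adds the variable only as a commented line; a comment above it such as `# Required when WILDCARDS_ENABLED=1; bump it whenever the key is re-inserted.` would make the dependency visible where users actually edit it.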