Merge pull request 'Add support for externally-sourced wildcard certificates' (#45) from wolcen/traefik:master into master
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/push Build is failing
Details
Reviewed-on: #45 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
This commit is contained in:
commit
a0e70f33be
13
.env.sample
13
.env.sample
|
@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
|
||||||
#GANDI_ENABLED=1
|
#GANDI_ENABLED=1
|
||||||
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Manual wildcard certificate insertion #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
# Set wildcards = 1, and uncomment compose_file to enable.
|
||||||
|
# Create your certs elsewhere and add them like:
|
||||||
|
# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
|
||||||
|
# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
|
||||||
|
#WILDCARDS_ENABLED=1
|
||||||
|
#SECRET_WILDCARD_CERT_VERSION=v1
|
||||||
|
#SECRET_WILDCARD_KEY_VERSION=v1
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
# Keycloak log-in #
|
# Keycloak log-in #
|
||||||
#####################################################################
|
#####################################################################
|
||||||
|
|
4
abra.sh
4
abra.sh
|
@ -1,3 +1,3 @@
|
||||||
export TRAEFIK_YML_VERSION=v17
|
export TRAEFIK_YML_VERSION=v18
|
||||||
export FILE_PROVIDER_YML_VERSION=v8
|
export FILE_PROVIDER_YML_VERSION=v9
|
||||||
export ENTRYPOINT_VERSION=v2
|
export ENTRYPOINT_VERSION=v2
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
secrets:
|
||||||
|
- ssl_cert
|
||||||
|
- ssl_key
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
ssl_cert:
|
||||||
|
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
|
||||||
|
external: true
|
||||||
|
ssl_key:
|
||||||
|
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
|
||||||
|
external: true
|
|
@ -3,7 +3,7 @@ version: "3.8"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: "traefik:v2.10.5"
|
image: "traefik:v2.10.7"
|
||||||
# Note(decentral1se): *please do not* add any additional ports here.
|
# Note(decentral1se): *please do not* add any additional ports here.
|
||||||
# Doing so could break new installs with port conflicts. Please use
|
# Doing so could break new installs with port conflicts. Please use
|
||||||
# the usual `compose.$app.yml` approach for any additional ports
|
# the usual `compose.$app.yml` approach for any additional ports
|
||||||
|
|
|
@ -25,7 +25,6 @@ http:
|
||||||
security:
|
security:
|
||||||
headers:
|
headers:
|
||||||
frameDeny: true
|
frameDeny: true
|
||||||
sslRedirect: true
|
|
||||||
browserXssFilter: true
|
browserXssFilter: true
|
||||||
contentTypeNosniff: true
|
contentTypeNosniff: true
|
||||||
stsIncludeSubdomains: true
|
stsIncludeSubdomains: true
|
||||||
|
@ -45,3 +44,8 @@ tls:
|
||||||
- CurveP521
|
- CurveP521
|
||||||
- CurveP384
|
- CurveP384
|
||||||
sniStrict: true
|
sniStrict: true
|
||||||
|
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
|
||||||
|
certificates:
|
||||||
|
- certFile: /run/secrets/ssl_cert
|
||||||
|
keyFile: /run/secrets/ssl_key
|
||||||
|
{{ end }}
|
|
@ -114,4 +114,4 @@ certificatesResolvers:
|
||||||
resolvers:
|
resolvers:
|
||||||
- "1.1.1.1:53"
|
- "1.1.1.1:53"
|
||||||
- "9.9.9.9:53"
|
- "9.9.9.9:53"
|
||||||
{{ end }}
|
{{ end }}
|
Loading…
Reference in New Issue