Attempt to disable Letsencrypt for self-signed joy

.drone.yml

@@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: traefik
-      networks:
-       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
@@ -16,25 +14,8 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v4
-      FILE_PROVIDER_YML_VERSION: v3
-      ENTRYPOINT_VERSION: v1
+      TRAEFIK_YML_VERSION: v3
+      FILE_PROVIDER_YML_VERSION: v2
 trigger:
   branch:
     - master
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,119 +1,27 @@
 TYPE=traefik
-TIMEOUT=300
-ENABLE_AUTO_UPDATE=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
 
+LETS_ENCRYPT_DISABLED=0
 LETS_ENCRYPT_EMAIL=certs@example.com
 # DASHBOARD_ENABLED=true
 # WARN, INFO etc.
 LOG_LEVEL=WARN
 
-# This is here so later lines can extend it; you likely don't wanna edit
-COMPOSE_FILE="compose.yml"
-
-#####################################################################
-# General settings                                                  #
-#####################################################################
-
-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
-
-## "Headless mode" (no domain configured)
-#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
-
-#####################################################################
-# Automatic DNS set-up for Letsencrypt                              #
-#####################################################################
-
-## Enable dns challenge (for wildcard domains)
-##   https://doc.traefik.io/traefik/https/acme/#dnschallenge
-#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
-
-## OVH, https://ovh.com
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ovh.yml"
-#OVH_ENABLED=1
-#OVH_APPLICATION_KEY=
-#OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1
-#SECRET_OVH_CONSUMER_KEY=v1
-
-## Gandi, https://gandi.net
-## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1
-
-#####################################################################
-# Keycloak log-in                                                   #
-#####################################################################
-
 ## Enable Keycloak
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
-#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
-#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
-#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
-
-#####################################################################
-# Prometheus metrics                                                #
-#####################################################################
-
-## Enable prometheus metrics collection
-## used used by the coop-cloud monitoring stack
-#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
-#METRICS_ENABLED=1
-
-#####################################################################
-# File provider directory configuration                             #
-# (Route bare metal and non-docker services on the machine!)        #
-#####################################################################
-#FILE_PROVIDER_DIRECTORY_ENABLED=1
-
-#####################################################################
-# Additional services                                               #
-#####################################################################
 
 ## SMTP port 587
-#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#COMPOSE_FILE="compose.yml:compose.smtp.yml"
 #SMTP_ENABLED=1
 
-## Compy
-#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
-#COMPY_ENABLED=1
-
 ## Gitea SSH
-# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
 # GITEA_SSH_ENABLED=1
 
 ## Foodsoft SMTP
-# COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
 # FOODSOFT_SMTP_ENABLED=1
 
-## Peertube RTMP
-#COMPOSE_FILE="$COMPOSE_FILE:compose.peertube.yml"
-#PEERTUBE_RTMP_ENABLED=1
-
-## Secure Scuttlebutt MUXRPC
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ssb.yml"
-#SSB_MUXRPC_ENABLED=1
-
-## MSSQL
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mssql.yml"
-#MSSQL_ENABLED=1
-
-## Mumble
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
-#MUMBLE_ENABLED=1
-
-## Matrix
-#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-#MATRIX_FEDERATION_ENABLED=1
-
-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
+## Host-mode networking
+#COMPOSE_FILE="compose.yml:compose.host.yml"

README.md

@@ -7,11 +7,11 @@
 <!-- metadata -->
 * **Category**: Utilities
 * **Status**: ?
-* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
+* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
 * **Email**: N/A
-* **Tests**: 2
+* **Tests**: ❷💛
 * **SSO**: ? (Keycloak)
 <!-- endmetadata -->
 
@@ -19,29 +19,8 @@
 
 1. Set up Docker Swarm and [`abra`]
 2. `abra app new traefik`
-3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
-4. `abra app deploy YOURAPPDOMAIN`
-
-## Configuring wildcard SSL using DNS
-
-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
-subdomains, like
-[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
-
-1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
-   see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
-2. Run `abra app config YOURAPPDOMAIN`
-3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
-   `SECRET_GANDIV5_API_KEY_VERSION`
-4. Generate an API key for your provider
-5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
-   `gandiv5_api_key` and `SECRETVALUE` is the API key.
-6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
+4. `abra app YOURAPPDOMAIN deploy`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,2 @@
-export TRAEFIK_YML_VERSION=v17
-export FILE_PROVIDER_YML_VERSION=v8
-export ENTRYPOINT_VERSION=v2
+export TRAEFIK_YML_VERSION=v7
+export FILE_PROVIDER_YML_VERSION=v1

compose.basicauth.yml

@@ -1,12 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - BASIC_AUTH
-    secrets:
-      - usersfile
-
-secrets:
-  usersfile:
-    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
-    external: true

compose.compy.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - COMPY_ENABLED
-    ports:
-      - "9999:9999"

compose.foodsoft.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - FOODSOFT_SMTP_ENABLED
-    ports:
-      - "2525:2525"

compose.gandi.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - GANDIV5_API_KEY_FILE=/run/secrets/gandiv5_api_key
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - gandiv5_api_key
-
-secrets:
-  gandiv5_api_key:
-    name: ${STACK_NAME}_gandiv5_api_key_${SECRET_GANDIV5_API_KEY_VERSION}
-    external: true

compose.gitea.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - GITEA_SSH_ENABLED
-    ports:
-      - "2222:2222"

compose.headless.yml

@@ -1,14 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.traefik.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"

compose.host.yml

@@ -13,3 +13,6 @@ services:
       - target: 443
         published: 443
         mode: host
+      - target: 2222
+        published: 2222
+        mode: host

compose.keycloak.yml

@@ -5,9 +5,6 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
+        - "traefik.http.routers.traefik.middlewares=keycloak@file"
     environment:
       - KEYCLOAK_MIDDLEWARE_ENABLED
-      - KEYCLOAK_TFA_SERVICE
-      - KEYCLOAK_MIDDLEWARE_2_ENABLED
-      - KEYCLOAK_TFA_SERVICE_2

compose.matrix.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - MATRIX_FEDERATION_ENABLED
-    ports:
-      - "8448:8448"

compose.metrics.yml

@@ -1,9 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host

compose.minio.yml

@@ -1,9 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - MINIO_CONSOLE_ENABLED
-    ports:
-      - "9001:9001"

compose.mssql.yml

@@ -1,10 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - MSSQL_ENABLED
-    ports:
-      - target: 1433
-        published: 1433
-        protocol: tcp
-        mode: host

compose.mumble.yml

@@ -1,9 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - MUMBLE_ENABLED
-    ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"

compose.ovh.yml

@@ -1,21 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - OVH_APPLICATION_KEY
-      - OVH_APPLICATION_SECRET_FILE=/run/secrets/ovh_app_secret
-      - OVH_CONSUMER_KEY_FILE=/run/secrets/ovh_consumer_key
-      - OVH_ENABLED
-      - OVH_ENDPOINT
-    secrets:
-      - ovh_app_secret
-      - ovh_consumer_key
-
-secrets:
-  ovh_app_secret:
-    name: ${STACK_NAME}_ovh_app_secret_${SECRET_OVH_APP_SECRET_VERSION}
-    external: true
-  ovh_consumer_key:
-    name: ${STACK_NAME}_ovh_consumer_key_${SECRET_OVH_CONSUMER_KEY}
-    external: true

compose.peertube.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - PEERTUBE_RTMP_ENABLED
-    ports:
-      - "1935:1935"

compose.smtp.yml

@@ -3,7 +3,5 @@ version: "3.8"
 
 services:
   app:
-    environment:
-      - SMTP_ENABLED
     ports:
       - "587:587"

compose.ssb.yml

@@ -1,7 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - SSB_MUXRPC_ENABLED
-    ports:
-      - "8008:8008"

compose.yml

@@ -1,73 +1,60 @@
----
 version: "3.8"
-
 services:
   app:
-    image: "traefik:v2.10.4"
-    # Note(decentral1se): *please do not* add any additional ports here.
-    # Doing so could break new installs with port conflicts. Please use
-    # the usual `compose.$app.yml` approach for any additional ports
+    image: "traefik:v2.4.8"
     ports:
       - "80:80"
       - "443:443"
+      - "2222:2222"
+      - "2525:2525"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
-      - "file-providers:/etc/traefik/file-providers"
     configs:
       - source: traefik_yml
         target: /etc/traefik/traefik.yml
       - source: file_provider_yml
         target: /etc/traefik/file-provider.yml
-      - source: entrypoint
-        target: /custom-entrypoint.sh
-        mode: 0555
     networks:
       - proxy
     environment:
       - DASHBOARD_ENABLED
+      - LETS_ENCRYPT_DISABLED
+      - LETS_ENCRYPT_EMAIL
+      - FOODSOFT_SMTP_ENABLED
+      - GITEA_SSH_ENABLED
       - LOG_LEVEL
+      - SMTP_ENABLED
     healthcheck:
       test: ["CMD", "traefik", "healthcheck"]
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
-    command: traefik
-    entrypoint: /custom-entrypoint.sh
     deploy:
       update_config:
         failure_action: rollback
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.4.2+v2.10.4"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-
+        - "traefik.http.services.traefik.loadbalancer.server.port=web"
+        - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.traefik.entrypoints=web-secure"
+          #- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.traefik.tls.options=default@file"
+        - "traefik.http.routers.traefik.service=api@internal"
+        - "traefik.http.routers.traefik.middlewares=security@file"
+        - coop-cloud.${STACK_NAME}.app.version=v2.4.8-d7d63b0d
 networks:
   proxy:
     external: true
-
 configs:
   traefik_yml:
     name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
-    file: traefik.yml.tmpl
+    file: traefik.yml
     template_driver: golang
   file_provider_yml:
     name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
-    file: file-provider.yml.tmpl
-    template_driver: golang
-  entrypoint:
-    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
-    file: entrypoint.sh.tmpl
-    template_driver: golang
-
+    file: file-provider.yml
 volumes:
   letsencrypt:
-  file-providers:

entrypoint.sh.tmpl

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-set -e
-
-{{ if eq (env "OVH_ENABLED") "1" }}
-export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
-export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
-{{ end }}
-
-{{ if eq (env "GANDI_ENABLED") "1" }}
-export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
-{{ end }}
-
-/entrypoint.sh "$@"

file-provider.yml

@@ -4,24 +4,11 @@ http:
     {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
-        address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
+        address: "http://traefik-forward-auth:4181"
         trustForwardHeader: true
         authResponseHeaders:
           - X-Forwarded-User
     {{ end }}
-    {{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
-    keycloak2:
-      forwardAuth:
-        address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
-        trustForwardHeader: true
-        authResponseHeaders:
-          - X-Forwarded-User
-    {{ end }}
-    {{ if eq (env "BASIC_AUTH") "1" }}
-    basicauth:
-      basicAuth:
-        usersFile: "/run/secrets/usersfile"
-    {{ end }}
     security:
       headers:
         frameDeny: true

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

traefik.yml

@@ -0,0 +1,58 @@
+---
+log:
+  level: {{ env "LOG_LEVEL" }}
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: proxy
+    swarmMode: true
+  file:
+    filename: /etc/traefik/file-provider.yml
+
+api:
+  dashboard: {{ env "DASHBOARD_ENABLED" }}
+  debug: false
+
+entrypoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: web-secure
+  web-secure:
+    address: ":443"
+  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
+  gitea-ssh:
+    address: ":2222"
+  {{ end }}
+  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
+  foodsoft-smtp:
+    address: ":2525"
+  {{ end }}
+  {{ if eq (env "SMTP_ENABLED") "1" }}
+  smtp-submission:
+    address: ":587"
+  {{ end }}
+
+ping:
+  entryPoint: web
+
+{{ if not (eq (env "LETS_ENCRYPT_DISABLED") "1") }}
+certificatesResolvers:
+  staging:
+    acme:
+      email: {{ env "LETS_ENCRYPT_EMAIL" }}
+      storage: /etc/letsencrypt/staging-acme.json
+      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      httpChallenge:
+        entryPoint: web
+  production:
+    acme:
+      email: {{ env "LETS_ENCRYPT_EMAIL" }}
+      storage: /etc/letsencrypt/production-acme.json
+      httpChallenge:
+        entryPoint: web
+{{ end }}

traefik.yml.tmpl

@@ -1,117 +0,0 @@
----
-log:
-  level: {{ env "LOG_LEVEL" }}
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-    network: proxy
-    swarmMode: true
-  {{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
-  file:
-    directory: /etc/traefik/file-providers
-    watch: true
-  {{ else }}
-  file:
-    filename: /etc/traefik/file-provider.yml
-  {{ end }}
-
-api:
-  dashboard: {{ env "DASHBOARD_ENABLED" }}
-  debug: false
-
-entrypoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: web-secure
-  web-secure:
-    address: ":443"
-  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
-  gitea-ssh:
-    address: ":2222"
-  {{ end }}
-  {{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
-  foodsoft-smtp:
-    address: ":2525"
-  {{ end }}
-  {{ if eq (env "SMTP_ENABLED") "1" }}
-  smtp-submission:
-    address: ":587"
-  {{ end }}
-  {{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
-  peertube-rtmp:
-    address: ":1935"
-  {{ end }}
-  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
-  ssb-muxrpc:
-    address: ":8008"
-  {{ end }}
-  {{ if eq (env "MSSQL_ENABLED") "1" }}
-  mssql:
-    address: ":1433"
-  {{ end }}
-  {{ if eq (env "MUMBLE_ENABLED") "1" }}
-  mumble:
-    address: ":64738"
-  mumble-udp:
-    address: ":64738/udp"
-  {{ end }}
-  {{ if eq (env "COMPY_ENABLED") "1" }}
-  compy:
-    address: ":9999"
-  {{ end }}
-  {{ if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{ end }}
-  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
-  matrix-federation:
-    address: ":9001"
-  {{ end }}
-
-ping:
-  entryPoint: web
-
-{{ if eq (env "METRICS_ENABLED") "1" }}
-metrics:
-  prometheus:
-    entryPoint: metrics
-    addRoutersLabels: true
-    addServicesLabels: true
-{{ end }}
-
-certificatesResolvers:
-  staging:
-    acme:
-      email: {{ env "LETS_ENCRYPT_EMAIL" }}
-      storage: /etc/letsencrypt/staging-acme.json
-      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      httpChallenge:
-        entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
-      dnsChallenge:
-        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
-        resolvers:
-          - "1.1.1.1:53"
-          - "8.8.8.8:53"
-      {{ end }}
-  production:
-    acme:
-      email: {{ env "LETS_ENCRYPT_EMAIL" }}
-      storage: /etc/letsencrypt/production-acme.json
-      httpChallenge:
-        entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
-      dnsChallenge:
-        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
-        resolvers:
-          - "1.1.1.1:53"
-          - "9.9.9.9:53"
-      {{ end }}