Fix Cloudlfare DNS (#104)

<!--
Thank you for doing recipe maintenance work!
Please mark all checklist items which are relevant for your changes.
Please remove the checklist items which are not relevant for your changes.
Feel free to remove this comment.
-->

Apologies for submitting changes and then immediately undoing some of them. I made a mistake previously by assuming that letsdebug.net tests were sufficient to confirm that this setup was working. But, it turns out that my site was still failing to get valid SSL certs. After digging into the Lego docs I realized I needed to be using different environment variables, which I added here. Once I deployed these changes to a fresh VPS on a different domain with a more straightforward configuration, I confirmed that HTTPS connections to the Traefik dashboard worked just fine.

Please let me know if there's anything else I can do to verify these fixes so I can be extra-super-sure that it's good to go. I'm still new to a lot of this and clearly have lots to learn.

As a treat, I also added `generate=false` flags to the DNS secrets for other providers, as discussed in my previous PR. Cheers!

* [x] I have deployed and tested my changes
Deployed on a fresh VPS, confirmed that HTTPS connections work after deploying these changes
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
No version update needed
* [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
This does remove the two environment variables that I introduced in my prior PR. Since those haven't been picked up in a release, I'm hoping this is an acceptable regression. Those two variables are both perfectly valid, they just require an account-wide API token which is unnecessarily risky in my opinion. But if we want to keep them in, I'm happy to put things back as they were :)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
Not necessary

Reviewed-on: #104
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Co-authored-by: Zigzagill <zigzagill@proton.me>
Co-committed-by: Zigzagill <zigzagill@proton.me>

.env.sample

@@ -38,7 +38,7 @@ COMPOSE_FILE="compose.yml"
 ## Enable dns challenge (for wildcard domains)
 ##   https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
 ## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
 
@@ -47,25 +47,25 @@ COMPOSE_FILE="compose.yml"
 #OVH_ENABLED=1
 #OVH_APPLICATION_KEY=
 #OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1
-#SECRET_OVH_CONSUMER_KEY=v1
+#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
+#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
 #GANDI_API_KEY_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1
+#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
 
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
 
 ## Azure, https://azure.com
 ## To insert your Azure client secret:
@@ -76,24 +76,26 @@ COMPOSE_FILE="compose.yml"
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
+#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
 
 ## Porkbun, https://porkbun.com
 ## To insert your secrets:
 ## abra app secret insert 1312.net pb_api_key v1 pk1_413
 ## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
 #COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
-#SECRET_PORKBUN_API_KEY_VERSION=v1
-#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
+#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
 
 ## Cloudflare, htps://cloudflare.com
 ## To insert your secrets:
-## abra app secret insert {myapp.example.coop} cf_email v1 "<CLOUDFLARE_EMAIL>"
-## abra app secret insert {myapp.example.coop} cf_api_key v1 "<CLOUDFLARE_API_KEY>"
-## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
+## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
+## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
+## These can be the same token or different tokens
+## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
+## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
 #COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
-#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
-#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
 
 #####################################################################
 # Manual wildcard certificate insertion                             #
@@ -212,6 +214,7 @@ COMPOSE_FILE="compose.yml"
 #ANUBIS_OG_EXPIRY_TIME=1h
 #ANUBIS_OG_CACHE_CONSIDER_HOST=true
 #ANUBIS_SERVE_ROBOTS_TXT=true
+#ANUBIS_SLOG_LEVEL=INFO
 
 ## Enable onion service support
 #ONION_ENABLED=1

README.md

@@ -32,15 +32,16 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`
 
-## Configuring wildcard SSL using DNS
+## Configuring SSL using DNS
 
-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes which use a
+fixed number of subdomains. If your server can't be reached from the Internet,
+or if you're deploying a recipe that needs to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
+the use of wildcard certificates,) you can give Traefik access to your DNS provider
+so that it can carry out Letsencrypt DNS challenges.
 
 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
    can be easily added, see

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v30
+export TRAEFIK_YML_VERSION=v31
 export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5

compose.anubis.yml

@@ -17,6 +17,7 @@ services:
       OG_EXPIRY_TIME: "${ANUBIS_OG_EXPIRY_TIME}"
       OG_CACHE_CONSIDER_HOST: "${ANUBIS_OG_CACHE_CONSIDER_HOST}"
       SERVE_ROBOTS_TXT: "${ANUBIS_SERVE_ROBOTS_TXT}"
+      SLOG_LEVEL: "${ANUBIS_SLOG_LEVEL:-INFO}"
     networks:
     - proxy
     deploy:

compose.cloudflare.yml

@@ -3,16 +3,16 @@ version: "3.8"
 services:
   app:
     environment:
-      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
-      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
+      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
+      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
     secrets:
-      - cf_email
-      - cf_api_key
-  
+      - cf_dns_token
+      - cf_zone_token
+
 secrets:
-  cf_email:
-    name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+  cf_dns_token:
+    name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
     external: true
-  cf_api_key:
-    name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
+  cf_zone_token:
+    name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
     external: true

release/next

@@ -0,0 +1 @@
+letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.

traefik.yml.tmpl

@@ -127,8 +127,10 @@ certificatesResolvers:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/staging-acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
@@ -140,8 +142,10 @@ certificatesResolvers:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}