From 5bab061cdaa8b1792d2b4458298008263627f449 Mon Sep 17 00:00:00 2001
From: Zigzagill
Date: Sun, 17 May 2026 02:04:30 -0700
Subject: [PATCH 1/3] switch to dns/zone api token for cloudflare dns

---
 .env.sample            | 14 ++++++++------
 compose.cloudflare.yml | 18 +++++++++---------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/.env.sample b/.env.sample
index cb14413..6b616e7 100644
--- a/.env.sample
+++ b/.env.sample
@@ -38,7 +38,7 @@ COMPOSE_FILE="compose.yml"
 ## Enable dns challenge (for wildcard domains)
 ## https://go-acme.github.io/lego/dns/#dns-providers
 #LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
-## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
+## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
 ## Uncomment the corresponding provider below to insert your secret token/key.
 #LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
 
@@ -88,12 +88,14 @@ COMPOSE_FILE="compose.yml"
 
 ## Cloudflare, htps://cloudflare.com
 ## To insert your secrets:
-## abra app secret insert {myapp.example.coop} cf_email v1 ""
-## abra app secret insert {myapp.example.coop} cf_api_key v1 ""
-## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
+## abra app secret insert {myapp.example.coop} cf_dns_api_token v1 ""
+## abra app secret insert {myapp.example.coop} cf_zone_api_token v1 ""
+## These can be the same token or different tokens
+## cf_dns_api_token needs DNS edit access, cf_zone_api_token needs zone edit access
+## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
 #COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
-#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
-#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
 #####################################################################
 # Manual wildcard certificate insertion
 #
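Review bot: The permission guidance on the new `cf_zone_api_token` comment line over-provisions: as I read the LEGO page the comment itself links, `CLOUDFLARE_ZONE_API_TOKEN` is only used to look up the zone ID and needs `Zone:Zone:Read`, while `CLOUDFLARE_DNS_API_TOKEN` is the one that needs `Zone:DNS:Edit`; "zone edit access" hands out more than the challenge uses. Suggest `## cf_dns_api_token needs Zone:DNS:Edit; cf_zone_api_token needs Zone:Zone:Read (it only resolves the zone ID)`. It is also worth stating that the token(s) should be restricted under "Zone Resources" to the specific zone(s) the certificate covers rather than "All zones", since the ACME challenge only writes `_acme-challenge` TXT records in that zone. The `htps://` typo in the unchanged `## Cloudflare` header line could be fixed in passing.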
diff --git a/compose.cloudflare.yml b/compose.cloudflare.yml
index 1feb55b..00aacaf 100644
--- a/compose.cloudflare.yml
+++ b/compose.cloudflare.yml
@@ -3,16 +3,16 @@ version: "3.8"
 services:
   app:
     environment:
-      - CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
-      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
+      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
+      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_api_token
     secrets:
-      - cf_email
-      - cf_api_key
-
+      - cf_dns_api_token
+      - cf_zone_api_token
+
 secrets:
-  cf_email:
-    name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+  cf_dns_api_token:
+    name: ${STACK_NAME}_cf_dns_api_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
     external: true
-  cf_api_key:
-    name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
+  cf_zone_api_token:
+    name: ${STACK_NAME}_cf_zone_api_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
     external: true
-- 
2.49.0

From 856d0c1af0458a42015d63b54c114fa8309dc1e0 Mon Sep 17 00:00:00 2001
From: Zigzagill
Date: Sun, 17 May 2026 02:05:28 -0700
Subject: [PATCH 2/3] add generate=false to DNS secrets

---
 .env.sample | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.env.sample b/.env.sample
index 6b616e7..d62b096 100644
--- a/.env.sample
+++ b/.env.sample
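Review bot: Dropping `cf_email`/`cf_api_key` from the stack does not retire the credential they held: the removed email + API-key pair appears to be Cloudflare's account-wide Global API Key auth (the old `.env.sample` comment called it an account API key), and because the secrets are `external: true` the old `${STACK_NAME}_cf_email_*` / `${STACK_NAME}_cf_api_key_*` Docker secrets stay on the swarm after redeploy. The commit message or `.env.sample` should tell operators to remove those orphaned secrets and revoke or roll the Global API Key in the Cloudflare dashboard once the token-based setup works. Suggested comment above the new top-level `secrets:` block: `# Migrating from cf_email/cf_api_key: remove the old secrets (abra app secret rm) and revoke the Global API Key in Cloudflare; the scoped tokens replace it`. The `-`/`+` blank-line pair between the service `secrets:` list and the top-level `secrets:` looks like a whitespace-only change; worth confirming the new line carries no trailing spaces.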
@@ -47,25 +47,25 @@ COMPOSE_FILE="compose.yml"
 #OVH_ENABLED=1
 #OVH_APPLICATION_KEY=
 #OVH_ENDPOINT=
-#SECRET_OVH_APP_SECRET_VERSION=v1
-#SECRET_OVH_CONSUMER_KEY=v1
+#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
+#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
 #GANDI_API_KEY_ENABLED=1
-#SECRET_GANDIV5_API_KEY_VERSION=v1
+#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
 
 ## Gandi, https://gandi.net
 ## note: uses GandiV5 Personal Access Token
 #COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
 #GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
 
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
+#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
 
 ## Azure, https://azure.com
 ## To insert your Azure client secret:
@@ -76,15 +76,15 @@ COMPOSE_FILE="compose.yml"
 #AZURE_CLIENT_ID=
 #AZURE_SUBSCRIPTION_ID=
 #AZURE_RESOURCE_GROUP=
-#SECRET_AZURE_SECRET_VERSION=v1
+#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
 
 ## Porkbun, https://porkbun.com
 ## To insert your secrets:
 ## abra app secret insert 1312.net pb_api_key v1 pk1_413
 ## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
 #COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
-#SECRET_PORKBUN_API_KEY_VERSION=v1
-#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
+#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
+#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
 
 ## Cloudflare, htps://cloudflare.com
 ## To insert your secrets:
-- 
2.49.0

From 7d5d6efa291a604b2f1190dd7c7279b9db4082d6 Mon Sep 17 00:00:00 2001
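Review bot: `#SECRET_OVH_CONSUMER_KEY=v1 # generate=false` is the only version variable in this hunk without the `_VERSION` suffix that every other `SECRET_*` line carries; if abra (or `compose.ovh.yml`, which is not in this patch) matches secrets by the `SECRET_<NAME>_VERSION` pattern, the `generate=false` marker on this line may never be honoured and the secret could still be auto-generated. Suggest `#SECRET_OVH_CONSUMER_KEY_VERSION=v1 # generate=false`, renaming the matching reference in `compose.ovh.yml` in the same commit, or a short comment explaining why this one deliberately differs. The remaining lines in the hunk only append the marker and look fine.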
From: Zigzagill
Date: Sun, 17 May 2026 14:56:36 -0700
Subject: [PATCH 3/3] Shorten Cloudflare token variable names

---
 .env.sample            |  6 +++---
 compose.cloudflare.yml | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.env.sample b/.env.sample
index d62b096..9b48ff4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -88,10 +88,10 @@ COMPOSE_FILE="compose.yml"
 
 ## Cloudflare, htps://cloudflare.com
 ## To insert your secrets:
-## abra app secret insert {myapp.example.coop} cf_dns_api_token v1 ""
-## abra app secret insert {myapp.example.coop} cf_zone_api_token v1 ""
+## abra app secret insert {myapp.example.coop} cf_dns_token v1 ""
+## abra app secret insert {myapp.example.coop} cf_zone_token v1 ""
 ## These can be the same token or different tokens
-## cf_dns_api_token needs DNS edit access, cf_zone_api_token needs zone edit access
+## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
 ## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
 #COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
 #SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
diff --git a/compose.cloudflare.yml b/compose.cloudflare.yml
index 00aacaf..89c87d4 100644
--- a/compose.cloudflare.yml
+++ b/compose.cloudflare.yml
@@ -3,16 +3,16 @@ version: "3.8"
 services:
   app:
     environment:
-      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
-      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_api_token
+      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
+      - CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
     secrets:
-      - cf_dns_api_token
-      - cf_zone_api_token
+      - cf_dns_token
+      - cf_zone_token
 
 secrets:
-  cf_dns_api_token:
-    name: ${STACK_NAME}_cf_dns_api_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
+  cf_dns_token:
+    name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
     external: true
-  cf_zone_api_token:
-    name: ${STACK_NAME}_cf_zone_api_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
+  cf_zone_token:
+    name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
     external: true
-- 
2.49.0
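Review bot: The rename stops halfway: the secret keys and `/run/secrets/` paths become `cf_dns_token`/`cf_zone_token`, but the version variables interpolated into each `name:` keep the long form `SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION`/`SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION`, so one secret name is now assembled from two different stems and operators must keep both spellings straight. Either rename the `.env` variables to match (e.g. `SECRET_CF_DNS_TOKEN_VERSION`, `SECRET_CF_ZONE_TOKEN_VERSION`, updating `.env.sample` in the same commit) or revert the key shortening so the compose keys follow the variables. As far as the visible lines show, the mapping still resolves as long as both variables are set, so this is consistency rather than breakage.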