2024-01-12 20:48:03 +00:00
6 changed files with 38 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1

+#####################################################################
+# Manual wildcard certificate insertion                             #
+#####################################################################
+
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v17
-export FILE_PROVIDER_YML_VERSION=v8
+export TRAEFIK_YML_VERSION=v18
+export FILE_PROVIDER_YML_VERSION=v9
 export ENTRYPOINT_VERSION=v2
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v2.10.5"
+    image: "traefik:v2.10.7"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -25,7 +25,6 @@ http:
    security:
      headers:
        frameDeny: true
-        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -45,3 +44,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}