feat: disable httpChallenge when DNS challenge is configured

As documented in the README's "Configuring wildcard SSL using DNS"
section, the necessary pieces for DNS-01 ACME challenges to work are
already baked into Traefik's recipe, though they were originally
considered for provisioning wildcard certificates. Furthermore, in
environments where the server is not exposed to the internet, the
default HTTP-01 challenge mechanism doesn't work, so taking advantage
of this alternative method makes complete sense.

This change causes ACME validations to be done always using DNS when
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard
certificate requests Traefik uses the HTTP-01 challenge method, which
doesn't work in servers behind a firewall.

We should amend the related section in the
[operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server)
to make a not about the possibility of using DNS challenges in those
scenarios as well.

README.md

@@ -32,15 +32,16 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`
 
-## Configuring wildcard SSL using DNS
+## Configuring SSL using DNS
 
-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes which use a
+fixed number of subdomains. If your server can't be reached from the Internet,
+or if you're deploying a recipe that needs to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
+the use of wildcard certificates,) you can give Traefik access to your DNS provider
+so that it can carry out Letsencrypt DNS challenges.
 
 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
    can be easily added, see

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v30
+export TRAEFIK_YML_VERSION=v31
 export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5

traefik.yml.tmpl

@@ -127,8 +127,10 @@ certificatesResolvers:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/staging-acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
@@ -140,8 +142,10 @@ certificatesResolvers:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       httpChallenge:
         entryPoint: web
+      {{- end }}
       {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
       dnsChallenge:
         provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}