From 46010aeb953a5a36e54a26b6e9c232371dff041b Mon Sep 17 00:00:00 2001
From: 3wc <3wc@doesthisthing.work>
Date: Sat, 19 Jun 2021 02:47:25 +0200
Subject: [PATCH] Enable Gandi DNS challenge for Letsencrypt

---
 .env.sample        |  5 +++++
 abra.sh            |  4 ++--
 compose.gandi.yml  | 15 +++++++++++++++
 entrypoint.sh.tmpl |  4 ++++
 traefik.yml.tmpl   | 18 ++++++++++++++----
 5 files changed, 40 insertions(+), 6 deletions(-)
 create mode 100644 compose.gandi.yml

diff --git a/.env.sample b/.env.sample
index 388b517..d09478f 100644
--- a/.env.sample
+++ b/.env.sample
@@ -21,6 +21,11 @@ LOG_LEVEL=WARN
 # SECRET_OVH_APP_SECRET_VERSION=v1
 # SECRET_OVH_CONSUMER_KEY=v1
 
+## Gandi configuration
+# COMPOSE_FILE="compose.yml:compose.gandi.yml"
+# GANDI_ENABLED=1
+# SECRET_GANDIV5_API_KEY_VERSION=v1
+
 ## Enable Keycloak
 #COMPOSE_FILE="compose.yml:compose.keycloak.yml"
 #KEYCLOAK_MIDDLEWARE_ENABLED=1
diff --git a/abra.sh b/abra.sh
index 2f8abf1..da0d100 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v9
+export TRAEFIK_YML_VERSION=v10
 export FILE_PROVIDER_YML_VERSION=v2
-export ENTRYPOINT_VERSION=v1
+export ENTRYPOINT_VERSION=v2
diff --git a/compose.gandi.yml b/compose.gandi.yml
new file mode 100644
index 0000000..42e8c14
--- /dev/null
+++ b/compose.gandi.yml
@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - GANDIV5_API_KEY_FILE=/run/secrets/gandiv5_api_key
+      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+    secrets:
+      - gandiv5_api_key
+
+secrets:
+  gandiv5_api_key:
+    name: ${STACK_NAME}_gandiv5_api_key_${SECRET_GANDIV5_API_KEY_VERSION}
+    external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 84c59b6..298d5dc 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
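Review bot: The new Gandi block in .env.sample sets `GANDI_ENABLED` and the secret version but not the two variables the rest of this patch depends on: compose.gandi.yml passes `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` and `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` through from the host environment and traefik.yml.tmpl only emits the `dnsChallenge` stanza when the first is `1`. Unless those two are already listed in the OVH section above this hunk, add `# LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1` and `# LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=gandiv5` to the block (the provider name is inferred from the `GANDIV5_API_KEY` variable name — confirm against the lego provider list for the pinned Traefik version). The Keycloak block below also assigns `COMPOSE_FILE`, so a user enabling both will silently lose one overlay; a comment such as `# To combine overlays, list them all in one COMPOSE_FILE, e.g. "compose.yml:compose.gandi.yml:compose.keycloak.yml"` would prevent that.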
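Review bot: The secret mount in compose.gandi.yml takes the default file mode, which (as I recall for Swarm secrets) is world-readable inside the container, and the API key it holds is the full Gandi account credential. Since nothing in the stack needs the key to be readable by anyone but the Traefik process, restricting it is cheap: replace `- gandiv5_api_key` under `secrets:` with `- source: gandiv5_api_key` / `  mode: 0400` (and `uid`/`gid` if Traefik is ever run unprivileged). The file also has no header explaining its contract; a comment such as `# Gandi DNS-01 overlay: needs LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1, LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER and GANDI_ENABLED=1 in the env, plus the external gandiv5_api_key secret` would save the next operator reading three files. Note that `GANDI_ENABLED` is not passed into the container here, which is only correct if entrypoint.sh.tmpl is rendered on the host at deploy time rather than inside the container — worth confirming.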
@@ -7,4 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
+{{ if eq (env "GANDI_ENABLED") "1" }}
+export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl
index ef0147f..b4553eb 100644
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@@ -60,13 +60,23 @@ certificatesResolvers:
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       httpChallenge:
         entryPoint: web
+      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      dnsChallenge:
+        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+      {{ end }}
   production:
     acme:
       email: {{ env "LETS_ENCRYPT_EMAIL" }}
       storage: /etc/letsencrypt/production-acme.json
       httpChallenge:
         entryPoint: web
-      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
-      dnsChallenge:
-        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
-      {{ end }}
+      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
+      dnsChallenge:
+        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+      {{ end }}
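Review bot: `export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")` copies the account-wide API key from a tmpfs secret file into the process environment, where it is visible in `/proc/<pid>/environ`, inherited by every child of `/entrypoint.sh`, and printed by any `docker exec ... env`; the OVH lines above do the same, so this is consistent, but it is worth not repeating. Traefik's ACME library (lego) reads `<VAR>_FILE` variants of provider variables itself as far as I recall, in which case the `GANDIV5_API_KEY_FILE` already set by compose.gandi.yml is sufficient and this whole `{{ if }}` block can be dropped — verify against the pinned Traefik version before removing it. If the export is kept, the missing-secret case should fail loudly instead of exporting an empty key and letting ACME fail later with an opaque error: `[ -r "$GANDIV5_API_KEY_FILE" ] || { echo "GANDIV5_API_KEY_FILE is not readable" >&2; exit 1; }` before the export. The script's head, including any `set -e`, is outside this hunk.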
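Review bot: Both the staging and production resolvers now declare `httpChallenge` and `dnsChallenge` at the same time, and `provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}` is unquoted, so with `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1` but the provider variable unset the line renders as `provider:` (YAML null) and Traefik, which as I recall only uses the DNS challenge when a provider name is present, quietly falls back to HTTP-01 — a wildcard or non-routable host then fails with no hint why. Quoting the value and making the two challenges mutually exclusive with `{{ else }}` removes both the silent fallback and the misleading dual configuration; the snippet below shows the staging resolver, the production one is identical. The duplicated resolver list could also be lifted into a `{{ define }}` or an env var so the two blocks cannot drift.

```yaml
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: "{{ env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER" }}"
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      {{ else }}
      httpChallenge:
        entryPoint: web
      {{ end }}
  # … unchanged: production resolver, same restructuring applied …
```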