
author Nemo <commits@captnemo.in> 2024-02-20 23:46:26.0 +05:30:00
committer Nemo <commits@captnemo.in> 2024-02-20 23:46:26.0 +05:30:00
commit
b40519f964ff1a4e61636dae5121e924d69cea6e [patch]
tree
af2517e6576b2c829c44285e3e3c955974859686
parent
6aa694aca7f39e86621629abc5ac3a891f5aaefa

disable acme on traefik

Not great, but cloudflare was not liking my DNS config.
the issue was a TXT/SPF record on bb8.fun
Since *.bb8.fun CNAMEs to bb8.fun
_acme-challenge.bb8.fun TXT is the same
as TXT bb8.fun, and that means any rogue
TXT records (such as TXT/spf) will break
the renewal.

since I'm anyway renewing some of my other certs manually,
this just sets up *.bb8.fun as another manual cert for now

Diff

 docker/traefik.tf        | 34 ++++++++++++++++++++--------------
 docker/conf/traefik.toml | 37 +++++++------------------------------
 2 files changed, 19 insertions(+), 52 deletions(-)

diff --git a/docker/traefik.tf b/docker/traefik.tf
index 116e1f8..58ec8a1 100644
--- a/docker/traefik.tf
+++ a/docker/traefik.tf
@@ -1,23 +1,7 @@
resource "docker_container" "traefik" {

  name  = "traefik"
  image = docker_image.traefik17.image_id


  labels {

    label = "traefik.enable"
    value = "true"
  }

  labels {

    label = "traefik.http.routers.api.rule"
    value = "Host('traefik.in.bb8.fun')"
  }

  labels {

    label = "traefik.http.routers.api.service"
    value = "api@internal"
  }

  # Local Web Server
  ports {

    internal = 80
@@ -74,6 +58,20 @@
      "/home/nemo/projects/personal/certs/tatooine.club/privkey.pem",
    )
    file = "/etc/traefik/tatooine.club.key"
  }

  upload {

    content = file(

      "/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key",
    )
    file = "/etc/traefik/star.bb8.fun.key"
  }

  upload {

    content = file(

      "/home/nemo/.acme.sh/*.bb8.fun_ecc/fullchain.cer",
    )
    file = "/etc/traefik/star.bb8.fun.crt"
  }


@@ -118,8 +116,4 @@
    name = "bridge"
  }

  env = [

    "CLOUDFLARE_EMAIL=${var.cloudflare_email}",
    "CLOUDFLARE_API_KEY=${var.cloudflare_key}",
  ]
}
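Review bot: The two new `upload` blocks in the second hunk read the *.bb8.fun private key with `file(...)`, so the key bytes end up in Terraform state and in plan output, exactly as the existing tatooine.club upload above them already does. If that state is stored remotely or shared, it has to be treated as containing private keys; where the docker provider version in use supports the `source` argument on `upload`, uploading from the host path avoids embedding the contents in the configuration and state. A short comment above the block would also help the next reader, e.g. `# *.bb8.fun private key, renewed manually via acme.sh (ACME in traefik is disabled)`. The enclosing `docker_container` resource continues outside this hunk.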
diff --git a/docker/conf/traefik.toml b/docker/conf/traefik.toml
index e7145ff..5608048 100644
--- a/docker/conf/traefik.toml
+++ a/docker/conf/traefik.toml
@@ -6,11 +6,16 @@
[accessLog]

[entryPoints]
[entryPoints.http]
  address = ":80"
[entryPoints.https]
  address = ":443"
  # This is required for ACME support
  [entryPoints.https.tls]
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/star.bb8.fun.crt"
    keyFile = "/etc/traefik/star.bb8.fun.key"
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/git.captnemo.in.crt"
    keyFile  = "/etc/traefik/git.captnemo.in.key"
  [[entryPoints.https.tls.certificates]]
@@ -21,7 +26,6 @@
    keyFile  = "/etc/traefik/tatooine.club.key"

[docker]
  # Make sure you mount this as readonly
  # NOTE: readonly doesn't reduce the risk because
  # it is a unix socket - it doesn't automatically translate
  # read|write perms to GET/POST requests.
@@ -32,37 +36,6 @@

[file]
[backends]

# This is currently not exposed
# Since I can't apply a authentication
# on this yet

[web]
  address = ":1111"
  readOnly = true

# To enable Traefik to export internal metrics to Prometheus
[web.metrics.prometheus]

[acme]
email = "acme@captnemo.in"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = false
onDemand   = false
acmelogging = true

[acme.httpChallenge]
  entryPoint = "http"

[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 120
  resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

# Primary 2 wildcard certs
[[acme.domains]]
  main = "*.bb8.fun"
# Internal services are also protected!
[[acme.domains]]
  main = "*.in.bb8.fun"
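Review bot: The comment `# This is required for ACME support` above `[entryPoints.https.tls]` in the first hunk is now misleading: this commit disables ACME (the `[acme]` tables in the last hunk appear to be on the removed side, going by the hunk counts), and the tls block now exists to serve the statically listed certificates. Replace it with `# Static certificates served on :443; renewed manually (ACME is disabled)`. With the `[acme]` section gone nothing in this file tracks certificate expiry any more, so the *.bb8.fun certificate added here needs the same out-of-band renewal reminder as the other manual certs. The last hunk looks like it runs to the end of the file.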