From b40519f964ff1a4e61636dae5121e924d69cea6e Mon Sep 17 00:00:00 2001
From: Nemo <commits@captnemo.in>
Date: Tue, 20 Feb 2024 23:46:26 +0530
Subject: [PATCH] disable acme on traefik

Not great, but cloudflare was not liking my DNS config. the issue was a TXT/SPF record on bb8.fun Since *.bb8.fun CNAMEs to bb8.fun _acme-challenge.bb8.fun TXT is the same as TXT bb8.fun, and that means any rogue TXT records (such as TXT/spf) will equate with renewal being screwed up. since I'm anyway renewing some of my other certs manually, this just sets up *.bb8.fun as another manual cert for now
---
 docker/traefik.tf | 34 ++++++++++++++++++++--------------
 docker/conf/traefik.toml | 37 +++++++------------------------------
 2 files changed, 19 insertions(+), 52 deletions(-)

diff --git a/docker/traefik.tf b/docker/traefik.tf
index 116e1f8..58ec8a1 100644
--- a/docker/traefik.tf
+++ a/docker/traefik.tf
@@ -1,23 +1,7 @@
 resource "docker_container" "traefik" {
 name = "traefik"
 image = docker_image.traefik17.image_id
-
- labels {
- label = "traefik.enable"
- value = "true"
- }
-
- labels {
- label = "traefik.http.routers.api.rule"
- value = "Host('traefik.in.bb8.fun')"
- }
-
- labels {
- label = "traefik.http.routers.api.service"
- value = "api@internal"
- }
-
 # Local Web Server
 ports {
 internal = 80
@@ -74,6 +58,20 @@
 "/home/nemo/projects/personal/certs/tatooine.club/privkey.pem",
 )
 file = "/etc/traefik/tatooine.club.key"
+ }
+
+ upload {
+ content = file(
+ "/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key",
+ )
+ file = "/etc/traefik/star.bb8.fun.key"
+ }
+
+ upload {
+ content = file(
+ "/home/nemo/.acme.sh/*.bb8.fun_ecc/fullchain.cer",
+ )
+ file = "/etc/traefik/star.bb8.fun.crt"
 }
@@ -118,8 +116,4 @@
 name = "bridge"
 }
- env = [
- "CLOUDFLARE_EMAIL=${var.cloudflare_email}",
- "CLOUDFLARE_API_KEY=${var.cloudflare_key}",
- ]
 }
diff --git a/docker/conf/traefik.toml b/docker/conf/traefik.toml
index e7145ff..5608048 100644
--- a/docker/conf/traefik.toml
+++ a/docker/conf/traefik.toml
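Review bot: The `*.bb8.fun` private key that the new `upload` block reads with `file()` is serialized into Terraform state as plaintext `content`, just like the existing tatooine.club key above it, and nothing in the hunk marks it sensitive. If the docker provider version in use supports it, prefer `source = "/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key"` with `source_hash = filesha256("/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key")` so state carries a hash rather than the key bytes and an acme.sh renewal changes the hash; otherwise wrap the value as `content = sensitive(file(...))` so it is at least redacted from plan output. Since an `upload` is part of the container resource, each renewal will most likely surface as a container replacement on the next apply, which deserves a comment so the diff is not a surprise. A comment such as `# acme.sh keeps the wildcard cert in a literal "*.bb8.fun_ecc" directory; file() does not glob, so this path is exact` would also stop the next reader from treating the asterisk as a wildcard. The enclosing `docker_container` resource starts and ends outside this hunk.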
@@ -6,11 +6,16 @@
 [accessLog]
 [entryPoints]
+[entryPoints.http]
+ address = ":80"
 [entryPoints.https]
 address = ":443"
 # This is required for ACME support
 [entryPoints.https.tls]
 [[entryPoints.https.tls.certificates]]
+ certFile = "/etc/traefik/star.bb8.fun.crt"
+ keyFile = "/etc/traefik/star.bb8.fun.key"
+ [[entryPoints.https.tls.certificates]]
 certFile = "/etc/traefik/git.captnemo.in.crt"
 keyFile = "/etc/traefik/git.captnemo.in.key"
 [[entryPoints.https.tls.certificates]]
@@ -21,7 +26,6 @@
 keyFile = "/etc/traefik/tatooine.club.key"
 [docker]
- # Make sure you mount this as readonly
 # NOTE: readonly doesn't reduce the risk because
 # it is a unix socket - it doesn't automatically translate
 # read|write perms to GET/POST requests.
@@ -32,37 +36,6 @@
 [file]
 [backends]
-
- # This is currently not exposed
- # Since I can't apply a authentication
- # on this yet
-
- [web]
- address = ":1111"
- readOnly = true
 # To enable Traefik to export internal metrics to Prometheus
 [web.metrics.prometheus]
-
- [acme]
- email = "acme@captnemo.in"
- storage = "/acme/acme.json"
- entryPoint = "https"
- onHostRule = false
- onDemand = false
- acmelogging = true
-
- [acme.httpChallenge]
- entryPoint = "http"
-
- [acme.dnsChallenge]
- provider = "cloudflare"
- delayBeforeCheck = 120
- resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-
- # Primary 2 wildcard certs
- [[acme.domains]]
- main = "*.bb8.fun"
- # Internal services are also protected!
- [[acme.domains]]
- main = "*.in.bb8.fun"
-- 
rgit 0.1.5
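Review bot: The new `[entryPoints.http]` listener on `:80` carries no redirect, and with the `[acme.httpChallenge]` that used to target it removed in this same commit, any frontend that lands on this entry point is served in plaintext (Traefik 1.x routes frontends to `http` by default unless a `defaultEntryPoints` setting outside this hunk says otherwise). For the 1.7 image that traefik.tf pins, either add `[entryPoints.http.redirect]` / `entryPoint = "https"` beneath the new table, or drop the entry point entirely if :80 was only there for the HTTP-01 challenge. The context comment `# This is required for ACME support` above `[entryPoints.https.tls]` is also stale now that ACME is gone; replace it with `# Static certificates, selected by SNI; renewed by acme.sh and uploaded via Terraform`.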
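Review bot: Removing `[web]` together with `address = ":1111"` and `readOnly = true` while the context line `[web.metrics.prometheus]` stays behind most likely leaves the web provider enabled — the nested table still creates `web` — but now on the provider's default address and, since `readOnly` is no longer set, with its read/write API. In Traefik 1.x that API accepts configuration pushes, so anything that can reach the container on the bridge network could inject routing; the ports published in traefik.tf are only partly visible in this patch, so whether this is reachable beyond the Docker network cannot be confirmed here. Either keep an explicit `[web]` block with `readOnly = true`, or, on the 1.7 image, switch to the non-web form `[metrics]` / `[metrics.prometheus]` and delete `[web.metrics.prometheus]` so no web provider is instantiated at all.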