From e63f025b0d153927337d2b9fdab6a99864cc7fc8 Mon Sep 17 00:00:00 2001
From: Adrien Poupa
Date: Sat, 13 May 2023 15:49:14 -0400
Subject: [PATCH] feat: Make Traefik SSL configuration more flexible

---
 .env.example | 2 ++
 README.md | 49 +++++++++++++++++++++++++---------------------
 docker-compose.yml | 5 ++---
 3 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/.env.example b/.env.example
index a688432..e947268 100644
--- a/.env.example
+++ b/.env.example
@@ -11,7 +11,9 @@ PIA_PASS=
 PIA_LOCAL_NETWORK="192.168.0.0/16"
 HOSTNAME=localhost
 ADGUARD_HOSTNAME=
+DNS_CHALLENGE=true
 DNS_CHALLENGE_PROVIDER=cloudflare
+LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
 LETS_ENCRYPT_EMAIL=
 CLOUDFLARE_EMAIL=
 CLOUDFLARE_DNS_API_TOKEN=
diff --git a/README.md b/README.md
index 9ae9bc8..6fe43f8 100644
--- a/README.md
+++ b/README.md
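Review bot: `LETS_ENCRYPT_CA_SERVER` in the example is pre-set to the production ACME directory with no hint that a staging endpoint exists, so a first-time user iterating on a broken DNS/API-token setup will burn through Let's Encrypt's production rate limits before anything works. I would add a comment line above it: `# Production CA. For testing use https://acme-staging-v02.api.letsencrypt.org/directory (browser-untrusted certs, but no production rate limits)`. `DNS_CHALLENGE=true` likewise deserves a one-line note on what `false` actually yields, e.g. `# Set to false to skip ACME issuance; Traefik then serves its default self-signed certificate` — confirm that wording against the compose file, since from this hunk alone the effect of `false` is only inferred.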
@@ -75,26 +75,28 @@ For the first time, run `./update-config.sh` to update the applications base URL ## Environment Variables -| Variable | Description | Default | -|-----------------------------|------------------------------------------------------------------------------------------------------|-------------------------| -| `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` | -| `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` | -| `USER_ID` | ID of the user to use in Docker containers | `1000` | -| `GROUP_ID` | ID of the user group to use in Docker containers | `1000` | -| `TIMEZONE` | TimeZone used by the container. | `America/New_York` | -| `DATA_ROOT` | Host location of the data files | `/mnt/data` | -| `DOWNLOAD_ROOT` | Host download location for qBittorrent, should be a subfolder of `DATA_ROOT` | `/mnt/data/torrents` | -| `PIA_LOCATION` | Servers to use for PIA | `ca` (Montreal, Canada) | -| `PIA_USER` | PIA username | | -| `PIA_PASS` | PIA password | | -| `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` | -| `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` | -| `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | | -| `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). 
| `cloudflare` | -| `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | | -| `CLOUDFLARE_EMAIL` | CloudFlare Account email | | -| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | | -| `CLOUDFLARE_ZONE_API_TOKEN` | API token with `Zone:Read` permission | | +| Variable | Description | Default | +|-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------| +| `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` | +| `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` | +| `USER_ID` | ID of the user to use in Docker containers | `1000` | +| `GROUP_ID` | ID of the user group to use in Docker containers | `1000` | +| `TIMEZONE` | TimeZone used by the container. | `America/New_York` | +| `DATA_ROOT` | Host location of the data files | `/mnt/data` | +| `DOWNLOAD_ROOT` | Host download location for qBittorrent, should be a subfolder of `DATA_ROOT` | `/mnt/data/torrents` | +| `PIA_LOCATION` | Servers to use for PIA | `ca` (Montreal, Canada) | +| `PIA_USER` | PIA username | | +| `PIA_PASS` | PIA password | | +| `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` | +| `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` | +| `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | | +| `DNS_CHALLENGE` | Enable/Disable DNS01 challenge, set to `false` to disable. | `true` | +| `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` | +| `LETS_ENCRYPT_CA_SERVER` | Let's Encrypt CA Server used to generate certificates, set to production by default.
Set to `https://acme-staging-v02.api.letsencrypt.org/directory` to test your changes with the staging server. | `https://acme-v02.api.letsencrypt.org/directory` | +| `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | | +| `CLOUDFLARE_EMAIL` | CloudFlare Account email | | +| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | | +| `CLOUDFLARE_ZONE_API_TOKEN` | API token with `Zone:Read` permission | | ## PIA WireGuard VPN @@ -199,9 +201,10 @@ baring environment variable changes, see the Traefik documentation above and [Le Then, fill the CloudFlare `.env` entries. -If you want to test your configuration first, use the Let's Encrypt staging server by uncommenting this: +If you want to test your configuration first, use the Let's Encrypt staging server by updating `LETS_ENCRYPT_CA_SERVER`'s +value in `.env`: ``` -#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory +LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory ``` If it worked, you will see the staging certificate at https://nas.domain.com. @@ -211,6 +214,8 @@ You are free to use any DNS01 provider. Simply replace `DNS_CHALLENGE_PROVIDER` [see complete list here](https://doc.traefik.io/traefik/https/acme/#providers). You will also need to inject the environments variables specific to your provider. +Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`. + ### Accessing from the outside with Tailscale If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found diff --git a/docker-compose.yml b/docker-compose.yml index a6c41b0..7770e20 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -17,10 +17,9 @@ services:
 - --entrypoints.web.http.redirections.entryPoint.to=web-secure
 - --entrypoints.web.http.redirections.entryPoint.scheme=https
 - --entrypoints.web.http.redirections.entrypoint.permanent=true
- - --certificatesresolvers.myresolver.acme.dnschallenge=true
+ - --certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}
 - --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
- # Uncomment to test your configuration by using Let's Encrypt staging certificates
- #- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ - --certificatesresolvers.myresolver.acme.caserver=${LETS_ENCRYPT_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}
 - --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL}
 - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
 ports:
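Review bot: `DNS_CHALLENGE=false` does not cleanly "disable certificate generation" as the README text added in this commit claims; the `dnschallenge=${DNS_CHALLENGE:-true}` line only flips the challenge flag while `myresolver` keeps its `provider`, `email` and `storage` settings, which as far as I recall Traefik rejects at startup as an ACME resolver with no challenge type (verify against the Traefik version pinned in this file), and any router still labelled `tls.certresolver=myresolver` outside this hunk would then fall back to Traefik's default self-signed certificate. If an opt-out is wanted, a cleaner switch is to move the `certificatesresolvers.*` flags into a separate compose override selected through `COMPOSE_FILE`, or at minimum document that `false` means "no ACME, self-signed only". Separately, the README snippet this commit adds for the staging test shows `LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory`, the same production URL the `caserver` line here defaults to, so a user following it never reaches staging; it should read `LETS_ENCRYPT_CA_SERVER=https://acme-staging-v02.api.letsencrypt.org/directory`. Note also that `${DNS_CHALLENGE:-true}` is passed through unvalidated, so a value like `no` or `0` will fail Traefik's boolean parsing rather than being treated as disabled.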