84c3e84641
traefik's websecure entrypoint now declares http.tls.domains *.<domain>+apex so it proactively obtains the wildcard via Cloudflare DNS-01 at startup (cert ready before first client, every router serves it by SNI). Gated on CFAPIToken (DNS-01). TraefikData gains Domain; ensureTraefik wires cfg.Customer.Domain. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
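# Traefik Static Configuration
# Generated by felhom-controller (base-infra bring-up). Do not edit — regenerated on bring-up.
#
# This is a Go template: .ACMEEmail, .CFAPIToken and .Domain are filled in by the controller.
# No secret is rendered into this file — the Cloudflare token only *gates* the DNS-01 blocks
# below and must reach the container out of band — so the rendered file is safe to diff/log.

api:
  dashboard: true
  # insecure: false means the API/dashboard is NOT bound to its own :8080 listener; it is only
  # reachable through a router defined in dynamic config. That router must add authentication
  # (basicAuth/forwardAuth) and ideally an IP allow-list — nothing in this file provides that.
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          # ACME HTTP-01 requests (/.well-known/acme-challenge/) are still answered on :80;
          # Traefik serves the challenge before the redirect applies.
          # NOTE(review): this redirect is unconditional, but TLS on websecure is only configured
          # when .ACMEEmail is set. Without it :443 has no certificate from this file and would
          # speak plaintext unless dynamic config supplies one — confirm the controller never
          # renders ACMEEmail empty for an internet-facing host.
  websecure:
    address: ":443"
    {{- if .ACMEEmail}}
    http:
      tls:
        certResolver: letsencrypt
        {{- if .CFAPIToken}}
        # Wildcard proactive issuance (DNS-01 only — HTTP-01 can't do wildcards): traefik obtains
        # *.<domain> (+ apex) at startup, so every router serves the real cert by SNI match with no
        # per-app labels and the cert is ready before the first client connects.
        # Blast radius: a single private key now covers every subdomain, so acme.json is as
        # sensitive as every app's TLS key combined — keep it 0600, never bake it into an image
        # or copy it into logs/backups unencrypted.
        domains:
          - main: "*.{{.Domain}}"
            sans:
              - "{{.Domain}}"
        {{- end}}
    {{- end}}

providers:
  docker:
    # SECURITY: the Docker socket is root-equivalent on the host. Compromise of this container
    # (RCE in Traefik, a malicious plugin) becomes host takeover via container creation.
    # Prefer pointing this at a filtering socket proxy that only allows the read-only
    # /containers, /networks and /events endpoints Traefik needs, rather than the raw socket.
    endpoint: "unix:///var/run/docker.sock"
    # Only containers labelled traefik.enable=true are routed, so a newly started container is
    # never exposed to the internet by default.
    exposedByDefault: false
    network: traefik-public
  file:
    directory: /etc/traefik/dynamic
    watch: true

log:
  level: INFO

# Access log with default settings (stdout, CLF). It records client IPs and request paths,
# so treat the container's stdout as personal data when shipping/retaining logs.
accessLog: {}
{{- if .ACMEEmail}}

certificatesResolvers:
  letsencrypt:
    acme:
      # Quoted so the YAML parser cannot re-type an odd or empty expansion (an empty value
      # would otherwise render as null and silently disable the resolver).
      email: "{{.ACMEEmail}}"
      # Holds the ACME account key plus every issued private key and cert. Traefik requires
      # 0600 on this file (it logs "permissions ... are too open" otherwise); back it up
      # encrypted and never bake it into an image.
      storage: /etc/traefik/acme.json
      {{- if .CFAPIToken}}
      # Cloudflare credentials are NOT in this file; the lego cloudflare provider reads them
      # from the environment (presumably CF_DNS_API_TOKEN, exported by the controller — confirm).
      # Scope that token to DNS:Edit on this single zone only: a broader token lets anyone who
      # compromises this host redirect every record, i.e. hijack the whole domain.
      dnsChallenge:
        provider: cloudflare
        # Propagation is checked against public resolvers rather than the host's (which may be
        # cached or Cloudflare-internal), so the challenge is not attempted before the TXT
        # record is globally visible.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      {{- else}}
      # HTTP-01 fallback: per-host certs are issued on demand from router Host rules; no
      # wildcard is possible and :80 must be reachable from the internet for validation.
      httpChallenge:
        entryPoint: web
      {{- end}}
{{- end}}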