change traefik to use wildcard instead of specifics

2026-02-05 11:10:14 -07:00 · 2026-02-05 11:10:14 -07:00 · 297e47379f
commit 297e47379f
parent ea85352a5f
2 changed files with 78 additions and 28 deletions
--- a/lxc1/p1-ingress/pre-consolidation-traefik.bak0
+++ b/lxc1/p1-ingress/pre-consolidation-traefik.bak0
@ -0,0 +1,51 @@
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik-node${TRAEFIK_NODE_ID}
+    network_mode: host
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    cpus: 1.0
+    mem_limit: "1024m"
+    mem_reservation: "128m"
+    restart: always
+    command:
+      - "--api.dashboard=true"
+      - "--api.insecure=true" 
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.useBindPortIP=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      # Variables for flexibility
+      - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
+      - "--providers.file.directory=/etc/traefik/dynamic"
+      - "--providers.file.watch=true"
+      ## DNS resolver
+      - "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
+      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
+      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
+      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
+      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+      - "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
+      - "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
+      ## HTTP Resolver
+      - "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
+      ## mysresolver resolver for old configs
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+      - "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+    environment:
+      - DESEC_TOKEN=${DESEC_TOKEN}
+      - DESEC_DOMAIN=${DESEC_DOMAIN}
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/docker/traefik/letsencrypt:/letsencrypt"
+      - "/docker/traefik/dynamic:/etc/traefik/dynamic"
--- a/lxc1/p1-ingress/traefik.yml
+++ b/lxc1/p1-ingress/traefik.yml
@ -10,41 +10,40 @@ services:
    mem_reservation: "128m"
    restart: always
    command:
+      # --- Core & API ---
      - "--api.dashboard=true"
-      - "--api.insecure=true" 
+      # REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--providers.docker.useBindPortIP=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      # Variables for flexibility
-      - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
+      - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}" # Ensure these are correct!
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
-      ## DNS resolver
-      - "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
-      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
-      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
-      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
-      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
-      - "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
-      - "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
-      ## HTTP Resolver
-      - "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
-      - "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
-      - "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
-      - "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
-      ## mysresolver resolver for old configs
-      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
-      - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
-      - "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
-      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
-      - "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
-      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+
+      # --- Entrypoints ---
+      - "--entrypoints.web.address=:80"
+      # Global Redirect: Force HTTP -> HTTPS for everyone
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      
+      - "--entrypoints.websecure.address=:443"
+      # WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
+      - "--entrypoints.websecure.http.tls.certresolver=desec"
+      - "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
+      - "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
+      - "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
+      - "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"
+
+      # --- One Resolver to Rule Them All (deSEC) ---
+      # I renamed this to 'desec' for clarity.
+      - "--certificatesresolvers.desec.acme.dnschallenge=true"
+      - "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
+      - "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
+      - "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
+      # Optimization: deSEC is fast; we don't need massive delays or propagation checks
+      - "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
+      - "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
    environment:
      - DESEC_TOKEN=${DESEC_TOKEN}
-      - DESEC_DOMAIN=${DESEC_DOMAIN}
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/traefik/letsencrypt:/letsencrypt"