feat(infra): wildcard TLS via Cloudflare DNS-01 #9

Merged
flndrn-dev merged 1 commit from feat/traefik-cloudflare-dns01-tls into main 2026-04-25 12:23:58 +02:00
flndrn-dev commented 2026-04-25 10:59:12 +02:00 (Migrated from github.com)

Summary

  • Wildcard TLS for *.apps.briven.cloud via Let's Encrypt DNS-01 against Cloudflare
  • HTTPS for dev-uptime.briven.cloud via the existing HTTP-01 letsencrypt resolver
  • Version-controls the Traefik static config (infra/traefik/traefik.yml) for the first time

What changed on the KVM (already deployed, this PR only catches up the repo)

  • /etc/dokploy/traefik/traefik.yml — added a second cert resolver cloudflare (DNS-01); the original letsencrypt (HTTP-01) is untouched and all 13 existing app certs still work
  • dokploy-traefik container recreated with --env-file /root/.briven-secrets/cloudflare.env so CF_DNS_API_TOKEN is in the container env. Token is a CF API token scoped Zone:DNS:Edit + Zone:Read on briven.cloud only. Stored mode 600, root-owned, never enters the repo
  • acme-cloudflare.json created (mode 600) for the new resolver's storage; existing acme.json for letsencrypt is untouched

Verification

  • dev-uptime.briven.cloud — Let's Encrypt R13, valid till 2026-07-24, browser shows green padlock
  • *.apps.briven.cloud — Let's Encrypt R12 wildcard cert with SAN for apps.briven.cloud, valid till 2026-07-24
  • All 4 routers (*-web and *-websecure for both hostnames) report enabled with no errors via Traefik's API

Test plan

  • Browser visit https://dev-uptime.briven.cloud returns Uptime Kuma UI with valid cert
  • Browser visit https://anything.apps.briven.cloud returns the API JSON with valid wildcard cert
  • Existing Dokploy-managed apps (dev.briven.cloud, api.briven.cloud, docs.briven.cloud, etc.) still work with their original letsencrypt certs
  • acme.json cert count unchanged (14 entries — adds dev-uptime, no regressions)
  • No router errors in the Traefik API

Follow-ups (not in this PR)

  • No automation yet for shipping infra/traefik/traefik.yml to the KVM — currently manual scp. Could add a small make target or CI step later
  • acme-cloudflare.json lives only on the KVM (correctly, it's Let's Encrypt account state and shouldn't be in git)
  • The CF token can be rotated cheaply via the CF dashboard if it ever leaks

🤖 Generated with Claude Code (https://claude.com/claude-code)

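The PR describes the shape of the change but the config itself is not on the page. The following is an added example, not the repository's `infra/traefik/traefik.yml` or any Dokploy-generated file: a Traefik v3 static configuration carrying the two cert resolvers the PR names (`letsencrypt` over HTTP-01, `cloudflare` over DNS-01, each with its own storage file), followed by a dynamic-configuration fragment for the two routers. Hostnames and storage file names are taken from the PR; the Traefik major version, the ACME e-mail address, entrypoint names, router rule, service names and backend URLs are assumptions. The two YAML documents are separate files on disk and are shown together only for reading.

```yaml
# Added example, not the PR's actual config. Assumptions: Traefik v3,
# entrypoints named web/websecure, the e-mail address, the file provider
# path, and the service/backend names below.
#
# --- infra/traefik/traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  # Original resolver, left unchanged: HTTP-01 on port 80, state in acme.json.
  letsencrypt:
    acme:
      email: admin@briven.cloud                     # assumption
      storage: /etc/dokploy/traefik/acme.json
      httpChallenge:
        entryPoint: web

  # New resolver: DNS-01 against Cloudflare. Traefik's ACME client (lego)
  # reads CF_DNS_API_TOKEN from the container environment; the token needs
  # Zone:Read + Zone:DNS:Edit on the single zone. Separate storage file so the
  # two resolvers never share account state.
  cloudflare:
    acme:
      email: admin@briven.cloud                     # assumption
      storage: /etc/dokploy/traefik/acme-cloudflare.json
      # Point at the staging CA while iterating; production issuance is
      # rate-limited per registered domain.
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        # Check propagation of the _acme-challenge TXT record against public
        # resolvers rather than the host's resolver, which may cache stale data.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

providers:
  file:
    filename: /etc/dokploy/traefik/dynamic.yml      # assumption
---
# --- dynamic configuration (e.g. /etc/dokploy/traefik/dynamic.yml) ---
http:
  routers:
    uptime-websecure:
      rule: "Host(`dev-uptime.briven.cloud`)"
      entryPoints: [websecure]
      service: uptime
      tls:
        certResolver: letsencrypt     # a single name needs only HTTP-01

    apps-wildcard-websecure:
      # A wildcard is not allowed inside Host(), and Traefik cannot derive a
      # certificate request from a HostRegexp rule, so the names to put on the
      # certificate are declared explicitly in tls.domains below.
      rule: "HostRegexp(`^[a-z0-9-]+\\.apps\\.briven\\.cloud$`)"
      entryPoints: [websecure]
      service: apps-api               # assumption
      tls:
        certResolver: cloudflare
        domains:
          - main: "*.apps.briven.cloud"
            sans:
              - "apps.briven.cloud"

  services:
    uptime:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma:3001"          # assumption
    apps-api:
      loadBalancer:
        servers:
          - url: "http://apps-api:8080"             # assumption
```

Two caveats a reviewer would want noted. First, a token with `Zone:DNS:Edit` can create or rewrite any record in `briven.cloud`, not just `_acme-challenge.apps`, so whoever holds it can obtain certificates for, or redirect traffic to, any name in the zone; the 600/root-only env file is the right control, but the blast radius is the whole zone, which is why cheap rotation matters. Second, a value passed via `--env-file` is visible in `docker inspect` output and in `/proc/<pid>/environ` to anyone who can reach the Docker socket or run as root on the KVM, so access to the Docker socket is equivalent to access to the token.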