From 87bfb200be1bd68af580279606469b2639d15953 Mon Sep 17 00:00:00 2001
From: Colin Hebert
Date: Sun, 30 Apr 2023 11:51:16 +1000
Subject: [PATCH] Improve TLS setup

---
 services/reverse-proxy/configs/dynamic/tls.yml | 6 ------
 services/reverse-proxy/configs/traefik.yml | 5 ++---
 services/reverse-proxy/docker-compose.yml | 2 ++
 3 files changed, 4 insertions(+), 9 deletions(-)
 delete mode 100644 services/reverse-proxy/configs/dynamic/tls.yml

diff --git a/services/reverse-proxy/configs/dynamic/tls.yml b/services/reverse-proxy/configs/dynamic/tls.yml
deleted file mode 100644
index e58ab35..0000000
--- a/services/reverse-proxy/configs/dynamic/tls.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-tls:
-  stores:
-    default:
-      defaultGeneratedCert:
-        resolver: defaultResolver
-        domain:
diff --git a/services/reverse-proxy/configs/traefik.yml b/services/reverse-proxy/configs/traefik.yml
index 7b50d8b..a6a8f62 100644
--- a/services/reverse-proxy/configs/traefik.yml
+++ b/services/reverse-proxy/configs/traefik.yml
@@ -16,11 +16,9 @@ accessLog: {}
 certificatesResolvers:
   defaultResolver:
     acme:
-      email: {{ env `NASCOMPOSE_TRAEFIK_ADMIN_EMAIL` }}
       storage: /etc/traefik/acme/acme.json
       dnsChallenge:
         provider: cloudflare
-      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
 
 entryPoints:
   web:
@@ -33,7 +31,8 @@ entryPoints:
   websecure:
     address: :443
     http:
-      tls: {}
+      tls:
+        certResolver: defaultResolver
       middlewares:
         - hsts@file
   ssh:
diff --git a/services/reverse-proxy/docker-compose.yml b/services/reverse-proxy/docker-compose.yml
index a9fe99e..f566246 100644
--- a/services/reverse-proxy/docker-compose.yml
+++ b/services/reverse-proxy/docker-compose.yml
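Review bot: After this hunk the `defaultResolver` block carries neither an `email` nor a `caServer`, and nothing in the file says where they went: the email now arrives through `TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL` in docker-compose.yml, and dropping `caServer` moves issuance from the acme-staging-v02 endpoint to the Let's Encrypt production CA, whose rate limits apply to every failed or repeated order. Two comments above `storage:` would spare the next reader a trip through the compose file: `# email is injected via TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL (docker-compose.yml)` and `# no caServer: Let's Encrypt production CA (rate-limited); point at acme-staging-v02 while experimenting`. The `acme.json` at that path holds the ACME account key and every issued private key, so a third line noting that it must live on a persistent volume with 0600 permissions (Traefik refuses more permissive modes) would also help; presumably the mount is in docker-compose.yml, outside this hunk.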
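Review bot: `certResolver: defaultResolver` at the entrypoint level applies to every router attached to `websecure`, so each router without its own `tls` section will now obtain a certificate through the ACME resolver, and the names requested come from the router's `Host` rule unless `domains` is set; here `domains` is supplied from outside this file (`TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN` in docker-compose.yml). A comment under `tls:` would make that split visible: `# applies to every router on websecure; the wildcard requested is set via TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN in docker-compose.yml`. The `entryPoints` mapping continues past the hunk (the `ssh` entrypoint is cut off at the end).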
@@ -8,6 +8,8 @@ services:
       NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
       NASCOMPOSE_TRAEFIK_ADMIN_EMAIL: ${NASCOMPOSE_TRAEFIK_ADMIN_EMAIL?}
       CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_token
+      TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL: admin@${NASCOMPOSE_TRAEFIK_DOMAINS?}
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN: '*.${NASCOMPOSE_TRAEFIK_DOMAINS?}'
       LEGO_DISABLE_CNAME_SUPPORT: true
     networks:
       - reverse-proxy
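Review bot: The new ACME email is built as `admin@${NASCOMPOSE_TRAEFIK_DOMAINS?}` while the line two above still makes `NASCOMPOSE_TRAEFIK_ADMIN_EMAIL` mandatory and, after this patch, nothing reads it (the template that consumed it in traefik.yml is deleted in the same commit); Let's Encrypt sends expiry and incident notices to the ACME email, so pointing it at a mailbox that may not exist silently loses them, and reusing the existing variable keeps one source of truth: `TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL: ${NASCOMPOSE_TRAEFIK_ADMIN_EMAIL?}`. The wildcard `*.${NASCOMPOSE_TRAEFIK_DOMAINS?}` covers subdomains only, and with the domains fixed at the entrypoint a router on the bare domain is likely to be served a non-matching certificate; if the apex is served, add it as a SAN, `TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_SANS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}`. The variable name is plural, so it is worth confirming it holds exactly one domain — a comma-separated list would yield an invalid email and an invalid wildcard. These two variables also set static-configuration keys alongside the mounted traefik.yml, and Traefik's documentation describes the file, CLI and environment sources as mutually exclusive, so confirm on a fresh start that the file keys and these env keys are honoured together.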