- Introduce Traefik ACME configuration using Cloudflare DNS-01 challenge - Deploy Vaultwarden password manager with IP allowlist protection - Add middleware for security headers, compression, and rate limiting - Update IngressRoute resources to use new ACME resolver - Add troubleshooting steps for certificate and TLS issues - Include test application deployment and verification commands
---
|
|
# Traefik ACME / Let's Encrypt configuration via Cloudflare DNS-01 challenge
|
|
# Secrets (acme_email, cloudflare_api_token) are read from .env at runtime.
|
|
|
|
# Name of the ACME certificate resolver — must match the certresolver annotation
|
|
# used in Ingress/IngressRoute objects (e.g. vaultwarden-deployment.yaml).
|
|
traefik_certresolver_name: letsencrypt-cloudflare
|
|
|
|
# Let's Encrypt ACME server.
|
|
# Use the staging URL while testing to avoid rate-limit hits:
|
|
# https://acme-staging-v02.api.letsencrypt.org/directory
|
|
traefik_acme_server: https://acme-v02.api.letsencrypt.org/directory
|
|
|
|
# Path inside the Traefik pod where ACME state (certs, account) is persisted.
|
|
traefik_acme_storage: /data/acme.json
|
|
|
|
# Traefik entrypoint names — must match annotations in ingress manifests.
|
|
traefik_entrypoint_web: web # HTTP (port 80)
|
|
traefik_entrypoint_websecure: websecure # HTTPS (port 443)
|
|
|
|
# Redirect all HTTP traffic to HTTPS.
|
|
traefik_redirect_http_to_https: true
|
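Review bot: The comment on `traefik_acme_storage` says the ACME state is persisted but does not record what the file holds or how it must be protected — acme.json contains the ACME account private key and the private key of every issued certificate, and Traefik rejects the file when its mode is wider than 0600. I would extend the comment to `# Persisted ACME state: holds the account key and issued private keys — keep on a persistent volume, mode 0600, never in VCS.` A similar one-line addition to the secrets comment near the top would help, stating that `cloudflare_api_token` should be an API token scoped to DNS edit on only the zone being validated rather than an account-wide key, since the DNS-01 solver needs nothing more. Minor style point: the inline comments on `traefik_entrypoint_web` and `traefik_entrypoint_websecure` have a single space before `#`; yamllint expects two, e.g. `traefik_entrypoint_web: web  # HTTP (port 80)`.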