From 0496e9ab61e04bab58b603195e3ffa0a09e071cc Mon Sep 17 00:00:00 2001
From: jack
Date: Sun, 22 Mar 2026 04:13:42 +0700
Subject: [PATCH] feat: wildcard TLS certificate *.csrx.ru via Cloudflare DNS-01

Add tls.stores.default.defaultGeneratedCert in dynamic config:
- Traefik requests one *.csrx.ru + csrx.ru SAN cert via DNS-01
- All existing and future subdomains use this single cert
- No per-service cert issuance wait when adding new services
- Cert auto-renewed by Traefik ~30 days before expiry

Co-Authored-By: Claude Sonnet 4.6
---
 .../templates/traefik/dynamic/routes.yml.j2 | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index bf4c672..6f49a70 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -1,6 +1,19 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
 
+# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
+# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
+# Adding a new service = zero cert wait time, Traefik reuses this cert.
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: letsencrypt
+        domain:
+          main: "*.{{ domain_base }}"
+          sans:
+            - "{{ domain_base }}"
+
 http:
   routers:
     traefik-dashboard:
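Review bot: The wildcard request at `main: "*.{{ domain_base }}"` only succeeds if the `letsencrypt` resolver named on the line above is configured for the DNS-01 challenge in Traefik's static configuration, which is outside this diff; HTTP-01 and TLS-ALPN-01 cannot issue wildcard names, so either that static change belongs in the same commit or a comment here should point to where the resolver is defined. Routers elsewhere in this file that set their own `certResolver` will presumably keep requesting per-host certificates instead of using the store default, so the "zero cert wait" claim in the comment holds only for routers that use `tls: {}` alone — worth confirming against the router definitions that follow the hunk. The comment `# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.` hard-codes the domain that the config itself takes from `domain_base`; since this file is a Jinja template, `# One cert covers ALL *.{{ domain_base }} subdomains + root {{ domain_base }}.` keeps the comment accurate if the variable changes. The DNS provider token the resolver relies on should be scoped to DNS edits on this single zone, since whoever holds it can pass validation for any name under it.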