jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: wildcard TLS certificate *.csrx.ru via Cloudflare DNS-01
Some checks failed
CI/CD / syntax-check (push) Successful in 43s
Details
CI/CD / deploy (push) Failing after 48s
Details

Browse source 
Add tls.stores.default.defaultGeneratedCert in dynamic config:
- Traefik requests one *.csrx.ru + csrx.ru SAN cert via DNS-01
- All existing and future subdomains use this single cert
- No per-service cert issuance wait when adding new services
- Cert auto-renewed by Traefik ~30 days before expiry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
jack 2026-03-22 04:13:42 +07:00
parent 5befd48a50
commit 0496e9ab61
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
roles/services/templates/traefik/dynamic/routes.yml.j2
View file

@ -1,6 +1,19 @@
# Traefik dynamic routing config — generated by Ansible # Traefik dynamic routing config — generated by Ansible
# Do not edit manually; re-run ansible-playbook deploy.yml # Do not edit manually; re-run ansible-playbook deploy.yml
# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
# Adding a new service = zero cert wait time, Traefik reuses this cert.
tls:
stores:
default:
defaultGeneratedCert:
resolver: letsencrypt
domain:
main: "*.{{ domain_base }}"
sans:
- "{{ domain_base }}"
http: http:
routers: routers:
traefik-dashboard: traefik-dashboard: