infra/roles/services/templates/traefik/dynamic
jack c2f9a0c21c
Some checks failed
CI/CD / syntax-check (push) Successful in 44s
CI/CD / deploy (push) Failing after 46s
feat: wildcard TLS via Cloudflare DNS-01 + real-IP forwarding
- Switch Traefik ACME to dnsChallenge (provider: cloudflare)
- Add *.csrx.ru wildcard cert via tls.stores.default.defaultGeneratedCert
- Pass CLOUDFLARE_DNS_API_TOKEN to Traefik via env_file: .env
- Add Cloudflare IP ranges to forwardedHeaders.trustedIPs (real visitor IPs)
- Fix UFW: allow 172.16.0.0/12 on 80/443 so act_runner can reach Forgejo
- Add A records: auth.csrx.ru, status.csrx.ru, csrx.ru root → 87.249.49.32

Result: one *.csrx.ru cert covers all subdomains, auto-renewed by Traefik.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:47:46 +07:00
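The settings the commit message lists, assembled below as an added example of the Traefik static and dynamic configuration they describe. This is not the repository's own traefik.yml or routes.yml.j2: the file names, the entrypoint names (web/websecure), the ACME contact address, the acme.json path, the dynamic-config directory and the forgejo router/service are assumptions made for the example. The Cloudflare IPv4 ranges are Cloudflare's published list; verify them against https://www.cloudflare.com/ips/ before deploying, because a stale list makes Traefik silently discard X-Forwarded-For from any edge node not on it.

```yaml
# traefik.yml (static configuration) -- added example, not the repo's file.
# CLOUDFLARE_DNS_API_TOKEN is read from the environment (env_file: .env in compose).
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    # Believe X-Forwarded-For / X-Forwarded-Proto only when the TCP peer is a
    # Cloudflare edge. Traefik strips these headers from every other peer, so a
    # client that hits the origin directly cannot spoof its address.
    # Cloudflare's published IPv4 ranges; check https://www.cloudflare.com/ips/
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@csrx.ru            # assumed contact address
      storage: /letsencrypt/acme.json  # assumed path; must persist across restarts
      # DNS-01 is the only ACME challenge that can issue a wildcard;
      # HTTP-01 and TLS-ALPN-01 cannot validate *.csrx.ru.
      dnsChallenge:
        provider: cloudflare
        # Check the _acme-challenge TXT record via public resolvers rather than
        # a local cache that may still answer with a stale (absent) record.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

providers:
  file:
    directory: /etc/traefik/dynamic    # assumed location of routes.yml
    watch: true

---
# dynamic/routes.yml (dynamic configuration) -- added example, not the repo's file.
tls:
  stores:
    default:
      # One certificate for the apex plus the wildcard. Traefik requests it at
      # startup through the resolver above and renews it automatically.
      defaultGeneratedCert:
        resolver: cloudflare
        domain:
          main: "csrx.ru"
          sans:
            - "*.csrx.ru"
  options:
    default:
      minVersion: VersionTLS12

http:
  routers:
    forgejo:
      rule: "Host(`git.csrx.ru`)"     # assumed host name
      entryPoints: [websecure]
      # Deliberately no certResolver here: a router-level certResolver would
      # make Traefik request a separate per-host certificate and ignore the
      # wildcard in the default store.
      tls: {}
      service: forgejo
  services:
    forgejo:
      loadBalancer:
        servers:
          - url: "http://forgejo:3000"   # assumed container name and port
```

Two checks worth running after applying this: `curl -sI https://anything.csrx.ru` should present the `*.csrx.ru` certificate without Traefik logging a new ACME order for that host, and a request sent to the origin address directly with a forged `X-Forwarded-For` header should reach the backend with that header removed. Note that `trustedIPs` only governs whose forwarded headers are believed; it does not stop clients from bypassing Cloudflare by connecting to the origin directly, so if Cloudflare's WAF or rate limiting is relied on, the UFW rules should restrict 80/443 to the same ranges plus 172.16.0.0/12 for the act_runner network.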
routes.yml.j2 feat: wildcard TLS via Cloudflare DNS-01 + real-IP forwarding 2026-03-22 04:47:46 +07:00