jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/roles
History
jack c2f9a0c21c
Some checks failed
CI/CD / syntax-check (push) Successful in 44s
Details
CI/CD / deploy (push) Failing after 46s
Details
feat: wildcard TLS via Cloudflare DNS-01 + real-IP forwarding 
- Switch Traefik ACME to dnsChallenge (provider: cloudflare)
- Add *.csrx.ru wildcard cert via tls.stores.default.defaultGeneratedCert
- Pass CLOUDFLARE_DNS_API_TOKEN to Traefik via env_file: .env
- Add Cloudflare IP ranges to forwardedHeaders.trustedIPs (real visitor IPs)
- Fix UFW: allow 172.16.0.0/12 on 80/443 so act_runner can reach Forgejo
- Add A records: auth.csrx.ru, status.csrx.ru, csrx.ru root → 87.249.49.32

Result: one *.csrx.ru cert covers all subdomains, auto-renewed by Traefik.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:47:46 +07:00
..
backup feat: Timeweb S3 offsite backup uploads 2026-03-22 03:58:58 +07:00
base fix: allow Docker bridge networks through UFW for runner + add unattended-upgrades 2026-03-22 04:11:39 +07:00
docker feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl 2026-03-22 04:06:46 +07:00
services feat: wildcard TLS via Cloudflare DNS-01 + real-IP forwarding 2026-03-22 04:47:46 +07:00