Keep secrets out of repo

2025-11-13 01:44:01 +08:00
parent f8e38599b0
commit 56055187f8
5 changed files with 25 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -22,5 +22,8 @@ node_modules/
 .env
 .env.*

+# Ignore generated secrets
+dynamic.d/middlewares/crowdsec.yml
+
 # Ignore backup files
-*.~*    
+*.~*    
--- a/README.md
+++ b/README.md
@@ -28,8 +28,7 @@ Configuration files is customized for Gbanyan personal usage.

 ## Configuration

- **.env**: Cloudflare E-mail and API Token for SSL DNS Challenge
-  - Also defines `ACME_EMAIL` (Let’s Encrypt contact) and `CROWDSEC_LAPI_KEY`
+- **.env**: Cloudflare E-mail/API Token plus `CROWDSEC_LAPI_KEY`. Run `scripts/render_dynamic.sh` after editing `.env` so the CrowdSec middleware file is regenerated (it stays ignored by git).
 - **Traefik Configuration**: Modify `traefik.yml`, `dynamic.yml` to customize Traefik's behavior.
 - **Docker Compose**: Use `docker-compose.yml` to define services and networks.

--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -13,8 +13,6 @@ services:
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
-      - TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=${ACME_EMAIL}
-      - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/letsencrypt
--- a/scripts/render_dynamic.sh
+++ b/scripts/render_dynamic.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+if [[ ! -f .env ]]; then
+  echo "Missing .env file. Copy .env.example and fill in secrets." >&2
+  exit 1
+fi
+set -a
+# shellcheck disable=SC1091
+source .env
+set +a
+: "${CROWDSEC_LAPI_KEY:?CROWDSEC_LAPI_KEY must be set in .env}"
+if ! command -v envsubst >/dev/null 2>&1; then
+  echo "envsubst is required to render templates." >&2
+  exit 1
+fi
+envsubst < dynamic.d/middlewares/crowdsec.yml.tmpl > dynamic.d/middlewares/crowdsec.yml
+echo "Rendered dynamic.d/middlewares/crowdsec.yml"
--- a/traefik.yml
+++ b/traefik.yml
@@ -112,6 +112,7 @@ providers:
 certificatesResolvers:
  letsencrypt:
    acme:
+      email: gbanyan.huang@gmail.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare