Keep secrets out of repo

2025-11-13 01:44:01 +08:00
parent f8e38599b0
commit 56055187f8
5 changed files with 25 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -22,5 +22,8 @@ node_modules/
 .env
 .env.*
 # Ignore generated secrets
 dynamic.d/middlewares/crowdsec.yml
 # Ignore backup files
-*.~*    
+*.~*    
--- a/README.md
+++ b/README.md
@@ -28,8 +28,7 @@ Configuration files is customized for Gbanyan personal usage.
 ## Configuration
- **.env**: Cloudflare E-mail and API Token for SSL DNS Challenge
+- **.env**: Cloudflare E-mail/API Token plus `CROWDSEC_LAPI_KEY`. Run `scripts/render_dynamic.sh` after editing `.env` so the CrowdSec middleware file is regenerated (it stays ignored by git).
  - Also defines `ACME_EMAIL` (Let’s Encrypt contact) and `CROWDSEC_LAPI_KEY`
 - **Traefik Configuration**: Modify `traefik.yml`, `dynamic.yml` to customize Traefik's behavior.
 - **Docker Compose**: Use `docker-compose.yml` to define services and networks.
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -13,8 +13,6 @@ services:
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
      - TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=${ACME_EMAIL}
      - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/letsencrypt
--- a/scripts/render_dynamic.sh
+++ b/scripts/render_dynamic.sh
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "$ROOT_DIR"
 if [[ ! -f .env ]]; then
  echo "Missing .env file. Copy .env.example and fill in secrets." >&2
  exit 1
 fi
 set -a
 # shellcheck disable=SC1091
 source .env
 set +a
 : "${CROWDSEC_LAPI_KEY:?CROWDSEC_LAPI_KEY must be set in .env}"
 if ! command -v envsubst >/dev/null 2>&1; then
  echo "envsubst is required to render templates." >&2
  exit 1
 fi
 envsubst < dynamic.d/middlewares/crowdsec.yml.tmpl > dynamic.d/middlewares/crowdsec.yml
 echo "Rendered dynamic.d/middlewares/crowdsec.yml"
--- a/traefik.yml
+++ b/traefik.yml
@@ -112,6 +112,7 @@ providers:
 certificatesResolvers:
  letsencrypt:
    acme:
      email: gbanyan.huang@gmail.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare