vcard4reseller/deploy/terraform/terraform.tfvars.example
Thomas Peterson 79e996ab03 Deployment: Caddy edge (TLS + on-demand for custom domains) + Hetzner DNS
- Caddy replaces the Hetzner LB: terminates TLS (portal domain automatically) and
  load-balances via reverse_proxy across the app nodes. For custom domains (§11),
  on-demand TLS, authorised via GET /internal/tls-allowed.
- TlsCheckController + DomainRepository::findVerifiedByHostname: allows certificates
  only for the portal domain or verified domains (protection against cert flooding).
- Terraform: hcloud_load_balancer removed, Caddy server + firewall (80/443) +
  cloud-init-caddy (Caddyfile templated with upstreams/domain/ACME).
- Optional Hetzner DNS via API (manage_dns): A record for portal + wildcard → Caddy.
- nginx.prod: /internal routed to Symfony; APP_PORTAL_DOMAIN env.

Validated: Caddyfile (caddy validate), Terraform (validate), /internal/tls-allowed (200/403/400).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 22:13:29 +02:00

# Copy to terraform.tfvars and fill in the values. Do NOT commit (listed in .gitignore).
hcloud_token = "DEIN_HETZNER_API_TOKEN"
ssh_public_key = "ssh-ed25519 AAAA... dein-key"
admin_cidr = "1.2.3.4/32" # your IP for SSH
location = "nbg1"
network_zone = "eu-central"
app_count = 2
app_server_type = "cx22"
db_server_type = "cx22"
# Application
repo_url = "https://github.com/DEIN-USER/vcard4reseller.git" # private repo: token in URL
repo_branch = "main"
domain = "test.example.com" # portal domain (log in to the portal here)
acme_email = "admin@example.com" # Let's Encrypt
app_secret = "GENERIERE_32_HEX" # e.g. openssl rand -hex 16
# DNS optionally via the Hetzner DNS API (otherwise set the A record manually to caddy_ip)
manage_dns = false
hetzner_dns_token = "" # separate DNS API token
dns_zone_name = "" # e.g. example.com
# Database
db_password = "STARKES_PASSWORT"
db_root_password = "STARKES_ROOT_PASSWORT"
# JWT (generate once, identical on all nodes; see README)
jwt_passphrase = "DEINE_PASSPHRASE"
jwt_private_key = <<-EOT
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
EOT
jwt_public_key = <<-EOT
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
EOT
# Hetzner Object Storage (create bucket + keys beforehand in the Hetzner console)
s3_endpoint = "https://nbg1.your-objectstorage.com"
s3_region = "nbg1"
s3_bucket = "vcard4-card-assets"
s3_key = "OBJECT_STORAGE_ACCESS_KEY"
s3_secret = "OBJECT_STORAGE_SECRET_KEY"
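The commit message describes the control that keeps on-demand TLS from being abused for certificate flooding: Caddy asks GET /internal/tls-allowed before requesting a certificate, and the endpoint answers 200 only for the portal domain or a verified custom domain, 403 otherwise, and 400 for a malformed request. The following is an added, stand-alone Python sketch of that decision logic; it is not the project's TlsCheckController or DomainRepository code. It assumes Caddy's documented `ask` behaviour of passing the SNI name as the `domain` query parameter, and it uses an in-memory set as a stand-in for DomainRepository::findVerifiedByHostname; the hostnames in it are constructed sample data.

```python
"""Hypothetical re-implementation of the /internal/tls-allowed decision (not the project's code)."""
import re
from typing import Callable, Optional
from urllib.parse import parse_qs

# Strict hostname syntax: at least two labels, letters/digits/hyphens only,
# no wildcard, no port, no path. Anything else is a 400, not a 403, so that
# malformed input is visible in logs as a bad request rather than a denial.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)

# Constructed sample data standing in for DomainRepository::findVerifiedByHostname:
# only domains whose ownership has been verified in the portal may get certificates.
VERIFIED_HOSTNAMES = {
    "cards.customer-one.example",
    "vcard.customer-two.example",
}


def normalize_hostname(raw: Optional[str]) -> Optional[str]:
    """Lower-case, strip a trailing dot, and reject anything that is not a plain FQDN."""
    if raw is None:
        return None
    host = raw.strip().lower().rstrip(".")
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return host


def tls_allowed(
    query_domain: Optional[str],
    portal_domain: str,
    is_verified: Callable[[str], bool],
) -> int:
    """Return the HTTP status the `ask` endpoint should answer with.

    200: Caddy may obtain a certificate for this name.
    403: syntactically valid name that is neither the portal domain nor verified.
    400: missing or malformed name. Caddy treats every non-2xx answer as a denial.
    """
    host = normalize_hostname(query_domain)
    if host is None:
        return 400
    if host == portal_domain.lower():
        return 200
    # Exact-match lookup only: no wildcard or suffix matching, so a verified
    # "cards.x.example" does not authorise "anything.cards.x.example".
    if is_verified(host):
        return 200
    return 403


def handle_ask_request(query_string: str, portal_domain: str = "test.example.com") -> int:
    """Parse the query string Caddy sends (`domain=<sni>`) and run the check."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("domain", [])
    # Exactly one `domain` parameter is expected; anything else is malformed.
    if len(values) != 1:
        return 400
    return tls_allowed(values[0], portal_domain, VERIFIED_HOSTNAMES.__contains__)


if __name__ == "__main__":
    for qs in ("domain=test.example.com", "domain=cards.customer-one.example",
               "domain=evil.attacker.example", "domain=*.example.com", ""):
        print(f"{qs!r:45} -> {handle_ask_request(qs)}")
```

The design point is the strict allowlist: on-demand TLS lets any client that can point a name at the edge trigger an ACME issuance, so the ask endpoint must answer from state the operator controls (portal domain plus verified domains), never from DNS or from the request itself, and it must refuse wildcard or partial matches.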