Fix Let's Encrypt certificate deployment issues

- Change CF_DNS_API_TOKEN_FILE to CLOUDFLARE_DNS_API_TOKEN_FILE (correct env var for Traefik/lego)
- Fix inject-secrets.sh to clean up Docker-created directories before injecting secrets
- Add detection for GitLab variables set as Variable type instead of File type
- Improve error messages to help diagnose configuration issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docker-compose.yml

@@ -7,7 +7,7 @@ services:
     command:
       - --configFile=/etc/traefik/traefik.yml
     environment:
-      CF_DNS_API_TOKEN_FILE: /run/secrets/cloudflare-dns-token
+      CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/cloudflare-dns-token
     ports:
       - "80:80"
       - "443:443"

scripts/inject-secrets.sh

@@ -6,6 +6,10 @@
 # GitLab File variables provide the PATH to a temporary file containing the secret.
 # This script copies those files to the expected secrets/app/ location.
 #
+# IMPORTANT: In GitLab, variables MUST be set as "File" type, not "Variable" type.
+# File type variables provide a PATH to a temp file containing the secret.
+# Variable type provides the raw value, which will NOT work with this script.
+#
 # Required GitLab CI/CD Variables (File type):
 #   - POSTGRES_PASSWORD
 #   - AUTH0_CLIENT_SECRET
@@ -22,11 +26,32 @@ set -euo pipefail
 DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}"
 SECRETS_DIR="${DEPLOY_PATH}/secrets/app"
 
+# List of all secret files (must match docker-compose volume mounts)
+SECRET_FILES=(
+    "postgres-password.txt"
+    "auth0-client-secret.txt"
+    "google-maps-api-key.txt"
+    "google-maps-map-id.txt"
+    "cloudflare-dns-token.txt"
+)
+
 echo "Injecting secrets..."
 echo "  Deploy path: $DEPLOY_PATH"
 echo "  Secrets dir: $SECRETS_DIR"
 
-# Clean up any incorrectly created directories and create secrets directory
+# Step 1: Clean up any incorrectly created directories
+# Docker creates directories when bind-mounting files that don't exist
+echo ""
+echo "Cleaning up any corrupted secret paths..."
+for file in "${SECRET_FILES[@]}"; do
+    target_path="${SECRETS_DIR}/${file}"
+    if [ -d "$target_path" ]; then
+        echo "  Removing directory: $file"
+        rm -rf "$target_path"
+    fi
+done
+
+# Step 2: Ensure secrets directory exists
 if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then
     echo "  Removing invalid secrets path..."
     rm -rf "$SECRETS_DIR"
@@ -45,19 +70,23 @@ inject_secret() {
 
     if [ -z "$source_path" ]; then
         echo "  ERROR: Variable $var_name is not set"
+        echo "         Ensure it exists in GitLab CI/CD Variables"
+        return 1
+    fi
+
+    # Check if it looks like a raw value instead of a file path
+    if [[ ! "$source_path" =~ ^/ ]]; then
+        echo "  ERROR: $var_name appears to be a raw value, not a file path"
+        echo "         In GitLab, change the variable Type from 'Variable' to 'File'"
         return 1
     fi
 
     if [ ! -f "$source_path" ]; then
         echo "  ERROR: File not found for $var_name at $source_path"
+        echo "         Ensure the variable is set as 'File' type in GitLab"
         return 1
     fi
 
-    # Remove if exists as directory (cleanup from bad previous runs)
-    if [ -d "$target_path" ]; then
-        rm -rf "$target_path"
-    fi
-
     # Copy the secret file (644 so container users can read)
     cp "$source_path" "$target_path"
     chmod 644 "$target_path"