From e5837dfd75e1ec742498bccd7b82f0723475d92d Mon Sep 17 00:00:00 2001
From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com>
Date: Tue, 30 Dec 2025 13:09:42 -0600
Subject: [PATCH] fix: Traefik Let's Encrypt acme.json
---
 .gitea/workflows/production.yaml | 7 ++++++-
 .gitea/workflows/staging.yaml | 7 ++++++-
 .gitignore | 5 ++++-
 docker-compose.blue-green.yml | 2 +-
 docker-compose.yml | 3 +--
 5 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/.gitea/workflows/production.yaml b/.gitea/workflows/production.yaml
index 98d1bbc..2123ff8 100644
--- a/.gitea/workflows/production.yaml
+++ b/.gitea/workflows/production.yaml
@@ -122,9 +122,14 @@ jobs:
 - name: Initialize data directories
 run: |
 cd "$DEPLOY_PATH"
- sudo mkdir -p data/backups data/documents
+ sudo mkdir -p data/backups data/documents data/traefik
 sudo chown -R 1001:1001 data/backups data/documents
 sudo chmod 755 data/backups data/documents
+ # Traefik acme.json requires 600 permissions
+ if [ ! -f data/traefik/acme.json ]; then
+ touch data/traefik/acme.json
+ fi
+ chmod 600 data/traefik/acme.json
 - name: Pull new images
 run: |
diff --git a/.gitea/workflows/staging.yaml b/.gitea/workflows/staging.yaml
index 9efc0d8..2a8f761 100644
--- a/.gitea/workflows/staging.yaml
+++ b/.gitea/workflows/staging.yaml
@@ -114,9 +114,14 @@ jobs:
 - name: Initialize data directories
 run: |
 cd "$DEPLOY_PATH"
- sudo mkdir -p data/backups data/documents
+ sudo mkdir -p data/backups data/documents data/traefik
 sudo chown -R 1001:1001 data/backups data/documents
 sudo chmod 755 data/backups data/documents
+ # Traefik acme.json requires 600 permissions
+ if [ ! -f data/traefik/acme.json ]; then
+ touch data/traefik/acme.json
+ fi
+ chmod 600 data/traefik/acme.json
 - name: Pull new images
 run: |
diff --git a/.gitignore b/.gitignore
index d74b407..dc5fa5f 100644
--- a/.gitignore
+++ b/.gitignore
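Review bot: In the "Initialize data directories" step of `.gitea/workflows/production.yaml`, `data/traefik` is created with `sudo mkdir` and is left out of the `chown`, yet the added `touch` and `chmod 600` run without `sudo`; if the runner user is not root (not visible in this hunk), the first deployment fails with a permission error when creating `acme.json`. Creating the file with its final mode in one step also closes the short window in which it exists with the default umask: `[ -f data/traefik/acme.json ] || sudo install -m 600 /dev/null data/traefik/acme.json`, followed by `sudo chmod 600 data/traefik/acme.json`. Because this file holds the ACME account and certificate private keys, the directory is worth tightening as well, e.g. `sudo chmod 700 data/traefik`, provided the user Traefik runs as inside the container can still traverse it. The identical hunk in `.gitea/workflows/staging.yaml` has the same issue.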
@@ -17,4 +17,7 @@ coverage/
 secrets/**
 !secrets/
 !secrets/**/
-!secrets/**/*.example
\ No newline at end of file
+!secrets/**/*.example
+
+# Traefik ACME certificates (contains private keys)
+data/traefik/acme.json
\ No newline at end of file
diff --git a/docker-compose.blue-green.yml b/docker-compose.blue-green.yml
index 0b0a08d..cfc737e 100644
--- a/docker-compose.blue-green.yml
+++ b/docker-compose.blue-green.yml
@@ -191,5 +191,5 @@ services:
 - ./config/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
 - ./config/traefik/dynamic:/etc/traefik/dynamic:ro
 - ./certs:/certs:ro
- - traefik_data:/data
+ - ./data/traefik:/data
 - ./secrets/app/cloudflare-dns-token.txt:/run/secrets/cloudflare-dns-token:ro
diff --git a/docker-compose.yml b/docker-compose.yml
index a7fbb04..518747c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,7 +21,7 @@ services:
 - ./config/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
 - ./config/traefik/dynamic:/etc/traefik/dynamic:ro
 - ./certs:/certs:ro
- - traefik_data:/data
+ - ./data/traefik:/data
 - ./secrets/app/cloudflare-dns-token.txt:/run/secrets/cloudflare-dns-token:ro
 networks:
 frontend:
@@ -233,7 +233,6 @@ networks:
 # Volume Definitions
 volumes:
- traefik_data: null
 mvp_postgres_data:
 name: mvp_postgres_data
 mvp_redis_data:
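Review bot: Replacing the named volume `traefik_data:/data` with the bind mount `./data/traefik:/data` in `docker-compose.blue-green.yml` (and in the first `docker-compose.yml` hunk) leaves any ACME state already stored in the old volume behind, so Traefik will presumably start from the empty `acme.json` the workflow creates and request every certificate again, which can run into Let's Encrypt rate limits. Nothing in this patch copies the existing `acme.json` across, so a one-time migration step before the first deploy would be worth adding or documenting. The private keys also now live under the deploy path on the host rather than in Docker's volume store, so a comment next to the mount such as `# acme.json holds private keys: keep mode 0600, never copy into build artifacts` would help. Dropping the `traefik_data` declaration does not delete the existing volume, which still contains key material until it is removed explicitly.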