contrib/sni-router: read $DOMAIN from env in haproxy.cfg

Closes #501.

Before: the SNI hostname had to be edited in haproxy.cfg, plus
DOMAIN had to be set in .env for Caddy.  Two places to keep in sync.

After: DOMAIN is the single source — set it once in .env (or export),
docker-compose forwards it into both haproxy and caddy containers,
and HAProxy interpolates ${DOMAIN} into the SNI ACL at startup.

mtg-config.toml's secret still embeds the domain in its bytes
(generated once with `mtg generate-secret <domain>`), so that one
remains a one-time edit at install — the README is updated to reflect
this.

HAProxy has supported environment-variable substitution in config
strings since 1.6.

contrib/sni-router/README.md

@@ -27,10 +27,9 @@ natural and passive DPI has nothing to flag.
 # 2. Generate an mtg secret:
 docker run --rm nineseconds/mtg:2 generate-secret --hex YOUR_DOMAIN
 
-# 3. Edit the config files:
-#    - mtg-config.toml  →  paste the secret
-#    - haproxy.cfg       →  replace "example.com" in the SNI ACL
-#    - .env or export    →  DOMAIN=your.domain
+# 3. Configure:
+#    - .env (or export)  →  DOMAIN=your.domain   # used by HAProxy + Caddy
+#    - mtg-config.toml   →  paste the secret
 
 # 4. (Optional) put your site content into www/
 
@@ -83,7 +82,7 @@ domain's DNS A/AAAA record points to this server before starting.
 | File | Purpose |
 |---|---|
 | `docker-compose.yml` | Service definitions |
-| `haproxy.cfg` | SNI routing rules — **edit the domain** |
+| `haproxy.cfg` | SNI routing rules (reads `$DOMAIN` from the environment) |
 | `mtg-config.toml` | mtg proxy config — **paste your secret** |
 | `Caddyfile` | Web server config (auto-HTTPS) |
 | `www/` | Static site content served by Caddy |

contrib/sni-router/docker-compose.yml

@@ -9,10 +9,12 @@
 # SNI/IP because the domain resolves to this server's IP.
 #
 # Quick start:
-#   1. Set YOUR_DOMAIN below (and in mtg-config.toml)
-#   2. docker compose up -d
-#   3. mtg generate-secret YOUR_DOMAIN   -> put it in mtg-config.toml
-#   4. docker compose restart mtg
+#   1. Set DOMAIN in a .env file next to this one (or export it)
+#   2. mtg generate-secret YOUR_DOMAIN   -> paste into mtg-config.toml
+#   3. docker compose up -d
+#
+# DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),
+# so the SNI/cert/secret all line up from a single source.
 #
 # See BEST_PRACTICES.md and the project wiki for background.
 
@@ -24,6 +26,8 @@ services:
       - "80:80"
     volumes:
       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z
+    environment:
+      DOMAIN: ${DOMAIN:-example.com}
     depends_on:
       - mtg
       - web

contrib/sni-router/haproxy.cfg

@@ -39,9 +39,10 @@ frontend tls
     tcp-request inspect-delay 5s
     tcp-request content accept if { req_ssl_hello_type 1 }
 
-    # Route Telegram clients to mtg.
-    # Replace "example.com" with the domain from your mtg secret.
-    use_backend mtg if { req_ssl_sni -i example.com }
+    # Route Telegram clients to mtg.  The domain is read from the $DOMAIN
+    # environment variable (forwarded by docker-compose), so it stays in
+    # sync with Caddy and there is no per-deploy edit to this file.
+    use_backend mtg if { req_ssl_sni -i "${DOMAIN}" }
 
     default_backend web