Merge b293a33d99 into 8d143d7bde

contrib/sni-router/README.md

 # 2. Generate an mtg secret:
 docker run --rm nineseconds/mtg:2 generate-secret --hex YOUR_DOMAIN
 
-# 3. Edit the config files:
-#    - mtg-config.toml  →  paste the secret
-#    - haproxy.cfg       →  replace "example.com" in the SNI ACL
-#    - .env or export    →  DOMAIN=your.domain
+# 3. Configure:
+#    - .env (or export)  →  DOMAIN=your.domain   # used by HAProxy + Caddy
+#    - mtg-config.toml   →  paste the secret
 
 # 4. (Optional) put your site content into www/
 
 | File | Purpose |
 |---|---|
 | `docker-compose.yml` | Service definitions |
-| `haproxy.cfg` | SNI routing rules — **edit the domain** |
+| `haproxy.cfg` | SNI routing rules (reads `$DOMAIN` from the environment) |
 | `mtg-config.toml` | mtg proxy config — **paste your secret** |
 | `Caddyfile` | Web server config (auto-HTTPS) |
 | `www/` | Static site content served by Caddy |

contrib/sni-router/docker-compose.yml

 # SNI/IP because the domain resolves to this server's IP.
 #
 # Quick start:
-#   1. Set YOUR_DOMAIN below (and in mtg-config.toml)
-#   2. docker compose up -d
-#   3. mtg generate-secret YOUR_DOMAIN   -> put it in mtg-config.toml
-#   4. docker compose restart mtg
+#   1. Set DOMAIN in a .env file next to this one (or export it)
+#   2. mtg generate-secret YOUR_DOMAIN   -> paste into mtg-config.toml
+#   3. docker compose up -d
+#
+# DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),
+# so the SNI/cert/secret all line up from a single source.
 #
 # See BEST_PRACTICES.md and the project wiki for background.
 
+x-domain-env: &domain-env
+  DOMAIN: ${DOMAIN:-example.com}
+
 services:
   haproxy:
     image: haproxy:lts-alpine
       - "80:80"
     volumes:
       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z
+    environment:
+      <<: *domain-env
     depends_on:
       - mtg
       - web
       - "80"
       - "8443"
     environment:
-      DOMAIN: ${DOMAIN:-example.com}
+      <<: *domain-env
     restart: unless-stopped
 
 volumes:

contrib/sni-router/haproxy.cfg

     tcp-request inspect-delay 5s
     tcp-request content accept if { req_ssl_hello_type 1 }
 
-    # Route Telegram clients to mtg.
-    # Replace "example.com" with the domain from your mtg secret.
-    use_backend mtg if { req_ssl_sni -i example.com }
+    # Route Telegram clients to mtg.  The domain is read from the $DOMAIN
+    # environment variable (forwarded by docker-compose), so it stays in
+    # sync with Caddy and there is no per-deploy edit to this file.
+    use_backend mtg if { req_ssl_sni -i "${DOMAIN}" }
 
     default_backend web
 

contrib/sni-router/mtg-config.toml

 # Minimal mtg configuration for the SNI-router setup.
 #
-# 1. Generate a secret:  mtg generate-secret --hex example.com
-# 2. Paste it below.
-# 3. Replace example.com with your actual domain everywhere.
+# 1. Generate a secret:  mtg generate-secret --hex <your.domain>
+# 2. Paste it into the `secret` field below.
+# 3. Set DOMAIN=<your.domain> in .env (HAProxy + Caddy pick it up).
 
 secret = "PASTE_YOUR_SECRET_HERE"
 bind-to = "0.0.0.0:3128"