
implement prefer_wildcard_cert flag

Milo Schwartz 9 月之前
父节点
当前提交
a601d6b24f
共有 3 个文件被更改,包括 23 次插入6 次删除
  1. 10 3
      server/config.ts
  2. 12 2
      server/routers/traefik/getTraefikConfig.ts
  3. 1 1
      src/app/auth/verify-email/page.tsx

+ 10 - 3
server/config.ts

@@ -4,12 +4,15 @@ import path from "path";
 import fs from "fs";
 import yaml from "js-yaml";
 import { fileURLToPath } from "url";
+import { signup } from "./routers/auth";
 
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
 
 export const APP_PATH = path.join("config");
 
+const portSchema = z.number().positive().gt(0).lte(65535);
+
 const environmentSchema = z.object({
     app: z.object({
         name: z.string(),
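Review bot: The added `import { signup } from "./routers/auth"` is not referenced by any line visible in the config.ts hunks, and pulling a router module into the config loader risks an import cycle if that router itself reads the config (not visible here, so worth checking); if it is unused it should be dropped. In the same hunk, `portSchema` accepts fractional values such as 80.5 because it has no integer check, and `.positive()` and `.gt(0)` express the same bound twice. `const portSchema = z.number().int().min(1).max(65535);` states the port range once and rejects non-integers.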
@@ -18,15 +21,17 @@ const environmentSchema = z.object({
         save_logs: z.boolean(),
     }),
     server: z.object({
-        external_port: z.number().positive().gt(0).lte(65535),
-        internal_port: z.number().positive().gt(0).lte(65535),
+        external_port: portSchema,
+        internal_port: portSchema,
         internal_hostname: z.string(),
         secure_cookies: z.boolean(),
+        signup_secret: z.string().optional(),
     }),
     traefik: z.object({
         http_entrypoint: z.string(),
         https_entrypoint: z.string().optional(),
         cert_resolver: z.string().optional(),
+        prefer_wildcard_cert: z.boolean().optional(),
     }),
     rate_limit: z.object({
         window_minutes: z.number().positive().gt(0),
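Review bot: `signup_secret: z.string().optional()` accepts an empty string, so a blank value in the config passes validation and yields a secret that protects nothing. A minimum length, for example `signup_secret: z.string().min(16).optional(),`, would reject that at load time; the exact minimum is a policy choice. The value lives alongside ordinary settings, so the config file's permissions and any place the parsed config is logged or dumped need to treat it as a credential. Neither this key nor `prefer_wildcard_cert` carries a comment, and the code that consumes `signup_secret` is not in the visible hunks, so a one-line comment on each stating its effect would help the next reader.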
@@ -35,7 +40,7 @@ const environmentSchema = z.object({
     email: z
         .object({
             smtp_host: z.string().optional(),
-            smtp_port: z.number().positive().gt(0).lte(65535).optional(),
+            smtp_port: portSchema.optional(),
             smtp_user: z.string().optional(),
             smtp_pass: z.string().optional(),
             no_reply: z.string().email().optional(),
@@ -45,6 +50,8 @@ const environmentSchema = z.object({
         .object({
             allow_org_subdomain_changing: z.boolean().optional(),
             require_email_verification: z.boolean().optional(),
+            disable_signup_without_invite: z.boolean().optional(),
+            require_signup_secret: z.boolean().optional(),
         })
         .optional(),
 });
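Review bot: `require_signup_secret` can be set to true while `server.signup_secret` (added in the earlier hunk of this file) is left unset, and the schema accepts that combination. Depending on how the signup handler compares the secret, which is outside this diff, that either blocks signup entirely or compares the caller's value against `undefined`; a `.superRefine()` on `environmentSchema` that adds an issue when the flag is true and the secret is missing would make the misconfiguration fail at startup instead. Both new flags are optional and therefore off by default, which leaves signup open unless the operator opts in; a comment stating that default next to the keys would make it explicit. The object these keys belong to opens above the hunk.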

+ 12 - 2
server/routers/traefik/getTraefikConfig.ts

@@ -33,6 +33,9 @@ export function buildTraefikConfig(
 
     const tls = {
         certResolver: config.traefik.cert_resolver,
+        ...(config.traefik.prefer_wildcard_cert
+            ? { domains: [baseDomain, `*.${baseDomain}`] }
+            : {}),
     };
 
     const http: any = {
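Review bot: The `domains` value added to `tls` is an array of plain strings, but Traefik's router TLS option expects each entry to be an object with a `main` name and an optional `sans` list, so as written the wildcard request is likely to be rejected or ignored when Traefik parses the dynamic configuration. The spread should produce ``{ domains: [{ main: baseDomain, sans: [`*.${baseDomain}`] }] }``. Wildcard names can only be issued over ACME with a DNS-01 challenge, and `cert_resolver` is optional in the schema, so it is worth a comment here that `prefer_wildcard_cert` needs a DNS-challenge resolver, or a guard that omits `domains` when `cert_resolver` is unset. `baseDomain` and the rest of `buildTraefikConfig` are defined outside the hunk.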
@@ -57,7 +60,11 @@ export function buildTraefikConfig(
         const serviceName = `${target.targetId}-service`;
 
         http.routers![routerName] = {
-            entryPoints: [target.ssl ? config.traefik.https_entrypoint : config.traefik.https_entrypoint],
+            entryPoints: [
+                target.ssl
+                    ? config.traefik.https_entrypoint
+                    : config.traefik.http_entrypoint,
+            ],
             middlewares: [middlewareName],
             service: serviceName,
             rule: `Host(\`${target.resourceId}\`)`, // assuming resourceId is a valid full hostname
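Review bot: `config.traefik.https_entrypoint` is declared optional in server/config.ts, so for a target with `ssl` set and no HTTPS entrypoint configured the new ternary yields `entryPoints: [undefined]` and the router is emitted without a usable entrypoint. Failing fast when `target.ssl` is true and the entrypoint is missing, or skipping that router with a logged warning, is safer than emitting it. With the typo fixed, non-SSL targets are now served on the plain-HTTP entrypoint, which looks intended but deserves a comment saying so. The unchanged `rule` line builds a backtick-delimited `Host(...)` matcher from `target.resourceId` on an assumption stated only in a comment; validating the value as a hostname where resources are created would enforce that assumption. The enclosing loop and function start outside the hunk.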
@@ -80,7 +87,10 @@ export async function getAllTargets(): Promise<schema.Target[]> {
     const all = await db
         .select()
         .from(schema.targets)
-        .innerJoin(schema.resources, eq(schema.targets.resourceId, schema.resources.resourceId))
+        .innerJoin(
+            schema.resources,
+            eq(schema.targets.resourceId, schema.resources.resourceId)
+        )
         .where(
             and(
                 eq(schema.targets.enabled, true),

+ 1 - 1
src/app/auth/verify-email/page.tsx

@@ -5,7 +5,7 @@ import { redirect } from "next/navigation";
 export default async function Page(props: {
     searchParams: Promise<{ [key: string]: string | string[] | undefined }>;
 }) {
-    if (!process.env.NEXT_PUBLIC_FLAGS_EMAIL_VERIFICATION_REQUIRED) {
+    if (process.env.NEXT_PUBLIC_FLAGS_EMAIL_VERIFICATION_REQUIRED !== "true") {
         redirect("/");
     }