# Let's Encrypt production — trusted certificates; respect rate limits.
#
# ClusterIssuer is a cluster-scoped cert-manager resource, so Certificates and
# annotated Ingresses in any namespace can reference it. Keep RBAC on those
# objects tight: whoever can create them can request publicly trusted
# certificates through this issuer.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Prefer a real mailbox for expiry notices; this domain is accepted by LE
    # (edit if needed).
    email: certificates@noble.lab.pcenicni.dev
    # ACME v2 production directory (not staging).
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key. cert-manager creates it on
    # first registration if it does not exist. Treat it as sensitive: restrict
    # read access to it.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # DNS-01 — Cloudflare token covers pcenicni.dev only. Requires Secret
      # cloudflare-dns-api-token (key: api-token) in cert-manager.
      # NOTE(review): confirm the token is scoped to this zone with only the
      # permissions cert-manager documents for Cloudflare (Zone:DNS:Edit and
      # Zone:Zone:Read), not an account-wide token or the global API key.
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-dns-api-token
              key: api-token
        # dnsZones matches the zone itself and every name beneath it, so all
        # pcenicni.dev hostnames (including wildcards) use this solver.
        selector:
          dnsZones:
            - pcenicni.dev
      # HTTP-01 fallback — used for all other zones (e.g. nikflix.ca via
      # Pangolin → Newt → Traefik).
      # Requires a Pangolin HTTP resource + target for each hostname before LE
      # can reach /.well-known/acme-challenge/.
      # No selector here, so this solver is the catch-all for any name that the
      # dnsZones selector above does not match. HTTP-01 cannot validate
      # wildcard names, so wildcards outside pcenicni.dev cannot be issued by
      # this issuer.
      - http01:
          ingress:
            ingressClassName: traefik