From cb828bdf53daada75e0c3faea204175cc5ce176a Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sun, 25 Jan 2026 15:27:12 -0500
Subject: [PATCH] Fix SELinux context for Cloudflare API files
---
 roles/proxy/tasks/main.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 1275629..529059a 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -65,14 +65,14 @@
 - name: Grab Cloudflare API token for configuration
 ansible.builtin.slurp:
- src: /root/.cloudflare-api
+ src: /etc/letsencrypt/cloudflare-api.key
 register: cfapi
 when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Install Cloudflare API token
 ansible.builtin.template:
 src: cloudflare.ini.j2
- dest: /root/.cloudflare.ini
+ dest: /etc/letsencrypt/cloudflare.ini
 mode: "400"
 diff: false
 when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
@@ -97,10 +97,11 @@
 --agree-tos \
 --email "{{ proxy.dns_cloudflare.email }}" \
 --dns-cloudflare \
- --dns-cloudflare-credentials /root/.cloudflare.ini \
+ --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
 -d "*.{{ item }}" \
 -d "{{ item }}" \
- {{ proxy.dns_cloudflare.opts | default("") }}'
+ {{ proxy.dns_cloudflare.opts | default("") }}
+ < /dev/null'
 args:
 creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
 loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
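Review bot: With both files moved out of /root, the Cloudflare token is protected only by each file's own ownership and mode, and the first hunk sets `mode: "400"` on `cloudflare.ini` but enforces nothing on `/etc/letsencrypt/cloudflare-api.key`, which holds the same secret. /etc/letsencrypt is usually traversable by unprivileged users, unlike /root, so I would add `owner: root` and `group: root` beside the mode on the template task and enforce the same owner and mode on the key file, unless a task outside this hunk already does. The slurp task also registers the base64-encoded token in `cfapi` without `no_log: true`, so it appears in verbose run output.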
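Review bot: In the second hunk the rewritten `{{ proxy.dns_cloudflare.opts | default("") }}` line no longer ends in ` \`, unlike every other line of the command. If the enclosing scalar preserves newlines, the shell would treat `< /dev/null` as a separate command, so certbot would still inherit stdin and the task's exit status would come from the bare redirect rather than from certbot. Keeping the continuation, `{{ proxy.dns_cloudflare.opts | default("") }} \` followed by `< /dev/null'`, avoids depending on how the block is folded. The task starts above the hunk, so the scalar style and whether certbot already receives `--non-interactive` cannot be confirmed from here; that flag is the explicit way to stop it prompting.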