feat(registrar): add TLS_MODE for Traefik TCP; fix tag newline; default ACME resolver

- Add TLS_MODE env to control TCP TLS behavior:
  - terminating (default): Traefik terminates TLS (tls=true + tls.certresolver)
  - passthrough: end-to-end TLS passthrough (tls.passthrough=true)
  - plaintext: plain TCP for internal/Tailscale (HostSNI(`*`) + priority=1)

- Introduce TRAEFIK_CERT_RESOLVER with default "alidns" for ACME issuance.
  (HTTP branch keeps optional tls.certresolver line commented for easy enablement.)

- Fix tag concatenation: use a real newline for NL so that to_json_array()
  parses tags line-by-line into a proper JSON array (prevents single-line tag blob).

- Improve TCP router/service tags and comments to make behavior explicit
  per mode, and keep HTTP branch consistent (middlewares + priority).

BREAKING CHANGE:
- TCP default changes from implicit plaintext to TLS-terminating via Traefik.
  If you relied on plaintext TCP previously, set `TLS_MODE=plaintext` (or
  use `TLS_MODE=passthrough` if your backend terminates TLS itself).
  Ensure Traefik has a working ACME resolver named in $TRAEFIK_CERT_RESOLVER
  (default "alidns") or override accordingly.

registrar.sh

@@ -15,6 +15,8 @@ CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}"
 DEREG_AFTER="${DEREG_AFTER:-1m}"
 TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}"
 TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}"
+TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-alidns}"
+TLS_MODE="${TLS_MODE:-terminating}"   # terminating | passthrough | plaintext
 # TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}"
 
 echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT"
@@ -47,9 +49,35 @@ if [ "$SERVICE_PROTOCOL" = "http" ]; then
   # 如需 ACME 证书解析器可再加一行（取消注释）
   # TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
 elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then
-  TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+  case "$TLS_MODE" in
-  TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+    # A：Traefik 终止 TLS（推荐公网）
-  TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+    terminating)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls=true"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # A-备用：后端自己终止 TLS（需要给 woodpecker-server 配 cert/key）
+    passthrough)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.passthrough=true"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # B：明文 TCP（仅内网/Tailscale，用 * 兜底）
+    plaintext)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`*\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.priority=1"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    *)
+      echo "unsupported TLS_MODE=$TLS_MODE" >&2; exit 2;;
+  esac
 else
   echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2
 fi