Merge pull request #45 from Hugo-C/feature/GH-44

GH-44 # Fix let's encrypt certificate
Hugo-C · Jan 29, 2024 · 5abd7de · 5abd7de
2 parents 9b59ede + 4d1b63a
commit 5abd7de
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 5 deletions.
diff --git a/docker-compose-LE.yml b/docker-compose-LE.yml
@@ -0,0 +1,20 @@
+version: '3'
+
+services:
+
+  letsencrypt:
+    image: certbot/certbot:latest
+    command: sh -c "certbot certonly --standalone -d jarm.online --text --agree-tos --email contact@jarm.online --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --verbose --keep-until-expiring --preferred-challenges=http && chown -R 1001:1001 /etc/letsencrypt/ && chmod -R 755 /etc/letsencrypt/"
+    entrypoint: ""
+    volumes:
+      - "letsencrypt:/etc/letsencrypt"
+    environment:
+      - TERM=xterm
+# For the first generation, see https://stackoverflow.com/a/66638930
+#    ports:
+#      - "80:80"
+# Else, run in a cron: docker-compose -f docker-compose-LE.yml run --rm letsencrypt
+
+volumes:
+  letsencrypt:
+    name: letsencrypt_keys
diff --git a/docker-compose.yml.prod b/docker-compose.yml.prod
@@ -5,8 +5,7 @@ services:
     container_name: jarm_online_gui_container
     volumes:
        - ./nginx/nginx.conf:/etc/nginx/nginx.conf
-       - ./nginx/www.hugocjarm.software.key:/etc/nginx/ssl/www.hugocjarm.software.key
-       - ./nginx/www.hugocjarm.software.pem:/etc/nginx/ssl/www.hugocjarm.software.pem
+       - letsencrypt:/etc/letsencrypt:ro
     restart: unless-stopped
     ports:
       - "80:80"
@@ -19,8 +18,17 @@ services:
   jarm_online_api:
     image: hugocker/jarm_online_api
     container_name: jarm_online_api_container
+    stop_signal: SIGKILL  # SIGTERM is allowed in config starting with rocket.rs 0.5
     environment:
-      - ROCKET_PROFILE=release
+      - ROCKET_ENV=production
       - ROCKET_SENTRY_DSN=${ROCKET_SENTRY_DSN}
       - ROCKET_SENTRY_TRANSACTION_SAMPLE_RATE=1.0
+      - ALEXA_TOP1M_RAW_DATA_PATH=/alexa_top1M.csv
+    volumes:
+      - ./data/result_aggregated.csv:/alexa_top1M.csv
     restart: unless-stopped
+
+volumes:
+  letsencrypt:
+    external: true
+    name: letsencrypt_keys
diff --git a/jarm_online_gui/nginx.conf.prod b/jarm_online_gui/nginx.conf.prod
@@ -35,6 +35,16 @@ http {
   server {
       listen 80 default_server;
       listen [::]:80 default_server;
+      server_name _;
+
+      location /.well-known/acme-challenge {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream letsencrypt;
+        proxy_pass http://$upstream:80;
+        proxy_set_header Host            $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+      }
 
       location / {
           return 301 https://$host$request_uri;
@@ -46,8 +56,8 @@ http {
     ssl_protocols TLSv1.3 TLSv1.2;
     ssl_prefer_server_ciphers on;
     add_header   Strict-Transport-Security "max-age=63072000" always;
-    ssl_certificate        /etc/nginx/ssl/www.hugocjarm.software.pem;
-    ssl_certificate_key    /etc/nginx/ssl/www.hugocjarm.software.key;
+    ssl_certificate       /etc/letsencrypt/live/jarm.online/fullchain.pem;
+    ssl_certificate_key   /etc/letsencrypt/live/jarm.online/privkey.pem;
 
     location ^~ /api/v1 {
       proxy_http_version 1.1;