enble tls with certbot

client/nginx.conf

@@ -40,4 +40,31 @@ http {
             proxy_cache_bypass $http_upgrade;
         }
     }
+
+    server {
+        listen 443 ssl;
+        listen [::]:443;
+
+        # Ideally, should figure this out.  I believe it to be specific
+        # to the environment.
+        # resolver 127.0.0.11;
+
+        # Since this is the default (and only server) we don't need a
+        # valid server_name.  _ is convention.
+        server_name substrait-fiddle.com www.substrait-fiddle.com;
+
+        ssl_certificate /etc/letsencrypt/live/tu_dominio.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/tu_dominio.com/privkey.pem
+
+        root /app/static;
+
+        location /api/ {
+            proxy_pass http://api:9090;  # Use the service name instead of IP
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+        }
+    }
 }

docker-compose.yaml

@@ -18,10 +18,23 @@ services:
       - VITE_SESSION_SECRET=$VITE_SESSION_SECRET
     ports:
       - "80:8080"
+      - "443:443"
     networks:
       - fiddle-network
     environment:
      - NODE_ENV=production
+    volumes:
+      - ./nginx/certbot/conf:/etc/letsencrypt
+      - ./nginx/certbot/www:/var/www/certbot
+    depends_on:
+      - certbot
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./nginx/certbot/conf:/etc/letsencrypt
+      - ./nginx/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    command: certonly --webroot --webroot-path=/var/www/certbot --email eng-oss-ops@voltrondata.com --agree-tos --no-eff-email --staging -d substrait-fiddle.com -d www.substrait-fiddle.com
 
 networks:
   fiddle-network: