
Commit ffce515

authored
Allow certbot to renew SSL certificates without stopping frontend (#220)
- update nginx.conf - allow certbot certificate renewal on port 80 - forward everything else to https://mondey.lkeegan.dev - update docker-compose - mount a folder to allow certbot to renew SSL certificates - add better default logging settings - update deployment docs - add command to generate / renew SSL certificates & sample crontab entry
1 parent 302c994 commit ffce515


3 files changed

+67
-10
lines changed


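--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -5,30 +5,46 @@ Some information on how to deploy the website - currently it is deployed on a te
 ## Production deployment
 
 Production docker container images are automatically built by CI.
+Before running them, the location of the data directory, SSL keys and secret key should be set
+either in env vars or in a file `.env` in the same location as the docker compose.yml.
+
+For example the current test deployment on heicloud looks like this:
+
+```
+MONDEY_SSL_CERT="/etc/letsencrypt/live/mondey.lkeegan.dev/fullchain.pem"
+MONDEY_SSL_KEY="/etc/letsencrypt/live/mondey.lkeegan.dev/privkey.pem"
+```
+
+### docker compose
 To deploy the latest version on a virtual machine with docker compose installed,
 download [docker-compose.yml](https://raw.githubusercontent.com/ssciwr/mondey/main/docker-compose.yml), then do
 
 ```
-sudo docker compose pull
-sudo docker compose up -d
+sudo docker compose pull && sudo docker compose up -d && sudo docker system prune -af
 ```
 
-The location of the database directory, image files directory, SSL keys and secret key should be set
-either in env vars or in a file `.env` in the same location as the docker-compose.yml.
+The same command can be used to update the running website to use the latest available docker images.
 
-TODO: document these options
-
-The current status of the containers can be checked with
+The current status of the running containers can be checked with
 
 ```
 sudo docker compose ps
 sudo docker compose logs
 ```
 
-To update the running website to the latest version:
+### SSL certificates
+
+To generate SSL certificates for the domain `mondey.lkeegan.dev` from [Let's Encrypt](https://letsencrypt.org/) using [Certbot](https://certbot.eff.org/):
 
 ```
-sudo docker compose pull && sudo docker compose up -d && sudo docker system prune -af
+sudo docker run -it --rm -v/etc/letsencrypt:/etc/letsencrypt -v/var/www/certbot:/var/www/certbot certbot/certbot certonly --webroot --webroot-path /var/www/certbot/ -n -d mondey.lkeegan.dev
+```
+
+The certificates needs renewing every three months, which can be done manually using the same command. To automatically renew once a week you can use cron, e.g. `sudo crontab -e`, then add the following line:
+
+```
+0 0 * * 0 docker run -it --rm -v/etc/letsencrypt:/etc/letsencrypt -v/var/www/certbot:/var/www/certbot certbot/certbot certonly --webroot --webroot-path /var/www/certbot/ -n -d mondey.lkeegan.dev
 ```
 
 ### Give users admin rights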

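--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,11 @@ services:
 - PORT=${PORT:-80}
 - RELOAD=${RELOAD:-false}
 - LOG_LEVEL=${LOG_LEVEL:-info}
+logging:
+driver: "local"
+options:
+max-size: 20m
+max-file: 25
 frontend:
 image: ghcr.io/ssciwr/mondey_frontend:${MONDEY_DOCKER_IMAGE_TAG:-latest}
 build:
@@ -28,7 +33,19 @@ services:
 volumes:
 - ${MONDEY_SSL_CERT:-./cert.pem}:/mondey_ssl_cert.pem
 - ${MONDEY_SSL_KEY:-./key.pem}:/mondey_ssl_key.pem
+# to allow certbot to renew SSL certificates:
+- /var/www/certbot:/var/www/certbot:ro
+logging:
+driver: "local"
+options:
+max-size: 20m
+max-file: 25
 email:
 image: "boky/postfix"
 environment:
 - ALLOW_EMPTY_SENDER_DOMAINS="true"
+logging:
+driver: "local"
+options:
+max-size: 20m
+max-file: 3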
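Review bot: Nothing in this change reloads the certificate after certbot renews it: the frontend bind-mounts the certificate and key as single files (`- ${MONDEY_SSL_CERT:-./cert.pem}:/mondey_ssl_cert.pem`) and nginx reads them once at startup, so a renewal on the host is not served until the frontend container is restarted — and if the env var points at a path under `live/` (a symlink), a single-file bind mount is resolved when the container starts and may keep serving the previous file. The renewal command should therefore end with a restart of the frontend or an `nginx -s reload` inside it, e.g. via certbot's `--deploy-hook`, and DEPLOYMENT.md should say so (the cron entry there also passes `-it`; there is no TTY under cron, so `-t` will make the run fail). The three `logging:` blocks in the second hunk are copies of each other apart from `max-file`; a top-level `x-logging: &default-logging` merged into each service with `logging: *default-logging` (overriding `max-file` where needed) would keep the settings in one place.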

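--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -1,9 +1,33 @@
+server {
+# allow certbot to renew SSL certificates using port 80
+listen 80;
+listen [::]:80;
+
+server_name mondey.lkeegan.dev;
+server_tokens off;
+
+location /.well-known/acme-challenge/ {
+root /var/www/certbot;
+}
+
+# forward anything else to https://mondey.lkeegan.dev
+location / {
+return 301 https://mondey.lkeegan.dev$request_uri;
+}
+}
+
+server {
+# redirect www.mondey.lkeegan to mondey.lkeegan.dev
+server_name www.mondey.lkeegan.dev;
+return 301 $scheme://mondey.lkeegan.dev$request_uri;
+}
+
 server {
 listen 80;
 listen 443 ssl;
 listen [::]:443 ssl;
 http2 on;
-server_name www.mondey.lkeegan.dev mondey.lkeegan.dev localhost;
+server_name mondey.lkeegan.dev;
 ssl_certificate /mondey_ssl_cert.pem;
 ssl_certificate_key /mondey_ssl_key.pem;
 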
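Review bot: The TLS server block still carries `listen 80;` (old line 2, kept as context), so two server blocks now listen on port 80 for `server_name mondey.lkeegan.dev`; nginx will log a conflicting-server-name warning and route by the first block, which leaves that directive dead and makes it look as if the TLS block still serves plain HTTP. Drop `listen 80;` from the TLS block so the new ACME/redirect block is the only port-80 handler for that name. The `www.mondey.lkeegan.dev` block has no `listen` directive and the name was removed from the TLS block's `server_name`, so as far as I can tell a request to `https://www.mondey.lkeegan.dev` now lands on the first 443 block and is answered with the `mondey.lkeegan.dev` certificate — worth confirming that the certificate covers `www` or that dropping the www name over HTTPS is intended. The comment on the www block loses the TLD; `# redirect www.mondey.lkeegan.dev to mondey.lkeegan.dev`.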