feat: Add Certbot init docker stack

Elastic-Suite · Oct 3, 2024 · 23d7c68 · 23d7c68
1 parent 3e9fbee
commit 23d7c68
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 31 deletions.
diff --git a/.github/workflows/deploy-int.yml b/.github/workflows/deploy-int.yml
@@ -70,6 +70,10 @@ jobs:
             make .env &&
             POSTGRES_PASSWORD=$POSTGRES_PASSWORD docker compose -f compose.yml -f compose.int.yml up -d database && 
             docker compose -f compose.yml -f compose.int.yml down &&
+            SERVER_NAME=$HOSTNAME docker compose -f compose.init_certs.yml build &&
+            SERVER_NAME=$HOSTNAME docker compose -f compose.init_certs.yml up proxy_init_certs -d &&
+            SERVER_NAME=$HOSTNAME docker compose -f compose.init_certs.yml up certbot_init_certs &&
+            docker compose -f compose.init_certs.yml down &&
             git fetch --all && git reset --hard  && git checkout ${{ env.back_branch }} &&
             [ -d front/gally-admin ] || git clone https://github.com/Elastic-Suite/gally-admin.git front/gally-admin &&
             cd front/gally-admin && git fetch --all && git reset --hard && git checkout ${{ env.front_branch }} &&

diff --git a/compose.init_certs.yml b/compose.init_certs.yml
@@ -0,0 +1,26 @@
+services:
+  proxy_init_certs:
+    build:
+      context: ./docker/proxy-init-certs
+    ports:
+      - "80:80"
+    volumes:
+      - ./docker/certbot/certs:/etc/nginx/certs
+      - certbot_www:/var/www/certbot
+    environment:
+      - SERVER_NAME=${SERVER_NAME:-gally.localhost}
+      - API_SERVER_NAME=${API_SERVER_NAME:-api.gally.localhost}
+
+  certbot_init_certs:
+    build:
+      context: ./docker/certbot-init-certs
+    volumes:
+      - ./docker/certbot/certs:/etc/letsencrypt
+      - certbot_www:/var/www/certbot
+    environment:
+      - SERVER_NAME=${SERVER_NAME:-gally.localhost}
+      - API_SERVER_NAME=${API_SERVER_NAME:-api.gally.localhost}
+      - HAS_MULTIPLE_DOMAINS=${API_SERVER_NAME:-}
+
+volumes:
+  certbot_www:
diff --git a/compose.int.yml b/compose.int.yml
@@ -13,7 +13,7 @@ services:
   php:
     environment:
       - APP_SECRET=${APP_SECRET}
-      - XDEBUG_MODE='off'
+      - XDEBUG_MODE=off
       - ELASTICSEARCH_SSL_VERIFICATION=false
 
   pwa:

diff --git a/compose.yml b/compose.yml
@@ -23,7 +23,6 @@ services:
       context: ./docker/certbot
     volumes:
       - ./docker/certbot/certs:/etc/letsencrypt 
-      - ./docker/certbot/www:/var/www/certbot 
     environment:
       - SELF_SIGNED=true
       - SERVER_NAME=${SERVER_NAME:-gally.localhost}

diff --git a/docker/certbot-init-certs/Dockerfile b/docker/certbot-init-certs/Dockerfile
@@ -0,0 +1,8 @@
+FROM certbot/certbot:latest
+
+COPY ./generate-certs.sh /generate-certs.sh
+
+HEALTHCHECK --interval=1m --timeout=10s --start-period=30s --retries=3 \
+    CMD find  /etc/letsencrypt/ -name 'fullchain.pem' -exec test -f {} \; || exit 1
+
+ENTRYPOINT ["/generate-certs.sh"]
diff --git a/docker/certbot-init-certs/generate-certs.sh b/docker/certbot-init-certs/generate-certs.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+CERT_PATH="/etc/letsencrypt/${SERVER_NAME}/fullchain.pem"
+KEY_PATH="/etc/letsencrypt/${SERVER_NAME}/privkey.pem"
+
+if [[ ! -f "$CERT_PATH" ]]; then
+	mkdir -p $(dirname $CERT_PATH)
+
+	if [[ -z $SELF_SIGNED ]]
+	then
+		echo 'Ask letsencrypt certificates'
+		[[ -z "${HAS_MULTIPLE_DOMAINS}" ]] \
+			&& DOMAINS="${SERVER_NAME}" \
+			|| DOMAINS="${SERVER_NAME},${API_SERVER_NAME}"
+
+		certbot certonly --webroot --webroot-path=/var/www/certbot --non-interactive --agree-tos --register-unsafely-without-email --agree-tos --no-eff-email -d ${DOMAINS}
+	fi
+fi
+
diff --git a/docker/certbot/generate-certs.sh b/docker/certbot/generate-certs.sh
@@ -4,39 +4,32 @@ CERT_PATH="/etc/letsencrypt/${SERVER_NAME}/fullchain.pem"
 KEY_PATH="/etc/letsencrypt/${SERVER_NAME}/privkey.pem"
 
 if [[ ! -f "$CERT_PATH" ]]; then
-	echo 'Generate self signed certificates'
-	mkdir -p $(dirname $CERT_PATH)
+    mkdir -p $(dirname $CERT_PATH)
 
-	[[ -z "${HAS_MULTIPLE_DOMAINS}" ]] \
-		&& openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-			  -keyout $KEY_PATH \
-			  -out $CERT_PATH \
-			  -subj "/CN=${SERVER_NAME:-localhost}" \
-		|| openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-			  -keyout $KEY_PATH \
-			  -out $CERT_PATH \
-			  -subj "/CN=${SERVER_NAME:-localhost}" \
-			  -addext "subjectAltName=DNS:${SERVER_NAME},DNS:${API_SERVER_NAME}"
-
-	if [[ -z $SELF_SIGNED ]]
-	then
-		echo 'Ask letsencrypt certificates'
-		[[ -z "${HAS_MULTIPLE_DOMAINS}" ]] \
-			&& DOMAINS="${SERVER_NAME}" \
-			|| DOMAINS="${SERVER_NAME},${API_SERVER_NAME}"
-
-		certbot certonly --webroot --webroot-path=/var/www/certbot --non-interactive --agree-tos --register-unsafely-without-email --agree-tos --no-eff-email -d ${DOMAINS}
-	fi
+    if [[ -n $SELF_SIGNED ]]
+    then
+        echo 'Generate self signed certificates'
+        [[ -z "${HAS_MULTIPLE_DOMAINS}" ]] \
+            && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+                  -keyout $KEY_PATH \
+                  -out $CERT_PATH \
+                  -subj "/CN=${SERVER_NAME:-localhost}" \
+            || openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+                  -keyout $KEY_PATH \
+                  -out $CERT_PATH \
+                  -subj "/CN=${SERVER_NAME:-localhost}" \
+                  -addext "subjectAltName=DNS:${SERVER_NAME},DNS:${API_SERVER_NAME}"
+    fi
 fi
 
 if [[ -z $SELF_SIGNED ]]; then
-	echo 'Wait 48h for certificates renew'
-	trap exit TERM
-	while :; do
-		sleep 48h & wait;
-		certbot renew;
-	done
+    echo 'Wait 12h for certificates renew'
+    trap exit TERM
+    while :; do
+        sleep 12h & wait;
+        certbot renew;
+    done
 else
-	sleep infinity
+    sleep infinity
 fi
 
diff --git a/docker/proxy-init-certs/Dockerfile b/docker/proxy-init-certs/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:latest
+
+COPY --link ./templates /etc/nginx/templates
diff --git a/docker/proxy-init-certs/templates/default.conf.template b/docker/proxy-init-certs/templates/default.conf.template
@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name ${SERVER_NAME} ${API_SERVER_NAME};
+
+    # Rediriger tout le trafic HTTP vers HTTPS
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		FROM nginx:latest

		COPY --link ./templates /etc/nginx/templates