From 4ab982d44676a3f31607bb8dbddf1fdc26e892a7 Mon Sep 17 00:00:00 2001
From: Pierre Gauthier
Date: Wed, 11 Sep 2024 10:19:41 +0200
Subject: [PATCH] Add LetsEncrypt certificats

---
 .github/workflows/deploy-int.yml | 5 ++---
 compose.override.yaml | 4 ++++
 compose.yml | 22 ++++++++++----------
 docker/proxy/templates/default.conf.template | 14 +++++++++++++
 4 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/deploy-int.yml b/.github/workflows/deploy-int.yml
index ae3f40ef8..4b1ce1827 100644
--- a/.github/workflows/deploy-int.yml
+++ b/.github/workflows/deploy-int.yml
@@ -68,7 +68,7 @@ jobs:
 docker system prune -af &&
 ([[ $(docker volume ls -q | awk '!/_/' | wc -l) -eq 0 ]] || docker volume rm $(docker volume ls -q | awk '!/_/' | tr '\n' ' ')) &&
 make .env &&
- POSTGRES_PASSWORD=$POSTGRES_PASSWORD docker compose -f compose.yml -f compose.int.yml start database &&
+ POSTGRES_PASSWORD=$POSTGRES_PASSWORD docker compose -f compose.yml -f compose.int.yml up -d database &&
 docker compose -f compose.yml -f compose.int.yml down &&
 git fetch --all && git reset --hard && git checkout ${{ env.back_branch }} &&
 [ -d front/gally-admin ] || git clone https://github.com/Elastic-Suite/gally-admin.git front/gally-admin &&
@@ -78,6 +78,5 @@ jobs:
 docker compose run --rm php composer config repositories.gally-premium composer $PACKAGIST_URL &&
 docker compose run --rm -e COMPOSER_AUTH='$COMPOSER_AUTH' php composer require \"gally/gally-standard:${{ env.composer_version }} as ${{ inputs.last_published_version }}\" &&
 docker compose run --rm -e COMPOSER_AUTH='$COMPOSER_AUTH' php composer require \"gally/gally-premium:${{ env.composer_version }}\" &&
- [ -z ${MEDIA_URL} ] || echo -e \"gally:\n base_url:\n media: '$MEDIA_URL'\" > api/config/packages/gally_configuration.yaml &&
- SERVER_NAME=$HOSTNAME API_ROUTE_PREFIX=api APP_SECRET=$APP_SECRET POSTGRES_PASSWORD=$POSTGRES_PASSWORD COMPOSER_AUTH='$COMPOSER_AUTH' docker compose -f compose.yml -f compose.int.yml up -d --build
+ GALLY_CATALOG_MEDIA_URL=${MEDIA_URL} SERVER_NAME=$HOSTNAME API_ROUTE_PREFIX=api APP_SECRET=$APP_SECRET POSTGRES_PASSWORD=$POSTGRES_PASSWORD COMPOSER_AUTH='$COMPOSER_AUTH' docker compose -f compose.yml -f compose.int.yml up -d --build
 "
diff --git a/compose.override.yaml b/compose.override.yaml
index 9fe91f523..36522887d 100644
--- a/compose.override.yaml
+++ b/compose.override.yaml
@@ -1,5 +1,9 @@
 # Development environment override
 services:
+
+ certbot: # Disable certbot for local env
+ entrypoint: 'true'
+
 router:
 volumes:
 - ./api/public:/app/public
diff --git a/compose.yml b/compose.yml
index b1e4fa0e5..fd84a60b5 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,6 +3,7 @@ services:
 build:
 context: ./docker/proxy
 ports:
+ - "80:80"
 - "443:443"
 volumes:
 - ./docker/certs:/etc/nginx/certs
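Review bot: The new `up -d --build` line exports `SERVER_NAME=$HOSTNAME` but nothing for `API_SERVER_NAME`, while the certbot service added in compose.yml requests `-d ${SERVER_NAME:-gally.localhost},${API_SERVER_NAME:-api.gally.localhost}`; unless compose.int.yml or the host's `.env` supplies `API_SERVER_NAME` (not visible here), the ACME order will include `api.gally.localhost`, a name that cannot be validated, and issuance fails for both names. Pass the API host explicitly on the same line, from the same source as `HOSTNAME`, e.g. `API_SERVER_NAME=$API_HOSTNAME SERVER_NAME=$HOSTNAME …` (`API_HOSTNAME` is a placeholder for whatever variable the runner has). Separately, the removed guard only wrote the media URL when `MEDIA_URL` was non-empty, whereas `GALLY_CATALOG_MEDIA_URL=${MEDIA_URL}` now always sets the variable, possibly to an empty string — confirm the application treats an empty value as unset. The script string these lines belong to starts before this hunk.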
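Review bot: `entrypoint: 'true'` in compose.override.yaml keeps the certbot service defined, so a local `docker compose up` still creates the container, honours its `depends_on: proxy` ordering and bind-creates `./docker/certs/www` on the host before the process exits 0; the `command:` string from compose.yml is simply passed to `true` as ignored arguments. That is fine as a quick switch-off, but it is not obvious from a one-word override, so expand the comment: `# Disable certbot for local env: 'true' exits immediately and discards the command from compose.yml`. If the intent is to not start it locally at all, a `profiles:` entry on the service in compose.yml is the documented way, at the cost of activating the profile in the integration invocation.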
@@ -12,6 +13,16 @@ services:
 - SERVER_NAME=${SERVER_NAME:-gally.localhost}
 - API_SERVER_NAME=${API_SERVER_NAME:-api.gally.localhost}
 - BACKEND_UPSTREAM=varnish:80
+
+ certbot:
+ image: certbot/certbot
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do sleep 48h & wait; certbot renew; done;'"
+ command: certonly --webroot --webroot-path=/var/www/certbot --non-interactive --agree-tos --register-unsafely-without-email --agree-tos --no-eff-email -d ${SERVER_NAME:-gally.localhost},${API_SERVER_NAME:-api.gally.localhost}
+ volumes:
+ - ./docker/certs:/etc/letsencrypt
+ - ./docker/certs/www:/var/www/certbot
+ depends_on:
+ - proxy
 
 varnish:
 build:
@@ -84,17 +95,6 @@ services:
 interval: 10s
 timeout: 5s
 retries: 20
-
-# certbot:
-# image: certbot/certbot
-# entrypoint: "/bin/sh -c 'if [ \"${ENVIRONMENT}\" = \"local\" ]; then sleep infinity; else certbot certonly --webroot --webroot-path=/var/www/certbot -d YOUR_DOMAIN_HERE --non-interactive --agree-tos --register-unsafely-without-email; fi'"
-# volumes:
-# - ./docker/certs:/etc/letsencrypt
-# - ./docker/certbot/www:/var/www/certbot
-# environment:
-# - ENVIRONMENT=${ENVIRONMENT:-local}
-# - CERTBOT_DOMAIN=${DOMAIN:-your-generated-domain}
 ###> doctrine/doctrine-bundle ###
 database:
diff --git a/docker/proxy/templates/default.conf.template b/docker/proxy/templates/default.conf.template
index 2b9547462..3e53414bd 100644
--- a/docker/proxy/templates/default.conf.template
+++ b/docker/proxy/templates/default.conf.template
@@ -1,3 +1,17 @@
+server {
+ listen 80;
+ server_name ${SERVER_NAME} ${API_SERVER_NAME};
+
+ # Rediriger tout le trafic HTTP vers HTTPS
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
 server {
 listen 443 ssl;
 server_name ${SERVER_NAME} ${API_SERVER_NAME};
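Review bot: The `certonly …` arguments in `command:` are never executed: `entrypoint` is a string, so Docker runs `/bin/sh -c '<loop>'` and appends the `command` words as positional parameters, but the loop body never references `"$@"`; no initial certificate is requested, and the first `certbot renew` runs after 48h with nothing to renew, which presumably leaves the proxy's `listen 443 ssl` block without a certificate. Run the command before entering the loop, with `$$` so compose does not interpolate `$@`: `entrypoint: ["/bin/sh", "-c", "trap exit TERM; certbot \"$$@\"; while :; do sleep 12h & wait; certbot renew; done", "--"]` (12h follows certbot's guidance of two renewal attempts per day; keep 48h if that is deliberate). While touching that line, drop the duplicated `--agree-tos` in `command:`, and consider replacing `--register-unsafely-without-email` with `--email` from an environment variable so expiry and revocation notices reach someone. The issued private keys land in `./docker/certs` on the host via the bind mount; this hunk does not show whether that path is excluded from version control, so worth confirming.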
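Review bot: The comment `# Rediriger tout le trafic HTTP vers HTTPS` sits above the ACME-challenge location, which is the one path that is not redirected; move it to the `location /` block and write it in English, e.g. `# HTTP-01 challenges are served from the certbot webroot; everything else goes to HTTPS`. The challenge files only get served if the proxy container mounts the same host directory certbot writes to (`./docker/certs/www`) at `/var/www/certbot`; the proxy's volumes shown in the compose.yml hunk list only `./docker/certs:/etc/nginx/certs`, so unless a further volume entry exists outside that hunk the `root /var/www/certbot` here points at an empty or missing directory and validation fails. Because this is the first server block on port 80, it is also nginx's implicit default for that port, so a request whose Host matches neither name is still answered with `301 https://$host$request_uri` built from the client-supplied Host; a catch-all `server { listen 80 default_server; return 444; }` placed before it keeps the redirect limited to the two configured names. The `listen 443 ssl` server block continues past the end of the hunk.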