authornsfisis <nsfisis@gmail.com>2022-10-26 19:24:38 +0900
committernsfisis <nsfisis@gmail.com>2022-10-26 19:24:38 +0900
commitfa24c3c8b1922cbd5bbf330c45f5788c08d1cb43 (patch)
treef4f18d3ac12c0478ac14d62fb21bf0c54ce91b6a
parentb858652701f0db69d2a7ffa3d1d674b3cc263ae0 (diff)
setup docker
-rw-r--r--Makefile33
-rw-r--r--acme-challenge/.gitignore2
-rw-r--r--docker-compose.yml38
-rw-r--r--letsencrypt/.gitignore2
-rw-r--r--nginx/acme-challange.conf9
-rw-r--r--nginx/proxy.conf23
6 files changed, 107 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..fe0d95bf
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,33 @@
+.PHONY: all
+all: deploy
+
+.PHONY: deploy
+deploy: build serve
+
+.PHONY: setup
+setup: certbot
+ cd vhosts/blog; make setup
+
+.PHONY: build
+build:
+ docker-compose build
+ cd vhosts/blog; make build
+
+.PHONY: serve
+serve: .nsfisis_dev_shared_network
+ docker-compose up -d
+ cd vhosts/blog; make serve
+
+.PHONY: clean
+clean:
+ cd vhosts/blog; make clean
+ docker-compose down
+ docker network ls | grep nsfisis_dev_shared > /dev/null && docker network rm nsfisis_dev_shared
+
+.PHONY: .nsfisis_dev_shared_network
+.nsfisis_dev_shared_network:
+ docker network ls | grep nsfisis_dev_shared > /dev/null || docker network create nsfisis_dev_shared
+
+.PHONY: certbot
+certbot:
+ docker-compose run --rm certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev
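Review bot: The `certbot` target passes `certonly --webroot ...` as the container command, but the `certbot` service in docker-compose.yml replaces the image entrypoint with `/bin/sh -c '...'`. Those arguments would then become positional parameters of the shell, so this target appears to start the renew loop instead of issuing the first certificate. Override the entrypoint for the one-off run, e.g. `docker-compose run --rm --entrypoint certbot certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev`. Separately, in the recipes written as `cd vhosts/blog; make build`, a failed `cd` still runs `make` against the top-level Makefile; `$(MAKE) -C vhosts/blog build` stops on a missing directory.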
diff --git a/acme-challenge/.gitignore b/acme-challenge/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/acme-challenge/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 00000000..f6879ffa
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '3'
+
+services:
+ proxy:
+ image: nginx
+ volumes:
+ - ./nginx/proxy.conf:/etc/nginx/conf.d/default.conf
+ - ./letsencrypt:/etc/letsencrypt
+ ports:
+ - 443:443
+ environment:
+ TZ: Asia/Tokyo
+ restart: always
+
+ acme-challenge:
+ image: nginx
+ volumes:
+ - ./nginx/acme-challenge.conf:/etc/nginx/conf.d/default.conf
+ - ./acme-challenge:/var/letsencrypt/www
+ ports:
+ - 80:80
+ environment:
+ TZ: Asia/Tokyo
+ command: "/bin/sh -c 'while :; do sleep 36h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+ restart: always
+
+ certbot:
+ image: certbot/certbot
+ volumes:
+ - ./acme-challenge:/var/letsencrypt/www
+ - ./letsencrypt:/etc/letsencrypt
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+ restart: always
+
+networks:
+ default:
+ external:
+ name: nsfisis_dev_shared
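Review bot: The periodic `nginx -s reload` loop is on the `acme-challenge` service, which listens only on port 80 and mounts no certificates, while the `proxy` service that terminates TLS from `./letsencrypt` never reloads. After `certbot renew` replaces the files, the proxy would keep serving the old certificate until the container restarts, so a renewal can succeed and the site still present an expired certificate. Move the `command:` line to `proxy`. The proxy only reads the key material, so mount it read-only with `- ./letsencrypt:/etc/letsencrypt:ro` to keep a compromise of the internet-facing container from modifying the private key or account data.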
diff --git a/letsencrypt/.gitignore b/letsencrypt/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/letsencrypt/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/nginx/acme-challange.conf b/nginx/acme-challange.conf
new file mode 100644
index 00000000..66ed996e
--- /dev/null
+++ b/nginx/acme-challange.conf
@@ -0,0 +1,9 @@
+server {
+ listen 80 default;
+ listen [::]:80;
+ server_name nsfisis.dev;
+
+ location ^~ /.well-known/acme-challenge {
+ root /var/letsencrypt/www;
+ }
+}
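Review bot: This file is committed as `nginx/acme-challange.conf`, but docker-compose.yml bind-mounts `./nginx/acme-challenge.conf`. With the host path missing, Docker typically creates an empty directory there and mounts it over `default.conf`, so this server block would never be loaded and the HTTP-01 challenge directory would not be served. Rename the file to `nginx/acme-challenge.conf` so the two paths agree. Also consider `location ^~ /.well-known/acme-challenge/` with the trailing slash so that only the challenge directory itself matches the prefix.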
diff --git a/nginx/proxy.conf b/nginx/proxy.conf
new file mode 100644
index 00000000..6725c4c4
--- /dev/null
+++ b/nginx/proxy.conf
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name blog.nsfisis.dev;
+
+ ssl_certificate /etc/letsencrypt/live/nsfisis.dev/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nsfisis.dev/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://blog_nsfisis_nginx:80;
+ }
+}
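Review bot: This is the only server block listening on 443, so nginx uses it as the default server and answers TLS requests for any hostname, not just `blog.nsfisis.dev`. Because `proxy_set_header Host $host;` and `X-Forwarded-Host $host` pass the client-supplied name through, the backend receives an unvalidated host value; whether it trusts that value is not visible here. Add a catch-all block with `listen 443 ssl default_server;` and `ssl_reject_handshake on;` so unknown names are refused before they reach the proxy. It would also help to state `ssl_protocols TLSv1.2 TLSv1.3;` explicitly, since the `nginx` image is unpinned and the default protocol set depends on the version pulled.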