| -rw-r--r-- | Makefile | 33 | ||||
| -rw-r--r-- | acme-challenge/.gitignore | 2 | ||||
| -rw-r--r-- | docker-compose.yml | 38 | ||||
| -rw-r--r-- | letsencrypt/.gitignore | 2 | ||||
| -rw-r--r-- | nginx/acme-challange.conf | 9 | ||||
| -rw-r--r-- | nginx/proxy.conf | 23 |
6 files changed, 107 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..fe0d95bf
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,33 @@
+.PHONY: all
+all: deploy
+
+.PHONY: deploy
+deploy: build serve
+
+.PHONY: setup
+setup: certbot
+ cd vhosts/blog; make setup
+
+.PHONY: build
+build:
+ docker-compose build
+ cd vhosts/blog; make build
+
+.PHONY: serve
+serve: .nsfisis_dev_shared_network
+ docker-compose up -d
+ cd vhosts/blog; make serve
+
+.PHONY: clean
+clean:
+ cd vhosts/blog; make clean
+ docker-compose down
+ docker network ls | grep nsfisis_dev_shared > /dev/null && docker network rm nsfisis_dev_shared
+
+.PHONY: .nsfisis_dev_shared_network
+.nsfisis_dev_shared_network:
+ docker network ls | grep nsfisis_dev_shared > /dev/null || docker network create nsfisis_dev_shared
+
+.PHONY: certbot
+certbot:
+ docker-compose run --rm certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev
diff --git a/acme-challenge/.gitignore b/acme-challenge/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/acme-challenge/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 00000000..f6879ffa
--- /dev/null
+++ b/docker-compose.yml
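Review bot: The `certbot` target passes `certonly --webroot ...` as the command, but docker-compose.yml in this commit overrides the certbot service's entrypoint with `/bin/sh -c '...renew loop...'`, so those arguments appear to become positional parameters of the shell script and `certonly` never runs. As written, `make setup` would sit in the 12h renew loop without issuing the initial certificate, and the proxy would then have no `fullchain.pem` or `privkey.pem` to load. Override the entrypoint for the one-off run: `docker-compose run --rm --entrypoint certbot certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev`.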
@@ -0,0 +1,38 @@
+version: '3'
+
+services:
+ proxy:
+ image: nginx
+ volumes:
+ - ./nginx/proxy.conf:/etc/nginx/conf.d/default.conf
+ - ./letsencrypt:/etc/letsencrypt
+ ports:
+ - 443:443
+ environment:
+ TZ: Asia/Tokyo
+ restart: always
+
+ acme-challenge:
+ image: nginx
+ volumes:
+ - ./nginx/acme-challenge.conf:/etc/nginx/conf.d/default.conf
+ - ./acme-challenge:/var/letsencrypt/www
+ ports:
+ - 80:80
+ environment:
+ TZ: Asia/Tokyo
+ command: "/bin/sh -c 'while :; do sleep 36h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+ restart: always
+
+ certbot:
+ image: certbot/certbot
+ volumes:
+ - ./acme-challenge:/var/letsencrypt/www
+ - ./letsencrypt:/etc/letsencrypt
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+ restart: always
+
+networks:
+ default:
+ external:
+ name: nsfisis_dev_shared
diff --git a/letsencrypt/.gitignore b/letsencrypt/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/letsencrypt/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/nginx/acme-challange.conf b/nginx/acme-challange.conf
new file mode 100644
index 00000000..66ed996e
--- /dev/null
+++ b/nginx/acme-challange.conf
@@ -0,0 +1,9 @@
+server {
+ listen 80 default;
+ listen [::]:80;
+ server_name nsfisis.dev;
+
+ location ^~ /.well-known/acme-challenge {
+ root /var/letsencrypt/www;
+ }
+}
diff --git a/nginx/proxy.conf b/nginx/proxy.conf
new file mode 100644
index 00000000..6725c4c4
--- /dev/null
+++ b/nginx/proxy.conf
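Review bot: The periodic `nginx -s reload` loop is attached to the `acme-challenge` service, which mounts no certificates, while the `proxy` service that actually reads `/etc/letsencrypt` runs the stock command and never reloads. Renewed certificates would therefore not be picked up until the proxy container restarts, so the served certificate can expire even though `certbot renew` succeeds; the `command:` line belongs on `proxy`. The proxy also only needs to read the key material, so its mount can be least-privilege: `- ./letsencrypt:/etc/letsencrypt:ro`. Both `nginx` and `certbot/certbot` are unpinned, so each pull may bring a different image; pinning a tag or digest keeps the TLS-terminating container reproducible.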
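Review bot: The file is added as `nginx/acme-challange.conf`, but docker-compose.yml in the same commit bind-mounts `./nginx/acme-challenge.conf`, so the mount source does not exist as a file. Docker typically creates a missing bind source as an empty directory, so the acme-challenge container would likely fail to start or never load this server block, and the HTTP-01 challenge would not be served. Rename the file to `nginx/acme-challenge.conf` (or change the volume line to match the committed name).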
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name blog.nsfisis.dev;
+
+ ssl_certificate /etc/letsencrypt/live/nsfisis.dev/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nsfisis.dev/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://blog_nsfisis_nginx:80;
+ }
+} |
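Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the peer address to whatever X-Forwarded-For value the client sent, and this server is the internet-facing listener on 443, so the backend receives client-controlled entries at the front of the list. If anything behind `blog_nsfisis_nginx` uses that header for logging, rate limiting or access decisions, it can be spoofed; at the edge, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites it instead. Separately, the block sets no `ssl_protocols`, so the accepted TLS versions depend on the defaults of whatever the unpinned `nginx` image resolves to; `ssl_protocols TLSv1.2 TLSv1.3;` would make that explicit.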
