From fa24c3c8b1922cbd5bbf330c45f5788c08d1cb43 Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Wed, 26 Oct 2022 19:24:38 +0900
Subject: setup docker
---
Makefile | 33 +++++++++++++++++++++++++++++++++
acme-challenge/.gitignore | 2 ++
docker-compose.yml | 38 ++++++++++++++++++++++++++++++++++++++
letsencrypt/.gitignore | 2 ++
nginx/acme-challange.conf | 9 +++++++++
nginx/proxy.conf | 23 +++++++++++++++++++++++
6 files changed, 107 insertions(+)
create mode 100644 Makefile
create mode 100644 acme-challenge/.gitignore
create mode 100644 docker-compose.yml
create mode 100644 letsencrypt/.gitignore
create mode 100644 nginx/acme-challange.conf
create mode 100644 nginx/proxy.conf
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..fe0d95bf
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,33 @@
+.PHONY: all
+all: deploy
+
+.PHONY: deploy
+deploy: build serve
+
+.PHONY: setup
+setup: certbot
+ cd vhosts/blog; make setup
+
+.PHONY: build
+build:
+ docker-compose build
+ cd vhosts/blog; make build
+
+.PHONY: serve
+serve: .nsfisis_dev_shared_network
+ docker-compose up -d
+ cd vhosts/blog; make serve
+
+.PHONY: clean
+clean:
+ cd vhosts/blog; make clean
+ docker-compose down
+ docker network ls | grep nsfisis_dev_shared > /dev/null && docker network rm nsfisis_dev_shared
+
+.PHONY: .nsfisis_dev_shared_network
+.nsfisis_dev_shared_network:
+ docker network ls | grep nsfisis_dev_shared > /dev/null || docker network create nsfisis_dev_shared
+
+.PHONY: certbot
+certbot:
+ docker-compose run --rm certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev
diff --git a/acme-challenge/.gitignore b/acme-challenge/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/acme-challenge/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 00000000..f6879ffa
--- /dev/null
+++ b/docker-compose.yml
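Review bot: The `certbot` target passes `certonly --webroot ...` to `docker-compose run`, but the `certbot` service in docker-compose.yml overrides `entrypoint` with a `/bin/sh -c '...'` renew loop, so those arguments most likely arrive as positional parameters of the shell script and are ignored; the target would then sit in the renew loop and never request the initial certificate. Overriding the entrypoint for the one-off run avoids that: `docker-compose run --rm --entrypoint certbot certbot certonly --webroot -w /var/letsencrypt/www -d nsfisis.dev,blog.nsfisis.dev`. Separately, the `cd vhosts/blog; make <target>` recipes keep going when `cd` fails and then re-run the same target in the top-level directory; `$(MAKE) -C vhosts/blog <target>` stops on a missing directory instead. In `clean`, the `grep ... && docker network rm ...` line returns non-zero when the network is already gone, which makes `make clean` fail on an already-clean host.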
@@ -0,0 +1,38 @@
+version: '3'
+
+services:
+ proxy:
+ image: nginx
+ volumes:
+ - ./nginx/proxy.conf:/etc/nginx/conf.d/default.conf
+ - ./letsencrypt:/etc/letsencrypt
+ ports:
+ - 443:443
+ environment:
+ TZ: Asia/Tokyo
+ restart: always
+
+ acme-challenge:
+ image: nginx
+ volumes:
+ - ./nginx/acme-challenge.conf:/etc/nginx/conf.d/default.conf
+ - ./acme-challenge:/var/letsencrypt/www
+ ports:
+ - 80:80
+ environment:
+ TZ: Asia/Tokyo
+ command: "/bin/sh -c 'while :; do sleep 36h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+ restart: always
+
+ certbot:
+ image: certbot/certbot
+ volumes:
+ - ./acme-challenge:/var/letsencrypt/www
+ - ./letsencrypt:/etc/letsencrypt
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+ restart: always
+
+networks:
+ default:
+ external:
+ name: nsfisis_dev_shared
diff --git a/letsencrypt/.gitignore b/letsencrypt/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/letsencrypt/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/nginx/acme-challange.conf b/nginx/acme-challange.conf
new file mode 100644
index 00000000..66ed996e
--- /dev/null
+++ b/nginx/acme-challange.conf
@@ -0,0 +1,9 @@
+server {
+ listen 80 default;
+ listen [::]:80;
+ server_name nsfisis.dev;
+
+ location ^~ /.well-known/acme-challenge {
+ root /var/letsencrypt/www;
+ }
+}
diff --git a/nginx/proxy.conf b/nginx/proxy.conf
new file mode 100644
index 00000000..6725c4c4
--- /dev/null
+++ b/nginx/proxy.conf
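Review bot: The `nginx -s reload` loop is attached to `acme-challenge`, which serves plain HTTP on port 80 and does not mount `./letsencrypt`, while `proxy`, the service that actually loads the certificate, has no reload; certificates renewed by the `certbot` loop would not be picked up until `proxy` is restarted. Moving the `command:` line to the `proxy` service fixes that. `proxy` also only needs to read the key material, so its mount can be `- ./letsencrypt:/etc/letsencrypt:ro`, which keeps a compromised nginx from altering the private keys and the ACME account data. `image: nginx` and `image: certbot/certbot` float on the default tag; pinning a version tag or digest keeps a later pull from silently changing what listens on 80 and 443.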
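Review bot: The file is added as `nginx/acme-challange.conf`, but docker-compose.yml in this same commit mounts `./nginx/acme-challenge.conf`, so the bind-mount source does not exist; Docker typically creates a directory at a missing bind-mount path, and this server block would then never be loaded. Renaming the file to `nginx/acme-challenge.conf` makes the two agree. The prefix `location ^~ /.well-known/acme-challenge` also matches sibling paths such as `/.well-known/acme-challengeX`; `location ^~ /.well-known/acme-challenge/ {` limits it to the challenge directory.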
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name blog.nsfisis.dev;
+
+ ssl_certificate /etc/letsencrypt/live/nsfisis.dev/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nsfisis.dev/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://blog_nsfisis_nginx:80;
+ }
+}
-- cgit v1.2.3-70-g09d2
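Review bot: This is the only server block on 443, so nginx uses it as the default server and proxies requests for any `Host` value to `blog_nsfisis_nginx`, forwarding the client-chosen name through `proxy_set_header Host $host` and the `X-Forwarded-Host`/`X-Forwarded-Server` headers. A catch-all default server that refuses unknown names, as in the block below, keeps unexpected hostnames away from the backend; `ssl_reject_handshake` needs nginx 1.19.4 or later, which the untagged `nginx` image should satisfy. Since this proxy is the internet-facing hop, `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent; `proxy_set_header X-Forwarded-For $remote_addr;` gives the backend a value it can trust. No `ssl_protocols` line is set, so the accepted TLS versions depend on the image's nginx defaults; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` pins them.

```nginx
# Catch-all for 443: refuse the TLS handshake for server names no other block claims.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}
```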