
init checkin

master
Charles Reid 7 years ago
commit
f410c3c3d5
  1. 1
      .gitignore
  2. 60
      README.md
  3. 35
      docker-compose.yml
  4. 67
      nginx/nginx.conf
  5. 44
      nginx/sites-available/charlesreid1.blue-http
  6. 46
      nginx/sites-available/charlesreid1.blue-https

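--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+letsencrypt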

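--- a/README.md
+++ b/README.md
@@ -0,0 +1,60 @@
+# pod-charlesreid1-site
+This repo contains docker compose file for running
+the charlesreid1.com site.
+The services are:
+* nginx
+* Lets Encrypt
+Pretty simple, right?
+## Volumes
+No data volumes are used.
+* nginx static content is a bind-mounted host directory
+* lets encrypt container generates site certs into bind-mounted host directory
+* nginx certificates come from docker secrets (?)
+```
+web:
+volumes:
+- ./letsencrypt_certs:/etc/nginx/certs
+- ./letsencrypt_www:/var/www/letsencrypt
+letsencrypt:
+image: certbot/certbot
+command: /bin/true
+volumes:
+- ./letsencrypt_certs:/etc/letsencrypt
+- ./letsencrypt_www:/var/www/letsencrypt
+```
+## Certs and Secrets
+Lets Encrypt generates certs in a container
+with a one-liner, dumps them to bind-mounted
+host directory.
+This file can be generated
+## Backups
+Site content comes from github.
+Nothing to back up.
+## Static Content
+Question: should we bake the site's
+static content into the container,
+and require rebuild/redeploy when
+site content changes?
+Answer: No. We clone a local copy of
+the gh-pages branch, and bind-mount
+that into the container.
+Updating the site is as simple as
+`git pull origin gh-pages`.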

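--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,35 @@
+# https://hub.docker.com/r/kvaps/letsencrypt-webroot/
+version: "3.1"
+services:
+stormy_nginx:
+restart: always
+image: nginx
+hostname: example.com
+volumes:
+- "/etc/localtime:/etc/localtime:ro"
+- "./nginx:/etc/nginx:ro"
+- "./letsencrypt/conf:/etc/letsencrypt"
+- "./letsencrypt/html:/tmp/letsencrypt"
+ports:
+- "80:80"
+- "443:443"
+environment:
+- LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@
+stormy_le:
+restart: always
+image: kvaps/letsencrypt-webroot
+volumes:
+- "/etc/localtime:/etc/localtime:ro"
+- "/var/run/docker.sock:/var/run/docker.sock"
+- "./letsencrypt/conf:/etc/letsencrypt"
+- "./letsencrypt/html:/tmp/letsencrypt"
+links:
+- stormy_nginx:nginx
+environment:
+- DOMAINS=charlesreid1.blue www.charlesreid1.blue git.charlesreid1.blue charlesreid1.red www.charlesreid1.red git.charlesreid1.red
+- EMAIL=charles@charlesreid1.com
+- WEBROOT_PATH=/tmp/letsencrypt
+- EXP_LIMIT=30
+- CHECK_FREQ=30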
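Review bot: The `stormy_le` service bind-mounts `/var/run/docker.sock` so that `LE_RENEW_HOOK` can run `docker kill -s HUP` against the nginx container, which makes a compromise of the certbot container (or of the unpinned `kvaps/letsencrypt-webroot` and `nginx` images it pulls by tag) equivalent to root on the host. Pin both images by digest, and either front the socket with a proxy that permits only the `kill` call or move the HUP into a host-side cron that runs after renewal, so the renewal container no longer needs the raw socket. The `./nginx` tree is mounted read-only at `/etc/nginx`, yet `nginx.conf` includes `sites-enabled/*` while this commit only adds files under `sites-available/`, so the vhosts presumably never load unless symlinks are created on the host — worth confirming before first deploy. `links:` is the legacy form and can be dropped, since Compose already resolves `stormy_nginx` by service name on the default network.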

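--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -0,0 +1,67 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+events {
+worker_connections 768;
+# multi_accept on;
+}
+http {
+##
+# Basic Settings
+##
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+##
+# SSL Settings
+##
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+##
+# Logging Settings
+##
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+##
+# Gzip Settings
+##
+gzip on;
+gzip_disable "msie6";
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+##
+# Virtual Host Configs
+##
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}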
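Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, and `ssl_prefer_server_ciphers on;` is set with no `ssl_ciphers` list, so the suite selection falls back to whatever the nginx image's OpenSSL default happens to be; `server_tokens off;` is also left commented out, so the nginx version is advertised in headers and error pages. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the pinned nginx/OpenSSL build predates it), an explicit `ssl_ciphers` line restricted to ECDHE/AEAD suites, and `server_tokens off;`. Since every vhost is pulled in through `sites-enabled/*`, an `ssl_session_cache shared:SSL:10m;` here would apply to all of them rather than being repeated per site.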

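--- a/nginx/sites-available/charlesreid1.blue-http
+++ b/nginx/sites-available/charlesreid1.blue-http
@@ -0,0 +1,44 @@
+####################
+#
+# charlesreid1.blue
+# http
+# 80
+#
+# basically, just redirects to https
+#
+####################
+server {
+# http://charlesreid1.blue --> https://charlesreid1.blue
+listen 80;
+listen [::]:80;
+server_name charlesreid1.blue;
+return 301 https://$server_name$request_uri;
+}
+server {
+# http://www.charlesreid1.blue --> https://charlesreid1.blue
+listen 80;
+listen [::]:80;
+server_name www.charlesreid1.blue;
+return 301 https://charlesreid1.blue$request_uri;
+}
+server {
+# http://git.charlesreid1.blue --> https://git.charlesreid1.blue
+listen 80;
+server_name git.charlesreid1.blue;
+return 301 https://git.charlesreid1.blue$request_uri;
+}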
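Review bot: Every server block here returns 301 to HTTPS for all paths, including `/.well-known/acme-challenge/`, even though the compose file mounts the certbot webroot into this container at `/tmp/letsencrypt` precisely so nginx can answer the HTTP-01 challenge over plain HTTP; on first issuance there is no certificate yet, so the redirect target has nothing to serve. Add the challenge location ahead of the redirect in each block, e.g. `location /.well-known/acme-challenge/ { root /tmp/letsencrypt; }` (or `alias`, depending on how `kvaps/letsencrypt-webroot` lays out `WEBROOT_PATH` — confirm against the image). The `git.charlesreid1.blue` block is also missing `listen [::]:80;`, unlike its two siblings, so IPv6 clients get no redirect for that host.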

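--- a/nginx/sites-available/charlesreid1.blue-https
+++ b/nginx/sites-available/charlesreid1.blue-https
@@ -0,0 +1,46 @@
+####################
+#
+# charlesreid1.blue
+# https
+# 443
+#
+####################
+server {
+# https://charlesreid1.blue
+listen 443;
+listen [::]:443;
+ssl on;
+ssl_certificate /etc/letsencrypt/live/charlesreid1.blue/cert.pem
+ssl_certificate_key /etc/letsencrypt/live/charlesreid1.blue/privkey.pem
+root /www/charlesreid1.blue/htdocs;
+index index.html;
+server_name charlesreid1.blue;
+client_max_body_size 100m;
+location / {
+try_files $uri $uri/ =404;
+}
+location /wiki/ {
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_pass http://127.0.0.1:8080/wiki/;
+}
+location /w/ {
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_pass http://127.0.0.1:8080/w/;
+}
+}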
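Review bot: The `ssl_certificate` and `ssl_certificate_key` directives have no terminating semicolon, so `nginx -t` rejects this file and the HTTPS vhost never loads; while fixing that, `cert.pem` should become `fullchain.pem` so the Let's Encrypt intermediate is sent and clients that do not already hold it can build a chain: `ssl_certificate /etc/letsencrypt/live/charlesreid1.blue/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/charlesreid1.blue/privkey.pem;`. `ssl on;` with a bare `listen 443;` is the deprecated form; `listen 443 ssl;` and `listen [::]:443 ssl;` replace it. `proxy_pass http://127.0.0.1:8080/...` points at loopback inside the nginx container, which is not the host's loopback unless the service shares a network namespace — presumably the wiki backend is meant to be reached by its service name on the Compose network; confirm. The proxy locations also set `X-Forwarded-For` to `$remote_addr` rather than `$proxy_add_x_forwarded_for`, and no `Strict-Transport-Security` header is added even though the HTTP vhost forces HTTPS.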