Charles Reid
7 years ago
commit
f410c3c3d5
6 changed files with 253 additions and 0 deletions
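--- /dev/null
+++ b/PLACEHOLDER_PATH_1
@@ -0,0 +1,60 @@
+# pod-charlesreid1-site
+
+This repo contains docker compose file for running
+the charlesreid1.com site.
+
+The services are:
+* nginx
+* Lets Encrypt
+
+Pretty simple, right?
+
+## Volumes
+
+No data volumes are used.
+
+* nginx static content is a bind-mounted host directory
+* lets encrypt container generates site certs into bind-mounted host directory
+* nginx certificates come from docker secrets (?)
+
+```
+web:
+volumes:
+- ./letsencrypt_certs:/etc/nginx/certs
+- ./letsencrypt_www:/var/www/letsencrypt
+
+letsencrypt:
+image: certbot/certbot
+command: /bin/true
+volumes:
+- ./letsencrypt_certs:/etc/letsencrypt
+- ./letsencrypt_www:/var/www/letsencrypt
+```
+
+## Certs and Secrets
+
+Lets Encrypt generates certs in a container
+with a one-liner, dumps them to bind-mounted
+host directory.
+
+This file can be generated
+
+## Backups
+
+Site content comes from github.
+Nothing to back up.
+
+## Static Content
+
+Question: should we bake the site's
+static content into the container,
+and require rebuild/redeploy when
+site content changes?
+
+Answer: No. We clone a local copy of
+the gh-pages branch, and bind-mount
+that into the container.
+
+Updating the site is as simple as
+`git pull origin gh-pages`.
+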
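--- /dev/null
+++ b/PLACEHOLDER_PATH_2
@@ -0,0 +1,35 @@
+# https://hub.docker.com/r/kvaps/letsencrypt-webroot/
+version: "3.1"
+services:
+
+stormy_nginx:
+restart: always
+image: nginx
+hostname: example.com
+volumes:
+- "/etc/localtime:/etc/localtime:ro"
+- "./nginx:/etc/nginx:ro"
+- "./letsencrypt/conf:/etc/letsencrypt"
+- "./letsencrypt/html:/tmp/letsencrypt"
+ports:
+- "80:80"
+- "443:443"
+environment:
+- LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@
+
+stormy_le:
+restart: always
+image: kvaps/letsencrypt-webroot
+volumes:
+- "/etc/localtime:/etc/localtime:ro"
+- "/var/run/docker.sock:/var/run/docker.sock"
+- "./letsencrypt/conf:/etc/letsencrypt"
+- "./letsencrypt/html:/tmp/letsencrypt"
+links:
+- stormy_nginx:nginx
+environment:
+- DOMAINS=charlesreid1.blue www.charlesreid1.blue git.charlesreid1.blue charlesreid1.red www.charlesreid1.red git.charlesreid1.red
+- EMAIL=charles@charlesreid1.com
+- WEBROOT_PATH=/tmp/letsencrypt
+- EXP_LIMIT=30
+- CHECK_FREQ=30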
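Review bot: `/var/run/docker.sock` is bind-mounted into `stormy_le`, which hands the certificate-renewal container full control of the Docker daemon on the host, while its `LE_RENEW_HOOK` only needs to send HUP to the nginx container. That surface can be narrowed by fronting the socket with a filtering proxy that permits only the container-signal call, or by triggering the nginx reload from the host side, so that a compromise of the renewal image does not become host root. Both services pull unpinned images (`nginx`, `kvaps/letsencrypt-webroot` with no tag or digest), so `restart: always` may silently roll to a different image on the next pull; pinning a tag or digest makes the deployment reproducible. `hostname: example.com` on `stormy_nginx` looks like a leftover from the upstream example linked on the first line and should be the real hostname or dropped.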
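--- /dev/null
+++ b/PLACEHOLDER_PATH_3
@@ -0,0 +1,67 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+worker_connections 768;
+# multi_accept on;
+}
+
+http {
+
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+
+server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# SSL Settings
+##
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+
+
+
+
+##
+# Logging Settings
+##
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+gzip_disable "msie6";
+
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}
+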
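Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the SSL Settings block still enables TLS 1.0 and 1.1, both deprecated and flagged by current scanners; change it to `ssl_protocols TLSv1.2;` (adding `TLSv1.3` if the nginx build supports it). `ssl_prefer_server_ciphers on;` is set without any `ssl_ciphers` directive, so the effective cipher list is whatever the build's default is — stating it explicitly documents the intent and survives image upgrades. `# server_tokens off;` is left commented out under Basic Settings; enabling it as `server_tokens off;` stops the nginx version from being advertised in response headers and error pages.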
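--- /dev/null
+++ b/PLACEHOLDER_PATH_4
@@ -0,0 +1,44 @@
+####################
+#
+# charlesreid1.blue
+# http
+# 80
+#
+# basically, just redirects to https
+#
+####################
+
+server {
+
+# http://charlesreid1.blue --> https://charlesreid1.blue
+
+listen 80;
+listen [::]:80;
+
+server_name charlesreid1.blue;
+
+return 301 https://$server_name$request_uri;
+
+}
+server {
+
+# http://www.charlesreid1.blue --> https://charlesreid1.blue
+
+listen 80;
+listen [::]:80;
+
+server_name www.charlesreid1.blue;
+
+return 301 https://charlesreid1.blue$request_uri;
+}
+server {
+
+# http://git.charlesreid1.blue --> https://git.charlesreid1.blue
+
+listen 80;
+
+server_name git.charlesreid1.blue;
+
+return 301 https://git.charlesreid1.blue$request_uri;
+}
+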
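Review bot: The `git.charlesreid1.blue` server block has only `listen 80;`, while the two blocks above it also carry `listen [::]:80;`, so that host gets no IPv6 redirect and the file is inconsistent with itself; add `listen [::]:80;` to the third block. The first block redirects to `https://$server_name$request_uri` while the other two hard-code the target host; both forms work, but one style throughout reads better.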
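--- /dev/null
+++ b/PLACEHOLDER_PATH_5
@@ -0,0 +1,46 @@
+####################
+#
+# charlesreid1.blue
+# https
+# 443
+#
+####################
+
+server {
+
+# https://charlesreid1.blue
+
+listen 443;
+listen [::]:443;
+
+ssl on;
+ssl_certificate /etc/letsencrypt/live/charlesreid1.blue/cert.pem
+ssl_certificate_key /etc/letsencrypt/live/charlesreid1.blue/privkey.pem
+
+root /www/charlesreid1.blue/htdocs;
+index index.html;
+
+server_name charlesreid1.blue;
+
+client_max_body_size 100m;
+
+location / {
+try_files $uri $uri/ =404;
+}
+
+location /wiki/ {
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_pass http://127.0.0.1:8080/wiki/;
+}
+
+location /w/ {
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_pass http://127.0.0.1:8080/w/;
+}
+
+}
+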
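Review bot: The `ssl_certificate .../cert.pem` and `ssl_certificate_key .../privkey.pem` lines are missing their terminating `;`, so nginx will refuse to load this file (each directive swallows the following line as extra arguments). `cert.pem` in a certbot `live/` directory is the leaf certificate only, so even once the syntax is fixed clients that need the intermediate would fail chain validation; use `ssl_certificate /etc/letsencrypt/live/charlesreid1.blue/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/charlesreid1.blue/privkey.pem;`. `ssl on;` with plain `listen 443;` is the deprecated form; `listen 443 ssl;` and `listen [::]:443 ssl;` replace all three lines. The `/wiki/` and `/w/` locations proxy to `http://127.0.0.1:8080`, which, if this nginx runs in a container without host networking as the accompanying compose file suggests, is the container's own loopback rather than the host — worth confirming the backend is actually reachable — and since TLS terminates here, `proxy_set_header X-Forwarded-Proto $scheme;` should be added so the backend builds https links. An HSTS header (`add_header Strict-Transport-Security "max-age=31536000" always;`) would complement the plain-HTTP redirects.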