updated docker conf for standalone
parent
c77093b2d4
commit
27d6095ec5
@ -0,0 +1,61 @@
|
||||
upstream gunicorn {
|
||||
server web:80;
|
||||
}
|
||||
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name tagesschule.mprofiag.ch;
|
||||
server_tokens off;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name tagesschule.mprofiag.ch;
|
||||
server_tokens off;
|
||||
sendfile on;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/tagesschule.mprofiag.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/tagesschule.mprofiag.ch/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
|
||||
add_header X-Frame-Options "";
|
||||
|
||||
gzip on;
|
||||
gzip_http_version 1.1;
|
||||
gzip_disable "MSIE [1-6]\.";
|
||||
gzip_min_length 256;
|
||||
gzip_vary on;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
gzip_comp_level 9;
|
||||
|
||||
location /static/ {
|
||||
sendfile on;
|
||||
alias /app/static_collected/;
|
||||
}
|
||||
|
||||
location /media/ {
|
||||
sendfile on;
|
||||
alias /app/data/media/;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_redirect off;
|
||||
proxy_pass http://gunicorn;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,21 +1,63 @@
|
||||
version: "2"
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
nginx:
|
||||
image: nginx:1.16-alpine
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./conf/nginx:/etc/nginx/conf.d
|
||||
- ./conf/certbot/conf:/etc/letsencrypt
|
||||
- ./conf/certbot/www:/var/www/certbot
|
||||
- ./static_collected:/app/static_collected
|
||||
- ./data/media:/app/data/media
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
|
||||
depends_on:
|
||||
- web
|
||||
networks:
|
||||
- nginx_network
|
||||
|
||||
certbot:
|
||||
image: certbot/certbot
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./conf/certbot/conf:/etc/letsencrypt
|
||||
- ./conf/certbot/www:/var/www/certbot
|
||||
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
|
||||
|
||||
web:
|
||||
build: "."
|
||||
links:
|
||||
- "db:postgres"
|
||||
ports:
|
||||
- "8009:80"
|
||||
volumes:
|
||||
- ".:/app:rw"
|
||||
- "./data:/data:rw"
|
||||
command: python manage.py runserver 0.0.0.0:80
|
||||
env_file: .env-local
|
||||
|
||||
- ./static_collected:/app/static_collected
|
||||
- ./data/media:/app/data/media
|
||||
networks:
|
||||
- nginx_network
|
||||
- db_network
|
||||
command: "/bin/sh -c '/app/wait-for-postgres.sh postgres /app/run.sh'"
|
||||
environment:
|
||||
SECRET_KEY: "TEST---asdg4hr63453452542h4sdf25g42s3df54hj38rd4sg3f2d54h3sd5f4g53"
|
||||
DEBUG: "False"
|
||||
SENTRY_DSN: "https://460e310d034c49a794941e087c4fcc6e@sentry.io/1196285"
|
||||
DEFAULT_HAYSTACK_URL: "es+https://tcjf1ngoog:qj70l67kk2@tagesschule-elementa-8329801232.eu-west-1.bonsaisearch.net/index-*"
|
||||
DATABASE_URL: "postgres://postgres@postgres:5432/db"
|
||||
db:
|
||||
image: postgres:9.6-alpine
|
||||
environment:
|
||||
POSTGRES_DB: "db"
|
||||
volumes:
|
||||
- ".:/app:rw"
|
||||
- "./pgdata:/var/lib/postgresql/data:rw"
|
||||
networks:
|
||||
- db_network
|
||||
|
||||
networks:
|
||||
nginx_network:
|
||||
driver: bridge
|
||||
db_network:
|
||||
driver: bridge
|
||||
@ -0,0 +1,81 @@
|
||||
#!/bin/bash
|
||||
|
||||
if ! [ -x "$(command -v docker-compose)" ]; then
|
||||
echo 'Error: docker-compose is not installed.' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
domains=(tagesschule.mprofiag.ch)
|
||||
rsa_key_size=4096
|
||||
data_path="./conf/certbot"
|
||||
email="simon@baker-street.ch" # Adding a valid address is strongly recommended
|
||||
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
|
||||
|
||||
if [ -d "$data_path" ]; then
|
||||
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
|
||||
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
|
||||
echo "### Downloading recommended TLS parameters ..."
|
||||
mkdir -p "$data_path/conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
|
||||
echo
|
||||
fi
|
||||
|
||||
echo "### Creating dummy certificate for $domains ..."
|
||||
path="/etc/letsencrypt/live/$domains"
|
||||
mkdir -p "$data_path/conf/live/$domains"
|
||||
docker-compose run --rm --entrypoint "\
|
||||
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
|
||||
-keyout '$path/privkey.pem' \
|
||||
-out '$path/fullchain.pem' \
|
||||
-subj '/CN=localhost'" certbot
|
||||
echo
|
||||
|
||||
|
||||
echo "### Starting nginx ..."
|
||||
docker-compose up --force-recreate -d nginx
|
||||
echo
|
||||
|
||||
echo "### Deleting dummy certificate for $domains ..."
|
||||
docker-compose run --rm --entrypoint "\
|
||||
rm -Rf /etc/letsencrypt/live/$domains && \
|
||||
rm -Rf /etc/letsencrypt/archive/$domains && \
|
||||
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
|
||||
echo
|
||||
|
||||
|
||||
echo "### Requesting Let's Encrypt certificate for $domains ..."
|
||||
#Join $domains to -d args
|
||||
domain_args=""
|
||||
for domain in "${domains[@]}"; do
|
||||
domain_args="$domain_args -d $domain"
|
||||
done
|
||||
|
||||
# Select appropriate email arg
|
||||
case "$email" in
|
||||
"") email_arg="--register-unsafely-without-email" ;;
|
||||
*) email_arg="--email $email" ;;
|
||||
esac
|
||||
|
||||
# Enable staging mode if needed
|
||||
if [ $staging != "0" ]; then staging_arg="--staging"; fi
|
||||
|
||||
|
||||
docker-compose run --rm --entrypoint "\
|
||||
certbot certonly --webroot -w /var/www/certbot \
|
||||
$staging_arg \
|
||||
$email_arg \
|
||||
$domain_args \
|
||||
--rsa-key-size $rsa_key_size \
|
||||
--agree-tos \
|
||||
--force-renewal" certbot
|
||||
echo
|
||||
|
||||
echo "### Reloading nginx ..."
|
||||
docker-compose exec nginx nginx -s reload
|
||||
@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
python manage.py collectstatic --noinput
|
||||
python manage.py migrate
|
||||
gunicorn wsgi -b :80
|
||||
@ -0,0 +1,16 @@
|
||||
#!/bin/sh
|
||||
# wait-for-postgres.sh
|
||||
|
||||
set -e
|
||||
|
||||
host="$1"
|
||||
shift
|
||||
cmd="$@"
|
||||
|
||||
until PGPASSWORD=$POSTGRES_PASSWORD psql -h "$host" -U "postgres" -c '\q'; do
|
||||
>&2 echo "Postgres is unavailable - sleeping"
|
||||
sleep 1
|
||||
done
|
||||
|
||||
>&2 echo "Postgres is up - executing command"
|
||||
exec $cmd
|
||||
Loading…
Reference in New Issue