

Merge pull request #228 from misilot/acme-update
Add ability to enable ACME generation of SSL Certs
DonRichards authored Apr 5, 2022
2 parents 10c3e32 + 8d26bd9 commit 9bfab80
Showing 5 changed files with 73 additions and 19 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -91,3 +91,4 @@ Dockerfile
#===================
# User provided certs for TLS.
certs
acme
7 changes: 6 additions & 1 deletion Makefile
Expand Up @@ -43,6 +43,11 @@ ifeq ($(INCLUDE_TRAEFIK_SERVICE), true)
TRAEFIK_SERVICE := traefik
endif

# The service traefik may be optional if we are sharing one from another project.
ifeq ($(USE_ACME), true)
ACME := acme
endif

# The service traefik may be optional if we are sharing one from another project.
ifeq ($(INCLUDE_CODE_SERVER_SERVICE), true)
CODE_SERVER_SERVICE := code-server
Expand Down Expand Up @@ -79,7 +84,7 @@ DATABASE_SERVICES := $(sort $(DATABASE_SERVICES))
# The services to be run (order is important), as services can override one
# another. Traefik must be last if included as otherwise its network
# definition for `gateway` will be overriden.
SERVICES := $(REQUIRED_SERVICES) $(FCREPO_SERVICE) $(WATCHTOWER_SERVICE) $(ETCD_SERVICE) $(DATABASE_SERVICES) $(ENVIRONMENT) $(SECRETS) $(CODE_SERVER_SERVICE) $(TRAEFIK_SERVICE)
SERVICES := $(REQUIRED_SERVICES) $(FCREPO_SERVICE) $(WATCHTOWER_SERVICE) $(ETCD_SERVICE) $(DATABASE_SERVICES) $(ENVIRONMENT) $(SECRETS) $(CODE_SERVER_SERVICE) $(TRAEFIK_SERVICE) $(ACME)

default: download-default-certs docker-compose.yml pull

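Review bot: The comment above the new `ifeq ($(USE_ACME), true)` block is a copy of the traefik one ("The service traefik may be optional if we are sharing one from another project") and describes the wrong knob; replace it with `# Optionally merge docker-compose.acme.yml so traefik obtains TLS certificates via ACME (requires this project's traefik service).` The acme fragment only extends the `traefik` service, so enabling `USE_ACME` while `INCLUDE_TRAEFIK_SERVICE` is false (sharing traefik from another project) will presumably merge a `traefik` service with no image into the generated compose file; failing at parse time is clearer, e.g. inside the `USE_ACME` block add `ifneq ($(INCLUDE_TRAEFIK_SERVICE), true)` / `$(error USE_ACME=true requires INCLUDE_TRAEFIK_SERVICE=true)` / `endif`. The comment on the `SERVICES` line still says traefik must be last, yet `$(ACME)` now follows it; since that overlay only adds `command`, `volumes` and labels it should not clobber the `gateway` network definition, but the comment should state that exception rather than contradict the line below it.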
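--- /dev/null
+++ b/docker-compose.acme.yml
@@ -0,0 +1,41 @@
+version: "3.7"
+services:
+  traefik:
+    # Do not set `api.insecure`, `api.dashboard`, `api.debug` to `true` in production.
+    # Also do not expose database 3306/5432, as an entry point.
+    # If the commands below are changed, please copy the changes to `docker-compose.acme.yml`.
+    command:
+      - --api.insecure=${EXPOSE_TRAEFIK_DASHBOARD:-false}
+      - --api.dashboard=${EXPOSE_TRAEFIK_DASHBOARD:-false}
+      - --api.debug=${EXPOSE_TRAEFIK_DASHBOARD:-false}
+      - --entryPoints.http.address=:80
+      - --entryPoints.https.address=:443
+      - --entryPoints.mysql.address=:3306
+      - --entryPoints.postgresql.address=:5432
+      - --entryPoints.fcrepo.address=:8081
+      - --entryPoints.blazegraph.address=:8082
+      - --entryPoints.activemq.address=:8161
+      - --entryPoints.solr.address=:8983
+      - --entryPoints.code-server.address=:8443
+      - --log.level=${TRAEFIK_LOG_LEVEL-ERROR}
+      - --providers.docker
+      - --providers.docker.network=gateway
+      - --providers.docker.exposedByDefault=false
+      - --providers.file.filename=/etc/traefik/tls.yml
+      - '--providers.docker.defaultRule=Host(`${DOMAIN}`)'
+      - --certificatesresolvers.myresolver.acme.httpchallenge=true
+      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http
+      - --certificatesresolvers.myresolver.acme.email=${[email protected]}
+      - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+      - --certificatesResolvers.myresolver.acme.caServer=${ACME_SERVER-https://acme-v02.api.letsencrypt.org/directory}
+    volumes:
+      - ./acme:/acme:rw
+  cantaloupe:
+    labels:
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_https.tls.certresolver=myresolver
+  drupal:
+    labels:
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_https.tls.certresolver=myresolver
+  matomo:
+    labels:
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_https.tls.certresolver=myresolver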
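Review bot: The bind mount `./acme:/acme:rw` places `acme.json` — which holds the ACME account private key and the private key of every certificate traefik issues — on the host inside the project directory; the commit gitignores it, but nothing says it is secret material or that traefik (v2) expects the file at mode 0600 and refuses to load a more permissive one, so add `# acme.json holds the ACME account key and certificate private keys: keep it out of git and at mode 0600` above `volumes:`. The comment `If the commands below are changed, please copy the changes to docker-compose.acme.yml` sits inside docker-compose.acme.yml itself and should point at `docker-compose.traefik.yml`. The variable on the `acme.email` line renders here as `${[email protected]}`, apparently mangled by the page; verify it reads `${ACME_EMAIL:-...}` so it matches sample.env, and prefer `:-` over `-` on it and on `ACME_SERVER` so an empty value in `.env` does not send an empty email or directory URL to the CA. Since `caServer` defaults to the Let's Encrypt production directory, first runs should set `ACME_SERVER` to the staging directory to avoid exhausting production rate limits while the HTTP-01 challenge on port 80 is still being debugged.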
38 changes: 20 additions & 18 deletions docker-compose.traefik.yml
Expand Up @@ -19,24 +19,26 @@ services:
container_name: traefik
# Do not set `api.insecure`, `api.dashboard`, `api.debug` to `true` in production.
# Also do not expose database 3306/5432, as an entry point.
command: >-
--api.insecure=${EXPOSE_TRAEFIK_DASHBOARD:-false}
--api.dashboard=${EXPOSE_TRAEFIK_DASHBOARD:-false}
--api.debug=${EXPOSE_TRAEFIK_DASHBOARD:-false}
--entryPoints.http.address=:80
--entryPoints.https.address=:443
--entryPoints.mysql.address=:3306
--entryPoints.postgresql.address=:5432
--entryPoints.fcrepo.address=:8081
--entryPoints.blazegraph.address=:8082
--entryPoints.activemq.address=:8161
--entryPoints.solr.address=:8983
--entryPoints.code-server.address=:8443
--providers.docker
--providers.docker.network=gateway
--providers.docker.exposedByDefault=false
--providers.file.filename=/etc/traefik/tls.yml
'--providers.docker.defaultRule=Host(`${DOMAIN}`)'
# If the commands below are changed, please copy the changes to `docker-compose.acme.yml`.
command:
- --api.insecure=${EXPOSE_TRAEFIK_DASHBOARD:-false}
- --api.dashboard=${EXPOSE_TRAEFIK_DASHBOARD:-false}
- --api.debug=${EXPOSE_TRAEFIK_DASHBOARD:-false}
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
- --entryPoints.mysql.address=:3306
- --entryPoints.postgresql.address=:5432
- --entryPoints.fcrepo.address=:8081
- --entryPoints.blazegraph.address=:8082
- --entryPoints.activemq.address=:8161
- --entryPoints.solr.address=:8983
- --entryPoints.code-server.address=:8443
- --log.level=${TRAEFIK_LOG_LEVEL-ERROR}
- --providers.docker
- --providers.docker.network=gateway
- --providers.docker.exposedByDefault=false
- --providers.file.filename=/etc/traefik/tls.yml
- '--providers.docker.defaultRule=Host(`${DOMAIN}`)'
ports:
- 80:80 # drupal, cantaloupe, matomo
- 443:443 # https for ^^^
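Review bot: The new `--log.level=${TRAEFIK_LOG_LEVEL-ERROR}` line falls back to ERROR only when the variable is unset; an empty `TRAEFIK_LOG_LEVEL=` in `.env` yields `--log.level=` and leaves it to traefik to cope with an empty level, whereas the `EXPOSE_TRAEFIK_DASHBOARD` lines above use the empty-safe `:-` form. Change it to `- --log.level=${TRAEFIK_LOG_LEVEL:-ERROR}` (and the duplicated line in docker-compose.acme.yml), and add `TRAEFIK_LOG_LEVEL` to sample.env, which this commit does not do. The comment still says not to expose 3306/5432 as entry points while the rewritten list continues to define `mysql` and `postgresql` entry points; that is carried over unchanged, but the comment and the list should be reconciled.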
5 changes: 5 additions & 0 deletions sample.env
Expand Up @@ -36,6 +36,11 @@ PROJECT_DRUPAL_DOCKERFILE=Dockerfile
# from another project.
INCLUDE_TRAEFIK_SERVICE=true

# Should we use ACME to generate a SSL Certificate
USE_ACME=false
# Specify email to tie SSL Certificate to with ACME provider
ACME_EMAIL=[email protected]

# Includes `watchtower` as a service.
INCLUDE_WATCHTOWER_SERVICE=false
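Review bot: `ACME_SERVER` and `TRAEFIK_LOG_LEVEL` are read by the compose fragments in this commit but are not documented here; add `# ACME directory URL; use https://acme-staging-v02.api.letsencrypt.org/directory while testing to avoid Let's Encrypt rate limits` followed by `ACME_SERVER=https://acme-v02.api.letsencrypt.org/directory`. The `USE_ACME` comment should also state its preconditions: it needs `INCLUDE_TRAEFIK_SERVICE=true`, and `DOMAIN` must resolve publicly to this host with port 80 reachable, because the resolver uses the HTTP-01 challenge. The `ACME_EMAIL` value appears to be a placeholder; the comment should say it must be replaced with a monitored mailbox, since the CA sends certificate-expiry and policy notices to it.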

