Fix SSL settings inside nginx container and update SSL role
ml-evs committed Sep 26, 2024
1 parent 0a0fdcb commit cd2bc4b
Showing 4 changed files with 12 additions and 17 deletions.
8 changes: 1 addition & 7 deletions Dockerfile
Expand Up @@ -7,13 +7,8 @@
FROM ghcr.io/datalab-org/datalab-federation:latest AS federation

FROM python:3.12-alpine AS builder
RUN apk add --no-cache make
ARG COMBINED_FILENAME="/app/combined.yaml"
RUN apk add --no-cache make openssl
RUN mkdir -p /app/nginx/ssl && \
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /app/nginx/ssl/nginx.key \
-out /app/nginx/ssl/nginx.crt \
-subj "/C=FI/ST=Uusimaa/L=Helsinki/O=Datalab/CN=purl.datalab-org.io"
WORKDIR /app
RUN pip install uv

Expand All @@ -24,7 +19,6 @@ RUN make build-nginx-config

FROM nginx:1.27-alpine AS nginx
RUN mkdir -p /etc/nginx/include && mkdir -p /var/www
COPY --from=builder /app/nginx/ssl /etc/nginx/ssl
COPY --from=builder /app/nginx/include/providers-nginx.conf /etc/nginx/include/
COPY ./nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./nginx/include/ssl-nginx.conf /etc/nginx/include/ssl-nginx.conf
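Review bot: With the self-signed generation in the builder stage and the `COPY --from=builder /app/nginx/ssl /etc/nginx/ssl` line gone, the nginx stage ships no certificate at all, yet the `ssl-nginx.conf` it still copies in at the end of the second hunk points at `/etc/letsencrypt/live/purl.datalab-org.io/fullchain.pem`, which only exists once the `certbot-conf` volume mounted by the playbook has been populated by the ssl role. On a fresh host or a recreated volume nginx will refuse to load its config, and the `restart_policy: always` added in ansible/playbook.yml turns that into a restart loop until issuance succeeds, so the ordering is now a deployment invariant the Dockerfile does not state. A comment next to the `COPY ./nginx/include/ssl-nginx.conf` line would make that explicit, e.g. `# No TLS material is baked in: /etc/letsencrypt is a runtime volume (certbot-conf) and the ansible ssl role must issue the cert before this image starts`. Minor: the added `RUN apk add --no-cache make` is unpinned (hadolint DL3018); `make=<version>` keeps the builder stage reproducible. The builder stage continues past the first hunk.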
9 changes: 5 additions & 4 deletions ansible/playbook.yml
Expand Up @@ -3,10 +3,10 @@
hosts: all
gather_facts: false

# roles:
# - role: ssl
# name: Setup certbot for automated renewal
# tags: [setup]
roles:
- role: ssl
name: Setup certbot for automated renewal
tags: [setup]

vars:
ghcr_token: !vault |
Expand Down Expand Up @@ -57,6 +57,7 @@
name: datalab-purl
image: ghcr.io/datalab-org/datalab-purl:latest
state: started
restart_policy: always
volumes:
- certbot-conf:/etc/letsencrypt
- certbot-www:/var/www/certbot
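Review bot: The `tags: [setup]` on the re-enabled ssl role in the first hunk does not make it opt-in: role tags only filter when `--tags` or `--skip-tags` is passed on the command line, so the certbot bootstrap now runs on every play, ahead of the container task in the second hunk. If it is intended as a one-off, a comment on the role entry such as `# one-time cert bootstrap; run routine deploys with --skip-tags setup` would record that, and operators would know to expect the role's own nginx container to come up before `datalab-purl`. Both the roles block and the container definition extend beyond the lines shown.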
10 changes: 5 additions & 5 deletions ansible/roles/ssl/tasks/main.yml
Expand Up @@ -9,18 +9,18 @@
- name: Synchronize nginx files to remote
ansible.posix.synchronize:
src: "{{ role_path }}/files/"
dest: "/{{ ansible_user }}/nginx"
dest: /{{ ansible_user }}/nginx

- name: Make directory for rendered configs
ansible.builtin.file:
state: directory
path: "/{{ ansible_user }}/nginx/rendered"
path: /{{ ansible_user }}/nginx/rendered
mode: "0744"

- name: Render templated certbot config
ansible.builtin.template:
src: certbot-docker.sh.j2
dest: "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh"
dest: /{{ ansible_user }}/nginx/rendered/certbot-docker.sh
mode: "0744"

- name: Build nginx image
Expand All @@ -30,7 +30,7 @@
state: present
force_source: true
build:
path: "/{{ ansible_user }}/nginx"
path: /{{ ansible_user }}/nginx

- name: Launch nginx container without services
community.docker.docker_container:
Expand All @@ -50,7 +50,7 @@
volumes:
- certbot-conf:/etc/letsencrypt
- certbot-www:/var/www/certbot
- "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh"
- /{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh
restart_policy: false
detach: true
entrypoint:
2 changes: 1 addition & 1 deletion nginx/include/ssl-nginx.conf
@@ -1,4 +1,4 @@
ssl_certificate /etc/letsencrypt/live/purl.datalab-org.io/fullchain.pem
ssl_certificate /etc/letsencrypt/live/purl.datalab-org.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/purl.datalab-org.io/privkey.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
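Review bot: The restored `ssl_certificate` line now parses, but the four lines in this hunk keep resumable sessions for a day (`ssl_session_timeout 1440m;`) while leaving TLS session tickets at nginx's default of on; without a configured `ssl_session_ticket_key`, the ticket key is generated when workers start and is only renewed on reload or restart, which weakens forward secrecy for a long-running container. Adding `ssl_session_tickets off;` beside the session-cache lines (certbot's own recommended nginx snippet does the same) avoids that, unless the rest of the file, which continues past this hunk, already sets it.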
