diff --git a/.env.example b/.env.example
index b512ac8..62142a7 100644
--- a/.env.example
+++ b/.env.example
@@ -88,10 +88,3 @@ WP_INIT_MEM_LIMIT=128M
 # db-backup
 DB_BACKUP_CPUS=0.5
 DB_BACKUP_MEM_LIMIT=256M
-
-# Certbot
-# Email used for Let's Encrypt registration
-LETSENCRYPT_EMAIL=admin@example.com
-
-# Certbot renewal interval (s/m/h/d)
-CERTBOT_RENEW_INTERVAL=12h
diff --git a/Makefile b/Makefile
index 58e06ca..0274c50 100644
--- a/Makefile
+++ b/Makefile
@@ -41,23 +41,5 @@ down-prod:
 logs-prod:
 @$(COMPOSE_PROD) logs -f
 
-certbot-first-issue:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-first-issue/certbot-first-issue.sh
-
-certbot-dry-run:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-dry-run/certbot-dry-run.sh
-
-certbot-renew:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-renew/certbot-renew.sh
-
 .PHONY: up down clean reset logs sync-site-url db-backup db-restore \
- up-prod down-prod logs-prod certbot-first-issue certbot-dry-run certbot-renew
+ up-prod down-prod logs-prod
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 15083ca..8dce94d 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -42,13 +42,12 @@ services:
 init: true
 security_opt:
- no-new-privileges:true
- ports:
- "80:80"
- "443:443"
 volumes:
- ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro
- certbot_conf:/etc/letsencrypt
- certbot_www:/var/www/certbot
+ networks:
+ proxy:
+ aliases:
- wp-docker-stack-nginx
 deploy:
 resources:
 limits:
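Review bot: Declaring `networks:` on the nginx service replaces its implicit attachment to the project's default network, so after this hunk nginx is only on `proxy` and can no longer resolve the PHP/WordPress or database services unless those are also attached to `proxy` (their definitions are outside this hunk). If they stay on the default network, keep nginx on both: `networks:` / `  default: {}` / `  proxy: {aliases: [wp-docker-stack-nginx]}`. Dropping the published 80/443 ports is the right direction for an edge-proxy layout, but it also means nothing in this stack answers on those ports any more, so the README or Makefile should state that a reverse proxy on the external `proxy` network is now a prerequisite for `up-prod`.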
@@ -80,27 +79,9 @@ services:
 cpus: '${DB_BACKUP_CPUS:-0.5}'
 memory: ${DB_BACKUP_MEM_LIMIT:-256M}
 
- certbot:
- <<: *default-logging
- image: certbot/certbot:v5.2.2
- env_file: .env
- environment:
- SERVER_NAME: ${SERVER_NAME}
- LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
- CERTBOT_RENEW_INTERVAL: ${CERTBOT_RENEW_INTERVAL:-12h}
- tmpfs:
- /var/lib/letsencrypt
- volumes:
- ./scripts:/scripts:ro
- certbot_conf:/etc/letsencrypt
- certbot_www:/var/www/certbot
- deploy:
- resources:
- limits:
- cpus: '${CERTBOT_CPUS:-0.5}'
- memory: ${CERTBOT_MEM_LIMIT:-128M}
-
 volumes:
 db_backups:
- certbot_conf:
- certbot_www:
+
+networks:
+ proxy:
+ external: true
diff --git a/nginx/dev.conf.template b/nginx/dev.conf.template
index faf13c1..7678e8c 100644
--- a/nginx/dev.conf.template
+++ b/nginx/dev.conf.template
@@ -5,8 +5,8 @@ server {
 root /var/www/html;
 index index.php index.html;
 
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 
 location / {
diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template
index 2aa53d7..cda159b 100644
--- a/nginx/prod.conf.template
+++ b/nginx/prod.conf.template
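Review bot: `external: true` under the new `proxy` network means Compose will refuse to start the prod stack when that network has not been created by the reverse-proxy side first, and nothing in this diff creates it or documents who owns it. A comment above `proxy:` such as `# Shared with the reverse-proxy stack, which owns TLS, HSTS and ACME; must exist before up-prod (docker network create proxy)` would make the dependency explicit, and `name: ${PROXY_NETWORK:-proxy}` would let operators match whatever name their proxy uses without editing the file. Removing the certbot service also silently hands the whole certificate lifecycle to that external proxy, so the README should say that renewal is no longer monitored from this stack.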
@@ -2,33 +2,9 @@ server {
 listen 80;
 server_name ${SERVER_NAME};
 
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- http2 on;
- server_name ${SERVER_NAME};
-
 root /var/www/html;
 index index.php;
 
- ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-XSS-Protection "1; mode=block";
diff --git a/scripts/certbot/certbot-dry-run/certbot-dry-run.sh b/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
deleted file mode 100755
index 4d18ff1..0000000
--- a/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-
-echo "Running Certbot dry-run (renew simulation)"
-
-certbot renew --dry-run
-
-echo "Dry-run completed successfully"
diff --git a/scripts/certbot/certbot-first-issue/certbot-first-issue.sh b/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
deleted file mode 100755
index d249d74..0000000
--- a/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-
-. /scripts/utils/check-required-vars.sh
-
-check_required_vars "SERVER_NAME LETSENCRYPT_EMAIL"
-
-echo "Requesting first Let's Encrypt certificate for $SERVER_NAME"
-
-certbot certonly \
- --webroot \
- --webroot-path /var/www/certbot \
- --domain "$SERVER_NAME" \
- --email "$LETSENCRYPT_EMAIL" \
- --agree-tos \
- --no-eff-email \
- --non-interactive
-
-echo "Certificate successfully issued"
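Review bot: With the 443 server and its `ssl_*` directives gone, the remaining `listen 80` block has no way to tell PHP that the client's connection was HTTPS, so WordPress behind the TLS-terminating proxy will likely emit http:// URLs or loop on its own HTTPS redirect unless the fastcgi section (outside this hunk; the server block continues past it) already honors `X-Forwarded-Proto`; a minimal fix is `map $http_x_forwarded_proto $fcgi_https { default ""; https on; }` at the top of the template plus `fastcgi_param HTTPS $fcgi_https;` in the PHP location. The dropped `Strict-Transport-Security` header is not re-added anywhere in the diff, so it is now the external proxy's job to set it; a one-line comment above `listen 80;` stating that TLS, HSTS and ACME are handled by the reverse proxy on the `proxy` network would stop the next reader from treating this as a plain-HTTP deployment. Since only that proxy should reach this listener, consider `set_real_ip_from` with the proxy network's range and `real_ip_header X-Forwarded-For;` so access logs and any rate limiting record the client address rather than the proxy's.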
diff --git a/scripts/certbot/certbot-renew/certbot-renew.sh b/scripts/certbot/certbot-renew/certbot-renew.sh
deleted file mode 100755
index bed3543..0000000
--- a/scripts/certbot/certbot-renew/certbot-renew.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-
-. /scripts/certbot/certbot-renew/lib/terminate.sh
-
-trap terminate TERM INT
-
-echo "Certbot renewal service started"
-echo "Renewal interval: ${CERTBOT_RENEW_INTERVAL}"
-
-while true; do
- echo "Checking certificates"
-
- if certbot renew --webroot -w /var/www/certbot --quiet; then
- echo "Renewal check completed"
- else
- echo "Renewal check returned non-zero status (may be expected)"
- fi
-
- echo "Waiting ${CERTBOT_RENEW_INTERVAL} for next check..."
- sleep "${CERTBOT_RENEW_INTERVAL}"
-done
diff --git a/scripts/certbot/certbot-renew/lib/terminate.sh b/scripts/certbot/certbot-renew/lib/terminate.sh
deleted file mode 100755
index 079f439..0000000
--- a/scripts/certbot/certbot-renew/lib/terminate.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-terminate() {
- echo "Stopping certbot renewal service"
- exit 0
-}