From 5c95798fcc4fd31af11fa87887d8f9b6b575ef02 Mon Sep 17 00:00:00 2001
From: Tayfun Gumus
Date: Mon, 16 Feb 2026 22:30:16 +0100
Subject: [PATCH 1/4] fix: conflit resolution

---
 .env.example | 7 ------
 Makefile | 20 +--------------
 docker-compose.prod.yml | 24 -------------------
 .../certbot-dry-run/certbot-dry-run.sh | 8 -------
 .../certbot-first-issue.sh | 19 --------------
 .../certbot/certbot-renew/certbot-renew.sh | 22 ----------------
 .../certbot/certbot-renew/lib/terminate.sh | 6 -----
 7 files changed, 1 insertion(+), 105 deletions(-)
 delete mode 100755 scripts/certbot/certbot-dry-run/certbot-dry-run.sh
 delete mode 100755 scripts/certbot/certbot-first-issue/certbot-first-issue.sh
 delete mode 100755 scripts/certbot/certbot-renew/certbot-renew.sh
 delete mode 100755 scripts/certbot/certbot-renew/lib/terminate.sh

diff --git a/.env.example b/.env.example
index b512ac8..62142a7 100644
--- a/.env.example
+++ b/.env.example
@@ -88,10 +88,3 @@ WP_INIT_MEM_LIMIT=128M
 # db-backup
 DB_BACKUP_CPUS=0.5
 DB_BACKUP_MEM_LIMIT=256M
-
-# Certbot
-# Email used for Let's Encrypt registration
-LETSENCRYPT_EMAIL=admin@example.com
-
-# Certbot renewal interval (s/m/h/d)
-CERTBOT_RENEW_INTERVAL=12h
diff --git a/Makefile b/Makefile
index 58e06ca..0274c50 100644
--- a/Makefile
+++ b/Makefile
@@ -41,23 +41,5 @@ down-prod:
 logs-prod:
 @$(COMPOSE_PROD) logs -f
 
-certbot-first-issue:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-first-issue/certbot-first-issue.sh
-
-certbot-dry-run:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-dry-run/certbot-dry-run.sh
-
-certbot-renew:
- @$(COMPOSE_PROD) run --rm \
- --entrypoint sh \
- certbot \
- /scripts/certbot/certbot-renew/certbot-renew.sh
-
 .PHONY: up down clean reset logs sync-site-url db-backup db-restore \
- up-prod down-prod logs-prod certbot-first-issue certbot-dry-run certbot-renew
+ up-prod down-prod logs-prod
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 15083ca..3038d6e 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -47,8 +47,6 @@ services:
 - "443:443"
 volumes:
 - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro
- - certbot_conf:/etc/letsencrypt
- - certbot_www:/var/www/certbot
 deploy:
 resources:
 limits:
@@ -80,27 +78,5 @@ services:
 cpus: '${DB_BACKUP_CPUS:-0.5}'
 memory: ${DB_BACKUP_MEM_LIMIT:-256M}
 
- certbot:
- <<: *default-logging
- image: certbot/certbot:v5.2.2
- env_file: .env
- environment:
- SERVER_NAME: ${SERVER_NAME}
- LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
- CERTBOT_RENEW_INTERVAL: ${CERTBOT_RENEW_INTERVAL:-12h}
- tmpfs:
- - /var/lib/letsencrypt
- volumes:
- - ./scripts:/scripts:ro
- - certbot_conf:/etc/letsencrypt
- - certbot_www:/var/www/certbot
- deploy:
- resources:
- limits:
- cpus: '${CERTBOT_CPUS:-0.5}'
- memory: ${CERTBOT_MEM_LIMIT:-128M}
-
 volumes:
 db_backups:
- certbot_conf:
- certbot_www:
diff --git a/scripts/certbot/certbot-dry-run/certbot-dry-run.sh b/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
deleted file mode 100755
index 4d18ff1..0000000
--- a/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-
-echo "Running Certbot dry-run (renew simulation)"
-
-certbot renew --dry-run
-
-echo "Dry-run completed successfully"
diff --git a/scripts/certbot/certbot-first-issue/certbot-first-issue.sh b/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
deleted file mode 100755
index d249d74..0000000
--- a/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-
-. /scripts/utils/check-required-vars.sh
-
-check_required_vars "SERVER_NAME LETSENCRYPT_EMAIL"
-
-echo "Requesting first Let's Encrypt certificate for $SERVER_NAME"
-
-certbot certonly \
- --webroot \
- --webroot-path /var/www/certbot \
- --domain "$SERVER_NAME" \
- --email "$LETSENCRYPT_EMAIL" \
- --agree-tos \
- --no-eff-email \
- --non-interactive
-
-echo "Certificate successfully issued"
diff --git a/scripts/certbot/certbot-renew/certbot-renew.sh b/scripts/certbot/certbot-renew/certbot-renew.sh
deleted file mode 100755
index bed3543..0000000
--- a/scripts/certbot/certbot-renew/certbot-renew.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-
-. /scripts/certbot/certbot-renew/lib/terminate.sh
-
-trap terminate TERM INT
-
-echo "Certbot renewal service started"
-echo "Renewal interval: ${CERTBOT_RENEW_INTERVAL}"
-
-while true; do
- echo "Checking certificates"
-
- if certbot renew --webroot -w /var/www/certbot --quiet; then
- echo "Renewal check completed"
- else
- echo "Renewal check returned non-zero status (may be expected)"
- fi
-
- echo "Waiting ${CERTBOT_RENEW_INTERVAL} for next check..."
- sleep "${CERTBOT_RENEW_INTERVAL}"
-done
diff --git a/scripts/certbot/certbot-renew/lib/terminate.sh b/scripts/certbot/certbot-renew/lib/terminate.sh
deleted file mode 100755
index 079f439..0000000
--- a/scripts/certbot/certbot-renew/lib/terminate.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-terminate() {
- echo "Stopping certbot renewal service"
- exit 0
-}

From e4bcff0587fb8af03aeaabbff4ffe0611200a0b5 Mon Sep 17 00:00:00 2001
From: Tayfun Gumus
Date: Sun, 15 Feb 2026 00:38:16 +0100
Subject: [PATCH 2/4] fix: nginx conf

---
 docker-compose.prod.yml | 9 ++++++---
 nginx/dev.conf.template | 4 ++--
 nginx/prod.conf.template | 24 ------------------------
 3 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 3038d6e..d75f076 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -42,11 +42,10 @@ services:
 init: true
 security_opt:
 - no-new-privileges:true
- ports:
- - "80:80"
- - "443:443"
 volumes:
 - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro
+ networks:
+ - proxy
 deploy:
 resources:
 limits:
@@ -80,3 +79,7 @@ services:
 
 volumes:
 db_backups:
+
+networks:
+ proxy:
+ external: true
diff --git a/nginx/dev.conf.template b/nginx/dev.conf.template
index faf13c1..7678e8c 100644
--- a/nginx/dev.conf.template
+++ b/nginx/dev.conf.template
@@ -5,8 +5,8 @@ server {
 root /var/www/html;
 index index.php index.html;
 
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 
 location / {
diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template
index 2aa53d7..cda159b 100644
--- a/nginx/prod.conf.template
+++ b/nginx/prod.conf.template
@@ -2,33 +2,9 @@ server {
 listen 80;
 server_name ${SERVER_NAME};
 
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- http2 on;
- server_name ${SERVER_NAME};
-
 root /var/www/html;
 index index.php;
 
- ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-XSS-Protection "1; mode=block";

From f3cf537f04166d94a4b08d62891c8de8931a0403 Mon Sep 17 00:00:00 2001
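Review bot: Declaring `networks:` on the nginx service detaches it from Compose's implicit `default` network, so after this hunk it can only reach containers that are also attached to `proxy`; if the PHP/WordPress service this nginx fronts stays on the default network (it is outside this hunk, so I cannot confirm), the upstream becomes unreachable. Listing both keeps the internal path: `networks:` / `  - proxy` / `  - default`. Dropping the `80:80`/`443:443` publishes also means nothing reaches this container except through whatever reverse proxy sits on `proxy`, which is presumably the intent but deserves a comment at the `networks:` key, e.g. `# no published ports: traffic arrives only via the external reverse proxy on "proxy"`.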
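Review bot: `external: true` makes `docker compose up` depend on a `proxy` network created outside this file, and it fails when that network is missing; nothing on the page documents the prerequisite. A comment on the new `proxy:` key, e.g. `# must be created out of band (shared network of the external reverse proxy)`, or a line in the README would make it visible. Since the network is shared, it is also worth stating there that every container on it can reach this nginx on port 80 directly.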
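Review bot: The `Strict-Transport-Security` header is removed together with the TLS server block, and nothing in the remaining `listen 80` block replaces it, so HSTS is now gone unless the external proxy sets it on its own; the other `add_header` lines survive, which suggests this was not a deliberate choice. If the proxy forwards response headers unchanged, re-adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` next to the remaining headers keeps the policy under this repository's control; otherwise a comment pointing at where the proxy sets it would do. The HTTP-to-HTTPS `return 301` likewise moves out of this file, which is consistent with TLS terminating upstream but should be confirmed on the proxy side. The enclosing `server {` block begins and ends outside the hunk.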
From: Tayfun Gumus
Date: Thu, 19 Feb 2026 23:31:33 +0100
Subject: [PATCH 3/4] feat: alias network

---
 docker-compose.prod.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index d75f076..16a9ba9 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -45,7 +45,9 @@ services:
 volumes:
 - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro
 networks:
- - proxy
+ proxy:
+ aliases:
+ - wp-nginx
 deploy:
 resources:
 limits:

From d7c6ace9f9394d2e657913a93fbf6b982dd5466a Mon Sep 17 00:00:00 2001
From: Tayfun Gumus
Date: Thu, 19 Feb 2026 23:47:08 +0100
Subject: [PATCH 4/4] fix: more coherent alias for proxy network

---
 docker-compose.prod.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 16a9ba9..8dce94d 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -47,7 +47,7 @@ services:
 networks:
 proxy:
 aliases:
- - wp-nginx
+ - wp-docker-stack-nginx
 deploy:
 resources:
 limits:
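Review bot: The alias added under `aliases:` is the hostname other containers on the shared external `proxy` network resolve to reach this service, but the hunk does not say who is expected to use it or that the proxy's upstream configuration must match it exactly. A comment on the `aliases:` line, e.g. `# hostname the external reverse proxy uses as upstream for this stack; keep in sync with the proxy config`, documents that contract. The follow-up commit in this series already makes the name stack-specific, so only the comment is outstanding.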