feat: reverse proxy config

.env.example

@@ -88,10 +88,3 @@ WP_INIT_MEM_LIMIT=128M
 # db-backup
 DB_BACKUP_CPUS=0.5
 DB_BACKUP_MEM_LIMIT=256M
-
-# Certbot
-# Email used for Let's Encrypt registration
-LETSENCRYPT_EMAIL=admin@example.com
-
-# Certbot renewal interval (s/m/h/d)
-CERTBOT_RENEW_INTERVAL=12h

Makefile

@@ -41,23 +41,5 @@ down-prod:
 logs-prod:
 	@$(COMPOSE_PROD) logs -f
 
-certbot-first-issue:
-	@$(COMPOSE_PROD) run --rm \
-		--entrypoint sh \
-		certbot \
-		/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
-
-certbot-dry-run:
-	@$(COMPOSE_PROD) run --rm \
-		--entrypoint sh \
-		certbot \
-		/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
-
-certbot-renew:
-	@$(COMPOSE_PROD) run --rm \
-		--entrypoint sh \
-		certbot \
-		/scripts/certbot/certbot-renew/certbot-renew.sh
-
 .PHONY: up down clean reset logs sync-site-url db-backup db-restore \
-        up-prod down-prod logs-prod certbot-first-issue certbot-dry-run certbot-renew
+        up-prod down-prod logs-prod

docker-compose.prod.yml

@@ -1,4 +1,4 @@
 x-logging: &default-logging
   logging:
     driver: json-file
     options:
@@ -42,13 +42,12 @@
     init: true
     security_opt:
       - no-new-privileges:true
-    ports:
-      - "80:80"
-      - "443:443"
     volumes:
       - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro
-      - certbot_conf:/etc/letsencrypt
-      - certbot_www:/var/www/certbot
+    networks:
+      proxy:
+        aliases:
+          - wp-docker-stack-nginx
     deploy:
       resources:
         limits:
@@ -80,27 +79,9 @@
           cpus: '${DB_BACKUP_CPUS:-0.5}'
           memory: ${DB_BACKUP_MEM_LIMIT:-256M}
 
-  certbot:
-    <<: *default-logging
-    image: certbot/certbot:v5.2.2
-    env_file: .env
-    environment:
-      SERVER_NAME: ${SERVER_NAME}
-      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
-      CERTBOT_RENEW_INTERVAL: ${CERTBOT_RENEW_INTERVAL:-12h}
-    tmpfs:
-      - /var/lib/letsencrypt
-    volumes:
-      - ./scripts:/scripts:ro
-      - certbot_conf:/etc/letsencrypt
-      - certbot_www:/var/www/certbot
-    deploy:
-      resources:
-        limits:
-          cpus: '${CERTBOT_CPUS:-0.5}'
-          memory: ${CERTBOT_MEM_LIMIT:-128M}
-
 volumes:
   db_backups:
-  certbot_conf:
-  certbot_www:
+
+networks:
+  proxy:
+    external: true

nginx/dev.conf.template

@@ -5,8 +5,8 @@ server {
   root /var/www/html;
   index index.php index.html;
 
-  add_header X-Frame-Options "SAMEORIGIN";
-  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
 
   location / {

nginx/prod.conf.template

@@ -2,33 +2,9 @@ server {
   listen 80;
   server_name ${SERVER_NAME};
 
-  location /.well-known/acme-challenge/ {
-    root /var/www/certbot;
-  }
-
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-server {
-  listen 443 ssl;
-  http2 on;
-  server_name ${SERVER_NAME};
-
   root /var/www/html;
   index index.php;
 
-  ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
-
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_prefer_server_ciphers off;
-
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-
-  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
   add_header X-Content-Type-Options nosniff;
   add_header X-Frame-Options SAMEORIGIN;
   add_header X-XSS-Protection "1; mode=block";