From d53664dc92ceffffa72d9112fb628d24908fa96c Mon Sep 17 00:00:00 2001 From: Peter Surda Date: Fri, 21 Feb 2025 08:46:05 +0800 Subject: [PATCH] Add a design document for nginx ingress --- nginx-ingress/TODO.md | 57 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 nginx-ingress/TODO.md diff --git a/nginx-ingress/TODO.md b/nginx-ingress/TODO.md new file mode 100644 index 0000000..087c7bc --- /dev/null +++ b/nginx-ingress/TODO.md 
@@ -0,0 +1,57 @@ +# Files needed + +- provisioner, certbot and nginx-plain should run on the same node, a master, + so that they can share a volume +- provisioner would create said volume +- provisioner would create/update the nginx-plain container, since it has a + dynamic config (accessing the shared volume) +- provisioner would also create/update the certbot container, since it needs + dynamic access to keys/certs +- certbot would create/update the nging-ssl container(s) +- so only the provisioner is in the compose file + +## provisioner +- certbot account (will provision if not exists) +- create docker volume shared between certbot and nginx-plain, if it doesn't exist + - volume is ephemeral so doesn't need to persiste between reboots +- it itself doesn't need to access the certbot account details since it's not + accessing the certificate API, only registration +- would always update the certbot container, to make sure it has access to + all keys + +## certbot + +- needs to run on master +- needs to be a dynamically created service so that it doesn't collide with git + source +- would first check if it has access to all keys and if it doesn't, call the + provisioner and then wait maybe a minute and return a failure. +- renew hook to add the configs/secrets and update the nginx-ssl service + +### common vars for all domains: + +- certbot account +- main config file (can be generated locally) +- certbot account file (provisioned first time) + +### per domain vars: +- keys +- certs +- chains +- full chains +- renewal config (current) +- nginx config (current) + +## nginx-plaintext + +- shared ephemeral volume with certbot, so they both need to run on the same system +- all nodes should point to it + +## nginx-ssl + +- dynamically created service +- currently valid private key +- currently valid cert +- currently valid chain +- currently valid full chain +- per domain config
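Review bot: the hunk never states what the volume shared by certbot and nginx-plain actually holds. Because `## certbot` requires the container to have "access to all keys" and `## nginx-ssl` lists the private key, cert and chains as its inputs, a reader can conclude that the shared ephemeral volume is the key store, which would put private keys on the same mount as the plaintext listener. Say explicitly that the shared volume carries only the ACME challenge webroot served by nginx-plain, and that keys and certs reach nginx-ssl solely through the secrets created by the renew hook ("renew hook to add the configs/secrets"). A second gap: "volume is ephemeral so doesn't need to persiste between reboots" only holds if the certbot account file ("provisioned first time") and the per-domain renewal config are persisted somewhere else; name that location. The failure path in `## certbot` ("call the provisioner and then wait maybe a minute and return a failure") also needs a bounded retry or a note on what supervises the restart, otherwise a provisioner that never completes yields an unbounded loop. Minor: "nging-ssl" and "persiste" are typos.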