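services:
  # One-shot provisioning job: runs once per deploy on a manager node and
  # drives the Docker API through the mounted socket.
  provision:
    # TODO(review): no `image:`/`build:` is declared, so this service cannot be
    # deployed as written. Confirm the image is injected by the templating step
    # that fills the {{ ... }} placeholders below, or add it here (pinned).
    deploy:
      placement:
        constraints:
          - node.role == manager
      mode: replicated-job
      replicas: 1
    volumes:
      # SECURITY: the Docker socket on a *manager* is cluster-admin. Anything
      # running in this container can start privileged containers on any node
      # and can mount any swarm secret into a container of its choosing.
      # A `:ro` suffix does not restrict API access, so it is not a mitigation;
      # keep this image minimal, pinned and reviewed.
      - /var/run/docker.sock:/var/run/docker.sock
    # Planned scope (notes preserved from the original file):
    # - check the extent of provisioning and
    # - provision basic certbot config and secrets
    #   - letsencrypt account key
    #   - 2 private SSL keys, an old and a new, the old is possibly never used
    #   - functionality to rotate both of these private keys

  # ACME client. Receives the account key and both TLS private keys as swarm
  # secrets and is expected to reload the SSL fronts via the Docker socket.
  certbot:
    # TODO(review): no `image:`/`build:` declared (same remark as `provision`).
    depends_on:
      # NOTE(review): `nginx` defines no `healthcheck:` and the official image
      # does not appear to ship one, so `service_healthy` can never be
      # satisfied under `docker compose`. `docker stack deploy` ignores
      # `depends_on` entirely, so under Swarm certbot may start before nginx is
      # serving the HTTP-01 challenge path — the container itself must retry.
      nginx:
        condition: service_healthy
    deploy:
      placement:
        constraints:
          - node.role == manager
    volumes:
      # SECURITY: same cluster-admin socket as `provision`; see the note there.
      - /var/run/docker.sock:/var/run/docker.sock
    # All keys are mounted root-only (uid/gid 0, 0400): the certbot process
    # must run as root inside the container or it cannot read them.
    # `mode` is deliberately the legacy `0400` octal form that the compose
    # schema expects; do not quote it or switch to `0o400`.
    # Swarm secrets are immutable, so rotating a key means creating a new
    # secret name and re-pointing `{{ SSL_KEY_* }}` at it, then redeploying.
    secrets:
      - source: certbot_key
        target: /etc/certbot/priv.key
        uid: "0"
        gid: "0"
        mode: 0400
      - source: ssl_key_old
        target: /etc/certbot/ssl/old.key
        uid: "0"
        gid: "0"
        mode: 0400
      - source: ssl_key_new
        target: /etc/certbot/ssl/new.key
        uid: "0"
        gid: "0"
        mode: 0400
    # Planned behaviour (notes preserved from the original file):
    # - populate its own filesystem from live config
    #   - all the SSL certs and corresponding renewal configs
    #   - detect missing certs and request them
    #   - maybe this can be also from a docker config, since the config is
    #     readable, it wouldn't require a restart of the container
    # - then call certbot in a loop or something like that
    #   - should point to new SSL key
    #   - post-install and post-renewal script should refresh

  # Plain-HTTP front on the manager: serves the ACME challenge and, presumably,
  # redirects everything else (see nginx_plain_conf).
  nginx:
    # TODO(review): pin by digest (`nginx:stable-alpine@sha256:...`) so a
    # registry-side retag cannot change what runs on the manager.
    image: nginx:stable-alpine
    # NOTE(review): `certbot` waits for this service to be *healthy*, but no
    # `healthcheck:` is declared here; add one (e.g. an HTTP probe of the
    # challenge path) or change the dependency to `service_started`.
    depends_on:
      provision:
        condition: service_completed_successfully
    deploy:
      mode: replicated
      endpoint_mode: vip
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      rollback_config:
        order: start-first
      update_config:
        order: start-first
        failure_action: rollback
    configs:
      # The full nginx.conf comes from an externally created swarm config so
      # it can be swapped without rebuilding an image.
      - source: nginx_plain_conf
        target: /etc/nginx/nginx.conf
        uid: "0"
        gid: "0"
        mode: 0444

  # TLS front, one task on every `live` node, reached via DNS round-robin.
  # NOTE(review): this service mounts neither the certificates nor the private
  # keys — how they reach the container is not visible in this file (the
  # certbot "refresh" step above presumably handles it); confirm the path and
  # that the key material is not written to a world-readable volume.
  nginx_ssl:
    # TODO(review): pin by digest, as for `nginx`.
    image: nginx:stable-alpine
    depends_on:
      # NOTE(review): `certbot` declares no `healthcheck:` either, so this
      # condition has the same problem as the one on `certbot` itself.
      certbot:
        condition: service_healthy
    deploy:
      mode: global
      endpoint_mode: dnsrr
      placement:
        constraints:
          - node.labels.org.sysdeploy.env == live
      rollback_config:
        parallelism: 2
        delay: 20s
        order: start-first
      update_config:
        parallelism: 2
        delay: 20s
        failure_action: rollback
        order: start-first
    configs:
      - source: nginx_ssl_conf
        target: /etc/nginx/nginx.conf
        uid: "0"
        gid: "0"
        mode: 0444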
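# No named networks are declared yet; every service joins the stack's default
# network. The explicit `{}` keeps the key a mapping — a bare `networks:` parses
# as null, which the compose schema does not accept as an object.
networks: {}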
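# nginx configurations are created outside this stack (`docker config create`)
# and referenced by name. The names are filled in by a templating step; they
# are quoted because an unquoted `{{ ... }}` is parsed by YAML as a flow mapping
# before any template engine sees it.
configs:
  nginx_plain_conf:
    external: true
    name: "{{ NGINX_PLAIN_CONF }}"
  nginx_ssl_conf:
    external: true
    name: "{{ NGINX_SSL_CONF }}"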
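# Private key material is created outside this stack (`docker secret create`)
# and only referenced here, so no key ever lands in version control. Swarm
# secrets are immutable: to rotate, create a new secret under a new name and
# point the corresponding placeholder at it. Names are quoted for the same
# reason as the configs above (`{{` would otherwise be read as a flow mapping).
secrets:
  # ACME account key
  certbot_key:
    external: true
    name: "{{ CERTBOT_KEY }}"
  # previous TLS private key (kept for rollback; possibly never used)
  ssl_key_old:
    external: true
    name: "{{ SSL_KEY_OLD }}"
  # current TLS private key that new certificates should be issued for
  ssl_key_new:
    external: true
    name: "{{ SSL_KEY_NEW }}"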