1.8 KiB
1.8 KiB
Files needed
- provisioner, certbot and nginx-plain should run on the same node, a master, so that they can share a volume
- provisioner would create said volume
- provisioner would create/update the nginx-plain container, since it has a dynamic config (accessing the shared volume)
- provisioner would also create/update the certbot container, since it needs dynamic access to keys/certs
- certbot would create/update the nging-ssl container(s)
- so only the provisioner is in the compose file
provisioner
- certbot account (will provision if not exists)
- create docker volume shared between certbot and nginx-plain, if it doesn't exist
- volume is ephemeral so doesn't need to persiste between reboots
- it itself doesn't need to access the certbot account details since it's not accessing the certificate API, only registration
- would always update the certbot container, to make sure it has access to all keys
certbot
- needs to run on master
- needs to be a dynamically created service so that it doesn't collide with git source
- would first check if it has access to all keys and if it doesn't, call the provisioner and then wait maybe a minute and return a failure.
- renew hook to add the configs/secrets and update the nginx-ssl service
common vars for all domains:
- certbot account
- main config file (can be generated locally)
- certbot account file (provisioned first time)
per domain vars:
- keys
- certs
- chains
- full chains
- renewal config (current)
- nginx config (current)
nginx-plaintext
- shared ephemeral volume with certbot, so they both need to run on the same system
- all nodes should point to it
nginx-ssl
- dynamically created service
- currently valid private key
- currently valid cert
- currently valid chain
- currently valid full chain
- per domain config