# Quorum Governance Portal — Production TLS overlay
#
# Extends docker-compose.yml with Let's Encrypt HTTPS support.
# Always use together with the base file:
#
# docker compose -f docker-compose.yml -f docker-compose.prod.yml <command>
#
# ── First-time TLS bootstrap (run once per server) ───────────────────────────
#
# Step 1 — Start nginx on HTTP so certbot can complete the ACME challenge:
# docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d nginx web bff postgres
#
# Step 2 — Issue the certificate (runs once then exits):
# docker compose -f docker-compose.yml -f docker-compose.prod.yml \
# --profile init run --rm certbot-init
#
# Step 3 — Bring up the full stack with HTTPS:
# docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# ── Subsequent deploys ────────────────────────────────────────────────────────
#
# docker compose -f docker-compose.yml -f docker-compose.prod.yml pull
# docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# ── Required root .env variables (in addition to base) ───────────────────────
#
# DOMAIN — hostname only, e.g. quorum.snomed.org (no https://)
# CERTBOT_EMAIL — email for Let's Encrypt registration + expiry alerts
# PUBLIC_URL — full URL e.g. https://quorum.snomed.org
# COOKIE_SECURE — must be "true" for HTTPS
#
# See .env.example at the repo root.
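services:
  nginx:
    ports:
      # Add HTTPS port on top of the HTTP port defined in docker-compose.yml
      - "${HTTPS_PORT:-443}:443"
    volumes:
      # Override: swap HTTP-only config for the full HTTPS config.
      # Docker Compose appends volumes lists; a later mount to the same
      # container path shadows the earlier one — so this wins over nginx.conf.
      - ./deploy/docker/nginx-prod.conf:/etc/nginx/conf.d/default.conf:ro
      # Read-only on purpose: nginx only reads the certificate chain and the
      # ACME challenge files; only the two certbot services below write here.
      - letsencrypt:/etc/letsencrypt:ro
      - certbot_webroot:/var/www/certbot:ro
    # NOTE(review): nginx reads the certificate when it starts; after the
    # renewal daemon replaces the files it keeps serving the old certificate
    # until it is reloaded or restarted. Confirm the base file (or
    # nginx-prod.conf) covers this, e.g. a periodic `nginx -s reload`.

  # ── One-shot cert issuance (bootstrap only) ─────────────────────────────────
  # Run with: docker compose ... --profile init run --rm certbot-init
  certbot-init:
    # NOTE(review): `latest` is an unpinned, mutable tag. For a production
    # overlay prefer a specific tag or digest (e.g. certbot/certbot:<PINNED_TAG>)
    # so deploys are reproducible and image updates are reviewed, not implicit.
    image: certbot/certbot:latest
    volumes:
      - letsencrypt:/etc/letsencrypt
      - certbot_webroot:/var/www/certbot
    # `${VAR:?msg}` makes Compose abort with a clear message when the variable
    # is unset or empty, instead of running certbot with an empty -d / --email.
    # `>-` folds the lines into one command string without a trailing newline.
    command: >-
      certonly --webroot -w /var/www/certbot
      -d ${DOMAIN:?DOMAIN is required}
      --email ${CERTBOT_EMAIL:?CERTBOT_EMAIL is required}
      --agree-tos --non-interactive
    profiles:
      - init
    # NOTE(review): issuance needs outbound HTTPS to the ACME server — confirm
    # the `internal` network defined in the base file allows egress.
    networks:
      - internal

  # ── Renewal daemon (runs perpetually) ───────────────────────────────────────
  # Checks every 12 h; renews automatically when cert is within 30 days of expiry.
  certbot:
    # NOTE(review): same unpinned `latest` tag as certbot-init — pin for prod.
    image: certbot/certbot:latest
    restart: unless-stopped
    volumes:
      - letsencrypt:/etc/letsencrypt
      - certbot_webroot:/var/www/certbot
    # Exec-form entrypoint with the loop as a readable shell script.
    # `trap exit TERM` ends the loop on SIGTERM (what `docker stop` sends);
    # `sleep 12h & wait` keeps the shell in `wait` rather than blocked in
    # `sleep`, so the trap can fire during the pause. `$$` is Compose escaping
    # for a literal `$`, so the container shell sees `wait ${!}`.
    entrypoint:
      - /bin/sh
      - -c
      - |
        trap exit TERM
        while :; do
          certbot renew --quiet --webroot -w /var/www/certbot
          sleep 12h & wait $${!}
        done
    networks:
      - internal
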
volumes:
letsencrypt: