- switch to using single ssl cert for all domains

dockerfiles/services/letsencrypt/docker-compose-install.yml

@@ -0,0 +1,47 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-install.yml services_letsencrypt
+
+version: '3'
+services:
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    ports:
+      - 83:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_TESTCERT: "false"
+      LETSENCRYPT_DEBUG: "true"
+      LETSENCRYPT_JOB_TIME: "0 0 1 15 * *"
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN10: www.xai-corp.net
+      LETSENCRYPT_DOMAIN11: mail.xai-corp.net
+    command:
+      - install
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose-update.yml

@@ -10,16 +10,15 @@ services:
 
   updates:
     image: "blacklabelops/letsencrypt"
-    container_name: letsencrypt_staging_updates
     ports:
-      - 80:80
+      - 83:80
 #      - 443:443
     volumes:
       - /opt/shared/letsencrypt:/etc/letsencrypt
     environment:
       LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
       LETSENCRYPT_HTTPS_ENABLED: "false"
-      LETSENCRYPT_TESTCERT: "true"
+      LETSENCRYPT_TESTCERT: "false"
       LETSENCRYPT_DEBUG: "true"
       LETSENCRYPT_JOB_TIME: "0 0 1 15 * *"
       LETSENCRYPT_DOMAIN1: xai-corp.net
@@ -31,10 +30,8 @@ services:
       LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
       LETSENCRYPT_DOMAIN8: sql.xai-corp.net
       LETSENCRYPT_DOMAIN9: office.xai-corp.net
-      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+      LETSENCRYPT_DOMAIN10: www.xai-corp.net
-    command:
+      LETSENCRYPT_DOMAIN11: mail.xai-corp.net
-      - install
-      - --expand
 
     deploy:
       mode: replicated
@@ -43,5 +40,5 @@ services:
         condition: none
       resources:
         limits:
-          cpus: '0.1'
+          cpus: '0.5'
-          memory: 256M
+          memory: 16M

dockerfiles/services/letsencrypt/readme.md

@@ -9,7 +9,7 @@ todo: set this up as a cron
 #install new certs
 ```
 DOCKER_HOST=dkhost01:2376 docker run -d \
-    -p 80:80 \
+    -p 83:80 \
     --name letsencrypt \
     -e "LETSENCRYPT_HTTPS_ENABLED=false" \
     -v /opt/shared/letsencrypt-2:/etc/letsencrypt \
@@ -29,7 +29,7 @@ DOCKER_HOST=dkhost01:2376 docker run -d \
 
 ```
 DOCKER_HOST=dkhost01:2376 docker run -d \
-    -p 80:80 \
+    -p 83:80 \
     --name letsencrypt_updates \
     -e "LETSENCRYPT_HTTPS_ENABLED=false" \
     -v /opt/shared/letsencrypt-2:/etc/letsencrypt \
@@ -43,6 +43,6 @@ DOCKER_HOST=dkhost01:2376 docker run -d \
     -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \
     -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \
     -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \
-    -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN10=office.xai-corp.net" \
     blacklabelops/letsencrypt
 ```

dockerfiles/services/sslproxy/docker-compose-prod.yml

@@ -10,7 +10,7 @@ services:
   app:
     image: "dkregistry.xai-corp.net:5000/sslproxy:2.0"
     volumes:
-      - /etc/letsencrypt:/etc/letsencrypt:ro
+      - /opt/shared/letsencrypt-2:/etc/letsencrypt:ro
     ports:
       - "443:443"
 

dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf

@@ -11,8 +11,8 @@ map $upstream_http_docker_distribution_api_version $docker_distribution_api_vers
 server {
     listen  443 ssl;
     server_name dkregistry.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.1 TLSv1.2;

dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf

@@ -2,8 +2,8 @@
 server {
     listen  443 ssl;
     server_name dkui.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf

@@ -2,8 +2,8 @@
 server {
     listen  443 ssl;
     server_name fs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf

@@ -2,8 +2,8 @@
 server {
     listen  443 ssl;
     server_name git.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf

@@ -2,8 +2,8 @@
 server {
     listen  443 ssl;
     server_name jenkins.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/letsencrypt.conf

@@ -0,0 +1,13 @@
+# proxy for unsecured traffic for letsencrypt verification
+server {
+    listen  80 default_server;
+    server_name _
+
+    client_max_body_size 200m;
+
+    location / {
+        proxy_set_header Connection $http_connection;
+        proxy_pass http://dkhost.xai-corp.net:83;
+    }
+
+}

dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf

@@ -1,15 +0,0 @@
-# logs.xai-corp.net
-server {
-    listen  443 ssl;
-    server_name logs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
-    #Strict-Transport-Security: max-age=15768000
-    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
-
-    location / {
-        proxy_set_header Connection $http_connection;
-        proxy_pass http://dkhost.xai-corp.net:10090;
-    }
-
-}

dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf

@@ -1,14 +0,0 @@
-# tripbuilder.xai-corp.net
-server {
-    listen  443 ssl;
-    server_name tripbuilder.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem;
-    ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem;
-
-    #Strict-Transport-Security: max-age=15768000
-    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
-
-    location / {
-        proxy_pass http://dkhost.xai-corp.net:8080;
-    }
-}

dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf

@@ -2,8 +2,8 @@
 server {
     listen  443 ssl;
     server_name xaibox.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/fullchain.pem;
+    ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 
     client_max_body_size 200m;
 

roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2

@@ -9,7 +9,7 @@ $TTL 1D
 xai-corp.net.           IN NS   ns.xai-corp.net.
 xai-corp.net.           IN MX   0 mail.xai-corp.net.
 xai-corp.net.           IN TXT  "v=spf1 ip4:192.168.2.11/32 mx ptr mx:mail.xai-corp.net ~all"
-mail                    IN A    192.168.2.12
+;mail                    IN A    192.168.2.12
 
 gateway                 IN A    192.168.2.1
 wireless                IN A    192.168.2.3
@@ -57,3 +57,6 @@ mysql                   IN CNAME    dkhost
 tripbuilder             IN CNAME    dkhost
 xaibox                  IN CNAME    dkhost
 office                  IN CNAME    dkhost
+www                     IN CNAME    dkhost
+mail                    IN CNAME    dkhost
+; xai-corp.net.           IN CNAME    dkhost