reworked letsencrypt to use docker containers instead of certbot on the host.

dockerfiles/owncloud/docker-compose.yml

@@ -1,29 +0,0 @@
----
-# docker-compose file for owncloud server
-
-# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml owncloud
-
-version: '3'
-services:
-
-  owncloud:
-    image: nextcloud:12
-    ports:
-      - 8083:80
-#      - 9083:9000
-    volumes:
-      - /opt/shared/nextcloud/data:/var/www/html/data
-      - /opt/shared/nextcloud/config:/var/www/html/config
-      - /opt/shared/nextcloud/apps:/var/www/html/custom_apps
-
-    deploy:
-      mode: replicated
-      replicas: 1
-      restart_policy:
-        condition: any
-        delay: "1s"
-        max_attempts: 5
-      resources:
-        limits:
-          cpus: '1'
-          memory: 512M

dockerfiles/services/dkregistry/docker-compose.yml

@@ -3,7 +3,7 @@
 # - see https://www.elastic.co/guide/en/logstash/current/_pulling_the_image.html
 #
 # DOCKER_HOST=dkhost03:2376 docker-compose up -d
-# DOCKER_HOST=dkhost03:2376 docker stack deploy -c docker-compose.yml services
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services
 
 version: '3'
 services:

dockerfiles/services/letsencrypt/docker-compose-staging-install.yml

@@ -0,0 +1,48 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up install
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services_letsencrypt
+
+version: '3'
+services:
+
+  install:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_install
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose-staging-update.yml

@@ -0,0 +1,45 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-staging-update.yml services_letsencrypt
+
+version: '3'
+services:
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose-update.yml

@@ -0,0 +1,47 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-update.yml services_letsencrypt
+
+version: '3'
+services:
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_TESTCERT: "true"
+      LETSENCRYPT_DEBUG: "true"
+      LETSENCRYPT_JOB_TIME: "0 0 1 15 * *"
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose.yml

@@ -0,0 +1,84 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up install
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services_letsencrypt
+
+version: '3'
+services:
+
+  install:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_install
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/readme.md

@@ -0,0 +1,48 @@
+#Letsencrypt container 
+
+run this as a regular container via cron job
+
+note that this container only takes 2 parameters, so we can use --staging and --merge. maybe we should build our own.
+
+todo: set this up as a cron
+
+#install new certs
+```
+DOCKER_HOST=dkhost:2376 docker run -d \
+    -p 80:80 \
+    --name letsencrypt \
+    -e "LETSENCRYPT_HTTPS_ENABLED=false" \
+    -v /opt/shared/letsencrypt-2:/opt/shared/letsencrypt \
+    -e "LETSENCRYPT_EMAIL=r_morgan@sympatico.ca" \
+    -e "LETSENCRYPT_DOMAIN1=xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN2=git.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN3=xaibox.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN4=dkui.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN5=dkregistry.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN6=fs.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \
+    blacklabelops/letsencrypt install
+```
+
+```
+DOCKER_HOST=dkhost:2376 docker run -d \
+    -p 80:80 \
+    --name letsencrypt_updates \
+    -e "LETSENCRYPT_HTTPS_ENABLED=false" \
+    -v /opt/shared/letsencrypt-2:/opt/shared/letsencrypt \
+    -e "LETSENCRYPT_EMAIL=r_morgan@sympatico.ca" \
+    -e "LETSENCRYPT_DOMAIN1=xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN2=git.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN3=xaibox.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN4=dkui.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN5=dkregistry.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN6=fs.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \
+    blacklabelops/letsencrypt
+```

dockerfiles/services/owncloud/Dockerfile

@@ -0,0 +1,4 @@
+FROM nextcloud:12
+
+RUN apt-get update && apt-get install -y smbclient && rm -rf /var/lib/apt/lists/*
+

dockerfiles/services/owncloud/docker-compose-prod.yml

@@ -0,0 +1,51 @@
+---
+# docker-compose file for owncloud server
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-prod.yml owncloud
+
+version: '3'
+services:
+
+  owncloud:
+    image: dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+    ports:
+      - 8083:80
+#      - 9083:9000
+    volumes:
+      - /opt/shared/nextcloud/data:/var/www/html/data
+      - /opt/shared/nextcloud/config:/var/www/html/config
+      - /opt/shared/nextcloud/apps:/var/www/html/custom_apps
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: "1s"
+        max_attempts: 5
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+
+  collabora:
+    image: collabora/code
+    ports:
+      - 9980:9980
+    environment:
+      domain: office\\.xai-corp\\.net
+      username: admin
+      password: ah8031qhnbc
+      server_name: office.xai-corp.net
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: "1s"
+        max_attempts: 5
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M

dockerfiles/services/owncloud/docker-compose.yml

@@ -0,0 +1,51 @@
+---
+# docker-compose file for nextcloud server
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml owncloud
+
+version: '3'
+services:
+
+  owncloud:
+    image: "dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest"
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - 8083:80
+#      - 9083:9000
+    volumes:
+      - ./data:/var/www/html
+
+  collabora:
+    image: collabora/code
+    ports:
+      - 9980:9980
+    environment:
+      domain: office\\.xai-corp\\.net
+      username: admin
+      password: ah8031qhnbc
+      server_name: office.xai-corp.net
+
+#  letsencrypt:
+#    image: linuxserver/letsencrypt
+#    volumes:
+#      - ./letsencrypt:/config
+#    environment:
+#      URL: xai-corp.net
+#      SUBDOMAINS: www,sql,xaibox,office
+#      TZ: America/Montreal
+#      EMAIL: r_morgan@sympatico.ca
+
+
+#TODO:
+#  cron:
+
+  http:
+    image: "dkregistry.xai-corp.net:5000/sslproxy:2.0"
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt:ro
+    ports:
+      - "443:443"

dockerfiles/services/services/cron/docker-compose.yml

@@ -10,7 +10,7 @@ services:
   cron:
     image: "dkregistry.xai-corp.net:5000/cron:latest"
     build:
-      context: .
+      context: ""
       dockerfile: Dockerfile
 
     deploy:

dockerfiles/services/services/minio/docker-compose.yml

@@ -0,0 +1,100 @@
+---
+#minio s3 clone
+#https://docs.minio.io/docs/deploy-minio-on-docker-swarm
+# DOCKER_HOST=dkhost:2376 docker-compose up -d
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml s3
+
+version: '3.1'
+
+services:
+  minio1:
+    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+    volumes:
+      - minio1-data:/export
+    ports:
+      - "9061:9000"
+    networks:
+      - minio_distributed
+    deploy:
+      restart_policy:
+        delay: 10s
+        max_attempts: 10
+        window: 60s
+    command: server http://s3_minio1/export
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+    secrets:
+      - s3_secret_key
+      - s3_access_key
+
+#  minio2:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio2-data:/export
+#    ports:
+#      - "9062:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+#
+#  minio3:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio3-data:/export
+#    ports:
+#      - "9063:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+#
+#  minio4:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio4-data:/export
+#    ports:
+#      - "9064:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+
+volumes:
+  minio1-data:
+
+  minio2-data:
+
+  minio3-data:
+
+  minio4-data:
+
+networks:
+  minio_distributed:
+    driver: overlay
+
+secrets:
+  s3_secret_key:
+    external: true
+  s3_access_key:
+    external: true

dockerfiles/services/sslproxy/docker-compose-prod.yml

@@ -1,7 +1,7 @@
 ---
 # DOCKER_HOST=192.168.2.41:2376 docker-compose up -d
 # docker login dkregistry.xai-corp.net:5000
-# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:latest
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:2.0
 # DOCKER_HOST=dkhost01:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml sslproxy
 # DOCKER_HOST=dkhost01:2376 docker stack ps sslproxy
 
@@ -14,11 +14,11 @@ services:
     ports:
       - "443:443"
 
-    logging:
-      driver: syslog
-      options:
-        syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
-        tag: "{{.Name}}/{{.ID}}"
+#    logging:
+#      driver: syslog
+#      options:
+#        syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
+#        tag: "{{.Name}}/{{.ID}}"
 
     deploy:
       mode: replicated

dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name dkui.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name fs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name git.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name jenkins.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name logs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name xaibox.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
 
     client_max_body_size 200m;