
iterating on proxy + letsencrypt setup

Christian Winther 1 tahun lalu
induk
melakukan
2e3c7e862c

+ 1 - 4
.dockerignore

@@ -1,7 +1,4 @@
-.dockerignore
 .env
 .git
 .gitignore
-docker-compose*.yml
-
-/docker-compose/
+/docker-compose-state/

+ 16 - 5
.env.docker

@@ -34,7 +34,7 @@ DOCKER_APPLY_NEW_MIGRATIONS_AUTOMATICALLY="0"
 LETSENCRYPT_EMAIL="__CHANGE_ME__"
 
 # Lets Encrypt staging/test servers for certificate requests
-LETSENCRYPT_TEST="true"
+LETSENCRYPT_TEST=
 
 ###############################################################
 # Pixelfed application configuration
@@ -147,7 +147,7 @@ APP_TIMEZONE="${TZ}"
 # Defaults to "15000" (15MB).
 #
 # See: https://docs.pixelfed.org/technical-documentation/config/#max_photo_size-kb
-#MAX_PHOTO_SIZE="15000"
+MAX_PHOTO_SIZE="15000"
 
 # Update the max avatar size, in kB.
 #
@@ -182,7 +182,7 @@ APP_TIMEZONE="${TZ}"
 # Defaults to "4".
 #
 # See: https://docs.pixelfed.org/technical-documentation/config/#max_album_length
-#MAX_ALBUM_LENGTH="4"
+MAX_ALBUM_LENGTH="4"
 
 # Resize and optimize image uploads.
 #
@@ -912,9 +912,14 @@ POSTGRES_PASSWORD="${DB_PASSWORD}"
 POSTGRES_DB="${DB_DATABASE}"
 
 ###############################################################
-# Docker Specific configuration
+# Lets Encrypt configuration
 ###############################################################
 
+LETSENCRYPT_HOST="${APP_DOMAIN}"
+
+###############################################################
+# Docker Specific configuration
+###############################################################
 # Port that Redis will listen on *outside* the container (e.g. the host machine)
 DOCKER_REDIS_PORT_EXTERNAL="${REDIS_PORT}"
 
@@ -933,4 +938,10 @@ DOCKER_WEB_HTTPS_PORT_EXTERNAL="444"
 DOCKER_PROXY_PORT_EXTERNAL_HTTP="8080"
 
 # Port that the web will listen on *outside* the container (e.g. the host machine) for HTTPS traffic
-DOCKER_PROXY_PORT_EXTERNAL_HTTPS="443"
+DOCKER_PROXY_PORT_EXTERNAL_HTTPS="444"
+
+# Path to the Docker socket on the *host*
+DOCKER_HOST_SOCKET_PATH="/var/run/docker.sock"
+
+# Prefix for container names (without any dash at the end)
+DOCKER_CONTAINER_NAME_PREFIX="${APP_DOMAIN}-"
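Review bot: `DOCKER_CONTAINER_NAME_PREFIX="${APP_DOMAIN}-"` on the last added line keeps a trailing dash although the comment directly above says "without any dash at the end", and docker-compose.yml already inserts its own dash (`"${DOCKER_CONTAINER_NAME_PREFIX}-proxy"`), so every container would be named `<domain>--proxy`, `<domain>--web` and so on; the value should be `DOCKER_CONTAINER_NAME_PREFIX="${APP_DOMAIN}"`. `DOCKER_PROXY_PORT_EXTERNAL_HTTPS="444"` now equals the `DOCKER_WEB_HTTPS_PORT_EXTERNAL="444"` shown in the hunk header, so if the web service still publishes that port the two will contend for host port 444, and with the proxy on 8080/444 rather than 80/443 Let's Encrypt HTTP-01 validation can only succeed if something in front forwards public port 80 to the proxy. `LETSENCRYPT_TEST=` is now empty, which presumably selects the production issuer by default; the comment above it should state both meanings, e.g. `# Set to "true" to request certificates from the Let's Encrypt staging servers (untrusted certificates, relaxed rate limits); leave empty for production certificates`.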

+ 12 - 15
.gitignore

@@ -1,24 +1,21 @@
+.bash_history
+.bash_profile
+.bashrc
+.DS_Store
+.env
+.git-credentials
+.gitconfig
+/.composer/
+/.idea
+/.vagrant
+/.vscode
+/docker-compose-state/
 /node_modules
 /public/hot
 /public/storage
 /storage/*.key
 /vendor
-/.idea
-/.vscode
-/.vagrant
-/docker-volumes
 Homestead.json
 Homestead.yaml
 npm-debug.log
 yarn-error.log
-.env
-.DS_Store
-.bash_profile
-.bash_history
-.bashrc
-.gitconfig
-.git-credentials
-/.composer/
-/nginx.conf
-/docker-compose/
-!/contrib/docker-compose/.env

+ 33 - 16
docker-compose.yml

@@ -11,14 +11,14 @@ services:
   # See: https://github.com/nginx-proxy/nginx-proxy/tree/main/docs
   proxy:
     image: nginxproxy/nginx-proxy:1.4
-    container_name: "${APP_DOMAIN}-proxy"
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-proxy"
     #restart: unless-stopped
     volumes:
-      - "/var/run/docker.sock:/tmp/docker.sock:ro"
-      - "${DOCKER_CONFIG_ROOT}/proxy/certs:/etc/nginx/certs"
+      - "${DOCKER_HOST_SOCKET_PATH}:/tmp/docker.sock:ro"
       - "${DOCKER_CONFIG_ROOT}/proxy/conf.d:/etc/nginx/conf.d"
-      - "${DOCKER_CONFIG_ROOT}/proxy/html:/usr/share/nginx/html"
       - "${DOCKER_CONFIG_ROOT}/proxy/vhost.d:/etc/nginx/vhost.d"
+      - "${DOCKER_CONFIG_ROOT}/proxy/certs:/etc/nginx/certs"
+      - "${DOCKER_DATA_ROOT}/proxy/html:/usr/share/nginx/html"
     ports:
       - "${DOCKER_PROXY_PORT_EXTERNAL_HTTP}:80"
       - "${DOCKER_PROXY_PORT_EXTERNAL_HTTPS}:443"
@@ -28,33 +28,40 @@ services:
   # See: https://github.com/nginx-proxy/acme-companion/tree/main/docs
   proxy-acme:
     image: nginxproxy/acme-companion
-    container_name: "${APP_DOMAIN}-proxy-acme"
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-proxy-acme"
     #restart: unless-stopped
     environment:
+      DEBUG: 0
       DEFAULT_EMAIL: "${LETSENCRYPT_EMAIL}"
-      LETSENCRYPT_TEST: "${LETSENCRYPT_TEST}"
-      NGINX_PROXY_CONTAINER: "${APP_DOMAIN}-proxy"
+      NGINX_PROXY_CONTAINER: "${DOCKER_CONTAINER_NAME_PREFIX}-proxy"
     depends_on:
       - proxy
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - "${DOCKER_CONFIG_ROOT}/proxy/certs:/etc/nginx/certs"
+      - "${DOCKER_HOST_SOCKET_PATH}:/var/run/docker.sock:ro"
       - "${DOCKER_CONFIG_ROOT}/proxy/conf.d:/etc/nginx/conf.d"
-      - "${DOCKER_CONFIG_ROOT}/proxy/html:/usr/share/nginx/html"
       - "${DOCKER_CONFIG_ROOT}/proxy/vhost.d:/etc/nginx/vhost.d"
+      - "${DOCKER_CONFIG_ROOT}/proxy/certs:/etc/nginx/certs"
+      - "${DOCKER_DATA_ROOT}/proxy/html:/usr/share/nginx/html"
+      - "${DOCKER_DATA_ROOT}/proxy-acme:/etc/acme.sh"
 
   web:
     image: "${DOCKER_IMAGE}:${DOCKER_TAG}"
-    # build:
-    #   target: apache-runtime
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-web"
     restart: unless-stopped
+    build:
+      target: apache-runtime
+    deploy:
+      mode: replicated
+      replicas: 1
     volumes:
       - "./.env:/var/www/.env"
       - "${DOCKER_DATA_ROOT}/pixelfed/cache:/var/www/bootstrap/cache"
       - "${DOCKER_DATA_ROOT}/pixelfed/storage:/var/www/storage"
     environment:
-      LETSENCRYPT_HOST: "${APP_DOMAIN},*.${APP_DOMAIN}"
-      VIRTUAL_HOST: "${APP_DOMAIN},*.${APP_DOMAIN}"
+      LETSENCRYPT_HOST: "${LETSENCRYPT_HOST}"
+      LETSENCRYPT_EMAIL: "${LETSENCRYPT_EMAIL}"
+      LETSENCRYPT_TEST: "${LETSENCRYPT_TEST}"
+      VIRTUAL_HOST: "${APP_DOMAIN}"
       VIRTUAL_PORT: "80"
     labels:
       com.github.nginx-proxy.nginx-proxy.keepalive: 30
@@ -69,10 +76,14 @@ services:
 
   worker:
     image: "${DOCKER_IMAGE}:${DOCKER_TAG}"
-    # build:
-    #   target: apache-runtime
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-worker"
     command: gosu www-data php artisan horizon
     restart: unless-stopped
+    deploy:
+      mode: replicated
+      replicas: 1
+    build:
+      target: apache-runtime
     volumes:
       - "./.env:/var/www/.env"
       - "${DOCKER_DATA_ROOT}/pixelfed/cache:/var/www/bootstrap/cache"
@@ -83,8 +94,11 @@ services:
 
   db:
     image: mariadb:11.2
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-db"
     command: --default-authentication-plugin=mysql_native_password
     restart: unless-stopped
+    env_file:
+      - ".env"
     volumes:
       - "${DOCKER_DATA_ROOT}/db:/var/lib/mysql"
     ports:
@@ -92,7 +106,10 @@ services:
 
   redis:
     image: redis:7
+    container_name: "${DOCKER_CONTAINER_NAME_PREFIX}-redis"
     restart: unless-stopped
+    env_file:
+      - ".env"
     volumes:
       - "${DOCKER_CONFIG_ROOT}/redis:/etc/redis"
       - "${DOCKER_DATA_ROOT}/redis:/data"
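Review bot: The new `env_file: - ".env"` entries on the db and redis services hand the whole application .env, including the database password and any other secret it holds, to containers that need only their own settings, where it is readable through `docker inspect` and the process environment. Prefer listing just the variables those images read under `environment:` (for MariaDB the `MARIADB_*` counterparts of the `POSTGRES_*` values .env.docker already defines); compose's own `.env` interpolation still resolves `${DB_PASSWORD}` and friends for that. The proxy and proxy-acme services mount `${DOCKER_HOST_SOCKET_PATH}` with `:ro`, but read-only on a socket bind mount only prevents remounting, not API calls, so both containers keep root-equivalent control of the Docker host; that is inherent to nginx-proxy, but a comment next to `DOCKER_HOST_SOCKET_PATH` should say so, and a socket proxy exposing only the endpoints nginx-proxy needs is the usual mitigation. Note also that `container_name` and `deploy.replicas` on web and worker cannot be combined beyond one replica, so the new `deploy:` stanzas are effectively documentation.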

+ 1 - 0
docker/shared/root/docker/entrypoint.d/11-first-time-setup.sh

@@ -3,6 +3,7 @@ source /docker/helpers.sh
 
 entrypoint-set-script-name "$0"
 
+load-config-files
 await-database-ready
 
 only-once "storage:link" run-as-runtime-user php artisan storage:link

+ 5 - 5
docker/shared/root/docker/helpers.sh

@@ -283,7 +283,7 @@ function is-directory-empty() {
 # @exitcode 0 If $1 If the path exists *or* was created
 # @exitcode 1 If $1 If the path does *NOT* exists and could *NOT* be created
 function ensure-directory-exists() {
-    mkdir -pv "$@"
+    stream-prefix-command-output mkdir -pv "$@"
 }
 
 # @description Find the relative path for a entrypoint script by removing the ENTRYPOINT_ROOT prefix
@@ -314,7 +314,7 @@ function only-once() {
         return 1
     fi
 
-    touch "${file}"
+    stream-prefix-command-output touch "${file}"
     return 0
 }
 
@@ -334,7 +334,7 @@ function acquire-lock() {
         staggered-sleep
     done
 
-    touch "${file}"
+    stream-prefix-command-output touch "${file}"
 
     log-info "🔐 Lock acquired [${file}]"
 
@@ -349,7 +349,7 @@ function release-lock() {
 
     log-info "🔓 Releasing lock [${file}]"
 
-    rm -f "${file}"
+    stream-prefix-command-output rm -fv "${file}"
 }
 
 # @description Helper function to append multiple actions onto
@@ -410,7 +410,7 @@ function await-database-ready() {
         ;;
 
     *)
-        log-error-and-exit "Unknown database type: [${DB_CONNECTION}]"
+        log-error-and-exit "Unknown database type: [${DB_CONNECTION:-}]"
         ;;
     esac
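Review bot: In ensure-directory-exists the `mkdir` now runs through `stream-prefix-command-output`, yet the header still promises `@exitcode 1` when the path could not be created; if that wrapper pipes the command's output (it is defined outside this hunk, so I cannot confirm), the function's status becomes that of the last pipeline stage unless `set -o pipefail` is in effect, and callers would continue after a failed mkdir. The same wrapping of `touch` in only-once and acquire-lock and of `rm -fv` in release-lock has the same exposure, and acquire-lock in particular logs "Lock acquired" right after the touch regardless of its outcome. Please confirm the wrapper returns the wrapped command's status (e.g. via `PIPESTATUS[0]` inside it) and state that in its `@exitcode` documentation, since four lock/filesystem primitives now depend on it. The `${DB_CONNECTION:-}` change in await-database-ready is fine and keeps the error path safe under `set -u`.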