
Simplify deployment process #10

Open
wants to merge 5 commits into
base: master

Conversation

yvolchkov

My 2cents to simplify building service. Includes

  • acme.sh certificates generation
  • htpass done within containers
  • geoip service as a part of docker-compose

Yuri Volchkov added 5 commits June 11, 2022 16:43
where it makes sense. So far it makes sense only for
elasticsearch. More is coming with a bit of restructuring of the
services.

Also bump docker-compose version while at it.

Signed-off-by: Yuri Volchkov <[email protected]>
I did not follow the default recipes of restarting nginx on
certificate renewal, as they require passing /var/run/docker.sock to
the acme container so that it is able to restart the nginx container.
The problem is that acme would have gotten full control over docker,
which is not ideal from the security point of view.

Instead, a crontab entry is added to the nginx container to reload
certificates weekly. From the uptime perspective (if it even matters),
this is even better, because "nginx -s reload" completes in no time,
while a full container restart might take a second or two.

Signed-off-by: Yuri Volchkov <[email protected]>
Make the parsedmarc service even more self-contained. Do not rely on
geoip running on the host; include it in the compose file.

Signed-off-by: Yuri Volchkov <[email protected]>
as the newer version requires

Signed-off-by: Yuri Volchkov <[email protected]>
@yvolchkov yvolchkov changed the title Staging 2 Simplify deployment process Jun 15, 2022
@dragoangel
Owner

dragoangel commented Aug 2, 2022

Thank you for your PR, but I do not want to put acme stuff here, as not everyone will host this on a public network, or even has the option to do so, or they may use another proxy in front of it. If people want acme.sh they can run acme on the host and do a post-deploy step to restart the docker container. I think this is not much harder and gives the freedom for both cases to coexist.

About the password and readme stuff: I have not had time to update this repo, but locally I had success configuring the security pack so that Kibana had properly working authorization. I just need to find time to automate the creation of all the necessary stuff in the docker entrypoint, and then this httpdpass will be removed in favour of nicely working user auth :)

About geoip, yes I will change this as well with time. I know about this option.

@dragoangel dragoangel closed this Aug 2, 2022
@yvolchkov
Author

not everyone will host that on public network

That is why the solution is designed to work entirely from an internal network. That is how I run it. My setup can be accessed only from my home network and not from the outside.

If people want acme sh they can do this by acme on host and do postdeploy to restart docker container.

That makes the service dependent on the local configuration. From what I have seen in other projects, it is fairly common practice to include acme.sh in the stack. And the user still has the flexibility to do everything manually; it is just a matter of deleting the container.

Just need find time to automate creation of all nessesary staff in docker entrypoint and this httpdpass will be removed with nicely working user auth

Well, you can always delete that once you have done it. In the meantime it will help people who are less familiar with the stack to deploy with less friction, and without polluting the host OS (this is what docker is for in the first place, right? OK, not just for that, but still).

About geoip, yes I will change this as well with time. I know about this option.

I really appreciate your efforts. I can't see how I would have pulled this off. But look, my solution might not be ideal, but my point, again, is that if it helps people onboard with the project more easily, the community is going to grow faster right now. And you can throw away all my crap with a single git revert once you have a much better implementation.

@dragoangel
Owner

dragoangel commented Aug 2, 2022

Not sure what will happen in the case where the user recreates (rebuilds) the nginx container and there is no volume to store the acme.sh account and the cron to reissue a new cert, etc. It should be rechecked.
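The arrangement argued about in this thread, written out as an added example rather than anything taken from the PR or the repository: acme.sh and nginx share only a certificate volume, so no container receives /var/run/docker.sock (the concern in the acme commit message), and the acme.sh account key and issued certificates live on a named volume so they survive a container rebuild (the concern raised in the comment above). Service names, image tags, mount paths, the hostname example.com and the weekly cron schedule are assumptions made for illustration.

```yaml
# Added example, not the PR's or the repository's own compose file.
# Service names, images, paths, hostname and schedule are assumptions.
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certs:/etc/nginx/certs:ro         # read-only view of what acme.sh installs
      - acme-webroot:/var/www/acme:ro     # http-01 challenge files served by nginx
    # No /var/run/docker.sock anywhere: nginx reloads itself from its own cron
    # instead of being restarted by another container. busybox crond ships in
    # the alpine image; "0 3 * * 0" is weekly, Sunday 03:00 (an assumption).
    command:
      - sh
      - -c
      - |
        echo '0 3 * * 0 nginx -s reload' > /etc/crontabs/root
        crond
        exec nginx -g 'daemon off;'

  acme:
    image: neilpang/acme.sh
    command: daemon                       # acme.sh's own cron handles renewals
    volumes:
      - acme-state:/acme.sh               # account key + cert store; survives rebuilds
      - certs:/certs                      # --install-cert target, read by nginx
      - acme-webroot:/var/www/acme        # challenge webroot, writable only here
    # One-time bootstrap once the stack is up (example.com is an assumption):
    #   docker compose exec acme acme.sh --issue -d example.com -w /var/www/acme
    #   docker compose exec acme acme.sh --install-cert -d example.com \
    #       --key-file /certs/key.pem --fullchain-file /certs/fullchain.pem
    # acme.sh records the install paths and re-runs the copy after each renewal.

volumes:
  acme-state:
  certs:
  acme-webroot:
```

Two things to check after bringing this up: `docker compose exec nginx nginx -t` should pass before the first scheduled reload, and `docker compose down && docker compose up -d` (which recreates both containers) should leave `acme-state` intact so no new account is registered and no certificate is reissued. The weekly reload is a no-op when the files have not changed, and it is far shorter than acme.sh's renewal interval, so nginx picks up a renewed certificate long before the previous one expires; what it cannot do is recover from a bad certificate file, which is why the read-only mount on the nginx side matters.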

@dragoangel dragoangel reopened this Aug 2, 2022