Configure FQDN centrally via .env

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-15 12:24:42 +01:00
parent 7272017ff8
commit 397d8e7d29
5 changed files with 22 additions and 15 deletions


@@ -1,2 +1,5 @@
# Vollqualifizierter Domainname (FQDN) der Anwendung
FQDN=dawarich.example.com
# E-Mail fuer Let's Encrypt Zertifikatsanforderung (erforderlich fuer SSL) # E-Mail fuer Let's Encrypt Zertifikatsanforderung (erforderlich fuer SSL)
CERTBOT_EMAIL=elpatron@mailbox.org CERTBOT_EMAIL=mail@example.com


@@ -51,6 +51,7 @@ services:
networks: networks:
- dawarich - dawarich
environment: environment:
FQDN: ${FQDN:-location.butenostfreesen.de}
CERTBOT_EMAIL: ${CERTBOT_EMAIL:-} CERTBOT_EMAIL: ${CERTBOT_EMAIL:-}
depends_on: depends_on:
dawarich_app: dawarich_app:
@@ -80,9 +81,9 @@ services:
DATABASE_PASSWORD: password DATABASE_PASSWORD: password
DATABASE_NAME: dawarich_development DATABASE_NAME: dawarich_development
MIN_MINUTES_SPENT_IN_CITY: 60 MIN_MINUTES_SPENT_IN_CITY: 60
APPLICATION_HOSTS: "location.butenostfreesen.de,127.0.0.1" APPLICATION_HOSTS: "${FQDN:-location.butenostfreesen.de},127.0.0.1"
TIME_ZONE: Europe/Berlin TIME_ZONE: Europe/Berlin
APPLICATION_PROTOCOL: httpss APPLICATION_PROTOCOL: https
DISTANCE_UNIT: km DISTANCE_UNIT: km
PROMETHEUS_EXPORTER_ENABLED: false PROMETHEUS_EXPORTER_ENABLED: false
PROMETHEUS_EXPORTER_HOST: 0.0.0.0 PROMETHEUS_EXPORTER_HOST: 0.0.0.0
@@ -133,9 +134,9 @@ services:
DATABASE_USERNAME: postgres DATABASE_USERNAME: postgres
DATABASE_PASSWORD: password DATABASE_PASSWORD: password
DATABASE_NAME: dawarich_development DATABASE_NAME: dawarich_development
APPLICATION_HOSTS: "location.butenostfreesen.de,127.0.0.1" APPLICATION_HOSTS: "${FQDN:-location.butenostfreesen.de},127.0.0.1"
BACKGROUND_PROCESSING_CONCURRENCY: 10 BACKGROUND_PROCESSING_CONCURRENCY: 10
APPLICATION_PROTOCOL: httpss APPLICATION_PROTOCOL: https
DISTANCE_UNIT: km DISTANCE_UNIT: km
PROMETHEUS_EXPORTER_ENABLED: false PROMETHEUS_EXPORTER_ENABLED: false
PROMETHEUS_EXPORTER_HOST: dawarich_app PROMETHEUS_EXPORTER_HOST: dawarich_app
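Review bot: The fallback `${FQDN:-location.butenostfreesen.de}` on the new `FQDN:` line and on both rewritten `APPLICATION_HOSTS` lines still bakes the original operator's domain into the compose file, so a deployment that forgets to set `FQDN` in `.env` silently advertises that host and, through the entrypoint's identical fallback, presumably requests a Let's Encrypt certificate for a domain the deployer does not control. Since the `.env` template now ships `dawarich.example.com` anyway, the compose file gains nothing from a default and should fail fast instead: `FQDN: ${FQDN:?FQDN must be set in .env}` and `APPLICATION_HOSTS: "${FQDN:?FQDN must be set in .env},127.0.0.1"`. The entrypoint's `DOMAIN="${FQDN:-location.butenostfreesen.de}"` line deserves the same treatment.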


@@ -1,16 +1,19 @@
#!/bin/sh #!/bin/sh
set -e set -e
DOMAIN="location.butenostfreesen.de" DOMAIN="${FQDN:-location.butenostfreesen.de}"
EMAIL="${CERTBOT_EMAIL:-}" EMAIL="${CERTBOT_EMAIL:-}"
# FQDN in Config ersetzen
subst() { sed "s/__FQDN__/$DOMAIN/g" "$1"; }
# Entferne Standard-Config # Entferne Standard-Config
rm -f /etc/nginx/conf.d/default.conf rm -f /etc/nginx/conf.d/default.conf
# Bootstrap-Config verwenden, wenn Zertifikate noch nicht existieren # Bootstrap-Config verwenden, wenn Zertifikate noch nicht existieren
if [ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then if [ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
echo "Zertifikate nicht gefunden. Starte mit Bootstrap-Config..." echo "Zertifikate nicht gefunden. Starte mit Bootstrap-Config..."
cp /etc/nginx/templates/nginx-bootstrap.conf /etc/nginx/conf.d/default.conf subst /etc/nginx/templates/nginx-bootstrap.conf > /etc/nginx/conf.d/default.conf
nginx -g "daemon off;" & nginx -g "daemon off;" &
NGINX_PID=$! NGINX_PID=$!
@@ -29,10 +32,10 @@ if [ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
echo "Zertifikat erfolgreich erstellt. Starte nginx mit HTTPS..." echo "Zertifikat erfolgreich erstellt. Starte nginx mit HTTPS..."
kill $NGINX_PID 2>/dev/null || true kill $NGINX_PID 2>/dev/null || true
sleep 2 sleep 2
cp /etc/nginx/templates/nginx.conf /etc/nginx/conf.d/default.conf subst /etc/nginx/templates/nginx.conf > /etc/nginx/conf.d/default.conf
else else
echo "Zertifikatsanforderung fehlgeschlagen. Laeufe mit HTTP (Port 80)." echo "Zertifikatsanforderung fehlgeschlagen. Laeufe mit HTTP (Port 80)."
echo "Stelle sicher, dass location.butenostfreesen.de auf diesen Server zeigt." echo "Stelle sicher, dass ${DOMAIN} auf diesen Server zeigt."
exec wait $NGINX_PID exec wait $NGINX_PID
fi fi
else else
@@ -41,7 +44,7 @@ if [ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
exec wait $NGINX_PID exec wait $NGINX_PID
fi fi
else else
cp /etc/nginx/templates/nginx.conf /etc/nginx/conf.d/default.conf subst /etc/nginx/templates/nginx.conf > /etc/nginx/conf.d/default.conf
fi fi
# Zertifikatserneuerung alle 12 Stunden im Hintergrund # Zertifikatserneuerung alle 12 Stunden im Hintergrund
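Review bot: The new `subst()` splices `$DOMAIN` into the sed replacement unescaped, so an FQDN containing `/`, `&` or `\` either breaks the sed expression (and under `set -e` aborts the container start) or is silently rewritten with the matched text. The value comes from the operator's own `.env`, so this is a robustness rather than an injection problem, but the script should reject anything that is not a plain hostname before it reaches sed, the `/etc/letsencrypt/live/${DOMAIN}/` paths and the certificate request: `case "$DOMAIN" in ""|*[!A-Za-z0-9.-]*) echo "Ungueltiger FQDN: '$DOMAIN'" >&2; exit 1;; esac` placed directly after the `DOMAIN=` assignment. The `if` block that calls `subst` starts in this hunk and continues outside it.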


@@ -2,7 +2,7 @@
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name location.butenostfreesen.de; server_name __FQDN__;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/certbot; root /var/www/certbot;
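Review bot: Nothing in the template says that `__FQDN__` on the `server_name` line is a placeholder, so the file now reads as a broken nginx config to anyone who opens it directly or copies it into `conf.d` without going through the entrypoint's `subst` step, as the old `cp` path used to do. A one-line header at the top of this template, and of `nginx.conf` in the next section where the placeholder also appears in the `ssl_certificate` and `ssl_certificate_key` paths, would make the contract explicit: `# Template: __FQDN__ is replaced by the entrypoint (subst) at container start; do not load this file unrendered.` The `server` block starts at the top of the file but continues beyond the hunk.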


@@ -1,7 +1,7 @@
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name location.butenostfreesen.de; server_name __FQDN__;
# ACME-Challenge für Let's Encrypt Zertifikatserneuerung # ACME-Challenge für Let's Encrypt Zertifikatserneuerung
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
@@ -17,11 +17,11 @@ server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name location.butenostfreesen.de; server_name __FQDN__;
# Let's Encrypt Zertifikate # Let's Encrypt Zertifikate
ssl_certificate /etc/letsencrypt/live/location.butenostfreesen.de/fullchain.pem; ssl_certificate /etc/letsencrypt/live/__FQDN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/location.butenostfreesen.de/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/__FQDN__/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;