Add Docker Compose for HTTPS support

* Use nginx-proxy and acme-companion * Automated creation and renewal of Let's Encrypt certificates * Automated reload of Nginx config upon certificate creation/renewal * Achieves an A+ on the Qualys SSL Test * Separate docker-gen container to avoid exposing docker.sock
2025-12-18 06:14:20 +01:00 · 2024-09-26 18:49:57 +01:00
parent 1e2ea465b2
commit b509d99d22
5 changed files with 991 additions and 2 deletions
--- a/docker-compose-nginx-ssl.yml
+++ b/docker-compose-nginx-ssl.yml
@@ -0,0 +1,69 @@
+services:
+  relay:
+    container_name: haven-relay
+    build:
+      context: .
+      dockerfile: Dockerfile
+    env_file:
+      - .env
+    environment:
+      - LETSENCRYPT_HOST=${RELAY_URL}
+      - VIRTUAL_HOST=${RELAY_URL}
+      - VIRTUAL_PORT=3355
+    volumes:
+      - "./db:/app/db"
+      - "./haven:/app/haven"
+    user: "${DOCKER_UID:-1000}:${DOCKER_GID:-1000}"
+    network_mode: bridge
+    restart: unless-stopped
+
+  nginx-proxy:
+    image: nginx:alpine
+    container_name: nginx-proxy
+    volumes:
+      # The vhost volume is only required if you
+      # plan to obtain standalone certificates
+      # - vhost:/etc/nginx/vhost.d
+      - conf:/etc/nginx/conf.d
+      - html:/usr/share/nginx/html
+      - certs:/etc/nginx/certs:ro
+    ports:
+      - "80:80"
+      - "443:443"
+    network_mode: bridge
+    restart: unless-stopped
+
+  docker-gen:
+    image: nginxproxy/docker-gen
+    container_name: nginx-proxy-gen
+    command: -notify-sighup nginx-proxy -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    volumes_from:
+      - nginx-proxy
+    volumes:
+      - ./nginx/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    labels:
+      - "com.github.nginx-proxy.docker-gen"
+    privileged: true
+    network_mode: bridge
+
+  acme-companion:
+    image: nginxproxy/acme-companion
+    container_name: nginx-proxy-acme
+    environment:
+      - DEFAULT_EMAIL=${ACME_EMAIL}
+    volumes_from:
+      - nginx-proxy
+    volumes:
+      - certs:/etc/nginx/certs:rw
+      - acme:/etc/acme.sh
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    privileged: true
+    network_mode: bridge
+
+volumes:
+  # vhost:
+  conf:
+  html:
+  certs:
+  acme: