feat: add optional letsencrypt tls

This commit is contained in:
bisco
2026-06-24 11:06:33 +02:00
parent 1e3685bab8
commit 719cdce9c1
19 changed files with 561 additions and 62 deletions
+40 -10
View File
@@ -10,19 +10,21 @@ stores content, and Docker Compose supplies a reproducible local environment.
aggregate read-only API at `GET /api/site/home/`.
- `frontend/`: Astro components, responsive design system, typed API adapter, and
Italian fallback content for development when the CMS is unavailable.
- `nginx/`: reverse-proxy virtual host for `azionelab.org`, routing public requests to
Astro or Wagtail.
- `nginx/`: reverse proxy for `azionelab.org`, with optional HTTPS termination and
automatic reload after certificate renewal.
- `certbot/`: optional Let's Encrypt HTTP-01 issue/renew loop for direct deployments.
- `db`: persistent PostgreSQL database.
- Docker volumes: `postgres_data` for the database and `media_data` for uploads.
- Docker volumes persist PostgreSQL, media, ACME challenges, and certificates.
See [the architecture document](docs/architecture.md),
[ADR-0001](docs/adr/0001-headless-wagtail-astro.md), and
[ADR-0002](docs/adr/0002-nginx-reverse-proxy.md) for the rationale.
[ADR-0002](docs/adr/0002-nginx-reverse-proxy.md), and
[ADR-0003](docs/adr/0003-optional-letsencrypt.md) for the rationale.
## Prerequisites
- Docker Engine with Docker Compose v2.
- Ports `8080`, `4321`, and `8000` available on localhost.
- Ports `8080`, `8443`, `4321`, and `8000` available on localhost.
- A local hosts-file entry mapping `azionelab.org` to `127.0.0.1`.
No host Python or Node.js installation is required.
@@ -53,7 +55,32 @@ Direct loopback ports `4321` and `8000` remain available for local diagnostics o
The frontend remains usable with curated fallback content if the API is unavailable.
On first startup the backend applies migrations and collects static files before
starting Gunicorn. Wait until all four services report healthy.
starting Gunicorn. Wait until the four default services report healthy. The optional
`certbot` service has zero replicas while `LETSENCRYPT_ENABLED=0`.
## Optional HTTPS with Let's Encrypt
Keep `LETSENCRYPT_ENABLED=0` when a load balancer terminates TLS. For direct public
exposure, first point the domain DNS records to the host and make TCP ports 80 and 443
reachable, then set:
```dotenv
LETSENCRYPT_ENABLED=1
LETSENCRYPT_DOMAIN=azionelab.org
LETSENCRYPT_EMAIL=operator@example.org
LETSENCRYPT_STAGING=1
NGINX_BIND_ADDRESS=0.0.0.0
NGINX_HTTP_PORT=80
NGINX_HTTPS_PORT=443
WAGTAILADMIN_BASE_URL=https://azionelab.org
DJANGO_DEBUG=false
```
Start with the staging CA to validate DNS and firewall configuration without consuming
production rate limits. Then change `LETSENCRYPT_STAGING=0` and remove the staging
certificate volume before requesting the trusted certificate; staging certificates
cannot be converted in place. See [deployment](docs/deployment.md) for the exact reset
and production commands.
## Create an editor account
@@ -99,7 +126,7 @@ working during the transition.
```bash
# Follow application logs
docker compose logs -f db backend frontend proxy
docker compose logs -f db backend frontend proxy certbot
# Run database migrations
docker compose exec backend python manage.py migrate
@@ -112,6 +139,7 @@ docker compose run --rm proxy nginx -t
docker compose -f docker-compose.yml -f docker-compose.test.yml --profile test run --rm backend python manage.py seed_demo
docker compose -f docker-compose.yml -f docker-compose.test.yml --profile test run --build --rm functional-tests
docker compose config --quiet
LETSENCRYPT_ENABLED=1 docker compose config --quiet
# Stop the stack without deleting content
docker compose down
@@ -128,8 +156,9 @@ local environment; run the seed command again after the next startup.
```text
.
├── backend/ # Wagtail/Django CMS and API
├── certbot/ # Optional Let's Encrypt renewal loop
├── frontend/ # Astro public website
├── nginx/ # Reverse-proxy virtual host
├── nginx/ # Reverse proxy and dynamic TLS configuration
├── tests/functional/ # Playwright browser tests
├── docker-compose.test.yml # Functional-test Compose override
├── docs/ # Architecture, operations, security, and ADRs
@@ -173,5 +202,6 @@ cautions. Do not commit database dumps, `.env`, or uploaded media.
## Production TODOs
This repository deliberately targets a simple, working local deployment. Before a
public production launch, add TLS certificates, production-grade static/media
serving, off-host backups, monitoring, and a deployment-specific secret manager.
public production launch, configure either the optional direct TLS mode or TLS at the
load balancer, plus production-grade static/media serving, off-host backups,
monitoring, and a deployment-specific secret manager.