feat: add optional letsencrypt tls

This commit is contained in:
bisco
2026-06-24 11:06:33 +02:00
parent 1e3685bab8
commit 719cdce9c1
19 changed files with 561 additions and 62 deletions
+25 -3
View File
@@ -23,8 +23,27 @@ Apply schema changes with `docker compose exec backend python manage.py migrate`
Create editors with `createsuperuser`; use Wagtail permissions for later non-superuser
accounts.
The backend applies migrations at container startup. To permanently reset local
state, use `docker compose down --volumes`; this deletes both database and media.
The backend applies migrations at container startup. To permanently reset local state,
use `docker compose down --volumes`; this deletes database, media, ACME challenges, and
certificate state.
## Certificate operations
With `LETSENCRYPT_ENABLED=1`, Certbot checks the certificate every 12 hours by default
and renews it when due. NGINX checks the read-only certificate volume every 30 seconds
and reloads only after its configuration validates. Adjust these intervals only for a
documented operational reason.
```bash
docker compose ps -a certbot proxy
docker compose logs --tail=200 certbot proxy
docker compose run --rm --no-deps --entrypoint certbot certbot certificates
```
Certificate state is stored in `letsencrypt_data`; include it in protected host backups
if recovery must preserve the same private key. Never copy its content into the
repository or general application logs. When TLS is terminated by a load balancer,
keep the service disabled and manage certificates at that edge instead.
## Backup and restore
@@ -48,4 +67,7 @@ Keep real backups encrypted and off-host with a defined retention policy.
- Frontend fallback content can mask a CMS outage, so monitor backend health directly.
- Local named volumes are not off-host backups.
- Development media serving is unsuitable for production traffic.
- The local reverse proxy provides HTTP only; it does not manage certificates.
- Automatic issuance depends on public DNS, inbound port 80, Let's Encrypt
availability, and its rate limits. Test with the staging CA first.
- Deleting `letsencrypt_data` loses certificate account/key state and triggers a new
issuance attempt when the service is enabled again.