generated from bisco/codex-bootstrap
feat: add optional letsencrypt tls
This commit is contained in:
+25
-3
@@ -23,8 +23,27 @@ Apply schema changes with `docker compose exec backend python manage.py migrate`
|
||||
Create editors with `createsuperuser`; use Wagtail permissions for later non-superuser
|
||||
accounts.
|
||||
|
||||
The backend applies migrations at container startup. To permanently reset local
|
||||
state, use `docker compose down --volumes`; this deletes both database and media.
|
||||
The backend applies migrations at container startup. To permanently reset local state,
|
||||
use `docker compose down --volumes`; this deletes database, media, ACME challenges, and
|
||||
certificate state.
|
||||
|
||||
## Certificate operations
|
||||
|
||||
With `LETSENCRYPT_ENABLED=1`, Certbot checks the certificate every 12 hours by default
|
||||
and renews it when due. NGINX checks the read-only certificate volume every 30 seconds
|
||||
and reloads only after its configuration validates. Adjust these intervals only for a
|
||||
documented operational reason.
|
||||
|
||||
```bash
|
||||
docker compose ps -a certbot proxy
|
||||
docker compose logs --tail=200 certbot proxy
|
||||
docker compose run --rm --no-deps --entrypoint certbot certbot certificates
|
||||
```
|
||||
|
||||
Certificate state is stored in `letsencrypt_data`; include it in protected host backups
|
||||
if recovery must preserve the same private key. Never copy its content into the
|
||||
repository or general application logs. When TLS is terminated by a load balancer,
|
||||
keep the service disabled and manage certificates at that edge instead.
|
||||
|
||||
## Backup and restore
|
||||
|
||||
@@ -48,4 +67,7 @@ Keep real backups encrypted and off-host with a defined retention policy.
|
||||
- Frontend fallback content can mask a CMS outage, so monitor backend health directly.
|
||||
- Local named volumes are not off-host backups.
|
||||
- Development media serving is unsuitable for production traffic.
|
||||
- The local reverse proxy provides HTTP only; it does not manage certificates.
|
||||
- Automatic issuance depends on public DNS, inbound port 80, Let's Encrypt
|
||||
availability, and its rate limits. Test with the staging CA first.
|
||||
- Deleting `letsencrypt_data` loses certificate account/key state and triggers a new
|
||||
issuance attempt when the service is enabled again.
|
||||
|
||||
Reference in New Issue
Block a user