Add With Certbot Nginx example (#73)

examples/with-certbot/.env

@@ -0,0 +1,7 @@
+SITE_URL=https://www.exemple.com/
+DB_HOST=doli_mysql
+DB_PORT=3306
+DB_USER=doli
+DB_PASS=!ChangeMe!
+DB_ROOT_PASS=ChangeMeToo!
+DB_NAME=dolibarr

examples/with-certbot/Dockerfile

@@ -0,0 +1,7 @@
+FROM nginx:alpine
+
+WORKDIR /etc/nginx
+COPY ./nginx/nginx.conf ./conf.d/default.conf
+EXPOSE 8080
+ENTRYPOINT [ "nginx" ]
+CMD [ "-g", "daemon off;" ]

examples/with-certbot/docker-compose.yml

@@ -0,0 +1,57 @@
+version: "3.4"
+
+services:
+  db:
+    image: mysql:8.0.20
+    container_name: doli_mysql
+    command: mysqld --default-authentication-plugin=mysql_native_password --max_allowed_packet=32505856
+    restart: always
+    env_file:
+      - ./.env
+    environment:
+      - MYSQL_DATABASE=${DB_NAME}
+      - MYSQL_USER=${DB_USER}
+      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASS}
+      - MYSQL_PASSWORD=${DB_PASS}
+    volumes:
+      - ./docker/db/data:/var/lib/mysql
+
+  web:
+    image: tuxgasy/dolibarr
+    container_name: doli_web
+    env_file:
+      - ./.env
+    environment:
+      DOLI_DB_HOST: ${DB_HOST}
+      DOLI_DB_USER: ${DB_USER}
+      DOLI_DB_PASSWORD: ${DB_PASS}
+      DOLI_DB_HOST_PORT: ${DB_PORT}
+      DOLI_DB_NAME: ${DB_NAME}
+      DOLI_URL_ROOT: ${SITE_URL}
+      PHP_INI_DATE_TIMEZONE: 'Europe/Paris'
+    ports:
+      - "8181:80"
+    links:
+      - db
+    volumes:
+      - ./docker/doli/documents:/var/www/documents
+
+  nginx:
+    container_name: doli_nginx
+    image: nginx:latest
+    ports:
+      - 80:80
+      - 443:443
+    restart: always
+    volumes:
+      - ./docker/nginx:/etc/nginx/conf.d/:ro
+      - ./docker/certbot/www:/var/www/certbot/:ro
+      - ./docker/certbot/conf:/etc/letsencrypt
+
+  certbot:
+    image: certbot/certbot
+    container_name: skreept_certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    volumes:
+      - ./docker/certbot/conf:/etc/letsencrypt
+      - ./docker/certbot/www:/var/www/certbot

examples/with-certbot/dolibarr-with-certbot.md

@@ -0,0 +1,31 @@
+#Dolibarr with Nginx https as proxy pass using certbot
+The purpose is to add an nginx container and a certbot container to auto generate SSL certificates
+
+###containers
+
+- 1 container for Dolibarr original image running on apache 2 port 8181
+- 1 container for DB (mysql8 here)
+- 1 container for Certbot
+- 1 container for Nginx proxy pass and certificates regeneration, forwad port 443 using certificate to 8181 dolibarr
+
+Bonus, in this example docker will auto check and regenerate certificates (entrypoint command in certbot)
+
+
+![https.png](https.png)
+
+###Steps
+
+1. Edit `.env` file
+2. Edit `.init-letsencrypt.sh`  file line 8 and 11 replace example.com.
+3. Edit `nginx/nginx.conf` and replace example.com
+4. Exec `docker-compose up --build`
+5. Exec `sudo ./init-letsencrypt`
+6. Enjoy
+
+###Troubleshoot
+
+If the certbot certificate fail the challenge, comment line 17 to 29 in `nginx.conf` then redo operation 3 and 4. Then restore `nginx.conf` and restart docker `docker-compose down && docker-compose up -d`
+
+###Credits
+
+Based on medium article by Philipp https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71

examples/with-certbot/init-letsencrypt.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(example.com)
+rsa_key_size=4096
+data_path="./docker/certbot"
+email="contact@example.com" # Adding a valid address is strongly recommended
+staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload

examples/with-certbot/nginx/nginx.conf

@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com www.example.com;
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://example.com$request_uri;
+    }
+}
+
+server {
+   root /srv/api/public;
+
+   listen 443 ssl http2;
+   server_name www.example.com;
+
+   ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+   location / {
+   	proxy_pass http://example.com:8181;
+   }
+}