Simplify deployment process #10
Conversation
where it makes sense. So far it makes sense only for elasticsearch. More is comming with a bit of restructuring of the services. Also bump docker-compose version while at it. Signed-off-by: Yuri Volchkov <yuri@volch.org>
I did not follow the default recepies of restarting nginx on sertificates renewal, as it requires to pass /var/run/docker.sock to the acme container, so it able to restart nginx container. The problem is acme would've got the full control over the docker, which is not ideal from the security point of view. Instead, a crontab entry is added to the nginx container to reload sertificaes weekly. From the up time (if it even matters), this is even beter, because "nginx -s reload" compleates in no time. While a full container reloading might take a second or two. Signed-off-by: Yuri Volchkov <yuri@volch.org>
Make parsedmarc service even more self contained. Do not rely on the geoip running on the host, include it in the compose Signed-off-by: Yuri Volchkov <yuri@volch.org>
as newver version requres Signed-off-by: Yuri Volchkov <yuri@volch.org>
|
Thank you for your PR, but I do not want put acme stuff here as not everyone will host that on public network or even has option to do so, or use another proxy in front of it. If people want acme sh they can do this by acme on host and do postdeploy to restart docker container. I think this not much hard and provide freedom for both cases to coexist. About password and readme stuff - I not had time to update this repo, but locally I had success with configuring security pack so Kibana had properly working authorization. Just need find time to automate creation of all nessesary staff in docker entrypoint and this httpdpass will be removed with nicely working user auth :) About geoip, yes I will change this as well with time. I know about this option. |
That is why solution designed to work from entirely from internal network. That is how I run it. My setup can be accessed only from my hope network and not from the outside.
that makes the service dependable on the local configuration. From what I met in the other projects it is fairly common practice to include acme.sh to the stack. And user still have this flexibility to do everything manually, it's just a matter of deleting container.
Well, you can always delete that once you did that. In the mean time it will help people who are less familiar with the stack to deploy with fewer frictions, and not polluting the host OS (this is what docker for on the first place, right? Ok not just for that but still).
I really appreciate your efforts. I can't see how I would have pulled this off. But look, my solution might be not ideal, but my point is again, if it helps people to onboard with the project easier, community is going to grow faster right now. And you can throw away all my crap by a single git revert once you have much greater implementation. |
|
not sure what will be in case when user will recreate (rebuild) container with nginx and there no volume to store acme.sh account and cron to reissue new cert, etc. It should be rechecked. |
My 2cents to simplify building service. Includes