From f855ca40164401349e8bc52f3c520c8a8a4ec8ce Mon Sep 17 00:00:00 2001
From: Tobias Cudnik
Date: Wed, 10 May 2023 17:27:53 +0200
Subject: [PATCH] - fixed cert mounting - fixed caddy restart in nm-certs.sh - aligned all configs
---
 compose/docker-compose-emqx.yml | 3 +--
 compose/docker-compose.ee.yml | 7 ++++---
 compose/docker-compose.reference.yml | 3 +--
 compose/docker-compose.yml | 3 +--
 docker/Caddyfile | 12 ++++++------
 docker/Caddyfile-EE | 18 +++++++++---------
 scripts/nm-certs.sh | 7 ++++---
 scripts/nm-quick.sh | 9 ++++++---
 8 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/compose/docker-compose-emqx.yml b/compose/docker-compose-emqx.yml
index e7711404..c280ec1e 100644
--- a/compose/docker-compose-emqx.yml
+++ b/compose/docker-compose-emqx.yml
@@ -50,8 +50,7 @@ services:
 restart: unless-stopped
 volumes:
 - /root/Caddyfile:/etc/caddy/Caddyfile
- - /root/fullchain.pem:/root/fullchain.pem
- - /root/privkey.pem:/root/privkey.pem
+ - /root/certs:/root/certs
 - caddy_data:/data
 - caddy_conf:/config
 ports:
diff --git a/compose/docker-compose.ee.yml b/compose/docker-compose.ee.yml
index 9924d2b8..d5b427db 100644
--- a/compose/docker-compose.ee.yml
+++ b/compose/docker-compose.ee.yml
@@ -57,8 +57,7 @@ services:
 restart: unless-stopped
 volumes:
 - /root/Caddyfile:/etc/caddy/Caddyfile
- - /root/fullchain.pem:/root/fullchain.pem
- - /root/privkey.pem:/root/privkey.pem
+ - /root/certs:/root/certs
 - caddy_data:/data
 - caddy_conf:/config
 ports:
@@ -120,7 +119,9 @@ services:
 depends_on:
 - netmaker
 environment:
- SERVER_BROKER_ENDPOINT: "ws://mq:1883"
+ MQ_PASSWORD: "REPLACE_MQ_PASSWORD"
+ MQ_USERNAME: "REPLACE_MQ_USERNAME"
+ MQ_URL: "ws://mq:1883"
 BROKER_ENDPOINT: "wss://broker.NETMAKER_BASE_DOMAIN"
 PROMETHEUS: "on"
 VERBOSITY: "1"
diff --git a/compose/docker-compose.reference.yml b/compose/docker-compose.reference.yml
index cd5be69e..6b5951e9 100644
--- a/compose/docker-compose.reference.yml
+++ b/compose/docker-compose.reference.yml
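Review bot: The new `- /root/certs:/root/certs` bind mount gives the caddy container read-write access to the host directory that now holds privkey.pem, although Caddy only ever reads these files; mount it read-only, `- /root/certs:/root/certs:ro`. That keeps a compromised or misbehaving container from overwriting or replacing the key and chain that nm-certs.sh copies into that directory. The same mount line appears in the other three compose files in this patch, so the suffix should be applied to all of them consistently.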
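Review bot: The netmaker-exporter service now carries the broker credentials as plain compose environment values (`MQ_PASSWORD: "REPLACE_MQ_PASSWORD"`, `MQ_USERNAME: "REPLACE_MQ_USERNAME"`), which are exposed in `docker inspect` output and the process environment rather than kept in an `env_file` or a Docker secret; if the netmaker service in this file already uses one of those mechanisms, the exporter should use the same. The `REPLACE_MQ_*` placeholders are presumably substituted by nm-quick.sh with the values the netmaker service uses — that substitution is not visible in this patch, so it is worth confirming that a missed replacement fails loudly instead of letting the exporter authenticate with the literal placeholder string. `MQ_URL: "ws://mq:1883"` is an unencrypted websocket, which is acceptable only as long as that port stays internal to the compose network; whether it is published is not visible here.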
@@ -64,8 +64,7 @@ services:
 restart: unless-stopped
 volumes:
 - /root/Caddyfile:/etc/caddy/Caddyfile # Config file for Caddy
- - /root/fullchain.pem:/root/fullchain.pem
- - /root/privkey.pem:/root/privkey.pem
+ - /root/certs:/root/certs
 - caddy_data:/data
 - caddy_conf:/config
 ports:
diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml
index d4a377ff..fc964902 100644
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@@ -56,8 +56,7 @@ services:
 - "host.docker.internal:host-gateway"
 volumes:
 - /root/Caddyfile:/etc/caddy/Caddyfile
- - /root/fullchain.pem:/root/fullchain.pem
- - /root/privkey.pem:/root/privkey.pem
+ - /root/certs:/root/certs
 - caddy_data:/data
 - caddy_conf:/config
 ports:
diff --git a/docker/Caddyfile b/docker/Caddyfile
index cefdc6ac..ff3a60bf 100644
--- a/docker/Caddyfile
+++ b/docker/Caddyfile
@@ -1,6 +1,6 @@
 # Dashboard
 https://dashboard.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 # Apply basic security headers
 header {
 # Enable cross origin access to *.NETMAKER_BASE_DOMAIN
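Review bot: The reference compose file annotates the Caddyfile mount (`# Config file for Caddy`) but the new `- /root/certs:/root/certs` entry carries no comment, so a reader of the reference file cannot tell what must be in that directory or where it comes from; add `# TLS chain + key (fullchain.pem, privkey.pem) copied here by nm-certs.sh`, which is what the Caddyfile hunk in this patch reads and the nm-certs.sh hunk writes. Since Caddy only reads those files, appending `:ro` to the mount would document the intended access as well as enforce it.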
@@ -22,30 +22,30 @@ https://dashboard.NETMAKER_BASE_DOMAIN {
 # API
 https://api.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://netmaker:8081
 }
 # STUN
 https://stun.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy netmaker:3478
 }
 # TURN
 https://turn.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy host.docker.internal:3479
 }
 # TURN API
 https://turnapi.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://host.docker.internal:8089
 }
 # MQ
 wss://broker.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy ws://mq:8883
 # For EMQX websockets use `reverse_proxy ws://mq:8083`
 }
diff --git a/docker/Caddyfile-EE b/docker/Caddyfile-EE
index 250dd2f3..c45abd15 100644
--- a/docker/Caddyfile-EE
+++ b/docker/Caddyfile-EE
@@ -1,6 +1,6 @@
 # Dashboard
 https://dashboard.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 # Apply basic security headers
 header {
 # Enable cross origin access to *.NETMAKER_BASE_DOMAIN
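Review bot: Every site block in this hunk repeats the identical `tls /root/certs/fullchain.pem /root/certs/privkey.pem` line, which is why this path change had to be applied in six places in this file and nine more in Caddyfile-EE. Defining the pair once as a snippet at the top of the file, `(certs) { tls /root/certs/fullchain.pem /root/certs/privkey.pem }`, and replacing each `tls` line with `import certs` makes the next move of the certificate location a one-line change and removes the chance of one block being left pointing at a stale path. The snippet should be placed before the first site block so it is defined when the imports are resolved.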
@@ -22,48 +22,48 @@ https://dashboard.NETMAKER_BASE_DOMAIN {
 # Netmaker Exporter
 https://netmaker-exporter.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://netmaker-exporter:8085
 }
 # Prometheus
 https://prometheus.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://prometheus:9090
 }
 # Grafana
 https://grafana.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://grafana:3000
 }
 # API
 https://api.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://netmaker:8081
 }
 # STUN
 https://stun.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy netmaker:3478
 }
 # TURN
 https://turn.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy host.docker.internal:3479
 }
 # TURN API
 https://turnapi.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy http://host.docker.internal:8089
 }
 # MQ
 wss://broker.NETMAKER_BASE_DOMAIN {
- tls /root/fullchain.pem /root/privkey.pem
+ tls /root/certs/fullchain.pem /root/certs/privkey.pem
 reverse_proxy ws://mq:8883
 }
diff --git a/scripts/nm-certs.sh b/scripts/nm-certs.sh
index c9ebf8fb..07cdbbf4 100755
--- a/scripts/nm-certs.sh
+++ b/scripts/nm-certs.sh
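Review bot: The MQ block at the end of this hunk is missing the `# For EMQX websockets use \`reverse_proxy ws://mq:8083\`` comment that the same block carries in docker/Caddyfile, so the two files this commit says it aligned still differ on the one line an operator running the EMQX compose variant needs. Either add the same comment here or, if EE deployments are never expected to use EMQX, say so in a comment above `reverse_proxy ws://mq:8883` so the difference reads as deliberate. As in docker/Caddyfile, the nine repeated `tls` lines in this hunk would collapse to a single snippet plus `import`, which would have made this path change one line per file.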
@@ -83,15 +83,16 @@ if [ ! -f "$CERT_DIR"/fullchain.pem ]; then
 fi
 # copy for mounting
-cp -L "$CERT_DIR"/fullchain.pem /root/fullchain.pem
-cp -L "$CERT_DIR"/privkey.pem /root/privkey.pem
+mkdir -p certs
+cp -L "$CERT_DIR/fullchain.pem" /root/certs/fullchain.pem
+cp -L "$CERT_DIR/privkey.pem" /root/certs/privkey.pem
 echo "SSL certificates ready"
 # preserve the env state
 if [ "$RESTART_CADDY" = true ]; then
 echo "Starting Caddy..."
- docker-compose -f /root/docker-compose.yml start caddy
+ docker-compose -f /root/docker-compose.yml start caddy --force-recreate
 fi
 # install crontab
diff --git a/scripts/nm-quick.sh b/scripts/nm-quick.sh
index 6a842c61..82353816 100755
--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -640,6 +640,9 @@ install_netmaker() {
 wget -qO /root/wait.sh "https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/wait.sh"
 fi
+ # cleanup
+ docker stop netmaker-ui coredns mq turn caddy netmaker
 chmod +x /root/wait.sh
 mkdir -p /etc/netmaker
@@ -765,12 +768,12 @@ set -e
 # 6. get user input for variables
 set_install_vars
-# 7. get and set config files, startup docker-compose
-install_netmaker
 # Fetch / update certs using certbot
 "$SCRIPT_DIR"/nm-certs.sh
+# 7. get and set config files, startup docker-compose
+install_netmaker
 set +e
 # 8. make sure Caddy certs are working
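Review bot: `mkdir -p certs` creates the directory relative to the current working directory while the two `cp` lines that follow write into `/root/certs`, so unless the script happens to be run from /root (or the directory already exists) the copies fail and nothing is mounted for Caddy; the mkdir should name `/root/certs` explicitly. The copies also take whatever mode `cp -L` derives from the source and the umask, so the private key's permissions should be set explicitly after copying and the directory kept 0700, since /root/certs is now bind-mounted into a container. Separately, `docker-compose start` accepts no `--force-recreate` option (that flag belongs to `up`, in both Compose v1 and v2), so the restart branch errors out instead of recreating caddy as the commit message intends; `docker-compose -f /root/docker-compose.yml up -d --force-recreate caddy` is the command that does that. The script continues outside this hunk, so whether these failures abort under `set -e` or are silently ignored is not visible here.
```shell
# copy for mounting: the compose files bind-mount /root/certs into caddy
mkdir -p /root/certs
chmod 700 /root/certs
cp -L "$CERT_DIR/fullchain.pem" /root/certs/fullchain.pem
cp -L "$CERT_DIR/privkey.pem" /root/certs/privkey.pem
chmod 600 /root/certs/privkey.pem
# … unchanged: "SSL certificates ready" message, RESTART_CADDY check …
    echo "Starting Caddy..."
    # 'start' has no --force-recreate; 'up' is needed to recreate the container
    docker-compose -f /root/docker-compose.yml up -d --force-recreate caddy
```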
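Review bot: `docker stop netmaker-ui coredns mq turn caddy netmaker` exits non-zero whenever any of the named containers does not exist, which is exactly the state of a fresh install, and since `install_netmaker` is invoked after `set -e` (visible in the later hunk of this file) that non-zero exit aborts the installer before it reaches the compose setup. Tolerate absent containers explicitly, `docker stop netmaker-ui coredns mq turn caddy netmaker 2>/dev/null || true`, or stop through `docker-compose -f /root/docker-compose.yml down` when that file is already present so the container list does not have to be maintained by hand as services are added. The `# cleanup` comment should also state why the stop is needed — presumably so the recreated caddy picks up the new certs mount — since that is not evident from the line itself. `install_netmaker` starts before this hunk and continues after it.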
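Review bot: After moving `"$SCRIPT_DIR"/nm-certs.sh` ahead of `install_netmaker`, the step comments no longer describe the execution order: the certbot step carries no number and `# 7.` now sits after it, so renumber as `# 7. fetch / update certs using certbot`, `# 8. get and set config files, startup docker-compose`, and bump the `# 8. make sure Caddy certs are working` comment to `# 9.`. The nm-certs.sh hunk above restarts caddy via `/root/docker-compose.yml` when `RESTART_CADDY` is true, and that file is presumably fetched by `install_netmaker`, which now runs later; it is not visible here whether `RESTART_CADDY` can be true on a first run, so the new order should be checked against that path. The main script body continues past the end of this hunk.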