Add certificate config and docs

This commit is contained in:
Dana Lambert 2021-11-29 10:16:24 +13:00
parent 2b1c6cd49f
commit 687a256fff
5 changed files with 76 additions and 9 deletions

@ -113,11 +113,37 @@ A summary of available commands are outlined below. Note that if the command req
| `build` | Builds required images (frontend and backend) for production | No
| `start` | Runs all services in production mode including the frontend, backend and postgres database | No
## Running application for production
## Setting up and running the application for production
1. Ensure the prerequisites are met as defined in [#Initial Setup]
2. Create an `.env` file (if not done prior) in the root directory using `default.env` as an example. Fill in the values as appropriate
3. Update `frontend/config.js` with values as appropriate
4. Run a production build using `./dev build_production`
5. Initialise the database using `./dev init_database`
6. Run the production application using `./dev start_production`
2. Create an `.env` file (if not done prior) in the root directory using `default.env` as an example. Uncomment values relating to production and fill in the values as appropriate.
3. Build backend image `sudo ./dev build_production`
4. Create the database `sudo ./dev create_database`
5. Manually create postgres user with password and add the user to the `righttree` database with all permissions.
Create an interactive terminal into the postgres container
```bash
sudo docker-compose -f docker-compose.production.yaml up postgres
sudo docker exec -it postgres bash
```
Within the interactive terminal. Connect to the database, add the righttree_admin user and give permissions. Please use the same credentials as defined in .env.
```bash
psql -U postgres
/c righttree
CREATE USER righttree_admin;
ALTER USER righttree_admin with encrypted password 'YOUR PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE righttree TO righttree_admin;
```
6. Populate the database using `sudo ./dev populate_database`
7. Build optimised frontend build and collect together staticfiles `sudo ./dev create_staticfiles`
8. Create a django superuser for access to the admin interface. Please use the same credentials as defined in .env `sudo ./dev createsuperuser`
9. Run the production application using `sudo ./dev start_production`
### Setting up certificates
Create certificate using certbot and letsencrypt, choose option 1 and provide an appropriate email. Ensure port 80 and 443 are externally exposed for the domain before running this command. To retrieve a staging certificate, use the `--test-cert` flag.
```
sudo docker run -i --rm --name certbot -p 443:443 -p 80:80 -v /etc/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly -d [YOUR DOMAIN] --logs-dir /etc/letsencrypt/logs
```
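Review bot: the psql meta-command in step 5 is wrong: `/c righttree` must be `\c righttree` (psql meta-commands start with a backslash). As written, psql treats `/c righttree` as SQL and buffers it, so the following `CREATE USER righttree_admin;` is sent as one statement and fails with a syntax error, and the `ALTER USER` and `GRANT` lines then fail because the role does not exist. Two smaller points in the same hunk: `docker-compose ... up postgres` without `-d` stays in the foreground, so the next `docker exec` needs a second terminal; and the certbot command under "Setting up certificates" publishes ports 80 and 443 while `docker-compose.production.yaml` in this commit also binds them for nginx, so the docs should say to run `./dev stop_production` first (as `cmd_renew_certifcate` in `dev` does) before requesting the certificate.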

@ -88,7 +88,7 @@ DATABASES = {
'NAME': os.getenv("RIGHTTREE_DB", "postgres"),
'USER': os.getenv("RIGHTTREE_DB_USER", "postgres"),
'PASSWORD': os.getenv("RIGHTTREE_DB_PASSWORD", "postgres"),
'HOST': os.getenv("POSTGRES_DB", "postgres"),
'HOST': "postgres",
'PORT': 5432,
}
}
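Review bot: replacing `os.getenv("POSTGRES_DB", "postgres")` with the literal `"postgres"` fixes the wrong variable (in the postgres image `POSTGRES_DB` is the database name, not the host) but it makes `HOST` the only non-configurable key in the block; a dedicated `RIGHTTREE_DB_HOST` with `"postgres"` as its default would stay consistent with the `RIGHTTREE_DB_USER` and `RIGHTTREE_DB_PASSWORD` lines above it. While here: the `"postgres"` fallbacks on `USER` and `PASSWORD` mean a production container started without the `.env` values silently connects with well-known default credentials; for the production settings these should carry no default so that a missing variable fails at startup instead.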

dev
@ -123,6 +123,16 @@ cmd_stop_production() {
docker-compose -f docker-compose.production.yaml stop --remove-orphans
}
cmd_stop_production() {
docker-compose -f docker-compose.production.yaml stop --remove-orphans
}
cmd_renew_certifcate() {
cmd_stop_production
sudo docker run -i --rm --name certbot -p 443:443 -p 80:80 -v /etc/letsencrypt:/etc/letsencrypt/ certbot/certbot renew --dry-run -d $BASE_URL --logs-dir /etc/letsencrypt/logs
cmd_start_production
}
# Run the command
cmd="$1"
"cmd_$cmd" "$@"
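Review bot: `cmd_renew_certifcate` never renews anything: `certbot renew --dry-run` only simulates the renewal against the staging endpoint and writes no certificate, so `--dry-run` has to be dropped from the real command (keep it in a separate test command if wanted). The function name is also misspelt (`certifcate`), which becomes the user-facing command `./dev renew_certifcate`, and `$BASE_URL` should be quoted (`-d "$BASE_URL"`). Since the function stops the whole production stack for the duration of the renewal, a webroot-based renewal served by the running nginx would avoid the downtime, but at minimum the flag and the name need fixing.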

@ -25,12 +25,13 @@ services:
- postgres
- backend
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./nginx.production.conf:/etc/nginx/nginx.conf
- ./backend/right_tree/staticfiles:/etc/nginx/html/staticfiles
- ./frontend/build:/etc/nginx/html/build
- ./keys:/etc/ssl/private/nginx
- /etc/letsencrypt:/etc/letsencrypt
ports:
- "80:80"
- "443:443"
postgres:
image: postgis/postgis:13-3.0
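Review bot: the new `/etc/letsencrypt:/etc/letsencrypt` mount gives the nginx container the whole Let's Encrypt directory, including the private keys for every domain and the account material, with write access; nginx only needs to read the `live/` and `archive/` paths referenced in `nginx.production.conf`, so mount it read-only (`- /etc/letsencrypt:/etc/letsencrypt:ro`). Dropping `./keys:/etc/ssl/private/nginx` is consistent with the new config, but confirm `./keys` on the host no longer holds live key material once the switch is done.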

nginx.production.conf Normal file
@ -0,0 +1,30 @@
http {
server {
listen 80;
listen 443 ssl;
index index.html;
include /etc/nginx/mime.types;
proxy_set_header Host $http_host;
ssl_certificate /etc/letsencrypt/live/righttree.maps.net.nz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/righttree.maps.net.nz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/righttree.maps.net.nz/chain.pem;
location / {
root /etc/nginx/html/build;
}
location /staticfiles {
root /etc/nginx/html/;
}
location ~* ^/(api|admin) {
proxy_pass http://backend:8000;
}
}
}
events {
# configuration of connection processing
}
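Review bot: the single `server` block listens on both 80 and 443, so the whole application, including `/api` and `/admin`, is still served in plaintext over port 80 with no redirect; split port 80 into its own `server` that returns `301 https://$host$request_uri` (leaving `/.well-known/acme-challenge/` reachable if webroot renewal is adopted) and add `add_header Strict-Transport-Security` on the 443 block. Three related points: the domain `righttree.maps.net.nz` is hard-coded in the three certificate paths while `dev` uses `$BASE_URL` and the README says `[YOUR DOMAIN]`, so this file breaks for any other deployment; `ssl_trusted_certificate` is only used for OCSP stapling or client verification, neither of which is enabled here, so it is inert without `ssl_stapling on;`; and the proxy block forwards only `Host`, so Django cannot tell the request arrived over HTTPS unless `proxy_set_header X-Forwarded-Proto $scheme;` is added and `SECURE_PROXY_SSL_HEADER` is configured to match.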