From a9e924a7639de52adab2302bd0a4045bd9ea69c6 Mon Sep 17 00:00:00 2001
From: Giles Bradshaw
Date: Wed, 8 Jul 2020 17:36:32 +0100
Subject: [PATCH] enable wellknown acme challenge
---
 docker-compose.yml | 193 +--------------------------
 letsencrypt-nginx/conf/git.conf | 5 +
 letsencrypt-nginx/conf/registry.conf | 18 +++
 3 files changed, 24 insertions(+), 192 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 22c48f0..7c819ee 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,45 +1,5 @@
 version: "3.7"
 services:
- commento:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: registry.gitlab.com/commento/commento:latest
- environment:
- COMMENTO_ORIGIN: $COMMENTO_ORIGIN
- COMMENTO_SMTP_PASSWORD: $COMMENTO_SMTP_PASSWORD
- COMMENTO_ASKIMET_KEY: $COMMENTO_ASKIMET_KEY
- COMMENTO_SMTP_HOST: $COMMENTO_SMTP_HOST
- COMMENTO_SMTP_PORT: $COMMENTO_SMTP_PORT
- COMMENTO_SMTP_USERNAME: $COMMENTO_SMTP_USERNAME
- COMMENTO_SMTP_FROM_ADDRESS: $COMMENTO_SMTP_FROM_ADDRESS
- COMMENTO_GITHUB_KEY: $COMMENTO_GITHUB_KEY
- COMMENTO_GITHUB_SECRET: $COMMENTO_GITHUB_SECRET
- COMMENTO_FORBID_NEW_OWNERS: $COMMENTO_FORBID_NEW_OWNERS
- COMMENTO_PORT: 8080
- COMMENTO_POSTGRES: postgres://${COMMENTO_POSTGRES_USER}:${COMMENTO_POSTGRES_PASSWORD}@commento-postgres:5432/${COMMENTO_POSTGRES_DB}?sslmode=disable
- networks:
- - appnet
- - externalnet
- commento-postgres:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: postgres:11-alpine
- environment:
- POSTGRES_DB: ${COMMENTO_POSTGRES_DB}
- POSTGRES_USER: ${COMMENTO_POSTGRES_USER}
- POSTGRES_PASSWORD: ${COMMENTO_POSTGRES_PASSWORD}
- networks:
- - appnet
- volumes:
- - commento-postgresql-data:/var/lib/postgresql/data
 nagios:
 image: jasonrivers/nagios:latest
 deploy:
@@ -57,158 +17,7 @@ services:
 networks:
 - appnet
 - externalnet
- matomo:
- image: matomo:fpm-alpine
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack == yes]
- replicas: 1
- restart_policy:
- condition: any
- volumes:
-# - ./config:/var/www/html/config:rw
-# - ./logs:/var/www/html/logs
- - matomo:/var/www/html
- environment:
- - MATOMO_DATABASE_HOST=matomo-mariadb
- - MYSQL_PASSWORD=${MATOMO_MYSQL_PASSWORD}
- - MYSQL_DATABASE=matomo
- - MYSQL_USER=matomo
- - MATOMO_DATABASE_ADAPTER=mysql
- - MATOMO_DATABASE_TABLES_PREFIX=matomo_
- - MATOMO_DATABASE_USERNAME=matomo
- - MATOMO_DATABASE_PASSWORD=${MATOMO_MYSQL_PASSWORD}
- - MATOMO_DATABASE_DBNAME=matomo
- networks:
- - appnet
- matomo-web:
- image: nginx:alpine
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack == yes]
- replicas: 1
- restart_policy:
- condition: any
- volumes:
- - matomo:/var/www/html:ro
- # see https://github.com/matomo-org/matomo-nginx
- - ./matomo/matomo.conf:/etc/nginx/conf.d/default.conf:ro
- networks:
- - appnet
- - externalnet
- matomo-mariadb:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: mariadb:10
- command: --max-allowed-packet=128MB
- networks:
- - appnet
- volumes:
- - matomo-mariadb:/var/lib/mysql
- environment:
- MYSQL_ROOT_PASSWORD: ${MATOMO_MYSQL_ROOT_PASSWORD}
- MYSQL_USER: matomo
- MYSQL_DATABASE: matomo
- MYSQL_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
- zabbix-mariadb:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: mariadb:10
- command: --max-allowed-packet=128MB
- networks:
- - appnet
- volumes:
- - zabbix-mariadb:/var/lib/mysql
- environment:
- MYSQL_ROOT_PASSWORD: ${ZABBIX_MYSQL_ROOT_PASSWORD}
- MYSQL_USER: zabbix
- MYSQL_DATABASE: zabbix
- MYSQL_PASSWORD: ${ZABBIX_MYSQL_PASSWORD}
- zabbix-server:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: zabbix/zabbix-server-mysql
- networks:
- - appnet
- environment:
- DB_SERVER_HOST: zabbix-mariadb
- MYSQL_USER: zabbix
- MYSQL_PASSWORD: ${ZABBIX_MYSQL_PASSWORD}
- networks:
- - appnet
- ports:
- - 10050:10050
- - 10051:10051
- zabbix-web:
- deploy:
- placement:
- constraints: [node.labels.com.sigyl.git-stack-data == yes]
- replicas: 1
- restart_policy:
- condition: any
- image: zabbix/zabbix-web-nginx-mysql
- networks:
- - appnet
- - externalnet
- environment:
- DB_SERVER_HOST: zabbix-mariadb
- MYSQL_USER: zabbix
- MYSQL_PASSWORD: ${ZABBIX_MYSQL_PASSWORD}
- ZBX_SERVER_HOST: zabbix-server
- PHP_TZ: Europe/London
- portainer:
- image: portainer/portainer:1.23.2
- command: -H tcp://tasks.portainer-agent:9001 --tlsskipverify
- # command: -H unix:///var/run/docker.sock
- deploy:
- replicas: 1
- placement:
- constraints: [node.role == manager]
- restart_policy:
- condition: any
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - portainer-data:/data
- networks:
- #- proxy
- - appnet
- - externalnet
- portainer-agent:
- image: portainer/agent:1.5.1
- environment:
- # REQUIRED: Should be equal to the service name prefixed by "tasks." when
- # deployed inside an overlay network
- AGENT_CLUSTER_ADDR: tasks.portainer-agent
- # AGENT_PORT: 9001
- # LOG_LEVEL: debug
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - /var/lib/docker/volumes:/var/lib/docker/volumes
- networks:
- - appnet
- deploy:
- mode: global
- placement:
- constraints: [node.platform.os == linux]
-volumes:
- commento-postgresql-data:
- portainer-data:
- matomo:
- matomo-mariadb:
- zabbix-mariadb:
-
+
 networks:
 appnet:
 driver: overlay
diff --git a/letsencrypt-nginx/conf/git.conf b/letsencrypt-nginx/conf/git.conf
index e275f5c..8dc1286 100644
--- a/letsencrypt-nginx/conf/git.conf
+++ b/letsencrypt-nginx/conf/git.conf
@@ -16,6 +16,11 @@ server {
 client_max_body_size 200m;
 # save logs here
 server_name ${SERVER_NAME};
+ # Pass this particular URL off to certbot, to authenticate HTTPS certificates
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ proxy_pass http://localhost:1337;
+ }
 location / {
 return 301 https://${DOLLAR}host${DOLLAR}request_uri;
 }
diff --git a/letsencrypt-nginx/conf/registry.conf b/letsencrypt-nginx/conf/registry.conf
index 64dd077..2e7781b 100644
--- a/letsencrypt-nginx/conf/registry.conf
+++ b/letsencrypt-nginx/conf/registry.conf
@@ -6,6 +6,24 @@ map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
 '' 'registry/2.0';
 }
+server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ listen 80;
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 200m;
+ # save logs here
+ server_name ${SERVER_NAME};
+ # Pass this particular URL off to certbot, to authenticate HTTPS certificates
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ proxy_pass http://localhost:1337;
+ }
+ location / {
+ return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+ }
+}
 server {
 # resolver 127.0.0.11 valid=30s; ## internal docker dns
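Review bot: `location '/.well-known/acme-challenge' {` is an unmodified prefix match, so it also serves any path that merely begins with that string and it loses to any regex `location` that may exist elsewhere in this `server` block (the block starts and ends outside the hunk); `location ^~ /.well-known/acme-challenge/ {` confines the match to the challenge directory and gives it precedence over regex locations. `proxy_pass http://localhost:1337;` only reaches certbot if its standalone listener shares this nginx process's network namespace, which nothing in the diff shows; a comment such as `# certbot standalone HTTP-01 listener is expected on 127.0.0.1:1337 in this container — confirm` would record that assumption next to the port. The identical block is added verbatim to letsencrypt-nginx/conf/registry.conf in the next hunk; an `include` of one shared snippet would keep the two copies from drifting.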