Production Ready

.env.example

@@ -0,0 +1,20 @@
+SERVER_NAME= # URL where this will be hosted.
+
+## Flask Configuration
+SECRET_KEY= # Long, secure, secret string.
+DATA=./data/
+
+## Flask Mail Configuration
+MAIL_SERVER=ref_test_postfix # Must match name of the Docker service
+MAIL_PORT=25
+MAIL_USE_TLS=False
+MAIL_USE_SSL=False
+MAIL_USERNAME= # Username@domain, must match config values below
+MAIL_PASSWORD= # Must match config value below
+MAIL_DEFAULT_SENDER= # NoReply@domain or some such.
+MAIL_MAX_EMAILS=25
+MAIL_ASCII_ATTACHMENTS=True
+
+# Postfix
+maildomain= # Domain must match the section of username above
+smtp_user= # username:password. Must match config values above.

docker-compose.yml

@@ -3,13 +3,14 @@ version: '3.9'
 services:
   ref_test_server:
     container_name: ref_test_server
-    image: nginx:1.21.4-alpine
+    image: nginx:alpine
     volumes:
       - ./certbot:/etc/letsencrypt:ro
       - ./nginx:/etc/nginx
       - ./src/html:/usr/share/nginx/html/
-      - ./ref-test/admin/static:/usr/share/nginx/html/admin/static
-      - ./ref-test/quiz/static:/usr/share/nginx/html/quiz/static
+      - ./ref-test/app/admin/static:/usr/share/nginx/html/admin/static
+      - ./ref-test/app/quiz/static:/usr/share/nginx/html/quiz/static
+      - ./ref-test/app/root:/usr/share/nginx/html/root
     ports:
       - 80:80
       - 443:443
@@ -18,6 +19,7 @@ services:
       - frontend
     depends_on:
       - ref_test_app
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
   
   ref_test_app:
     container_name: ref_test_app
@@ -28,30 +30,14 @@ services:
     ports:
       - 5000
     volumes:
-      - ./.security:/ref-test/.security
       - ./ref-test/data:/ref-test/data
     restart: unless-stopped
     networks:
       - frontend
       - backend
     depends_on:
-      - ref_test_db
       - ref_test_postfix
 
-  ref_test_db:
-    container_name: ref_test_db
-    image: mongo:5.0.4-focal
-    restart: unless-stopped
-    volumes:
-      - ./database/data:/data/db
-      - ./database/initdb.d/:/docker-entrypoint-initdb.d/
-    env_file:
-      - ./.env
-    ports:
-      - 27017
-    networks:
-      - backend
-  
   ref_test_postfix:
     container_name: ref_test_postfix
     image: catatnight/postfix:latest
@@ -65,13 +51,11 @@ services:
   
   ref_test_certbot:
     container_name: ref_test_certbot
-    image: certbot/certbot:v1.21.0
+    image: certbot/certbot
     volumes:
       - ./certbot:/etc/letsencrypt
       - ./src/html:/var/www/html
-    depends_on:
-      - ref_test_server
-    # command: certonly --webroot --webroot-path=/var/www/html --email (email) --agree-tos --no-eff-email -d (domain)
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
   
 networks:
   frontend:

init-letsencrypt.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Source https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(example.org www.example.org)
+rsa_key_size=4096
+data_path="./certbot"
+email="" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+if [ ! -e "$data_path/ssl-dhparams.pem" ]; then
+  echo "### Generating ssl-dhparams.pem ..."
+  docker-compose run --rm --entrypoint "\
+    openssl dhparam 4096 -out /etc/letsencrypt/ssl-dhparams.pem" certbot
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload

nginx/conf.d/ref-test-app.conf

@@ -3,7 +3,7 @@ upstream reftest {
 }
 
 server {
-
+    server_name domain_name;
     listen 80 default_server;
     listen [::]:80 default_server;
     # Redirect to ssl
@@ -11,7 +11,7 @@ server {
 }
 
 server {
-
+    server_name domain_name;
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;
 

nginx/ssl.conf

@@ -1,2 +1,13 @@
-ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem; # managed by Certbot
-ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem; # managed by Certbot
+ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
+
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/lets-encrypt-x3-cross-signed.pem;
+add_header Strict-Transport-Security "max-age=31536000" always;
+ssl_session_cache   shared:SSL:40m;
+ssl_session_timeout 4h;
+ssl_session_tickets on;