fix(nginx,compose): mount certbot volumes and use correct LE cert paths

.github/workflows/main.yaml

@@ -56,7 +56,7 @@ jobs:
 
     - name: Create environment variables files
       run: |
-        envsubst < .env.tpl > .env
+        envsubst < .envs/.env.tpl > .envs/.env
 
     - name: Check if poetry.lock is updated
       run: poetry check

.gitignore

@@ -78,7 +78,7 @@ celerybeat-schedule
 *.sage.py
 
 # dotenv
-.env
+.envs/.env
 
 # virtualenv
 .venv
@@ -106,7 +106,8 @@ containers/nginx/*
 **containers/elasticsearch/**
 
 # env vars
-.env*
+*.env
+.envs/*
 
 # certificates
 *.pem

.makim.yaml

@@ -1,5 +1,5 @@
 backend: bash
-env-file: .env
+env-file: .envs/.env
 env:
   DOCKER_BUILDKIT: "0"
 groups:
@@ -37,7 +37,7 @@ groups:
 
       unittest:
         help: Run tests with pytest
-        env-file: .env
+        env-file: .envs/.env
         run: |
           pytest "tests/"
 
@@ -59,7 +59,7 @@ groups:
   develop:
     tasks:
       test-certs:
-        env-file: .env
+        env-file: .envs/.env
         help: Generate and copy certs
         backend: bash
         run: |
@@ -84,7 +84,7 @@ groups:
           python scripts/es_index_doc_counter.py ${{ args.index_name }}
 
       setup-dev-env:
-        help: Setup development environment and prepare .env file if it doesn't exist.
+        help: Setup development environment and prepare .envs/.env file if it doesn't exist.
         args:
           index-name:
             help: Specify the server name to prepare environment for (e.g., 'biorxiv' or 'medrxiv').
@@ -107,16 +107,16 @@ groups:
           ls -la ${download_dir}/${output_filename}
           echo "Prepared development environment for index: ${{ args.index_name }}"
 
-          if [ -f ".env" ]; then
-              echo ".env file already exists. Exiting without modifying environment variables."
+          if [ -f ".envs/.env" ]; then
+              echo ".envs/.env file already exists. Exiting without modifying environment variables."
           else
-              env_template="./.env.tpl"
+              env_template="./.envs/.env.tpl"
               if [ ! -f "${env_template}" ]; then
                   echo "The template file ${env_template} does not exist."
                   exit 1
               fi
-              envsubst < "${env_template}" > ".env"
-              echo "Environment variables prepared and saved to .env"
+              envsubst < "${env_template}" > ".envs/.env"
+              echo "Environment variables prepared and saved to .envs/.env"
           fi
 
   scheduler:

.sugar.yaml

@@ -1,33 +1,48 @@
 backend: compose
-env-file: .env
+env-file: .envs/.env
 defaults:
-  group: ${{ env.SUGAR_ENV or env.ENV }}
+  profile: ${{ env.SUGAR_ENV or env.ENV }}
   project-name: literev-es
-groups:
+
+profiles:
   prod:
     config-path:
-      - containers/compose.nginx.yaml
       - containers/compose.elasticsearch.yaml
-    env-file: .env
+    env-file: .envs/.env
     services:
-      default: es01,nginx,certbot
+      default:
+        - es
       available:
-        - name: es01
-        - name: nginx
-        - name: certbot
+        - name: es
+
   dev:
     config-path:
       - containers/compose.elasticsearch.dev.yaml
-    env-file: .env
+    env-file: .envs/.env
     services:
-      default: es
+      default:
+       - es01-dev
       available:
-        - name: es
+        - name: es01-dev
+
   staging:
     config-path:
       - containers/compose.elasticsearch.staging.yaml
-    env-file: .env
+    env-file: .envs/.env
     services:
-      default: es
+      default:
+        - es
       available:
         - name: es
+
+  nginx-prod:
+    config-path:
+      - containers/compose.nginx.yaml
+    env-file: .envs/.env
+    services:
+      default:
+        - nginx
+        - certbot
+      available:
+        - name: nginx
+        - name: certbot

containers/compose.elasticsearch.dev.yaml

@@ -1,34 +1,34 @@
 services:
-  es:
+  es01-dev:
     image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
-    container_name: es
-    user: "1000:1000"
+    volumes:
+      - esdata_dev:/usr/share/elasticsearch/data
+    ports:
+      - "${ES_PORT}:9200"
     env_file:
-      ../.env
+      - ../.envs/.env
     environment:
-      - node.name=es
       - discovery.type=single-node
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=false
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=false
+      - xpack.security.transport.ssl.enabled=false
       - ELASTIC_PASSWORD=${ES_PASSWORD}
+    mem_limit: ${MEM_LIMIT:-4g}
     ulimits:
       memlock:
         soft: -1
         hard: -1
-    volumes:
-      - esdata:/usr/share/elasticsearch/data
-    ports:
-      - 9200:9200
+    healthcheck:
+      test: ["CMD-SHELL", "curl -k -u elastic:${ES_PASSWORD} http://localhost:9200/_cluster/health"]
+      interval: 10s
+      timeout: 10s
+      retries: 120
     networks:
-      - elastic
-
-
-volumes:
-  esdata:
-    driver: local
-    name: es_data
+      - literev
 
 networks:
-  elastic:
+  literev:
     driver: bridge
-    name: elastic_dev_xnet
+
+volumes:
+  esdata_dev:

containers/compose.elasticsearch.staging.yaml

@@ -1,15 +1,14 @@
 services:
   es:
-    container_name: es
     image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
-    user: "1000:1000" # Set the UID:GID to run the container
+    user: "1000:1000"
     env_file:
-      - ../.env
+      - ../.envs/.env
     environment:
       - discovery.type=single-node
       - node.name=es
       - ELASTIC_PASSWORD=${ES_PASSWORD}
-      - ES_JAVA_OPTS=-Xms1g -Xmx1g  # Ensure proper memory allocation
+      - ES_JAVA_OPTS=-Xms1g -Xmx1g
       - bootstrap.memory_lock=true
       - "xpack.security.enabled=false"
       - "xpack.security.enrollment.enabled=false"
@@ -37,8 +36,8 @@ services:
       timeout: 5s
       start_period: 20s
     networks:
-      - literev_literev
+      - literev_staging
 
 networks:
-  literev_literev:
+  literev_staging:
     external: true

containers/compose.elasticsearch.yaml

@@ -1,46 +1,50 @@
+version: "3.9"
+
 services:
-  es01:
+  es:
+    profiles: ["ssl"]
     image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
-    volumes:
-      - type: bind
-        source: ${NGINX_CONFIG}/certificates
-        target: /usr/share/elasticsearch/config/certs
-      - type: bind
-        source: ../containers/init-scripts
-        target: /usr/share/elasticsearch/init-scripts
-        read_only: true
-      - type: bind
-        source: ${ES_HOST_VOLUME}
-        target: /usr/share/elasticsearch/data
-    ports:
-      - "${ES_PORT}:9200"
-    env_file: ../.env
+    container_name: es
+    env_file:
+      - ../.envs/.env
     environment:
-      - node.name=es01
+      - node.name=es
       - cluster.name=${CLUSTER_NAME}
-      - cluster.initial_master_nodes=${SEED_HOSTS}
-      - discovery.seed_hosts=${SEED_HOSTS}
-      - ES_PASSWORD=${ES_PASSWORD}
+      - discovery.type=single-node
       - bootstrap.memory_lock=true
-      - "xpack.security.enabled=true"
-      - "xpack.security.http.ssl.enabled=true"
-      - "xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem"
-      - "xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem"
-      - "xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem"
-      - "xpack.security.http.ssl.verification_mode=${SSL_VERIFY_MODE}"
-      - "xpack.security.transport.ssl.enabled=true"
-      - "xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem"
-      - "xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem"
-      - "xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem"
-      - "xpack.security.transport.ssl.verification_mode=${SSL_VERIFY_MODE}"
-      - "xpack.license.self_generated.type=${LICENSE}"
-    mem_limit: ${MEM_LIMIT:-4g}
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/live/es.literev.com/fullchain.pem
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/live/es.literev.com/privkey.pem
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/live/es.literev.com/chain.pem
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/live/es.literev.com/fullchain.pem
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/live/es.literev.com/privkey.pem
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/live/es.literev.com/chain.pem
+      - path.repo=/usr/share/elasticsearch/snapshots
+      - ELASTIC_PASSWORD=${ES_PASSWORD}
+    volumes:
+      - certbot_conf:/usr/share/elasticsearch/config/certs:ro
+      - esdata:/usr/share/elasticsearch/data
+      - es_snapshots:/usr/share/elasticsearch/snapshots
+    ports:
+      - "${ES_PORT}:9200"
+    networks: [literev]
     healthcheck:
-      test: ["CMD-SHELL", "curl -k -u elastic:$(cat /run/secrets/es_password) https://es01:9200/_cluster/health"]
-      interval: 10s
-      timeout: 10s
-      retries: 120
+      test: ["CMD-SHELL", "curl -kfSs -u elastic:${ES_PASSWORD} https://es01:9200/_cluster/health || exit 1"]
+
+
+volumes:
+  esdata:
+    driver: local
+    name: es_data
+  certbot_conf:
+    name: certbot_conf
+  certbot_www:
+    name: certbot_www
+  es_snapshots:
+    name: es_snapshots
+
+
+networks:
+  literev:

containers/compose.nginx.yaml

@@ -1,32 +1,46 @@
+version: "3.9"
+
 services:
   nginx:
     build:
       context: ".."
-      dockerfile: "containers/dockerfile.nginx" # Relative path
+      dockerfile: "containers/dockerfile.nginx"
       args:
-        HOST_UID: ${HOST_UID}
-        HOST_GID: ${HOST_GID}
+        HOST_UID: "${HOST_UID}"
+        HOST_GID: "${HOST_GID}"
     env_file:
-      - ../.env
+      - ../.envs/.env
     container_name: nginx
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - ${NGINX_CONFIG}:/etc/nginx # Relative path
-      - ${NGINX_CONFIG}/certbot/conf:/etc/nginx/letsencrypt
-    networks:
-      - elastic
+      - ../containers/nginx/data/config/prod:/etc/nginx/conf.d
+      - certbot_conf:/etc/letsencrypt
+      - certbot_www:/var/www/certbot    
+    networks: [literev]
+    restart: unless-stopped
 
   certbot:
     image: certbot/certbot
     container_name: certbot
     volumes:
-      - ${NGINX_CONFIG}/certbot/conf:/etc/letsencrypt
-      - ${NGINX_CONFIG}/certbot/www:/var/www/certbot
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
-    networks:
-      - elastic
+      - certbot_conf:/etc/letsencrypt
+      - certbot_www:/var/www/certbot
+    entrypoint: >
+      /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'
+    networks: [literev]
+    restart: unless-stopped
+
+
+
+volumes:
+  certbot_conf:
+    name: certbot_conf
+  certbot_www:
+    name: certbot_www
 
 networks:
-  elastic:
+  literev: {}
+
+