nginx, compose, certs

Author: why-not-try-calmer

.github/workflows/build-then-store.yml

@@ -36,5 +36,5 @@ jobs:
 
       - name: Build
         run: |
-          docker compose --profile prod build
-          docker compose --profile prod push
+          docker compose build
+          docker compose push

.github/workflows/push-then-deploy.yml

@@ -27,5 +27,5 @@ jobs:
           script: |
             cd /opt/app
             docker-compose down --remove-orphans
-            docker-compose --profile prod pull   
-            docker-compose --profile prod up -d
+            docker-compose pull   
+            docker-compose up -d

.gitignore

@@ -4,3 +4,5 @@
 playgrounds/
 .vscode/settings.json
 .venv/
+cert.pem
+private.key

docker-compose.yml

@@ -4,7 +4,7 @@ services:
       profiles: [test]
       depends_on: [mongo, redis]
       container_name: feedfarer-test
-      restart: no
+      restart: "no"
       build: 
         context: .
         dockerfile: Dockerfile-test
@@ -19,12 +19,13 @@ services:
         - TEST=1
 
     app:
-      profiles: [prod]
       depends_on: [mongo, redis]
       image: ghcr.io/why-not-try-calmer/feedo:latest
-      restart: on-failure
-      build: .
-      command: ./feefarer-exe
+      restart: "on-failure"
+      build:
+        context: .
+        dockerfile: Dockerfile
+      command: ./feedfarer-exe
       environment:
         API_KEY: ${API_KEY}
         TELEGRAM_TOKEN: ${TELEGRAM_TOKEN}
@@ -37,20 +38,17 @@ services:
 
     mongo:
       image: mongo:5.0 # `auth` doesn't work with 6.0 and beyond!
-      restart: on-failure
+      restart: "on-failure"
       environment:
         - MONGO_INITDB_ROOT_USERNAME
         - MONGO_INITDB_ROOT_PASSWORD
       volumes:
        - mongo-data:/data/db
-      ports:
-       - 27017:27017
-
+       
     nginx:
-      profiles: [prod]
       depends_on: [app]
       image: nginx:latest
-      restart: on-failure
+      restart: "on-failure"
       volumes:
         - ./nginx.conf:/etc/nginx/nginx.conf:ro
         - ./private.key:/etc/nginx/private.key:ro
@@ -61,12 +59,11 @@ services:
 
     redis:
       image: redis:latest
-      expose: [6379]
-      restart: on-failure
+      restart: "on-failure"
       command: redis-server --maxmemory 250mb --maxmemory-policy volatile-lfu
       volumes:
         - redis-data:/data/redis-store
 
 volumes:
   mongo-data:
-  redis-data:
+  redis-data:

nginx.conf

@@ -19,7 +19,11 @@ http {
         add_header Strict-Transport-Security "max-age=31536000" always;
 
         location /webhook {
-            proxy_pass http://feedo:8000;
+            proxy_pass http://app:8000;
+        }
+	
+        location /digests {
+            proxy_pass http://app:8000;
         }
     }
 }

scripts/setWebhook.sh

@@ -1,7 +1,4 @@
-#!/bin/bash                                                                                                                                                                                   
+#!/usr/bin/bash                                                                                                                                                                              
 source .env
-
-openssl req -newkey rsa:2048 -sha256 -nodes -keyout private.key -x509 -days 365 -out cert.pem -subj "/C=US/ST=Bern/L=Bern/O=MyOwn/CN=$SERVER_URL"
-                                                                                                                                                                                              
-curl -F "url=https://feedo.cloudns.ph/webhook/$TELEGRAM_TOKEN" https://api.telegram.org/bot$TELEGRAM_TOKEN/setWebhook -F "certificate=@/opt/app/cert.pem"
-
+openssl req -newkey rsa:2048 -sha256 -nodes -keyout private.key -x509 -days 365 -out cert.pem -subj "/C=US/ST=Bern/L=Bern/O=MyOwn/CN=$DOMAIN_NAME"
+curl -F "url=https://feedo.cloudns.ph/webhook/bot$TELEGRAM_TOKEN" https://api.telegram.org/bot$TELEGRAM_TOKEN/setWebhook -F "certificate=@/opt/app/cert.pem"

src/Server.hs

@@ -169,21 +169,21 @@ startApp = do
   -- no longer using registerWebhook as it needs updating to use TLS certification
   -- registerWebhook config
   runApp config initStart
-  finds_ssl_keys <- (&&) <$> doesFileExist sslCert <*> doesFileExist sslKey
-  if finds_ssl_keys
-    then do
-      print $ "Server (HTTPS) now listening to port " <> show port
-      runTLS tlsOpts (warpOpts port) . withServer $ config
-    else do
-      dir <- getCurrentDirectory
-      print $ "WARNING: Missing SSL keys from " <> dir
-      print $
-        "TLS will need to rely on gateway (if any). \
-        \ Server (PLAIN HTTP) now listening to port "
-          <> show port
-      run port $ withServer config
- where
-  warpOpts p
-    | p == 80 = setPort 443 defaultSettings
-    | otherwise = setPort p defaultSettings
-  tlsOpts = tlsSettings sslCert sslKey
+  -- finds_ssl_keys <- (&&) <$> doesFileExist sslCert <*> doesFileExist sslKey
+  -- if finds_ssl_keys
+  --   then do
+  --     print $ "Server (HTTPS) now listening to port " <> show port
+  --     runTLS tlsOpts (warpOpts port) . withServer $ config
+  --   else do
+  --     dir <- getCurrentDirectory
+  --     print $ "WARNING: Missing SSL keys from " <> dir
+  --     print $
+  --       "TLS will need to rely on gateway (if any). \
+  --       \ Server (PLAIN HTTP) now listening to port "
+  --         <> show port
+  run port $ withServer config
+--  where
+--   warpOpts p
+--     | p == 80 = setPort 443 defaultSettings
+--     | otherwise = setPort p defaultSettings
+--   tlsOpts = tlsSettings sslCert sslKey