adding ssl support w/certbot & let's encrypt

.env.dist

@@ -1 +1,7 @@
 HOST_PORT=8080
+DOMAIN=localhost
+DB_NAME=boltium
+DB_USER=boltium
+DB_PASSWORD=secret
+DB_ROOT_PASSWORD=topsecret
+# ENABLE_SSL=1

docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   # Servicio para la aplicación PHP
   php:
@@ -11,10 +9,10 @@ services:
       - ./project:/var/www/html
       - verdor_data:/var/www/html/vendor
     environment:
-      - DATABASE_HOST=db
-      - DATABASE_NAME=bolt
-      - DATABASE_USER=bolt
-      - DATABASE_PASSWORD=secret
+      DATABASE_HOST: db
+      DATABASE_NAME: ${DB_NAME}
+      DATABASE_USER: ${DB_USER}
+      DATABASE_PASSWORD: ${DB_PASSWORD}
     depends_on:
       - db
 
@@ -25,23 +23,56 @@ services:
     volumes:
       - db_data:/var/lib/mysql
     environment:
-      MYSQL_ROOT_PASSWORD: root
-      MYSQL_DATABASE: bolt
-      MYSQL_USER: bolt
-      MYSQL_PASSWORD: secret
+      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
+      MYSQL_DATABASE: ${DB_NAME}
+      MYSQL_USER: ${DB_USER}
+      MYSQL_PASSWORD: ${DB_PASSWORD}
 
   # Servicio para Nginx
   webserver:
     image: nginx:latest
     container_name: bolt_webserver_x
     volumes:
-      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+      - ./nginx/default.conf.template:/etc/nginx/conf.d/default.conf.template
+      - ./nginx/ssl.conf.template:/etc/nginx/conf.d/ssl.conf.template
+      - ./nginx/startup.sh:/var/www/startup.sh
       - ./project/public:/var/www/html/public
+      - certbot_certs:/etc/letsencrypt
+      - certbot_challenges:/var/www/certbot
     depends_on:
       - php
     ports:
       - "${HOST_PORT}:80"
+      - 443:443
+    environment:
+      ENABLE_SSL: ${ENABLE_SSL:+1}
+      DOMAIN: ${DOMAIN}
+    command: ["/bin/sh", "-c", "/var/www/startup.sh"]
 
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - certbot_certs:/etc/letsencrypt
+      - certbot_challenges:/var/www/certbot
+    environment:
+      ENABLE_SSL: ${ENABLE_SSL:+1}
+    entrypoint: >
+      /bin/sh -c '
+      if [ "${ENABLE_SSL}" = "1" ]; then
+        trap exit TERM; 
+        while :; do 
+          certbot renew; 
+          sleep 12h & wait $${!}; 
+        done; 
+      else 
+        echo "Certbot is disabled."; 
+        tail -f /dev/null;
+      fi
+      '
+    depends_on:
+      - webserver
 volumes:
   db_data:
   verdor_data:
+  certbot_certs:
+  certbot_challenges:

nginx/default.conf → nginx/default.conf.template

@@ -1,10 +1,14 @@
 server {
     listen 80;
-    server_name localhost;
+    server_name ${DOMAIN};
 
     root /var/www/html/public;
     index index.php index.html index.htm;
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     location / {
         try_files $uri /index.php$is_args$args;
     }
@@ -20,4 +24,4 @@ server {
     location ~ /\.ht {
         deny all;
     }
-}
+}

nginx/ssl.conf.template

@@ -0,0 +1,51 @@
+    server {
+        listen 80;
+        server_name ${DOMAIN};
+
+        root /var/www/html/public;
+        index index.php index.html index.htm;
+
+        location / {
+            return 301 https://$host$request_uri;
+            try_files $uri /index.php$is_args$args;
+        }
+
+        location ~ \.php$ {
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass php:9000;
+            fastcgi_index index.php;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include fastcgi_params;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name ${DOMAIN};
+
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+
+        root /var/www/html/public;
+        index index.php index.html index.htm;
+
+        location / {
+            try_files $uri /index.php$is_args$args;
+        }
+
+        location ~ \.php$ {
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass php:9000;
+            fastcgi_index index.php;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include fastcgi_params;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+    }

nginx/startup.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+DEFAULT_CONF="/etc/nginx/conf.d/default.conf"
+SSL_CONF="/etc/nginx/conf.d/ssl.conf"
+
+if [ "$ENABLE_SSL" = "1" ]; then
+  echo "SSL habilitado, creando ssl.conf con el dominio."
+
+  envsubst '$DOMAIN' < /etc/nginx/conf.d/ssl.conf.template > "$SSL_CONF"
+
+  [ -f "$DEFAULT_CONF" ] && rm "$DEFAULT_CONF"
+else
+  echo "SSL disabled, creating default.conf."
+  envsubst '$DOMAIN' < /etc/nginx/conf.d/default.conf.template > "$DEFAULT_CONF"
+
+  [ -f "$SSL_CONF" ] && rm "$SSL_CONF"
+fi
+
+nginx -g 'daemon off;'