Merge pull request #52 from BattMoTeam/certibot

Certbot- SSL gateway for secure connections

docker-compose-deploy.yml

@@ -22,10 +22,16 @@ services:
     restart: always
     ports:
       - "8001:8001"
-      - "8002:8002"
+      - "80:80"
+      - "443:443"
     depends_on:
-      - api
-      - gui
+      - genie
+      - streamlit
+    volumes:
+      - /etc/letsencrypt/live/app.batterymodel.com:/etc/letsencrypt/live/app.batterymodel.com:ro
+    command: /bin/bash -c "/renew-certs.sh && nginx -g 'daemon off;'"
+
+
 
   gui:
     image: ghcr.io/battmoteam/battmoapp_gui:latest
@@ -34,4 +40,4 @@ services:
     restart: always
     ports:
       - "80:80"
-    command: streamlit run app.py --global.disableWidgetStateDuplicationWarning true --server.port=80
+    command: streamlit run app.py --global.disableWidgetStateDuplicationWarning true --server.port=80

nginx/Dockerfile

@@ -1,6 +1,24 @@
-FROM nginx:1.15.8
+FROM nginx:latest
 
+# Install Certbot and dependencies
+RUN apt-get update && \
+    apt-get install -y certbot python3-certbot-nginx && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create necessary directories for Let's Encrypt challenge
+RUN mkdir -p /usr/share/nginx/html/.well-known/acme-challenge && \
+    chown -R www-data:www-data /usr/share/nginx/html/.well-known && \
+    chmod -R 755 /usr/share/nginx/html/.well-known
+
+# Remove default Nginx configuration files
 RUN rm /etc/nginx/nginx.conf
-COPY nginx.conf /etc/nginx/
 RUN rm /etc/nginx/conf.d/default.conf
+
+# Copy your custom Nginx configuration
+COPY nginx.conf /etc/nginx/
 COPY project.conf /etc/nginx/conf.d/
+
+# Copy SSL certificate renewal script
+COPY renew-certs.sh /renew-certs.sh
+RUN chmod +x /renew-certs.sh

nginx/project.conf

@@ -1,4 +1,4 @@
-server {
+# server {
 
     # listen 8001;
     # server_name docker_genie_gunicorn_nginx;
@@ -25,28 +25,53 @@ server {
     #     proxy_set_header Connection "Upgrade";
     # }
 
-    location /static {
-        rewrite ^/static(.*) /$1 break;
-        root /static;
-    }
-    location / {
-        proxy_pass http://api:8080;
+#     location /static {
+#         rewrite ^/static(.*) /$1 break;
+#         root /static;
+#     }
+#     location / {
+#         proxy_pass http://api:8080;
 
-        # Do not change this
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-}
+#         # Do not change this
+#         proxy_set_header Host $host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#     }
+# }
+
+# server {
+#     listen 80;
+#     server_name app.batterymodel.com;
+
+#     location /.well-known/acme-challenge/ {
+#         root /usr/share/nginx/html;
+#     }
+
+#     location / {
+#         proxy_pass http://streamlit:8080;  # Assuming Streamlit runs on port 80 inside the container
+#         proxy_set_header Host $host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+#     }
+# }
 
 server {
-    listen 8002;
-    server_name app.batterymodel.com;  # Replace with your domain name
+    listen 443 ssl;
+    server_name app.batterymodel.com;
+
+    ssl_certificate /etc/letsencrypt/live/app.batterymodel.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/app.batterymodel.com/privkey.pem;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
 
     location / {
         proxy_pass http://gui:80;  # Assuming Streamlit runs on port 80 inside the container
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
 }

nginx/renew-certs.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+certbot certonly --webroot -w /usr/share/nginx/html -d app.batterymodel.com --email [email protected] --agree-tos --non-interactive
+
+