diff --git a/.env.example b/.env.example
index a71feb5..9bd1f07 100644
--- a/.env.example
+++ b/.env.example
@@ -1,9 +1,12 @@
 DOMAIN=
+APPLICATION_DOMAIN=""
 ### TLS certificates configuration
 TLS_ENABLED=""
 TLS_CERTIFICATE=""
 TLS_KEY=""
+APP_TLS_CERTIFICATE=""
+APP_TLS_KEY=""
 ### Database configuration
 DB_HOST=""
@@ -17,3 +20,6 @@ EMAIL_PORT=587
 EMAIL_SECURE=""
 EMAIL_USER=""
 EMAIL_PASSWORD=""
+
+### Docker Driver options
+DOCKER_DRIVER_PRIVATE_CA_PATH=""
diff --git a/UPGRADE.md b/UPGRADE.md
index 77f4e83..56492cc 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -38,7 +38,6 @@ This allows for easier management of the platform and better separation of conce
 ```bash
 curl -o docker-compose-new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose.yml
- curl -o docker-compose-tls.override.new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose-tls.override.yml
 curl -o .env https://raw.githubusercontent.com/flowfuse/docker-compose/main/.env.example
 ```
@@ -48,6 +47,8 @@ This allows for easier management of the platform and better separation of conce
 * Make sure, that `broker.url` is seto fo `mqtt://broker:1883`. Update if needed.
 * Copy content of `./etc/flowforge-storage.yml` file to `docker-compose-new.yml` file, to `configs.flowfuse_storage.content` section. Remove all commented lines. Maintain indentation.
 * Set the `DOMAIN` variable in the `.env` file to the domain used by your instance of FlowFuse platform.
+* If FlowFuse application is running outside of the `DOMAIN` scope, set it as a value of `APPLICATION_DOMAIN` variable in the `.env` file.
+* If application should be accessible via seured connection (HTTPS), set `TLS_ENABLED` variable to `true` in `.env` file.
 * If custom certificates are used, copy their content to `.env` file, to `TLS_CERTIFICATE` and `TLS_KEY` variables. They should look like this:
 ```bash
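Review bot: `APPLICATION_DOMAIN=""` in the first hunk gives no hint of the expected form, yet docker-compose.yml builds `base_url`, the proxy's `VIRTUAL_HOST`/`LETSENCRYPT_HOST` and the certificate filename `/etc/nginx/certs/<value>.crt` from the same value, so a value carrying a scheme, port or trailing slash breaks all three without any error. A comment above the variable would prevent that: `# Bare hostname of the FlowFuse application (no scheme, port or path); empty means forge.${DOMAIN}`. `APP_TLS_CERTIFICATE`/`APP_TLS_KEY` deserve the same treatment, e.g. `# Only needed when APPLICATION_DOMAIN is set and custom certificates are used; otherwise leave empty`, since nothing in the file says how they relate to `TLS_CERTIFICATE`/`TLS_KEY`.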
@@ -69,6 +70,28 @@ This allows for easier management of the platform and better separation of conce
 "
 ```
+* If custom certificates are used and FlowFuse application is running on a different domain than other stack components (defined in `APPLICATION_DOMAIN` variable),
+ use `APP_TLS_CERTIFICATE` and `APP_TLS_KEY` variabls to provide certificate and it's key. They should look like this:
+
+ ```bash
+ APP_TLS_CERTIFICATE="
+ -----BEGIN CERTIFICATE-----
+ MIIFfzCCBKegAwIBAgISA0
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIFfzCCBKegAwIBAgISA0
+ ...
+ -----END CERTIFICATE-----
+ "
+ APP_TLS_KEY="
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD
+ ...
+ -----END PRIVATE KEY-----
+ "
+ ```
+
 4. **Migrate database files**
 Move the database files from host to the new volume. This will allow you to keep the existing data.
@@ -98,7 +121,6 @@ This allows for easier management of the platform and better separation of conce
 ```bash
 mv docker-compose.yml docker-compose-old.yml
 mv docker-compose-new.yml docker-compose.yml
- mv docker-compose-tls.override.new.yml docker-compose-tls.override.yml
 ```
 6. **Start FlowFuse**
@@ -107,13 +129,7 @@ This allows for easier management of the platform and better separation of conce
 * With automatic TLS certificate generation:
 ```bash
- docker compose -f docker-compose.yml -f docker-compose-tls.override.yml --profile autossl -p flowfuse up -d
- ```
-
- * With custom TLS certificate:
-
- ```bash
- docker compose -f docker-compose.yml -f docker-compose-tls.override.yml -p flowfuse up -d
+ docker compose -f docker-compose.yml --profile autotls -p flowfuse up -d
 ```
 * In all other cases
diff --git a/docker-compose.yml b/docker-compose.yml
index 684dc7b..f0c98a5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ configs:
 port: 3000
 host: 0.0.0.0
 domain: ${DOMAIN:?error}
- base_url: http${TLS_ENABLED:+s}://forge.${DOMAIN:?error}
+ base_url: http${TLS_ENABLED:+s}://${APPLICATION_DOMAIN:-forge.${DOMAIN}}
 api_url: http://forge:3000
 create_admin: ${CREATE_ADMIN:-false}
 db:
@@ -17,7 +17,7 @@ configs:
 password: ${DB_PASSWORD:-secret}
 email:
 enabled: ${EMAIL_ENABLED:-false}
- from: '"FlowFuse" '
+ from: '"FlowFuse" '
 smtp:
 host: ${EMAIL_HOST}
 port: ${EMAIL_PORT:-587}
@@ -29,6 +29,7 @@ configs:
 type: docker
 options:
 socket: /tmp/docker.sock
+ ${DOCKER_DRIVER_PRIVATE_CA_PATH:+privateCA: ${DOCKER_DRIVER_PRIVATE_CA_PATH}}
 broker:
 url: mqtt://broker:1883
 public_url: ws${TLS_ENABLED:+s}://mqtt.${DOMAIN:?error}
@@ -59,10 +60,14 @@ configs:
 nginx:
 content: |
 client_max_body_size 5m;
- nginx_tls_crt:
+ nginx_main_tls_crt:
 environment: TLS_CERTIFICATE
- nginx_tls_key:
+ nginx_main_tls_key:
 environment: TLS_KEY
+ nginx_app_tls_crt:
+ environment: APP_TLS_CERTIFICATE
+ nginx_app_tls_key:
+ environment: APP_TLS_KEY
 nginx_stream:
 content: |
 # stream {
@@ -408,10 +413,14 @@ services:
 configs:
 - source: nginx
 target: /etc/nginx/conf.d/my_proxy.conf
- - source: nginx_tls_crt
+ - source: nginx_main_tls_crt
 target: /etc/nginx/certs/${DOMAIN:?error}.crt
- - source: nginx_tls_key
+ - source: nginx_main_tls_key
 target: /etc/nginx/certs/${DOMAIN:?error}.key
+ - source: nginx_app_tls_crt
+ target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.crt
+ - source: nginx_app_tls_key
+ target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.key
 - source: nginx_stream
 target: /etc/nginx/toplevel.conf.d/mqtt.conf
 ports:
@@ -419,7 +428,7 @@ services:
 - "443:443"
 - "1884:1884"
 environment:
- - "HTTPS_METHOD=redirect"
+ - HTTPS_METHOD=${TLS_ENABLED:+redirect}
 postgres:
 image: postgres:14
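Review bot: The new `base_url` fallback `forge.${DOMAIN}` drops the `:?error` guard the replaced line had, and the same unguarded form recurs in the nginx cert targets (`@@ -408`) and in the forge service's `VIRTUAL_HOST`/`LETSENCRYPT_HOST` (`@@ -465`). The `domain: ${DOMAIN:?error}` context line just above still aborts the deploy when DOMAIN is unset, so nothing breaks today, but each of these spots would silently render `forge.` if that one guard were ever relaxed. `${APPLICATION_DOMAIN:-forge.${DOMAIN:?error}}` keeps the fail-fast in every place; this line already relies on nested interpolation for the default, so the nested error form should be accepted by the same engine, which a `docker compose config` run would confirm.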
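Review bot: `privateCA: ${DOCKER_DRIVER_PRIVATE_CA_PATH}` is rendered into the driver options of a config that, judging by the `flowfuse` config mounted at `/usr/src/forge/etc/flowforge.yml` in `@@ -465`, is read inside the forge container, so the path is resolved container-side; the hunk adds no volume that would put a CA file there, and neither `.env.example` nor UPGRADE.md says which side the path refers to. If the driver opens the file itself, the forge service needs a bind mount of the CA (or `.env.example` needs a comment stating the file must already exist in the container at that path). The expansion is also unquoted, so a path containing `: ` or ` #` would render an invalid YAML line; `${DOCKER_DRIVER_PRIVATE_CA_PATH:+privateCA: "${DOCKER_DRIVER_PRIVATE_CA_PATH}"}` avoids that.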
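Review bot: `nginx_app_tls_crt`/`nginx_app_tls_key` are filled from `APP_TLS_CERTIFICATE`/`APP_TLS_KEY`, which `.env.example` ships as `""`, and the mount hunk (`@@ -408`) writes them to `/etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.crt` and `.key` unconditionally. For the default deployment that creates an empty `forge.<DOMAIN>.crt` beside the `<DOMAIN>.crt` that served the forge vhost before this change; whether the proxy (nginx-proxy, judging by `VIRTUAL_HOST`/`HTTPS_METHOD`) prefers the host-specific empty file over the parent-domain certificate is not something this diff shows, so it is worth testing with APP_TLS_* unset and `TLS_ENABLED` set before merging. If it does prefer it, the two app entries in `@@ -408` must become conditional on `APP_TLS_CERTIFICATE` being non-empty, and `.env.example` should state that APP_TLS_* are only read when `APPLICATION_DOMAIN` is set.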
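Review bot: `HTTPS_METHOD=${TLS_ENABLED:+redirect}` tests presence, not truth: `TLS_ENABLED=false` is non-empty and still yields `redirect` (and `https`/`wss` through the same `:+s` pattern in `base_url` and `public_url`), while only the empty value shown in `.env.example` turns it off. When TLS_ENABLED is empty the proxy receives `HTTPS_METHOD=` rather than no variable; if it treats an empty value as unset and falls back to its own redirect default, the TLS-off case gains nothing from this line, which the proxy's documentation should settle. If that is the case, `HTTPS_METHOD=${TLS_ENABLED:+redirect}${TLS_ENABLED:-nohttps}` gives an explicit value on both paths, provided the proxy supports `nohttps`. A comment in `.env.example`, `# Leave empty to disable TLS; any non-empty value (even "false") enables it`, would close the remaining trap.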
@@ -448,9 +457,9 @@ services:
 timeout: 25s
 retries: 5
 environment:
- - "VIRTUAL_HOST=broker.${DOMAIN:?error}"
+ - "VIRTUAL_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}"
 - "VIRTUAL_PORT=8080"
- - "LETSENCRYPT_HOST=broker.${DOMAIN:?error}"
+ - "LETSENCRYPT_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}"
 - "EMQX_DASHBOARD__DEFAULT_PASSWORD=topSecret"
 configs:
 - source: emqx
@@ -465,8 +474,8 @@ services:
 - flowforge
 restart: always
 environment:
- - "VIRTUAL_HOST=forge.${DOMAIN:?error}"
- - "LETSENCRYPT_HOST=forge.${DOMAIN:?error}"
+ - "VIRTUAL_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}"
+ - "LETSENCRYPT_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}"
 configs:
 - source: flowfuse
 target: /usr/src/forge/etc/flowforge.yml