From 96d199c605247820f63c06cf9f5b9e0d2b62b321 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 12:59:32 +0100 Subject: [PATCH 1/9] Add possibility to run app on custom domain --- docker-compose.yml | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 684dc7b..330e0b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,7 @@ configs: port: 3000 host: 0.0.0.0 domain: ${DOMAIN:?error} - base_url: http${TLS_ENABLED:+s}://forge.${DOMAIN:?error} + base_url: http${TLS_ENABLED:+s}://${APPLICATION_DOMAIN:-forge.${DOMAIN}} api_url: http://forge:3000 create_admin: ${CREATE_ADMIN:-false} db: @@ -17,7 +17,7 @@ configs: password: ${DB_PASSWORD:-secret} email: enabled: ${EMAIL_ENABLED:-false} - from: '"FlowFuse" ' + from: '"FlowFuse" ' smtp: host: ${EMAIL_HOST} port: ${EMAIL_PORT:-587} @@ -59,10 +59,14 @@ configs: nginx: content: | client_max_body_size 5m; - nginx_tls_crt: + nginx_main_tls_crt: environment: TLS_CERTIFICATE - nginx_tls_key: + nginx_main_tls_key: environment: TLS_KEY + nginx_app_tls_crt: + environment: APP_TLS_CERTIFICATE + nginx_app_tls_key: + environment: APP_TLS_KEY nginx_stream: content: | # stream { @@ -408,10 +412,14 @@ services: configs: - source: nginx target: /etc/nginx/conf.d/my_proxy.conf - - source: nginx_tls_crt + - source: nginx_main_tls_crt target: /etc/nginx/certs/${DOMAIN:?error}.crt - - source: nginx_tls_key + - source: nginx_main_tls_key target: /etc/nginx/certs/${DOMAIN:?error}.key + - source: nginx_app_tls_crt + target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.crt + - source: nginx_app_tls_key + target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.key - source: nginx_stream target: /etc/nginx/toplevel.conf.d/mqtt.conf ports: 
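Review bot: The new `base_url` line drops the `:?error` guard the old value carried on `DOMAIN`: `${APPLICATION_DOMAIN:-forge.${DOMAIN}}` silently expands to `http://forge.` when neither variable is set, whereas every other use in this file (`domain:` on the line above, the cert targets in @@ -408, the vhosts in @@ -448) still aborts with `${DOMAIN:?error}`. The `domain:` guard one line above happens to abort the run first, so nothing breaks today, but the default should be self-contained so it stays safe if that line is ever edited: `base_url: http${TLS_ENABLED:+s}://${APPLICATION_DOMAIN:-forge.${DOMAIN:?error}}` — nested `:?` inside a default is within the Compose spec's interpolation rules, but confirm the Compose version in use accepts it. The same unguarded form appears twice in @@ -408 and twice in @@ -465. The surrounding config `content:` block starts and ends outside the hunk.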
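Review bot: The two new `environment:`-backed configs `nginx_app_tls_crt`/`nginx_app_tls_key` are mounted unconditionally in @@ -408 at `/etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.crt` and `.key`, so with the documented defaults (`APP_TLS_CERTIFICATE=""`, `APP_TLS_KEY=""`, `APPLICATION_DOMAIN` empty) the proxy container receives an empty certificate and key file named after `forge.<DOMAIN>` — a filename that did not exist before this change. If the proxy prefers a file matching the vhost over the `${DOMAIN}` one, or if the ACME companion on the `autotls` path wants to write its issued certificate to that same path, the empty mounted file shadows or blocks the real certificate; neither can be confirmed from the hunk, so both the custom-certificate and the `autotls` flow need a test with `APPLICATION_DOMAIN` unset. If the empty file does interfere, the least invasive fix is to document that `APP_TLS_CERTIFICATE`/`APP_TLS_KEY` must hold the same material as `TLS_CERTIFICATE`/`TLS_KEY` whenever custom certificates are used and `APPLICATION_DOMAIN` is left at its default, and to make the config definition say so in a comment, e.g. `# Mounted even when empty; see APP_TLS_* in .env.example`.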
@@ -448,9 +456,9 @@ services: timeout: 25s retries: 5 environment: - - "VIRTUAL_HOST=broker.${DOMAIN:?error}" + - "VIRTUAL_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}" - "VIRTUAL_PORT=8080" - - "LETSENCRYPT_HOST=broker.${DOMAIN:?error}" + - "LETSENCRYPT_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}" - "EMQX_DASHBOARD__DEFAULT_PASSWORD=topSecret" configs: - source: emqx @@ -465,8 +473,8 @@ services: - flowforge restart: always environment: - - "VIRTUAL_HOST=forge.${DOMAIN:?error}" - - "LETSENCRYPT_HOST=forge.${DOMAIN:?error}" + - "VIRTUAL_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}" + - "LETSENCRYPT_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}" configs: - source: flowfuse target: /usr/src/forge/etc/flowforge.yml From 5c22f0109df1518adc6cc0acb00efa853dae579e Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 13:04:40 +0100 Subject: [PATCH 2/9] Add default values for APP_TLS_CERTIFICATE and APP_TLS_KEY --- .env | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .env diff --git a/.env b/.env new file mode 100644 index 0000000..6022b71 --- /dev/null +++ b/.env @@ -0,0 +1,22 @@ +DOMAIN=example.com +APPLICATION_DOMAIN="" + +### TLS certificates configuration +TLS_ENABLED="" +TLS_CERTIFICATE="" +TLS_KEY="" +APP_TLS_CERTIFICATE="" +APP_TLS_KEY="" + +### Database configuration +DB_HOST="" +DB_USER="" +DB_PASSWORD="" + +### Email configuration +EMAIL_ENABLED=false +EMAIL_HOST="" +EMAIL_PORT=587 +EMAIL_SECURE="" +EMAIL_USER="" +EMAIL_PASSWORD="" From 0c43d2ebc3c17ef5ab7596e75cc9d6034424e769 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 13:09:11 +0100 Subject: [PATCH 3/9] Add default values for APP_TLS_CERTIFICATE and APP_TLS_KEY --- .env.example | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.env.example b/.env.example index a71feb5..79c4ac2 100644 --- a/.env.example +++ b/.env.example 
@@ -4,6 +4,8 @@ DOMAIN= TLS_ENABLED="" TLS_CERTIFICATE="" TLS_KEY="" +APP_TLS_CERTIFICATE="" +APP_TLS_KEY="" ### Database configuration DB_HOST="" From 60d00ffe3d77a14f86fbbc1d50d6c20085432838 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 13:10:28 +0100 Subject: [PATCH 4/9] Revert "Add default values for APP_TLS_CERTIFICATE and APP_TLS_KEY" This reverts commit 5c22f0109df1518adc6cc0acb00efa853dae579e. --- .env | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .env diff --git a/.env b/.env deleted file mode 100644 index 6022b71..0000000 --- a/.env +++ /dev/null @@ -1,22 +0,0 @@ -DOMAIN=example.com -APPLICATION_DOMAIN="" - -### TLS certificates configuration -TLS_ENABLED="" -TLS_CERTIFICATE="" -TLS_KEY="" -APP_TLS_CERTIFICATE="" -APP_TLS_KEY="" - -### Database configuration -DB_HOST="" -DB_USER="" -DB_PASSWORD="" - -### Email configuration -EMAIL_ENABLED=false -EMAIL_HOST="" -EMAIL_PORT=587 -EMAIL_SECURE="" -EMAIL_USER="" -EMAIL_PASSWORD="" From 365cdabcadb358b19cf16e37ae0d2a62bbdbcc67 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 13:34:12 +0100 Subject: [PATCH 5/9] Add APPLICATION_DOMAIN to env example file --- .env.example | 1 + 1 file changed, 1 insertion(+) diff --git a/.env.example b/.env.example index 79c4ac2..3b78896 100644 --- a/.env.example +++ b/.env.example @@ -1,4 +1,5 @@ DOMAIN= +APPLICATION_DOMAIN="" ### TLS certificates configuration TLS_ENABLED="" From 2f3372de9fdc7b399c277ab95c9b326fc76f8153 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Mon, 25 Nov 2024 19:50:34 +0100 Subject: [PATCH 6/9] Handle nginx HTTPS_METHOD env value --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 330e0b7..bbd56bf 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
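Review bot: The new `APP_TLS_CERTIFICATE=""`/`APP_TLS_KEY=""` entries give no hint of when they are read, and `.env.example` is the first place an operator looks; a comment above them such as `# PEM certificate and key for APPLICATION_DOMAIN; only needed when it differs from forge.<DOMAIN> and custom certificates are used` would stop them being left empty when required or filled with a copy of `TLS_*` by mistake. The same applies to `APPLICATION_DOMAIN=""` added in the later @@ -1,4 hunk of this file, which could carry `# Public hostname of the FlowFuse application; defaults to forge.<DOMAIN>`.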
@@ -427,7 +427,7 @@ services: - "443:443" - "1884:1884" environment: - - "HTTPS_METHOD=redirect" + - HTTPS_METHOD=${TLS_ENABLED:+redirect} postgres: image: postgres:14 From b5a1a0404fa47a0842f9991b378c432139ce8de9 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Tue, 26 Nov 2024 11:14:16 +0100 Subject: [PATCH 7/9] Add possibility to configure `driver.options.privateCA` --- .env.example | 3 +++ docker-compose.yml | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/.env.example b/.env.example index 3b78896..5144b73 100644 --- a/.env.example +++ b/.env.example @@ -20,3 +20,6 @@ EMAIL_PORT=587 EMAIL_SECURE="" EMAIL_USER="" EMAIL_PASSWORD="" + +### Docker Driver options +DOCKER_DRIVER_PRIVATE_CA="" diff --git a/docker-compose.yml b/docker-compose.yml index bbd56bf..cd27e45 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -29,6 +29,7 @@ configs: type: docker options: socket: /tmp/docker.sock + ${DOCKER_DRIVER_PRIVATE_CA:+privateCA: /mnt/docker_private_ca.pem} broker: url: mqtt://broker:1883 public_url: ws${TLS_ENABLED:+s}://mqtt.${DOMAIN:?error} @@ -37,6 +38,8 @@ configs: fileStore: enable: true url: http://file-server:3001 + flowfuse_docker_ca: + environment: DOCKER_DRIVER_PRIVATE_CA flowfuse_storage: content: | port: 3001 @@ -478,6 +481,8 @@ services: configs: - source: flowfuse target: /usr/src/forge/etc/flowforge.yml + - source: flowfuse_docker_ca + target: /mnt/docker_private_ca.pem volumes: - "/var/run/docker.sock:/tmp/docker.sock" - flowfuse-persistent-storage:/opt/persistent-storage From 9344de6886a0102676c0a533a5da953795400136 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Tue, 26 Nov 2024 13:31:17 +0100 Subject: [PATCH 8/9] Provide private CA as a path to file on docker host --- .env.example | 2 +- docker-compose.yml | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.env.example b/.env.example index 5144b73..9bd1f07 100644 --- a/.env.example +++ b/.env.example 
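Review bot: `HTTPS_METHOD=${TLS_ENABLED:+redirect}` expands to an empty `HTTPS_METHOD=` when `TLS_ENABLED` is unset, which leaves the non-TLS behaviour to whatever the proxy image does with an empty value instead of stating it; if the proxy is nginx-proxy, an empty value presumably falls back to its default `redirect`, making the change a no-op, and if plain HTTP is the intent it should be spelled out, e.g. `- "HTTPS_METHOD=${TLS_ENABLED:+redirect}${TLS_ENABLED:-nohttps}"`. The quotes the old line had were also dropped while the neighbouring list entries stay quoted; keep them for consistency. The proxy `image:` is not in the hunk, so the accepted values need checking against the image actually in use.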
@@ -22,4 +22,4 @@ EMAIL_USER="" EMAIL_PASSWORD="" ### Docker Driver options -DOCKER_DRIVER_PRIVATE_CA="" +DOCKER_DRIVER_PRIVATE_CA_PATH="" diff --git a/docker-compose.yml b/docker-compose.yml index cd27e45..f0c98a5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -29,7 +29,7 @@ configs: type: docker options: socket: /tmp/docker.sock - ${DOCKER_DRIVER_PRIVATE_CA:+privateCA: /mnt/docker_private_ca.pem} + ${DOCKER_DRIVER_PRIVATE_CA_PATH:+privateCA: ${DOCKER_DRIVER_PRIVATE_CA_PATH}} broker: url: mqtt://broker:1883 public_url: ws${TLS_ENABLED:+s}://mqtt.${DOMAIN:?error} @@ -38,8 +38,6 @@ configs: fileStore: enable: true url: http://file-server:3001 - flowfuse_docker_ca: - environment: DOCKER_DRIVER_PRIVATE_CA flowfuse_storage: content: | port: 3001 @@ -481,8 +479,6 @@ services: configs: - source: flowfuse target: /usr/src/forge/etc/flowforge.yml - - source: flowfuse_docker_ca - target: /mnt/docker_private_ca.pem volumes: - "/var/run/docker.sock:/tmp/docker.sock" - flowfuse-persistent-storage:/opt/persistent-storage From 2e42dbd02f2283bdcc0dfccce55e82b87057adc6 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Tue, 26 Nov 2024 13:54:36 +0100 Subject: [PATCH 9/9] Update upgrade instructions --- UPGRADE.md | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/UPGRADE.md b/UPGRADE.md index 77f4e83..56492cc 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -38,7 +38,6 @@ This allows for easier management of the platform and better separation of conce ```bash curl -o docker-compose-new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose.yml - curl -o docker-compose-tls.override.new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose-tls.override.yml curl -o .env https://raw.githubusercontent.com/flowfuse/docker-compose/main/.env.example ``` 
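Review bot: `DOCKER_DRIVER_PRIVATE_CA_PATH=""` says nothing about which filesystem the path refers to; the commit title says it is a file on the Docker host, which is the opposite of what an operator editing a setting of the forge container's config would assume. Add a comment above it such as `# Absolute path on the Docker host to a PEM CA file passed to the docker driver as privateCA; leave empty to disable`, so the `### Docker Driver options` section is self-explanatory.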
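Review bot: The interpolated `privateCA: ${DOCKER_DRIVER_PRIVATE_CA_PATH}` is emitted as plain YAML inside the `content: |` block scalar, so a path containing `: `, ` #` or a leading indicator character would change how the generated flowforge.yml parses; quoting the value, `${DOCKER_DRIVER_PRIVATE_CA_PATH:+privateCA: '${DOCKER_DRIVER_PRIVATE_CA_PATH}'}`, keeps it a string. This commit also removes the mount that made the CA file visible inside the forge container (@@ -481), so the option only works if the driver uses the value as a host path for the instance containers it starts rather than reading the file itself — the title implies the former, but it is worth confirming against the driver, since a wrong assumption only surfaces at the first instance start. The new variable is also not mentioned in the UPGRADE.md changes later in the series. The enclosing `driver:` block starts outside the hunk.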
@@ -48,6 +47,8 @@ This allows for easier management of the platform and better separation of conce * Make sure, that `broker.url` is seto fo `mqtt://broker:1883`. Update if needed. * Copy content of `./etc/flowforge-storage.yml` file to `docker-compose-new.yml` file, to `configs.flowfuse_storage.content` section. Remove all commented lines. Maintain indentation. * Set the `DOMAIN` variable in the `.env` file to the domain used by your instance of FlowFuse platform. +* If FlowFuse application is running outside of the `DOMAIN` scope, set it as a value of `APPLICATION_DOMAIN` variable in the `.env` file. +* If application should be accessible via seured connection (HTTPS), set `TLS_ENABLED` variable to `true` in `.env` file. * If custom certificates are used, copy their content to `.env` file, to `TLS_CERTIFICATE` and `TLS_KEY` variables. They should look like this: ```bash @@ -69,6 +70,28 @@ This allows for easier management of the platform and better separation of conce " ``` +* If custom certificates are used and FlowFuse application is running on a different domain than other stack components (defined in `APPLICATION_DOMAIN` variable), + use `APP_TLS_CERTIFICATE` and `APP_TLS_KEY` variabls to provide certificate and it's key. They should look like this: + + ```bash + APP_TLS_CERTIFICATE=" + -----BEGIN CERTIFICATE----- + MIIFfzCCBKegAwIBAgISA0 + ... + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFfzCCBKegAwIBAgISA0 + ... + -----END CERTIFICATE----- + " + APP_TLS_KEY=" + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD + ... + -----END PRIVATE KEY----- + " + ``` + 4. **Migrate database files** Move the database files from host to the new volume. This will allow you to keep the existing data. 
@@ -98,7 +121,6 @@ This allows for easier management of the platform and better separation of conce ```bash mv docker-compose.yml docker-compose-old.yml mv docker-compose-new.yml docker-compose.yml - mv docker-compose-tls.override.new.yml docker-compose-tls.override.yml ``` 6. **Start FlowFuse** @@ -107,13 +129,7 @@ This allows for easier management of the platform and better separation of conce * With automatic TLS certificate generation: ```bash - docker compose -f docker-compose.yml -f docker-compose-tls.override.yml --profile autossl -p flowfuse up -d - ``` - - * With custom TLS certificate: - - ```bash - docker compose -f docker-compose.yml -f docker-compose-tls.override.yml -p flowfuse up -d + docker compose -f docker-compose.yml --profile autotls -p flowfuse up -d ``` * In all other cases