use lego to renew certificates on vps

refactor caddy config
2026-02-23 20:35:57 +03:00
parent c308c5a8d2
commit 7106df52f1
7 changed files with 94 additions and 16 deletions
--- a/hosts/lab-by-02/docker/caddy/Caddyfile
+++ b/hosts/lab-by-02/docker/caddy/Caddyfile
@@ -3,6 +3,14 @@
    admin off
 }

+(tls_catmedved) {
+    tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key
+}
+
+(tls_kladovka52) {
+    tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key
+}
+
 (forward_to_home) {
    reverse_proxy 10.8.0.3:80 {
        header_up Host {host}
@@ -17,28 +25,26 @@
    }
 }

+# HTTP -> HTTPS
+http://*.catmedved.com, http://*.kladovka52.com {
+    redir https://{host}{uri} permanent
+}

-# catmedved.com
-
-beszel.catmedved.com,
-copypaste.kladovka52.com,
-gameyfin.catmedved.com,
-gitea.catmedved.com,
-music.catmedved.com,
-pdf-tools.catmedved.com,
-pdf-tools.kladovka52.com,
-photo.catmedved.com,
-recepies.catmedved.com {
+*.catmedved.com {
+    import tls_catmedved
    import forward_to_home
 }

-# kladovka52.com
-
-media.kladovka52.com,
-photo.kladovka52.com {
-    import forward_to_kladovka
+copypaste.kladovka52.com,
+pdf-tools.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_home
 }

+*.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_kladovka
+}

 # wg-easy
 vpnwg.ulakar.com {
--- a/hosts/lab-by-02/docker/caddy/docker-compose.yml
+++ b/hosts/lab-by-02/docker/caddy/docker-compose.yml
@@ -11,6 +11,7 @@ services:
    #      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /home/vk/docker/lego/certs/certificates:/etc/caddy/certs:ro
      - caddy_data:/data
      - caddy_config:/config
    environment:
--- a/hosts/lab-by-02/docker/lego/catmedved-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/catmedved-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@catmedved.com
+      - --accept-tos
+      - --dns=namecheap
+      - --domains=catmedved.com
+      - --domains=*.catmedved.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60
--- a/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@kladovka52.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=kladovka52.com
+      - --domains=*.kladovka52.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60
--- a/hosts/lab-by-02/docker/lego/run.sh
+++ b/hosts/lab-by-02/docker/lego/run.sh
@@ -0,0 +1,5 @@
+docker compose -f catmedved-compose.yaml up
+
+docker compose -f kladovka42-compose.yaml up
+
+docker compose -f ulakar-compose.yaml up
--- a/hosts/lab-by-02/docker/lego/secrets.sops.env
+++ b/hosts/lab-by-02/docker/lego/secrets.sops.env
@@ -0,0 +1,12 @@
+NAMECHEAP_API_USER=ENC[AES256_GCM,data:rg+INH0JJNcb,iv:RkdTvt2EZ8zovoReX7BPJkgXR0BC8cF5R1XuR2BoKEk=,tag:kHdkhUK/wLedphhblDQCJQ==,type:str]
+NAMECHEAP_API_KEY=ENC[AES256_GCM,data:4FNq87vNxlg6Xbzj4EaTKNv5j76FbDqjR40F0E8kkD0=,iv:EqjjK7AY479hc03dEVmYer0uI2j5+jDSwka9VF2BuBk=,tag:tSZE8p6QlVUWjcnvN+J92g==,type:str]
+PORKBUN_API_KEY=ENC[AES256_GCM,data:iQ2MBXQ3NWzNaKp0TQ052pi+ZsRqNSomCYLbORIo3oXQW2AmKwZIDotqo6ypD4p/SB9KS5ArshJRBW6wV+qHt6Sdt+c=,iv:SKzXkFI3krehAsrz6TJn8uy/EMY8zi/VMmAm3kumu5o=,tag:rZMqPIOCdqwp9sy1MqEWUw==,type:str]
+PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:MohqAorMfVURpymTqJAPzF7FEWiNh2f75L4XwJjFNwaE3EKlXN/1WASFezoESv5/4/fw1S1XeuXPCdzAWWDlJeo0bpI=,iv:4PROOEMb0SDFaF760vDSyjNQPZQmUw20qsBFjb1lSBo=,tag:yAh/fbdF4ADP4tLX5fwTCA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SU05WXNFMWNrejMrVVFD\nMFUreitrNWhnbnlOUWtadkUyWjFHMG5MaFNnCitpZHNyRTBKdWZaNEJFd1JGaUl5\nWWVNS3djSmpxd2h5OEwrM2lQZ29LMkEKLS0tIHpRKzc1WWxDYlEvemROUDlubkhj\naFlZa2ExV2ZDekwwaW5xaWsyMlFXN1kK9NAxY5WcnIzpjJB4WyRoH37qx/grHdZX\nintmS85J4qzbKM5SqrQm5PCjie+LTdKkKhZAvSk9Xr/9Le/HxT14Ug==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR0xjQ3FkSTI4Zm00djJX\ndlJqZ2F5UjgzM29wUEhGbmhudGtzcFhrR0M0Ckwybk9xcytKZnRPeTBITk1mK1RV\nTkhmandrYkZSNHhoMGd6S1h5N1lYZ28KLS0tIDVEdnp0TmgyTExNY05uL3kvalpO\ndG0ydlBHNWNXVG1aTHIwcFBFa2JNQnMKg3eqZbaZlgPMBydDI7NaLJh57+JT4EOY\nYCPZqcsFXfnogm2sJ7a7/fZcFy2vb0piz9QpTtBfDCYwNK0FJAK8Vw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-23T17:22:43Z
+sops_mac=ENC[AES256_GCM,data:lSsi/0ebF6z+jNNyULF1G0ZYcGGf6A/3jm0JeBbmPZOkFNJVeUC47hg+AB/itOUUYFT8kXT3+1HwWnZQfSjOzEDO7lPZH25D5IM1YhMU//TBN/7se81zjgvV2tA8kofeD03BxYWAbZeAG0J+MHkV1SAN4arL6NnRPV0F0iFAyQ0=,iv:ey7jo/P2SnIVuRyaEL+x9UfETjCMerniakDA4YWIwfo=,tag:NWUl2sFHLCnU5CfhAkrNMw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=ulakar@fastmail.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=ulakar.com
+      - --domains=*.ulakar.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60