From 7106df52f16b8b9a6328887c9344fdbf20e23f20 Mon Sep 17 00:00:00 2001 From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com> Date: Mon, 23 Feb 2026 20:35:57 +0300 Subject: [PATCH] use lego to renew certificates on vps refactor caddy config --- hosts/lab-by-02/docker/caddy/Caddyfile | 38 +++++++++++-------- .../lab-by-02/docker/caddy/docker-compose.yml | 1 + .../docker/lego/catmedved-compose.yaml | 18 +++++++++ .../docker/lego/kladovka52-compose.yaml | 18 +++++++++ hosts/lab-by-02/docker/lego/run.sh | 5 +++ hosts/lab-by-02/docker/lego/secrets.sops.env | 12 ++++++ .../lab-by-02/docker/lego/ulakar-compose.yaml | 18 +++++++++ 7 files changed, 94 insertions(+), 16 deletions(-) create mode 100644 hosts/lab-by-02/docker/lego/catmedved-compose.yaml create mode 100644 hosts/lab-by-02/docker/lego/kladovka52-compose.yaml create mode 100644 hosts/lab-by-02/docker/lego/run.sh create mode 100644 hosts/lab-by-02/docker/lego/secrets.sops.env create mode 100644 hosts/lab-by-02/docker/lego/ulakar-compose.yaml diff --git a/hosts/lab-by-02/docker/caddy/Caddyfile b/hosts/lab-by-02/docker/caddy/Caddyfile index 0c50cd6..46558fa 100644 --- a/hosts/lab-by-02/docker/caddy/Caddyfile +++ b/hosts/lab-by-02/docker/caddy/Caddyfile @@ -3,6 +3,14 @@ admin off } +(tls_catmedved) { + tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key +} + +(tls_kladovka52) { + tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key +} + (forward_to_home) { reverse_proxy 10.8.0.3:80 { header_up Host {host} 
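Review bot: The two `tls` snippets move these sites from Caddy-managed certificates to files written by lego, so Caddy no longer renews them and, as far as I know, only re-reads `/etc/caddy/certs/*.crt` and `*.key` when its config is reloaded or the container restarts — nothing in this commit does that after a lego run. A header comment above the snippets would make that contract visible, e.g. `# Certificates come from docker/lego (see lego/run.sh); Caddy loads them at startup, so restart Caddy after a renewal.` The `<apex>.crt`/`<apex>.key` names presumably rely on lego naming its output after the first `--domains` entry, which the compose files satisfy by listing the apex before the wildcard; worth stating in the same comment so the order is not changed casually.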
@@ -17,28 +25,26 @@ } } +# HTTP -> HTTPS +http://*.catmedved.com, http://*.kladovka52.com { + redir https://{host}{uri} permanent +} -# catmedved.com - -beszel.catmedved.com, -copypaste.kladovka52.com, -gameyfin.catmedved.com, -gitea.catmedved.com, -music.catmedved.com, -pdf-tools.catmedved.com, -pdf-tools.kladovka52.com, -photo.catmedved.com, -recepies.catmedved.com { +*.catmedved.com { + import tls_catmedved import forward_to_home } -# kladovka52.com - -media.kladovka52.com, -photo.kladovka52.com { - import forward_to_kladovka +copypaste.kladovka52.com, +pdf-tools.kladovka52.com { + import tls_kladovka52 + import forward_to_home } +*.kladovka52.com { + import tls_kladovka52 + import forward_to_kladovka +} # wg-easy vpnwg.ulakar.com { diff --git a/hosts/lab-by-02/docker/caddy/docker-compose.yml b/hosts/lab-by-02/docker/caddy/docker-compose.yml index 334af09..fa8fcf4 100644 --- a/hosts/lab-by-02/docker/caddy/docker-compose.yml +++ b/hosts/lab-by-02/docker/caddy/docker-compose.yml @@ -11,6 +11,7 @@ services: # - "443:443" volumes: - ./Caddyfile:/etc/caddy/Caddyfile + - /home/vk/docker/lego/certs/certificates:/etc/caddy/certs:ro - caddy_data:/data - caddy_config:/config environment: diff --git a/hosts/lab-by-02/docker/lego/catmedved-compose.yaml b/hosts/lab-by-02/docker/lego/catmedved-compose.yaml new file mode 100644 index 0000000..1fed969 --- /dev/null +++ b/hosts/lab-by-02/docker/lego/catmedved-compose.yaml @@ -0,0 +1,18 @@ +services: + lego: + image: goacme/lego:latest + container_name: lego + restart: "no" + env_file: .env + volumes: + - ./certs:/.lego + command: + - --email=admin@catmedved.com + - --accept-tos + - --dns=namecheap + - --domains=catmedved.com + - --domains=*.catmedved.com + - run + # use renew to update existing certificate(s) + # - renew u +# - --days=60 diff --git a/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml b/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml new file mode 100644 index 0000000..7fb6816 --- /dev/null 
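Review bot: `*.catmedved.com { import tls_catmedved; import forward_to_home }` and `*.kladovka52.com { … import forward_to_kladovka }` replace explicit host lists, so every name under either wildcard — not just the nine hosts the removed block enumerated — is now terminated here and proxied into the home network, and the new `http://*.…` block redirects them too; if that widening is unintended, keep the per-host lists and add only the `import tls_…` line to each. No tls snippet is added for `vpnwg.ulakar.com`, whose block starts on the hunk's last line and continues outside it; if it is meant to use the `ulakar.com` wildcard that `ulakar-compose.yaml` issues in this same commit, a matching `(tls_ulakar)` snippet and `import` are missing. The `copypaste.kladovka52.com, pdf-tools.kladovka52.com` block before the `*.kladovka52.com` one is fine as Caddy prefers the more specific host matcher, but a one-line comment saying those two hosts deliberately go to home rather than kladovka would save the next reader the question.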
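Review bot: The new bind mount hard-codes `/home/vk/docker/lego/certs/certificates`, while the sibling `./Caddyfile` mount is relative and the lego compose files write to `./certs` beside themselves in `docker/lego`; assuming both directories are deployed together as that absolute path suggests, `- ../lego/certs/certificates:/etc/caddy/certs:ro` keeps the two deployments aligned without depending on a user home path. The mount is read-only, which is right, but it also hands the `.key` files of every domain lego issues (including `ulakar.com`) to the Caddy container, not only the two the Caddyfile references — acceptable if Caddy is the only consumer, but worth a comment on the line. The `volumes:` list belongs to a service whose definition begins outside the hunk.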
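Review bot: `image: goacme/lego:latest` is a floating tag, so each run of `run.sh` executes whatever upstream published last, with the registrar API keys from `.env` in its environment; pin a release tag (`goacme/lego:<version>`, placeholder) here and in `kladovka52-compose.yaml` and `ulakar-compose.yaml`, which repeat this service verbatim. `env_file: .env` refers to a file the commit does not add — presumably `secrets.sops.env` decrypted on the host — and a comment such as `# .env = secrets.sops.env decrypted with sops on the host; keep it out of git` would document that step for all three files. The trailing `u` in `# - renew u` looks like a stray keystroke.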
+++ b/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml
@@ -0,0 +1,18 @@
+services:
+ lego:
+ image: goacme/lego:latest
+ container_name: lego
+ restart: "no"
+ env_file: .env
+ volumes:
+ - ./certs:/.lego
+ command:
+ - --email=admin@kladovka52.com
+ - --accept-tos
+ - --dns=porkbun
+ - --domains=kladovka52.com
+ - --domains=*.kladovka52.com
+ - run
+ # use renew to update existing certificate(s)
+ # - renew u
+# - --days=60
diff --git a/hosts/lab-by-02/docker/lego/run.sh b/hosts/lab-by-02/docker/lego/run.sh
new file mode 100644
index 0000000..08bf627
--- /dev/null
+++ b/hosts/lab-by-02/docker/lego/run.sh
@@ -0,0 +1,5 @@
+docker compose -f catmedved-compose.yaml up
+
+docker compose -f kladovka42-compose.yaml up
+
+docker compose -f ulakar-compose.yaml up
diff --git a/hosts/lab-by-02/docker/lego/secrets.sops.env b/hosts/lab-by-02/docker/lego/secrets.sops.env
new file mode 100644
index 0000000..62af67c
--- /dev/null
+++ b/hosts/lab-by-02/docker/lego/secrets.sops.env
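Review bot: `docker compose -f kladovka42-compose.yaml up` names a file that does not exist — the commit adds `kladovka52-compose.yaml` — so the second issuance never runs, and the error passes silently because the script has no shebang and no `set -e`; it also depends on being started from `docker/lego`, since the `-f` paths are relative. Running the three one-shot services with `run --rm lego` instead of `up` would return each container's exit status (which `compose up` does not reliably propagate to the shell) and avoid leaving a stopped container behind between invocations. Nothing afterwards makes Caddy re-read the new files; with `admin off` in the Caddyfile a `caddy reload` is unavailable, so the final step is presumably a restart of the Caddy service from `../caddy/docker-compose.yml`.
```sh
#!/usr/bin/env sh
set -eu
cd "$(dirname "$0")"
docker compose -f catmedved-compose.yaml run --rm lego
docker compose -f kladovka52-compose.yaml run --rm lego
docker compose -f ulakar-compose.yaml run --rm lego
# TODO: restart the Caddy service from ../caddy/docker-compose.yml so it reloads /etc/caddy/certs
```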
@@ -0,0 +1,12 @@
+NAMECHEAP_API_USER=ENC[AES256_GCM,data:rg+INH0JJNcb,iv:RkdTvt2EZ8zovoReX7BPJkgXR0BC8cF5R1XuR2BoKEk=,tag:kHdkhUK/wLedphhblDQCJQ==,type:str]
+NAMECHEAP_API_KEY=ENC[AES256_GCM,data:4FNq87vNxlg6Xbzj4EaTKNv5j76FbDqjR40F0E8kkD0=,iv:EqjjK7AY479hc03dEVmYer0uI2j5+jDSwka9VF2BuBk=,tag:tSZE8p6QlVUWjcnvN+J92g==,type:str]
+PORKBUN_API_KEY=ENC[AES256_GCM,data:iQ2MBXQ3NWzNaKp0TQ052pi+ZsRqNSomCYLbORIo3oXQW2AmKwZIDotqo6ypD4p/SB9KS5ArshJRBW6wV+qHt6Sdt+c=,iv:SKzXkFI3krehAsrz6TJn8uy/EMY8zi/VMmAm3kumu5o=,tag:rZMqPIOCdqwp9sy1MqEWUw==,type:str]
+PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:MohqAorMfVURpymTqJAPzF7FEWiNh2f75L4XwJjFNwaE3EKlXN/1WASFezoESv5/4/fw1S1XeuXPCdzAWWDlJeo0bpI=,iv:4PROOEMb0SDFaF760vDSyjNQPZQmUw20qsBFjb1lSBo=,tag:yAh/fbdF4ADP4tLX5fwTCA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SU05WXNFMWNrejMrVVFD\nMFUreitrNWhnbnlOUWtadkUyWjFHMG5MaFNnCitpZHNyRTBKdWZaNEJFd1JGaUl5\nWWVNS3djSmpxd2h5OEwrM2lQZ29LMkEKLS0tIHpRKzc1WWxDYlEvemROUDlubkhj\naFlZa2ExV2ZDekwwaW5xaWsyMlFXN1kK9NAxY5WcnIzpjJB4WyRoH37qx/grHdZX\nintmS85J4qzbKM5SqrQm5PCjie+LTdKkKhZAvSk9Xr/9Le/HxT14Ug==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR0xjQ3FkSTI4Zm00djJX\ndlJqZ2F5UjgzM29wUEhGbmhudGtzcFhrR0M0Ckwybk9xcytKZnRPeTBITk1mK1RV\nTkhmandrYkZSNHhoMGd6S1h5N1lYZ28KLS0tIDVEdnp0TmgyTExNY05uL3kvalpO\ndG0ydlBHNWNXVG1aTHIwcFBFa2JNQnMKg3eqZbaZlgPMBydDI7NaLJh57+JT4EOY\nYCPZqcsFXfnogm2sJ7a7/fZcFy2vb0piz9QpTtBfDCYwNK0FJAK8Vw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-23T17:22:43Z
+sops_mac=ENC[AES256_GCM,data:lSsi/0ebF6z+jNNyULF1G0ZYcGGf6A/3jm0JeBbmPZOkFNJVeUC47hg+AB/itOUUYFT8kXT3+1HwWnZQfSjOzEDO7lPZH25D5IM1YhMU//TBN/7se81zjgvV2tA8kofeD03BxYWAbZeAG0J+MHkV1SAN4arL6NnRPV0F0iFAyQ0=,iv:ey7jo/P2SnIVuRyaEL+x9UfETjCMerniakDA4YWIwfo=,tag:NWUl2sFHLCnU5CfhAkrNMw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
diff --git a/hosts/lab-by-02/docker/lego/ulakar-compose.yaml b/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
new file mode 100644
index 0000000..a9d31de
--- /dev/null
+++ b/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
@@ -0,0 +1,18 @@
+services:
+ lego:
+ image: goacme/lego:latest
+ container_name: lego
+ restart: "no"
+ env_file: .env
+ volumes:
+ - ./certs:/.lego
+ command:
+ - --email=ulakar@fastmail.com
+ - --accept-tos
+ - --dns=porkbun
+ - --domains=ulakar.com
+ - --domains=*.ulakar.com
+ - run
+ # use renew to update existing certificate(s)
+ # - renew u
+# - --days=60
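Review bot: The four credentials here are registrar-level DNS API keys (Namecheap user/key, Porkbun key/secret), and because all three compose files load the same `.env`, every lego container receives both registrars' keys although `catmedved-compose.yaml` needs only the Namecheap pair and the other two only the Porkbun pair; splitting the decrypted output into per-provider env files (`env_file: namecheap.env` / `env_file: porkbun.env`) limits what a single run — or the unpinned image it executes — can reach. The values are sops/age-encrypted with two recipients and a MAC, which is fine for the repository; the decrypted `.env` that `env_file` expects on the host is the copy to protect (owner-only permissions, excluded from git). Variable names are stored in clear, as sops does for dotenv files, so the set of providers is visible to anyone with repository access — expected, just noting it.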