migrate to coreos

website/.dockerignore

@@ -1,2 +0,0 @@
-gitea
-certbot

website/Dockerfile

@@ -8,12 +8,11 @@ RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y nginx certbot python3-pip
 RUN pip3 install sendgrid --break-system-packages
 
-RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me
-USER me
-WORKDIR /home/me
-RUN mkdir nginx certbot
+WORKDIR /root
 
 # TODO make the website code not terrible ;-;
-COPY --chown=me:me html ./html
-COPY --chown=me:me sendgrid.ke[y] ip_update.py ./
-COPY --chown=me:me server.conf entry.sh ./
+COPY html /var/www/html
+COPY sendgrid.key ip.py ./
+COPY server.conf entry.sh ./
+
+CMD ["/bin/bash", "/root/entry.sh"]

website/entry.sh

@@ -2,10 +2,9 @@
 
 # get certs if needed
 certbot certonly --standalone \
-    --http-01-port 8080 \
-    --config-dir ~/certbot \
-    --work-dir ~/certbot/work \
-    --logs-dir ~/certbot/logs \
+    --config-dir /data \
+    --work-dir /data/work \
+    --logs-dir /data/logs \
     --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
     -d matthewtran.com \
     -d www.matthewtran.com \
@@ -14,16 +13,16 @@ certbot certonly --standalone \
 # background process to renew certs and check ip changes
 update() {
     certbot renew --quiet \
-        --config-dir ~/certbot \
-        --work-dir ~/certbot/work \
-        --logs-dir ~/certbot/logs
+        --config-dir /data \
+        --work-dir /data/work \
+        --logs-dir /data/logs
     sleep 86400
 }
 update &
-./ip_update.py &
+python3 ip.py &
 
 # run server
 nginx -c ~/server.conf
-trap 'echo "stopping website..."' TERM
+trap 'echo "stopping website..."' SIGTERM SIGINT
 tail -f /dev/null &
 wait $!

website/server.conf

@@ -1,6 +1,5 @@
 # adapted from /etc/nginx/nginx.conf
 worker_processes auto;
-pid /home/me/nginx/site.pid;
 error_log /dev/stderr;
 
 events {
@@ -15,42 +14,37 @@ http {
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_certificate     /home/me/certbot/live/matthewtran.com/fullchain.pem;
-    ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem;
+    ssl_certificate     /data/live/matthewtran.com/fullchain.pem;
+    ssl_certificate_key /data/live/matthewtran.com/privkey.pem;
 
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
-    access_log            /dev/stdout;
-    client_body_temp_path /home/me/nginx/body;
-    proxy_temp_path       /home/me/nginx/proxy;
-    fastcgi_temp_path     /home/me/nginx/fastcgi;
-    uwsgi_temp_path       /home/me/nginx/uwsgi;
-    scgi_temp_path        /home/me/nginx/scgi;
+    access_log /dev/stdout;
 
     # SSL redirect
     server {
-        listen 8080 default_server;
-        listen [::]:8080 default_server;
+        listen 80 default_server;
+        listen [::]:80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
 
     # default
     server {
-        listen 8443 ssl default_server;
-        listen [::]:8443 ssl default_server;
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
         server_name _;
         return 404;
     }
 
     # website
     server {
-        listen 8443 ssl;
-        listen [::]:8443 ssl;
+        listen 443 ssl;
+        listen [::]:443 ssl;
         server_name matthewtran.com www.matthewtran.com;
 
-        root /home/me/html;
+        root /var/www/html;
         index index.html;
         location / {
             try_files $uri $uri/ =404;
@@ -59,13 +53,13 @@ http {
 
     # gitea
     server {
-        listen 8443 ssl;
-        listen [::]:8443 ssl;
+        listen 443 ssl;
+        listen [::]:443 ssl;
         server_name git.matthewtran.com;
 
         location / {
             client_max_body_size 512M;
-            proxy_pass http://gitea:3000;
+            proxy_pass http://127.0.0.1:3000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;