@curiousercreative
Last active February 6, 2025 18:13
snikket behind reverse proxy
Compose file:

```yaml
services:
  snikket_proxy:
    container_name: snikket-proxy
    image: snikket/snikket-web-proxy:stable
    env_file: snikket.conf
    network_mode: host
    volumes:
      - snikket_data:/snikket
    restart: "unless-stopped"
  snikket_portal:
    container_name: snikket-portal
    image: snikket/snikket-web-portal:stable
    network_mode: host
    env_file: snikket.conf
    restart: "unless-stopped"
  snikket_server:
    container_name: snikket
    image: snikket/snikket-server:stable
    network_mode: host
    volumes:
      - snikket_data:/snikket
      - /some/abs/path/etc/prosody/certs/domain.tld.key:/etc/prosody/certs/domain.tld.key
      - /some/abs/path/etc/prosody/certs/domain.tld.crt:/etc/prosody/certs/domain.tld.crt
      - /some/abs/path/etc/sv/prosody/wait-for-certs:/etc/sv/prosody/wait-for-certs
    env_file: snikket.conf
    restart: "unless-stopped"
volumes:
  snikket_data:
```
wait-for-certs:

```sh
#!/bin/sh -e
CERT_PATH_LE_LIVE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN_ASCII"
CERT_PATH="/etc/prosody/certs/$SNIKKET_DOMAIN.crt"

# Exit successfully as soon as the (bind-mounted) certificate is in place.
check_cert_path() {
    if test -f "$CERT_PATH"; then
        exit 0
    fi
}

# Fallback: if a Let's Encrypt live directory exists, import it with prosodyctl
# and re-check the expected certificate path.
check_cert_path_le_live() {
    if test -d "$CERT_PATH_LE_LIVE"; then
        prosodyctl --root cert import /snikket/letsencrypt/live
        check_cert_path
    fi
}

# Shell functions are invoked by name, without parentheses.
check_cert_path
check_cert_path_le_live
while sleep 10; do
    check_cert_path_le_live
done
```
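A stricter readiness check for the bind-mounted case above, added here as an example and not part of the gist or of Snikket's own wait-for-certs: it waits for both `DOMAIN.crt` and `DOMAIN.key`, confirms they are PEM-encoded, refuses to proceed if the key is readable by group or others, and gives up after a deadline instead of polling forever. The function names, return codes and the `CERT_DIR`/`DOMAIN` arguments are assumptions; the Let's Encrypt import branch is deliberately left out.

```sh
# Hypothetical replacement for the polling loop in wait-for-certs (added example).
# Returns 0 when DOMAIN.crt and DOMAIN.key are present, PEM-encoded and the key
# is mode 0600/0400-style; 2 if the key is group/world readable; 1 on timeout.
# Usage: wait_for_certs CERT_DIR DOMAIN TIMEOUT_SECONDS [POLL_SECONDS]

cert_ready() {
    # $1 = cert dir, $2 = domain; both files must exist, be non-empty and look like PEM.
    test -s "$1/$2.crt" && test -s "$1/$2.key" \
        && grep -q -e '-----BEGIN CERTIFICATE-----' "$1/$2.crt" \
        && grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1/$2.key"
}

key_mode_ok() {
    # Reject a private key whose group/other bits are set (e.g. 0644 from a careless bind mount).
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

wait_for_certs() {
    dir=$1; domain=$2; timeout=$3; poll=${4:-10}
    elapsed=0
    while :; do
        if cert_ready "$dir" "$domain"; then
            if key_mode_ok "$dir/$domain.key"; then
                return 0
            fi
            echo "refusing to start: $dir/$domain.key is readable by group/others" >&2
            return 2
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $dir/$domain.crt and .key" >&2
            return 1
        fi
        sleep "$poll"
        elapsed=$((elapsed + poll))
    done
}
```

In the gist's layout the call would be `wait_for_certs /etc/prosody/certs "$SNIKKET_DOMAIN" 300`, with a non-zero exit stopping the service from starting with a missing or over-permissive key.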
curiousercreative commented Feb 6, 2025

This is a proposal for a reverse-proxied setup where certificates are handled out of band. As such, we no longer need the "certs" service, and we need to update how we detect the certs' existence.

To explore further:

  1. referencing SNIKKET_DOMAIN in compose file for certificate mount destination
  2. how to not require absolute file paths for bind mounting certs
  3. update wait-for-certs upstream or in Dockerfile?
  4. reconsider network-mode: host for portal and proxy and instead expose the one or two ports they require.
