From 857a85a92d9e71ac41e21b586744317c9de76894 Mon Sep 17 00:00:00 2001
From: Liam Keegan
Date: Mon, 13 Jan 2025 14:29:12 +0100
Subject: [PATCH] Add documentation on running certbot, update docker-compose.yml
---
 README_DEPLOYMENT.md | 37 ++++++++++++++++++-------------------
 docker-compose.yml | 18 +++++++++++++++++-
 frontend/nginx.conf | 7 +++++--
 3 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/README_DEPLOYMENT.md b/README_DEPLOYMENT.md
index 14c8ad3..cece438 100644
--- a/README_DEPLOYMENT.md
+++ b/README_DEPLOYMENT.md
@@ -5,16 +5,8 @@ Some information on how to deploy the website.
 ## Production deployment
 Production docker container images are automatically built by CI.
-To deploy the latest version on a virtual machine with docker compose installed,
-download [docker-compose.yml](https://raw.githubusercontent.com/ssciwr/predicTCR/main/docker-compose.yml), then do
-
-```
-sudo docker compose pull && sudo docker compose up -d && sudo docker system prune -af
-```
-
-The same command can be used to update the running website to use the latest available docker images.
-The location of data directory, SSL keys and secret key should be set
+Before running them, the location of the data directory, SSL keys and secret key should be set
 either in env vars or in a file `.env` in the same location as the docker compose.yml.
 For example the current test deployment on heicloud looks like this: 
@@ -26,29 +18,36 @@ PREDICTCR_SSL_KEY="/etc/letsencrypt/live/predictcr.com/privkey.pem"
 PREDICTCR_JWT_SECRET_KEY="abc123" # to generate a new secret key: `python -c "import secrets; print(secrets.token_urlsafe(64))"`
 ```
-The current status of the containers can be checked with
+### docker compose
+
+To deploy the latest version on a virtual machine with docker compose installed,
+download [docker-compose.yml](https://raw.githubusercontent.com/ssciwr/predicTCR/main/docker-compose.yml), then do
+
+```
+sudo docker compose pull && sudo docker compose up -d && sudo docker system prune -af
+```
+
+The same command can be used to update the running website to use the latest available docker images.
+
+The current status of the running containers can be checked with
 ```
 sudo docker compose ps
 sudo docker compose logs
 ```
-### SSL certificate
+### SSL certificates
-To generate SSL certificates for domain `domain.com` from [Let's Encrypt](https://letsencrypt.org/) using [Certbot](https://certbot.eff.org/):
+To generate SSL certificates for the domain `predictcr.com` from [Let's Encrypt](https://letsencrypt.org/) using [Certbot](https://certbot.eff.org/):
 ```
-sudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p80:80 -p443:443 certbot/certbot certonly -d domain.com
+sudo docker run -it --rm -v/etc/letsencrypt:/etc/letsencrypt -v/var/www/certbot:/var/www/certbot certbot/certbot certonly --webroot --webroot-path /var/www/certbot/ -n -d predictcr.com
 ```
-choose option 1, certs will be saved to `/etc/letsencrypt/live/domain.com/`
-
-They need renewing every three months, to update the certificate manually:
+The certificates needs renewing every three months, which can be done manually using the same command. To automatically renew once a week you can use cron, e.g. 
`sudo crontab -e`, then add the following line:
 ```
-sudo docker compose down
-sudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p80:80 -p443:443 certbot/certbot renew
-sudo docker compose up -d
+0 0 * * 0 docker run -it --rm -v/etc/letsencrypt:/etc/letsencrypt -v/var/www/certbot:/var/www/certbot certbot/certbot certonly --webroot --webroot-path /var/www/certbot/ -n -d predictcr.com
 ```
 ### Give users admin rights
diff --git a/docker-compose.yml b/docker-compose.yml
index 9404d7e..fdc397e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,6 +8,11 @@ services:
 - JWT_SECRET_KEY=${PREDICTCR_JWT_SECRET_KEY:-}
 networks:
 - predictcr-network
+ logging:
+ driver: "local"
+ options:
+ max-size: 20m
+ max-file: 25
 frontend:
 image: ghcr.io/ssciwr/predictcr_frontend:${PREDICTCR_DOCKER_IMAGE_TAG:-latest}
 build: ./frontend
@@ -17,15 +22,26 @@ services:
 volumes:
 - ${PREDICTCR_SSL_CERT:-./cert.pem}:/predictcr_ssl_cert.pem
 - ${PREDICTCR_SSL_KEY:-./key.pem}:/predictcr_ssl_key.pem
- - ${PREDICTCR_CERTBOT_WWW:-/var/www/certbot}:/var/www/certbot:ro
+ # to allow certbot to renew SSL certificates:
+ - /var/www/certbot:/var/www/certbot:ro
 networks:
 - predictcr-network
+ logging:
+ driver: "local"
+ options:
+ max-size: 20m
+ max-file: 25
 email:
 image: "boky/postfix"
 environment:
 - ALLOW_EMPTY_SENDER_DOMAINS="true"
 networks:
 - predictcr-network
+ logging:
+ driver: "local"
+ options:
+ max-size: 20m
+ max-file: 3
 networks:
 predictcr-network:
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index d7110f8..4a35f90 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -1,4 +1,5 @@
 server {
+ # allow certbot to renew SSL certificates using port 80
 listen 80;
 listen [::]:80; 
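Review bot: The `logging` block added to the backend service mixes a quoted `driver: "local"` with unquoted option values `max-size: 20m` and `max-file: 25`; the `25` is parsed as a YAML integer, which Compose v2 coerces but the older python `docker-compose` rejects as an invalid option type, so quote both, `max-size: "20m"` and `max-file: "25"`, to match the driver line. The same five lines are repeated for `frontend` and `email` in the next hunk of this file, differing only in `max-file`; an `x-logging: &default-logging` extension field at the top of the file, aliased with `logging: *default-logging` in each service, would keep the retention policy in one place (the email service could keep its own block if the lower file count is intentional). A one-line comment stating the intended per-container retention (20m x 25 files) would also help the next person tuning this.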
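Review bot: The frontend still receives its certificate and key as single-file bind mounts (`${PREDICTCR_SSL_CERT:-./cert.pem}:/predictcr_ssl_cert.pem` and the key line below it), while the README in this same commit points those variables at `/etc/letsencrypt/live/predictcr.com/...` and documents a weekly cron renewal; nothing in the compose file or the cron line restarts or reloads nginx afterwards. Docker resolves a bind-mounted file path when the container starts and nginx reads the certificate at startup, so the running container appears likely to keep serving the old certificate after certbot writes a new one until it is restarted — the documented renewal should end with `docker compose restart frontend`, or the whole `/etc/letsencrypt` directory should be mounted together with a periodic nginx reload. The documented cron line also runs `docker run -it`; cron provides no TTY, so `-t` will make the command refuse to start and `-it` should be dropped there. The new hard-coded `/var/www/certbot` host path replaces the `PREDICTCR_CERTBOT_WWW` override that the cert and key mounts beside it still have; if that is intentional, extend the added comment to say so.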
@@ -9,14 +10,16 @@ server {
 root /var/www/certbot;
 }
+ # forward anything else to https://predictcr.com
 location / {
 return 301 https://predictcr.com$request_uri;
 }
 }
 server {
- server_name www.predictcr.com;
- return 301 $scheme://predictcr.com$request_uri;
+ # redirect www.predictcr to predictcr.com
+ server_name www.predictcr.com;
+ return 301 $scheme://predictcr.com$request_uri;
 }
 server {
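Review bot: The `server_name www.predictcr.com;` block re-indented here redirects with `$scheme://`, so it is evidently meant to answer HTTPS requests for the www host too, yet the certbot command this commit documents requests a certificate for `-d predictcr.com` only; if this block listens on 443 (its `listen` directive is outside the hunk), browsers opening https://www.predictcr.com would get a certificate name mismatch before the redirect is ever sent. Add `-d www.predictcr.com` to the documented certbot invocation and the cron line so the certificate covers both names, or restrict this block to port 80 and say so in the comment. The new comment would also read more precisely as `# redirect www.predictcr.com to predictcr.com`.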