From eb25d212ad37f99865bcc2890154018babdac2a1 Mon Sep 17 00:00:00 2001
From: Jesse McDonald
Date: Sun, 26 Sep 2021 02:17:04 -0500
Subject: [PATCH] add overrides to control mod_md (TLS) settings
---
docker-compose.prod.yml | 11 +++++++++++
docker-compose.staging.yml | 11 +++++++++++
docker-compose.yml | 12 +++++++++---
httpd/conf/sites/pacosako-ssl.conf | 11 +++++++----
4 files changed, 38 insertions(+), 7 deletions(-)
create mode 100644 docker-compose.prod.yml
create mode 100644 docker-compose.staging.yml
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..2b94805
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,11 @@
+services:
+ httpd:
+ ports:
+ - "${HTTP_PORT:-80}:80"
+ - "${HTTPS_PORT:-443}:443"
+ environment:
+ MD_CERTIFICATE_AUTHORITY: "https://acme-v02.api.letsencrypt.org/directory"
+ MD_CERTIFICATE_FILE: ""
+ MD_CERTIFICATE_KEY_FILE: ""
+ SERVER_NAME: "pacosako.jessemcdonald.info"
+ command: [ "httpd", "-D", "FOREGROUND" ]
diff --git a/docker-compose.staging.yml b/docker-compose.staging.yml
new file mode 100644
index 0000000..47ce52d
--- /dev/null
+++ b/docker-compose.staging.yml
@@ -0,0 +1,11 @@
+services:
+ httpd:
+ ports:
+ - "${HTTP_PORT:-80}:80"
+ - "${HTTPS_PORT:-443}:443"
+ environment:
+ MD_CERTIFICATE_AUTHORITY: "https://acme-staging-v02.api.letsencrypt.org/directory"
+ MD_CERTIFICATE_FILE: ""
+ MD_CERTIFICATE_KEY_FILE: ""
+ SERVER_NAME: "pacosako-staging.jessemcdonald.info"
+ command: [ "httpd", "-D", "FOREGROUND" ]
diff --git a/docker-compose.yml b/docker-compose.yml
index c23fc62..28f5cff 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
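Review bot: In docker-compose.prod.yml the `ports:` list does not replace the one in docker-compose.yml, because Compose concatenates multi-value options such as `ports` when it merges files. With `HTTP_PORT`/`HTTPS_PORT` unset, a production stack would therefore publish the base file's `8088:80` and `8043:443` alongside `80:80` and `443:443`, leaving two extra listeners exposed on the host. The same applies to the `ports:` block in docker-compose.staging.yml. I would drop `ports:` from the base file and move the `8088`/`8043` mappings into a development-only override (for example the conventional `docker-compose.override.yml`), so that each environment declares its published ports exactly once.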
@@ -1,19 +1,25 @@ services: httpd: + image: paco_sako_httpd build: context: httpd network: host ports: - - "${HTTP_PORT:-80}:80" - - "${HTTPS_PORT:-443}:443" + - "${HTTP_PORT:-8088}:80" + - "${HTTPS_PORT:-8043}:443" networks: - front-tier - back-tier environment: - SERVER_NAME: "${SERVER_NAME:-pacosako.jessemcdonald.info}" + MD_CERTIFICATE_AUTHORITY: "https://acme-staging-v02.api.letsencrypt.org/directory" + MD_CERTIFICATE_FILE: "/usr/local/apache2/conf/testing.crt" + MD_CERTIFICATE_KEY_FILE: "/usr/local/apache2/conf/testing.key" + SERVER_NAME: "pacosako-dev" API_SERVER: "app:80" + command: [ "httpd", "-D", "FOREGROUND", "-D", "STATIC_CERT" ] app: + image: paco_sako_app build: context: app network: host diff --git a/httpd/conf/sites/pacosako-ssl.conf b/httpd/conf/sites/pacosako-ssl.conf index c57b821..8635664 100644 --- a/httpd/conf/sites/pacosako-ssl.conf +++ b/httpd/conf/sites/pacosako-ssl.conf @@ -1,12 +1,15 @@ - #MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory - MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory + MDCertificateAuthority ${MD_CERTIFICATE_AUTHORITY} MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf + + MDCertificateFile ${MD_CERTIFICATE_FILE} + MDCertificateKeyFile ${MD_CERTIFICATE_KEY_FILE} + MDRenewMode manual + MDRequireHttps temporary - MDCertificateFile /usr/local/apache2/conf/testing.crt - MDCertificateKeyFile /usr/local/apache2/conf/testing.key + MDPrivateKeys secp256r1 rsa3072
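Review bot: Nothing in docker-compose.yml says that it is now the development configuration, yet a plain `docker compose up` without `-f docker-compose.prod.yml` or `-f docker-compose.staging.yml` starts httpd with `-D STATIC_CERT`, the Let's Encrypt staging directory and the key at `/usr/local/apache2/conf/testing.key`. If that key pair is copied into the image from the repository (not visible in this hunk), it is effectively public and also ships inside the `paco_sako_httpd` image that the prod and staging overrides run. I would add a comment above `environment:` such as `# development defaults: static test certificate via -D STATIC_CERT; deploy only together with docker-compose.prod.yml or docker-compose.staging.yml`, and a second one on `MD_CERTIFICATE_KEY_FILE` stating that the test key must never be trusted by clients.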