Add automated TLS renewal and deployment documentation

Co-Authored-By: Oz <oz-agent@warp.dev>
2026-04-17 08:44:28 +05:30
parent 249bed66e2
commit 08990f6420
15 changed files with 347 additions and 172 deletions
--- a/README.md
+++ b/README.md
@ -1,34 +1,86 @@
 # Nextcloud on Ubuntu via Docker for nxt.bhatfamily.in
-
-This repo deploys Nextcloud using Docker on Ubuntu, fronted by Nginx on:
-
- HTTP: 8082
- HTTPS: 8446
-
-It is intended to serve the hostname **nxt.bhatfamily.in**.
-
+This repository deploys Nextcloud behind Nginx using Docker Compose.
+Exposed ports:
+- HTTP: `8082`
+- HTTPS: `8446`
+Target hostname:
+- `nxt.bhatfamily.in`
+## What changed
+The stack now includes:
+- Fixed Nginx mount path (`nginx/nginx.conf` mapped correctly)
+- Fixed MariaDB command (`mariadbd`)
+- Nginx reverse proxy mode for `nextcloud:apache` (no FastCGI mismatch)
+- Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
+- Automated TLS renewal job support (cron)
 ## Prerequisites
-
- Ubuntu host with Docker and Docker Compose installed
- Static public IP (or Cloudflare Tunnel)
- Domain `bhatfamily.in` managed in Cloudflare
- Basic familiarity with UFW and router port forwarding
-
-## DNS (Cloudflare)
-
-1. In Cloudflare DNS for `bhatfamily.in`, create:
-
-   - Type: A  
-   - Name: `nxt`  
-   - IPv4: your Ubuntu server public IP  
-   - Proxy: DNS only (grey cloud)  
-
-2. Forward ports 8082 and 8446 from your router to the Ubuntu host.
-
-## First-time setup
-
-1. Clone this repo and enter directory:
-
-   ```bash
-   git clone <your-repo-url> nextcloud-docker-nxt.bhatfamily.in
-   cd nextcloud-docker-nxt.bhatfamily.in
+- Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
+- Domain `nxt.bhatfamily.in` in Cloudflare DNS
+- DNS A record for `nxt` pointing to your server public IP (DNS-only)
+- Router/firewall forwarding for ports `8082` and `8446`
+## Initial setup
+1. Create runtime env file:
+```bash
+cp .env.example .env
+```
+2. Edit `.env` with strong values.
+3. Start stack with bootstrap TLS:
+```bash
+./scripts/install.sh
+```
+4. Validate:
+```bash
+./scripts/test.sh
+```
+## Production TLS (Let's Encrypt + Cloudflare DNS-01)
+1. Export credentials in shell:
+```bash
+export CF_DNS_API_TOKEN={{CF_DNS_API_TOKEN}}
+export LETSENCRYPT_EMAIL={{LETSENCRYPT_EMAIL}}
+```
+2. Issue/renew and install production cert:
+```bash
+./scripts/provision-production-tls.sh
+```
+3. Reload Nginx container:
+```bash
+docker compose restart web
+```
+4. Verify cert:
+```bash
+echo | openssl s_client -connect nxt.bhatfamily.in:8446 -servername nxt.bhatfamily.in 2>/dev/null | openssl x509 -noout -subject -issuer -dates
+```
+## Automated renewal job (cron)
+1. Ensure your Cloudflare token export script exists (default path used by renewal wrapper):
+- `~/bin/cloudflare-api-usertoken.sh`
+2. Install/update renewal cron entry:
+```bash
+./scripts/setup-renewal-cron.sh
+```
+This script will:
+- create/update `.tls-renewal.env` (local only, not committed)
+- install a daily cron job (`03:17` by default)
+- write logs to `logs/tls-renew.log`
+3. Manual renewal run (same path cron uses):
+```bash
+./scripts/renew-production-tls.sh
+```
+## Useful commands
+Start/update containers:
+```bash
+docker compose up -d
+```
+Restart all services:
+```bash
+docker compose restart
+```
+Restart web only:
+```bash
+docker compose restart web
+```
+Stop and remove containers/volumes:
+```bash
+./scripts/uninstall.sh
+```
+## Security notes
+- `.env`, `.tls-renewal.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git.
+- If secrets were ever committed earlier, rotate them.