Files
ulicraft-server-v1/plan/15-letsencrypt.md
Oier Bravo Urtasun 35be2e6b76 docs(plan): scrub stale pack subdomain + packwiz from live-arch docs
The pack./packwiz service was removed operationally long ago, but several
plan docs still presented pack. as a live caddy vhost / DNS subdomain and
render-pack.sh as a current tool. Remove those references from the
current-architecture docs (overview, caddy, tooling, uptime-kuma,
letsencrypt, mc-backup); leave the migration log (04-mods.md), superseded
banner (04-packwiz.md), commit history (12-build-order.md), and planned
landing rework (18) intact as deliberate history.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 20:15:22 +02:00

2.8 KiB

TLS — Let's Encrypt (OVH DNS-01) + host nginx ingress

Production serves real, publicly-trusted certs via the host's own nginx. nginx terminates TLS and reverse-proxies every vhost to the caddy container (published localhost-only on ${CADDY_HTTP_PORT}) by Host header. caddy is the internal router; nginx is the public TLS terminator. This is the only ingress path — there are no compose overrides.

Certs: one per name, via OVH DNS-01

tooling/issue-letsencrypt.sh issues a separate cert for the apex and each subdomain (${BASE_DOMAIN}, auth.…, plus the rest of LE_SUBDOMAINS) using acme.sh + the OVH DNS-01 challenge — no inbound ports needed, so it works regardless of public reachability.

One-time setup

  1. Install acme.sh:
    curl https://get.acme.sh | sh -s email=you@example.com
    
  2. OVH API credentials → .env (see .env.example OVH_*, LE_EMAIL, LE_SUBDOMAINS). Create a token at https://eu.api.ovh.com/createToken/ with GET/POST/PUT/DELETE on /domain/zone/*, or leave OVH_CK blank and run the script once — acme.sh prints an authorization URL; visit it, then paste the consumer key into OVH_CK and re-run.

Issue

tooling/issue-letsencrypt.sh               # real certs
LE_STAGING=1 tooling/issue-letsencrypt.sh  # dry run against the LE staging CA

Certs install to certs/<name>/{cert.pem,key.pem} (gitignored). acme.sh adds a cron for renewal; --reloadcmd reloads nginx automatically on renew. Override the reload with RELOAD_CMD=... if nginx isn't systemd-managed.

nginx

  1. Bring the stack up (caddy publishes on 127.0.0.1:${CADDY_HTTP_PORT}):
    docker compose up -d --build
    
  2. Render + install the vhost (nginx/ulicraft-caddy.conf.tmpl):
    tooling/render-nginx.sh --install
    
    This substitutes $BASE_DOMAIN $APP_DIR $CADDY_HTTP_PORT, writes to sites-available, symlinks sites-enabled, runs nginx -t, and reloads nginx. nginx then terminates TLS per vhost (certs under $APP_DIR/certs) and reverse-proxies each Host to caddy on 127.0.0.1:${CADDY_HTTP_PORT}. Ensure www-data can read $APP_DIR/certs.

DNS

Point the public DNS for ${BASE_DOMAIN} and every subdomain (auth. avatar. status. distribution. www.) at the host running nginx. DNS is configured outside this repo. The Minecraft container reaches the stack's own names via caddy's mcnet aliases, not public DNS.

Why DNS-01 (not HTTP-01)

DNS-01 only needs the OVH API, so it issues regardless of public reachability — and ulicraft.net is a real OVH-managed domain, which LE requires (it never issues for .lan/.local). HTTP-01/TLS-ALPN-01 would need public inbound on 80/443. The JVM trusts the resulting Let's Encrypt certs with no CA import.