Expect to be using certbot by default
diff --git a/TODO.on.site b/TODO.on.site
index 61ac62b..e9ae803 100644
--- a/TODO.on.site
+++ b/TODO.on.site
@@ -3,9 +3,14 @@
* Set CANONICAL_WEB_URL in `gerrit/environment`
* Enable GitHub OAUTH in `gerrit/environment`
-To build:
-* nginx first because it creates selfsigned certificate `docker-compose build nginx`
-* then everything else `docker-compose build`
+Building using self-signed certificates:
+We always create a temporary, self-signed certificate which
+can be overwritten by certbot. If intending to test with the
+self-signed certificate, build nginx first:
+* `docker-compose build nginx`,
+then everything else:
+* `docker-compose build --build-arg SSL_VARIANT=selfsigned`
+which will register the self-signed certificate with Gerrit.
Get containers up:
* `docker-compose up`
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index 161f286..7ff4958 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -1,22 +1,35 @@
-FROM gerritcodereview/gerrit:3.8.0
+ARG SSL_VARIANT=letsencrypt
+ARG GERRIT_TAG=3.8.0
-COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
-RUN \
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_letsencrypt
+
+# Nothing to do
+
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_selfsigned
+
+ONBUILD COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
+ONBUILD RUN \
keytool -importcert -alias sa-selfsigned -file /var/gerrit/etc/sa-selfsigned.crt \
-keystore /var/gerrit/truststore -storepass uiaeuiae -noprompt && \
rm /var/gerrit/etc/sa-selfsigned.crt
-RUN \
+ONBUILD RUN \
echo | keytool -importkeystore \
-srckeystore /usr/lib/jvm/java-*/lib/security/cacerts \
-destkeystore /var/gerrit/truststore \
-deststorepass uiaeuiae -noprompt
-USER root
-RUN \
+ONBUILD USER root
+ONBUILD RUN \
printf 'JAVA_OPTIONS="%s %s"\n' \
-Djavax.net.ssl.trustStore=/var/gerrit/truststore \
-Djavax.net.ssl.trustStorePassword=uiaeuiae >>/etc/default/gerritcodereview
+
+FROM gerrit_${SSL_VARIANT}
+
+USER root
COPY gerrit/Dockerfile.entrypoint /privileged.sh
RUN chmod 544 /privileged.sh
COPY gerrit/Dockerfile.entrypoint-unprivileged /unprivileged.sh
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 9809c58..2f5ae56 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,18 +1,9 @@
-ARG SSL_VARIANT=selfsigned
-ARG NGINX_TAG=1.25-alpine
-
-
-FROM nginx:${NGINX_TAG} as nginx_letsencrypt
-
-ONBUILD RUN echo "Let's encrypt support not implemented yet."; exit 1
-
-
-FROM nginx:${NGINX_TAG} as nginx_selfsigned
+FROM nginx:1.25-alpine
ARG SELFSIGNED_REQ_HOST
ARG SELFSIGNED_REQ_ALT_NAMES
-ONBUILD RUN test "${SELFSIGNED_REQ_HOST}" || { echo "Require SELFSIGNED_REQ_HOST argument."; exit 1; }
-ONBUILD RUN \
+RUN test "${SELFSIGNED_REQ_HOST}" || { echo "Require SELFSIGNED_REQ_HOST argument."; exit 1; }
+RUN \
apk add openssl && \
printf "DE\nHassia\nEschborn\nSource Arcade\nWeb\n${SELFSIGNED_REQ_HOST}\n\n" | \
openssl req -x509 -nodes -days 14 -newkey rsa:2048 \
@@ -21,9 +12,6 @@
-out /etc/ssl/certs/sa-selfsigned.crt && \
apk del openssl
-
-FROM nginx_${SSL_VARIANT}
-
COPY nginx/Dockerfile.entrypoint /nginx-entrypoint
RUN chmod 544 /nginx-entrypoint