tmp

Author: joshmoore

proxy-example/dc

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+exec docker compose -f letsencrypt/docker-compose.yml "$@"

proxy-example/docker-compose.yml

@@ -17,7 +17,7 @@ services:
       - "./jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro"
       # Bind Docker socket on the host so we can connect to the daemon from
       # within the container
-      - "/var/run/docker.sock:/var/run/docker.sock:rw"
+      # "/var/run/docker.sock:/var/run/docker.sock:rw"
       # Bind Docker volume on host for JupyterHub database and cookie secrets
       - "jupyterhub-data:/data"
     ports:

proxy-example/letsencrypt/README.md

@@ -0,0 +1,70 @@
+# Let's Encrypt
+
+copied from: https://github.com/mtnygard/jupyterhub-deploy-docker/blob/master/Dockerfile.jupyterhub
+
+This example includes a Docker Compose configuration file that you can
+use to deploy [JupyterHub](https://github.com/jupyter/jupyterhub) with
+TLS certificate and key files generated by [Let's Encrypt](https://letsencrypt.org).
+
+The `docker-compose.yml` configuration file in this example extends the
+JupyterHub service defined in the `docker-compose.yml` file in the root
+directory of this repository.
+
+When you run the JupyterHub Docker container using the configuration
+file in this directory, Docker mounts an additional volume containing
+the Let's Encrypt TLS certificate and key files, and overrides the
+`SSL_CERT` and `SSL_KEY` environment variables to point to these files.
+
+## Create a secrets volume
+
+This example stores the Let's Encrypt TLS certificate and key files in
+a Docker volume, and mounts the volume to the JupyterHub container at
+runtime.
+
+Create a volume to store the certificate and key files.
+
+```
+# Activate Docker machine where JupyterHub will run
+eval "$(docker-machine env jupyterhub)"
+
+docker volume create --name jupyterhub-secrets
+```
+
+## Generate Let's Encrypt certificate and key
+
+Run the `letsencrypt.sh` script to create a TLS full-chain certificate
+and key.
+
+The script downloads and runs the `letsencrypt` Docker image to create a
+full-chain certificate and private key, and stores the files in a Docker
+volume. You must provide a valid, routable, fully-qualified domain name (you
+must own it), and you must activate the Docker machine host that the domain
+points to before you run this script. You must also provide a valid email
+address and the name of the volume you created above.
+
+_Notes:_ The script hard codes several `letsencrypt` options, one of which
+automatically agrees to the Let's Encrypt Terms of Service.
+
+```
+# Activate Docker machine where JupyterHub will run
+eval "$(docker-machine env jupyterhub)"
+
+./letsencrypt.sh \
+  --domain myhost.mydomain \
+  --email me@mydomain \
+  --volume jupyterhub-secrets
+```
+
+## Run JupyterHub container
+
+To run the JupyterHub container using the Let's Encrypt certificate and key,
+set the `SECRETS_VOLUME` environment variable to the name of the Docker volume
+containing the certificate and key files, and run `docker-compose` **from the
+root directory** of this repository while specifying the `docker-compose.yml`
+configuration in this directory:
+
+```
+export SECRETS_VOLUME=jupyterhub-secrets
+
+docker-compose -f examples/letsencrypt/docker-compose.yml up -d
+```

proxy-example/letsencrypt/docker-compose.yml

@@ -0,0 +1,38 @@
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+# JupyterHub docker-compose configuration that uses Let's Encrypt TLS
+# certificate and key.
+
+# Extends the JupyterHub configuration in the root directory of this repository.
+# Mounts an additional secrets volume that stores the Let's Encrypt TLS
+# certificate and key files, and overrides the `SSL_CERT` and `SSL_KEY`
+# environment variables to point to these files.
+
+version: "2"
+
+services:
+  hub:
+    extends: # hub service in repository root directory
+      file: ../docker-compose.yml
+      service: hub
+    volumes:
+      - "secrets:/etc/letsencrypt"
+    environment:
+      SSL_KEY: "/etc/letsencrypt/privkey.pem"
+      SSL_CERT: "/etc/letsencrypt/cert.pem"
+
+# Explicitly declare volume and network dependencies
+# (they cannot be extended)
+volumes:
+  data:
+    external:
+      name: ${DATA_VOLUME_HOST}
+  secrets:
+    external:
+      name: ${SECRETS_VOLUME}
+
+networks:
+  default:
+    external:
+      name: jupyterhub-network

proxy-example/letsencrypt/letsencrypt.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+# Wrapper script that runs https://letsencrypt.org Docker container to generate
+# a certificate for a single domain and store it in a Docker volume.
+
+set -e
+
+USAGE="
+Usage: `basename $0` --domain FQDN --email EMAIL --volume SECRETS_VOLUME
+       [--staging]
+"
+
+while [[ $# > 0 ]]
+do
+key="$1"
+case $key in
+    --domain)
+    FQDN="$2"
+    shift # past argument
+    ;;
+    --email)
+    EMAIL="$2"
+    shift # past argument
+    ;;
+    --volume)
+    SECRETS_VOLUME="$2"
+    shift # past argument
+    ;;
+    --staging)
+    CERT_SERVER=--staging
+    ;;
+    *) # unknown option
+    ;;
+esac
+shift # past argument or value
+done
+
+if [ -z "${FQDN:+x}" ]; then
+	echo "ERROR: Must provide --domain option or set FQDN environment varable"
+  echo "$USAGE" && exit 1
+fi
+
+if [ -z "${EMAIL:+x}" ]; then
+	echo "ERROR: Must provide --email option set EMAIL environment varable"
+  echo "$USAGE" && exit 1
+fi
+
+if [ -z "${SECRETS_VOLUME:+x}" ]; then
+  echo "ERROR: Must provide --volume option or set SECRETS_VOLUME environment varable"
+  echo "$USAGE" && exit 1
+fi
+
+# letsencrypt certificate server type (default is production).
+# Set `CERT_SERVER=--staging` for staging.
+: ${CERT_SERVER=''}
+
+# Generate the cert and save it to the Docker volume
+docker run --rm -it \
+  -p 80:80 \
+  -v $SECRETS_VOLUME:/etc/letsencrypt \
+  quay.io/letsencrypt/letsencrypt:latest \
+  certonly \
+  --non-interactive \
+  --keep-until-expiring \
+  --standalone \
+  --standalone-supported-challenges http-01 \
+  --agree-tos \
+  --force-renewal \
+  --domain "$FQDN" \
+  --email "$EMAIL" \
+  $CERT_SERVER
+
+# Set permissions so nobody can read the cert and key.
+# Also symlink the certs into the root of the /etc/letsencrypt
+# directory so that the FQDN doesn't have to be known later.
+docker run --rm -it \
+  -v $SECRETS_VOLUME:/etc/letsencrypt \
+  --entrypoint=/bin/bash \
+  quay.io/letsencrypt/letsencrypt:latest \
+  -c "find /etc/letsencrypt/* -maxdepth 1 -type l -delete && \
+    ln -s /etc/letsencrypt/live/$FQDN/* /etc/letsencrypt/ && \
+    find /etc/letsencrypt -type d -exec chmod 755 {} +"