
Add automated Let's Encrypt support via certbot#185

Open

madest92 wants to merge 2 commits into mattermost:main from madest92:certbot

Conversation

@madest92

@madest92 madest92 commented Apr 2, 2026

Summary

Adds automated Let's Encrypt certificate management using Certbot.

This introduces two optional Docker Compose services:

  • certbot-init – performs the initial certificate issuance using standalone mode
  • certbot-renew – runs in the background and periodically renews certificates

Nginx is reloaded automatically after successful renewal using kill -HUP 1

@coderabbitai

coderabbitai bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a8e23fcc-c82b-4fed-9e91-c78d7f5f5a16

📥 Commits

Reviewing files that changed from the base of the PR and between f7a914e and 22b63f1.

📒 Files selected for processing (1)
  • docker-compose.nginx.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker-compose.nginx.yml

📝 Walkthrough

Adds two Certbot services to docker-compose for one-time certificate issuance and continuous renewal, and updates environment file comments explaining the ACME workflow and an optional GitLab PKI chain variable.

Changes

Cohort / File(s): Certbot services (docker-compose.nginx.yml)
Summary: Added certbot-init (profile: acme-init) for one-time certbot certonly using HTTP-01 on ${HTTP_PORT} (checks existing cert and exits if present), and certbot-renew (profile: acme) that loops certbot renew against ${DOMAIN}, mounts cert directories and shared-webroot, depends on nginx, and triggers nginx reload via deploy hook.

Cohort / File(s): Environment docs (env.example)
Summary: Updated comments to document running docker compose with acme-init then acme profiles for Let's Encrypt automation, and added an optional GITLAB_PKI_CHAIN_PATH explanation (commented example).

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Compose as Docker Compose
    participant CertInit as certbot-init
    participant LE as "Let's Encrypt"
    participant FS as File System
    participant Nginx
    participant CertRenew as certbot-renew

    User->>Compose: Run with acme-init profile
    Compose->>CertInit: Start certbot-init
    CertInit->>FS: Check /etc/letsencrypt/live/$DOMAIN
    alt certificate missing
        CertInit->>LE: Request cert via HTTP-01 on ${HTTP_PORT}
        LE->>CertInit: HTTP-01 challenge
        CertInit->>LE: Respond to challenge
        LE->>FS: Issue and store certificate
    end
    FS-->>Compose: Certificates available

    User->>Compose: Run with acme profile
    Compose->>Nginx: Start nginx
    Compose->>CertRenew: Start certbot-renew
    loop periodic
        CertRenew->>LE: certbot renew for ${DOMAIN}
        alt renewed
            LE->>FS: Update certificate files
            CertRenew->>Nginx: deploy hook (kill -HUP 1)
            Nginx->>Nginx: Reload configuration
        end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding automated Let's Encrypt support via certbot to the Docker Compose configuration.
Description check ✅ Passed The description is directly related to the changeset, explaining the purpose of the two new Docker Compose services and how they integrate with nginx.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
docker-compose.nginx.yml (1)

33-54: Add restart policy to the renewal sidecar.

If sh or certbot exits unexpectedly, auto-renewal stops until manual intervention. Set a restart policy like the other services.

🔧 Proposed diff
   certbot-renew:
     image: certbot/certbot
     profiles: ["acme"]
+    restart: ${RESTART_POLICY}
     depends_on:
       - nginx
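Review bot: the added `restart: ${RESTART_POLICY}` line only gives the renewal sidecar a policy if RESTART_POLICY is actually set in the env file; when the variable is unset, Compose substitutes an empty string, so the service ends up with an empty restart value rather than the intended one. Since the comment itself names `unless-stopped` or `always` as acceptable values, consider a default in the interpolation, e.g. `restart: ${RESTART_POLICY:-unless-stopped}`, so the certbot-renew loop is still brought back after an unexpected exit even when the variable is missing.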
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker-compose.nginx.yml`:
- Around line 63-74: The entrypoint script calling certbot certonly is missing
an email parameter and references $HTTP_PORT which isn't set in the service
environment; update the service environment to include HTTP_PORT and an email
variable (e.g., CERTBOT_EMAIL or EMAIL) and modify the certbot invocation in the
entrypoint to pass that email via --email "$CERTBOT_EMAIL" (and keep --agree-tos
--non-interactive). Ensure the environment block contains DOMAIN, HTTP_PORT, and
the chosen email variable so the shell script sees them at container start.

---

Nitpick comments:
In `@docker-compose.nginx.yml`:
- Around line 33-54: The certbot-renew service lacks a Docker restart policy so
if sh or certbot exits auto-renewal stops; update the certbot-renew service
(look for the certbot-renew block and its entrypoint) to include a restart
policy (e.g., restart: unless-stopped or restart: always) matching the other
services so the container is automatically restarted on unexpected exits.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 388d7242-a2ff-449d-866b-f397cc82c86d

📥 Commits

Reviewing files that changed from the base of the PR and between 1423a77 and f7a914e.

📒 Files selected for processing (2)
  • docker-compose.nginx.yml
  • env.example
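As an added worked example (not the PR's compose file or entrypoint, and not CodeRabbit's suggested fix), the following POSIX shell script implements the two sidecar flows described in the PR summary, the walkthrough and the inline review comment above: the certbot-init path that checks for an existing certificate before running `certbot certonly` in standalone mode on `$HTTP_PORT`, including the `--email` flag and a check that the variables the review found missing from the service environment are actually set, and the certbot-renew path that loops `certbot renew` with a deploy hook that sends `kill -HUP 1`. The certificate layout under `/etc/letsencrypt/live/<domain>/`, the webroot path `/var/www/certbot`, the variable names `CERTBOT_EMAIL`, `RENEW_INTERVAL`, `SHARED_WEBROOT` and `LETSENCRYPT_DIR`, and the `init`/`renew` mode arguments are assumptions of this example, not names from the PR. For `kill -HUP 1` to reach the nginx master from a separate container, the renew sidecar has to share nginx's PID namespace (for example `pid: "service:nginx"` in Compose); the PR text does not say how it achieves this, so that is also an assumption here.

```shell
#!/bin/sh
# Added example, not the PR's own entrypoint: the issuance-check and renewal-loop
# logic of the two certbot sidecars, written as functions so each piece can be run alone.
# Assumptions (not from the PR): certbot's default layout under $LETSENCRYPT_DIR/live/<domain>/,
# a shared webroot at $SHARED_WEBROOT that nginx serves for /.well-known/acme-challenge/,
# and that this container shares nginx's PID namespace so `kill -HUP 1` reaches the nginx master.
set -eu

CERTBOT="${CERTBOT:-certbot}"                 # overridable so the logic can be exercised without the real binary
LETSENCRYPT_DIR="${LETSENCRYPT_DIR:-/etc/letsencrypt}"
SHARED_WEBROOT="${SHARED_WEBROOT:-/var/www/certbot}"
RENEW_INTERVAL="${RENEW_INTERVAL:-43200}"     # seconds between renew attempts (12h, certbot's recommended cadence)

# cert_present DIR DOMAIN: succeed only if a complete certificate pair already exists for DOMAIN.
cert_present() {
    live="$1/live/$2"
    [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]
}

# require_env NAME...: fail early with a clear message if any required variable is unset or empty.
# The review comment above found HTTP_PORT and the email variable missing from the service environment;
# checking here makes that a startup error instead of a silently wrong certbot invocation.
require_env() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    [ -z "$missing" ] || { echo "missing required environment:$missing" >&2; return 1; }
}

# issue_cert: the certbot-init path. Exits 0 without contacting the CA when a cert is already present.
issue_cert() {
    require_env DOMAIN HTTP_PORT CERTBOT_EMAIL
    if cert_present "$LETSENCRYPT_DIR" "$DOMAIN"; then
        echo "certificate for $DOMAIN already present, skipping issuance"
        return 0
    fi
    # Standalone mode: certbot answers the HTTP-01 challenge itself on HTTP_PORT, since nginx
    # cannot start without a certificate yet.
    "$CERTBOT" certonly --standalone --http-01-port "$HTTP_PORT" \
        --config-dir "$LETSENCRYPT_DIR" \
        -d "$DOMAIN" --email "$CERTBOT_EMAIL" --agree-tos --non-interactive
}

# renew_once: one pass of the certbot-renew path. certbot only renews a lineage close to expiry and
# runs the deploy hook only when a renewal actually happened, so nginx is not reloaded on every tick.
renew_once() {
    require_env DOMAIN
    "$CERTBOT" renew --cert-name "$DOMAIN" \
        --webroot -w "$SHARED_WEBROOT" \
        --config-dir "$LETSENCRYPT_DIR" \
        --non-interactive --quiet \
        --deploy-hook "kill -HUP 1"
}

# renew_loop: keep the sidecar alive across failed attempts instead of exiting on the first error.
renew_loop() {
    while :; do
        renew_once || echo "renew attempt failed; retrying in ${RENEW_INTERVAL}s" >&2
        sleep "$RENEW_INTERVAL"
    done
}

case "${1:-}" in
    init)  issue_cert ;;
    renew) renew_loop ;;
    *)     ;;   # no mode given: only define the functions (e.g. when sourced)
esac
```

Run with `init` for the one-shot issuance and `renew` for the background loop. With `CERTBOT` pointed at a stub, `cert_present` and the short-circuit in `issue_cert` can be exercised without contacting Let's Encrypt. Because `certbot renew` runs the deploy hook only when a certificate was actually renewed, the `kill -HUP 1` reload happens once per renewal rather than once per loop pass, and a failed attempt is logged and retried on the next tick instead of taking the sidecar down.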

@madest92
Author

madest92 commented Apr 2, 2026

@coderabbitai approve

@coderabbitai

coderabbitai bot commented Apr 2, 2026

✅ Actions performed

Comments resolved and changes approved.
