mirror of
https://github.com/tomav/docker-mailserver.git
synced 2024-06-28 04:01:20 +02:00
4f91620a7f
Below commit messages are roughly equivalent to what is listed on the PR. The PR provides additional linked resources for reference to support commit message statements. --- * docs: Add CT log warning - Added a warning to make users aware that using a public CA like _Let's Encrypt_ will publicly log information that may be somewhat sensitive, or undesirable to have historic records made public which cannot be redacted. * docs: Revise the manual `certbot` guide - The `letsencrypt` repo that was linked early in this guide now redirects to the [Certbot repo](https://github.com/certbot/certbot). - More explicit volume mount instruction for CertBot; the local location was a tad vague. - Better clarified `/etc/letsencrypt/live` contents structure, as well as FQDN info. Removed the misleading `fqdn:` from `docker-compose.yml` example snippet. * docs: Revise certbot with Docker guide - General rewrite of the Docker Certbot section with additional tips (_renewals with automation, and using a alternative CA_). - Generalized tone and paths in content. - Update volume mount paths to be consistent with recent normalization effort. - Moved some instructions into inline-comments for script examples instead. * docs: Revise Docker with `nginx-proxy` and `acme-companion` - Break apart into individual steps, indenting content into the step as appropriate. - Use normalized volume paths (`docker-data/<service>/` prefix). - `letsencrypt-nginx-proxy-companion` has _changed project name to `acme-companion`_, and _transferred to new maintainers and the `nginx-proxy` organization_. This also affects the DockerHub image references. - `acme-companion` has _switched from using `simp_le` to `acme.sh`_ for provisioning certificates. This requires mounting an additional volume for persisting provisioner state. - The dummy container (_webmail_) is no longer `library/nginx`, just [`nginx`](https://hub.docker.com/_/nginx). This container also doesn't appear to be required. I've verified that the ENV can be given to the `mailserver` service container directly. Retained for now. * docs: Revise Docker Compose with `nginx-proxy` and `acme-companion` Heavy rewrite of this section. Like the previous commit mentions, this content was outdated. It has been simplified with improved documentation and reference links. It also looks like there was a mistake in the existing config example as it uses the regular `nginx` image instead of `nginx-proxy`. - The bulk of the `mailserver` service has been removed, users are advised to have an existing `docker-compose.yml` config for `docker-mailserver` and update only what is relevant to integrate with the cert provisioner. - `DEBUG` is _false_ by default. - The `networks:` portion of the example appears to be taken from upstream, _which that has since dropped it_. While we could continue to document this, I consider it more of an advanced config detail that we don't need to touch on in our docs. - The `htpasswd` volume is unnecessary, only relevant if using _"Basic Authentication"_ to protect access to web service endpoints. `conf.d/` is also not required by default, it can be useful for the `standalone` mode (_documented as a `tip`_). Remaining volumes have inline-comments to document their purpose. - `volumes_from:` is _not supported in v3 Compose format_, _only v2_ and the Docker CLI. I did not want to advise v2, so I've duplicated the volumes between the two containers instead. Internally `acme-companion` would rely on `volumes_from:` to identify the `nginx-proxy` container, it _provides alternative discovery methods_, the label is outdated and refers the legacy label (_their script logic is the same_); using the ENV `NGINX_PROXY_CONTAINER` seemed most appropriate and has been added. - Upstream `acme-companion` docs only cover support for v2 Compose format. _There is a note regarding `nginx-proxy`_ having _volumes configured in it's Dockerfile_. Providing a volume for `/etc/nginx/dhparam` is required to avoid creating anonymous volumes each run of `nginx-proxy`. I've used a named data volume here to make it stick out more, it's not desirable and upstream should fix this, then we can drop it. - I've also opted to only demonstrate the _Two Container (Basic) setup_ that upstream documents. Previously our docs have been showing _`docker-gen` with the Three Container (Advanced) setup_, which allows for not having the Docker API socket attached as a volume to a container exposed to the web. This reduces the security a bit, and I have not mentioned that on our docs. I could caution the reader with a link to upstream about the risk, but I don't think we should maintain the `docker-gen` setup. * docs(fix): Update anchor links These mismatched the current section headers they were meant to link to. |
||
|---|---|---|
| .. | ||
| advanced | ||
| best-practices | ||
| security | ||
| troubleshooting | ||
| user-management | ||
| environment.md | ||
| pop3.md | ||
| setup.sh.md | ||