
Add automated Let's Encrypt support via certbot#185

Open
madest92 wants to merge 4 commits into
mattermost:mainfrom
madest92:certbot

Conversation


@madest92 madest92 commented Apr 2, 2026

Contributor

Summary

Adds automated Let's Encrypt certificate management using Certbot.

This introduces two optional Docker Compose services:

  • certbot-init – performs the initial certificate issuance using standalone mode
  • certbot-renew – runs in the background and periodically renews certificates

Nginx is reloaded automatically after successful renewal using kill -HUP 1.


coderabbitai Bot commented Apr 2, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bdf20dc2-305a-406e-b7f5-7d46fdce6ae1

📥 Commits

Reviewing files that changed from the base of the PR and between 22b63f1 and 8474f5b.

📒 Files selected for processing (2)
  • docker-compose.nginx.yml
  • env.example
✅ Files skipped from review due to trivial changes (1)
  • env.example
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker-compose.nginx.yml

📝 Walkthrough

Walkthrough

Adds two Certbot services to docker-compose for one-time certificate issuance and continuous renewal, and updates environment file comments explaining the ACME workflow and an optional GitLab PKI chain variable.

Changes

Let's Encrypt automation

Layer / File(s) Summary
Certbot renewal and initialization
docker-compose.nginx.yml
Added certbot-init (profile: acme-init) for one-time certbot certonly using HTTP-01 on ${HTTP_PORT} with idempotent certificate-existence checks, and certbot-renew (profile: acme) that loops certbot renew every 24 hours, mounts certificate directories and shared webroot, depends on nginx, and triggers nginx reload via deploy hook.
Configuration documentation
env.example
Updated comments to document the two-step Let's Encrypt workflow (acme-init profile for initial certificate, then acme profile for automatic renewal), and added an optional GITLAB_PKI_CHAIN_PATH explanation (commented example) to prevent certificate validation failures in GitLab SSO.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Compose as Docker Compose
    participant CertInit as certbot-init
    participant LE as Let's Encrypt
    participant FS as File System
    participant Nginx
    participant CertRenew as certbot-renew

    User->>Compose: Run with acme-init profile
    Compose->>CertInit: Start certbot-init
    CertInit->>FS: Check /etc/letsencrypt/live/$DOMAIN
    alt certificate missing
        CertInit->>LE: Request cert via HTTP-01 on ${HTTP_PORT}
        LE->>CertInit: HTTP-01 challenge
        CertInit->>LE: Respond to challenge
        LE->>FS: Issue and store certificate
    else certificate exists
        CertInit->>CertInit: Exit successfully
    end

    User->>Compose: Run with acme profile
    Compose->>Nginx: Start nginx
    Compose->>CertRenew: Start certbot-renew
    loop Every 24 hours
        CertRenew->>LE: certbot renew for ${DOMAIN}
        alt renewed
            LE->>FS: Update certificate files
            CertRenew->>Nginx: deploy hook (kill -HUP 1)
            Nginx->>Nginx: Reload configuration
        end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and clearly summarizes the main change: adding automated Let's Encrypt certificate management via Certbot to the Docker setup.
Description check ✅ Passed The description is directly related to the changeset, providing a clear summary of the two new Docker Compose services and their purpose.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🧹 Nitpick comments (1)
docker-compose.nginx.yml (1)

33-54: Add restart policy to the renewal sidecar.

If sh or certbot exits unexpectedly, auto-renewal stops until manual intervention. Set a restart policy like the other services.

🔧 Proposed diff
   certbot-renew:
     image: certbot/certbot
     profiles: ["acme"]
+    restart: ${RESTART_POLICY}
     depends_on:
       - nginx
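Review bot: `restart: ${RESTART_POLICY}` is interpolated with no fallback, so if RESTART_POLICY is missing from the .env file Compose substitutes an empty string and the sidecar ends up with no usable restart policy, which is exactly the gap this nitpick is meant to close. Suggest `restart: ${RESTART_POLICY:-unless-stopped}` (or whichever default the other services rely on) so the renewal loop is restarted after an unexpected exit even when the variable is unset.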
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-compose.nginx.yml` around lines 33 - 54, The certbot-renew service
lacks a Docker restart policy so if sh or certbot exits auto-renewal stops;
update the certbot-renew service (look for the certbot-renew block and its
entrypoint) to include a restart policy (e.g., restart: unless-stopped or
restart: always) matching the other services so the container is automatically
restarted on unexpected exits.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker-compose.nginx.yml`:
- Around line 63-74: The entrypoint script calling certbot certonly is missing
an email parameter and references $HTTP_PORT which isn't set in the service
environment; update the service environment to include HTTP_PORT and an email
variable (e.g., CERTBOT_EMAIL or EMAIL) and modify the certbot invocation in the
entrypoint to pass that email via --email "$CERTBOT_EMAIL" (and keep --agree-tos
--non-interactive). Ensure the environment block contains DOMAIN, HTTP_PORT, and
the chosen email variable so the shell script sees them at container start.

---

Nitpick comments:
In `@docker-compose.nginx.yml`:
- Around line 33-54: The certbot-renew service lacks a Docker restart policy so
if sh or certbot exits auto-renewal stops; update the certbot-renew service
(look for the certbot-renew block and its entrypoint) to include a restart
policy (e.g., restart: unless-stopped or restart: always) matching the other
services so the container is automatically restarted on unexpected exits.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 388d7242-a2ff-449d-866b-f397cc82c86d

📥 Commits

Reviewing files that changed from the base of the PR and between 1423a77 and f7a914e.

📒 Files selected for processing (2)
  • docker-compose.nginx.yml
  • env.example
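The two entrypoints described in the PR summary and the walkthrough (idempotent one-time issuance in standalone mode, then a 24-hour renewal loop with a deploy hook), including the required-variable checks the review above asks for, written here as an added shell example rather than taken from the PR. DOMAIN, HTTP_PORT and CERTBOT_EMAIL are assumed to come from the service environment; CERTBOT, LE_DIR, NGINX_RELOAD_CMD and require_env are hypothetical names introduced so the control flow can be exercised without a real ACME CA.

```shell
#!/bin/sh
# Added example, not the PR's entrypoint. CERTBOT, LE_DIR and NGINX_RELOAD_CMD are
# hypothetical overrides; a real deployment leaves them at their defaults.
set -eu
: "${CERTBOT:=certbot}"
: "${LE_DIR:=/etc/letsencrypt}"
: "${NGINX_RELOAD_CMD:=kill -HUP 1}"
# Fail fast on missing settings instead of letting certbot produce an opaque error.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "required variable $name is not set" >&2
      return 1
    fi
  done
}

# Idempotency check used by certbot-init: a live lineage means issuance already ran.
cert_exists() {
  [ -s "$LE_DIR/live/$1/fullchain.pem" ] && [ -s "$LE_DIR/live/$1/privkey.pem" ]
}

# One-time issuance (certbot-init). Standalone mode answers HTTP-01 on $HTTP_PORT
# itself, so nginx must not be bound to that port while this runs.
issue_cert() {
  require_env DOMAIN HTTP_PORT CERTBOT_EMAIL || return 1
  if cert_exists "$DOMAIN"; then
    echo "certificate for $DOMAIN already present, skipping issuance"
    return 0
  fi
  $CERTBOT certonly --standalone --preferred-challenges http \
    --http-01-port "$HTTP_PORT" -d "$DOMAIN" --email "$CERTBOT_EMAIL" \
    --agree-tos --non-interactive --config-dir "$LE_DIR"
}

# One renewal pass (certbot-renew). certbot reuses the authenticator saved in the
# lineage and runs the deploy hook only for certificates it actually renewed.
renew_once() {
  $CERTBOT renew --non-interactive --config-dir "$LE_DIR" --deploy-hook "$NGINX_RELOAD_CMD"
}

# The sidecar loop: one pass every 24 hours; a failed pass is logged, not fatal.
renew_loop() {
  while :; do
    renew_once || echo "renewal pass failed, retrying in 24h" >&2
    sleep 86400
  done
}
```

The deploy hook runs inside the certbot container, so whatever NGINX_RELOAD_CMD is set to has to be able to reach the nginx process from there; the default here only mirrors the command named in the PR description.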


madest92 commented Apr 2, 2026

Contributor Author

@coderabbitai approve


coderabbitai Bot commented Apr 2, 2026

✅ Actions performed

Comments resolved and changes approved.

@mattermost-build


This PR has been automatically labelled "stale" because it hasn't had recent activity.
A core team member will check in on the status of the PR to help with questions.
Thank you for your contribution!
