wip: letsencrypt

2022-10-21 03:50:14 +02:00 · 2022-10-21 03:50:14 +02:00 · 04df1bd919
parent 1203c9f005
commit 04df1bd919
34 changed files with 183 additions and 51 deletions
--- a/docker/certbot/Dockerfile
+++ b/docker/certbot/Dockerfile
@ -0,0 +1,51 @@
+# FROM certbot/certbot:latest as dist
+FROM python:3.8-alpine as dist
+LABEL maintainer aynic.os <support+docker@asycn.io>
+ARG DOCKER_BUILD_DIR
+
+# RUN pip install \
+RUN apk --no-cache add --virtual .build-deps \
+        build-base \
+        libffi-dev \
+ && pip install \
+        certbot \
+        certbot-dns-azure \
+#        certbot-dns-bunny \
+#        certbot-dns-clouddns \
+        certbot-dns-cloudflare \
+#        certbot-dns-cloudxns \
+        certbot-dns-digitalocean \
+#        certbot-dns-dnsmadeeasy \
+#        certbot-dns-dnsimple \
+#        certbot-dns-gehirn \
+#        certbot-dns-godaddy \
+        certbot-dns-google \
+        certbot-dns-infomaniak \
+#        certbot-dns-inwx \
+        certbot-dns-ispconfig \
+#        certbot-dns-lightsail \
+        certbot-dns-linode \
+#        certbot-dns-luadns \
+#        certbot-dns-njalla \
+#        certbot-dns-nsone \
+        certbot-dns-ovh \
+        certbot-dns-rfc2136 \
+        certbot-dns-route53 \
+#        certbot-dns-sakuracloud \
+        certbot-dns-standalone \
+#        certbot-dns-yandexcloud \
+#        certbot-ext-auth future \
+        certbot-plugin-gandi \
+        certbot-s3front \
+#        certbot_dns_duckdns \
+#        certbot_dns_porkbun \
+#        letsencrypt-pritunl \
+#        letsencrypt-proxmox \
+ && apk del .build-deps
+
+COPY ${DOCKER_BUILD_DIR}/certbot-renew /etc/periodic/daily/
+COPY ${DOCKER_BUILD_DIR}/docker-entrypoint.sh /docker-entrypoint.sh
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["--help"]
+
+FROM dist as master
--- a/docker/certbot/certbot-renew
+++ b/docker/certbot/certbot-renew
@ -0,0 +1,4 @@
+#!/bin/sh
+
+mkdir -p /etc/letsencrypt/renewal
+/usr/local/bin/certbot renew > /etc/letsencrypt/renewal/letsencrypt.log
--- a/docker/certbot/docker-entrypoint.sh
+++ b/docker/certbot/docker-entrypoint.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -euo errexit
+
+[ -n "${DEBUG:-}" -a "${DEBUG:-}" != "false" ] && set -x
+
+case "${1:-start}" in
+
+  start)
+    exec /usr/sbin/crond -f -L/dev/stdout
+  ;;
+
+  *)
+    exec /usr/local/bin/certbot "$@"
+  ;;
+
+esac
--- a/make/apps/def.docker.mk
+++ b/make/apps/def.docker.mk
@ -1,6 +1,6 @@
 CMDS                            += docker-run docker-run-%
 COMPOSE_ARGS                    ?= --ansi auto
-COMPOSE_FILE                    ?= $(wildcard docker/docker-compose.yml $(foreach file,$(patsubst docker/docker-compose.%,%,$(basename $(wildcard docker/docker-compose.*.yml))),$(if $(filter true,$(COMPOSE_FILE_$(file)) $(COMPOSE_FILE_$(call UPPERCASE,$(file)))),docker/docker-compose.$(file).yml)))
+COMPOSE_FILE                    ?= $(wildcard docker-compose.yml docker/docker-compose.yml $(foreach file,$(patsubst docker/docker-compose.%,%,$(basename $(wildcard docker/docker-compose.*.yml))),$(if $(filter true,$(COMPOSE_FILE_$(file)) $(COMPOSE_FILE_$(call UPPERCASE,$(file)))),docker/docker-compose.$(file).yml)))
 COMPOSE_FILE_$(ENV)             ?= true
 COMPOSE_FILE_DEBUG              ?= $(if $(DEBUG),true)
 COMPOSE_FILE_NFS                ?= $(MOUNT_NFS)
--- a/make/def.mk
+++ b/make/def.mk
@ -41,6 +41,7 @@ CONFIG_REPOSITORY_URI           ?= $(shell printf '$(CONFIG_REPOSITORY_URL)\n' |
 CONFIG_REPOSITORY_URL           ?= $(call pop,$(APP_UPSTREAM_REPOSITORY))/$(notdir $(CONFIG))
 CONTEXT                         ?= ENV $(shell awk 'BEGIN {FS="="}; $$1 !~ /^(\#|$$)/ {print $$1}' .env.dist 2>/dev/null)
 CONTEXT_DEBUG                   ?= MAKEFILE_LIST DOCKER_ENV_ARGS ENV_ARGS APPS GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME MAKE_DIR MAKE_SUBDIRS MAKE_CMD_ARGS MAKE_ENV_ARGS UID USER
+CERTBOT                         ?=
 DEBUG                           ?= 
 DOCKER                          ?= $(shell type -p docker)
 DOMAIN                          ?= localhost
--- a/stack/drone/drone.yml
+++ b/stack/drone/drone.yml
@ -18,7 +18,7 @@ services:
    - DRONE_USER_FILTER=${DRONE_USER_FILTER}
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-drone:80
+    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-drone-80
    - SERVICE_80_TAGS=${DRONE_SERVER_SERVICE_80_TAGS}
    - SERVICE_443_IGNORE=true
    networks:
--- a/stack/elastic/apm-server-oss.yml
+++ b/stack/elastic/apm-server-oss.yml
@ -11,7 +11,7 @@ services:
    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD} -E apm-server.register.ingest.pipeline.enabled=false
    labels:
    - SERVICE_8200_CHECK_HTTP=/
-    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server-oss:8200
+    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server-oss-8200
    - SERVICE_8200_TAGS=${APM_SERVER_SERVICE_8200_TAGS}
    networks:
    - private
--- a/stack/elastic/apm-server.yml
+++ b/stack/elastic/apm-server.yml
@ -6,7 +6,7 @@ services:
    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD}
    labels:
    - SERVICE_8200_CHECK_HTTP=/
-    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server:8200
+    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server-8200
    - SERVICE_8200_TAGS=${APM_SERVER_SERVICE_8200_TAGS}
    networks:
      private:
--- a/stack/elastic/elasticsearch.yml
+++ b/stack/elastic/elasticsearch.yml
@ -18,10 +18,10 @@ services:
    - http.cors.allow-headers=X-Requested-With,X-Auth-Token,Content-Type,Content-Length
    labels:
    - SERVICE_9200_CHECK_HTTP=/
-    - SERVICE_9200_NAME=${COMPOSE_SERVICE_NAME}-elasticsearch:9200
+    - SERVICE_9200_NAME=${COMPOSE_SERVICE_NAME}-elasticsearch-9200
    - SERVICE_9200_TAGS=${ELASTICSEARCH_SERVICE_9200_TAGS}
    - SERVICE_9300_CHECK_TCP=true
-    - SERVICE_9300_NAME=${COMPOSE_SERVICE_NAME}-elasticsearch:9300
+    - SERVICE_9300_NAME=${COMPOSE_SERVICE_NAME}-elasticsearch-9300
    networks:
    - private
    - public
--- a/stack/elastic/kibana-oss.yml
+++ b/stack/elastic/kibana-oss.yml
@ -4,7 +4,7 @@ services:
  kibana-oss:
    labels:
    - SERVICE_5601_CHECK_HTTP=/app/kibana
-    - SERVICE_5601_NAME=${COMPOSE_SERVICE_NAME}-kibana-oss:5601
+    - SERVICE_5601_NAME=${COMPOSE_SERVICE_NAME}-kibana-oss-5601
    - SERVICE_5601_TAGS=${KIBANA_SERVICE_5601_TAGS}
    networks:
    - private
--- a/stack/elastic/kibana.yml
+++ b/stack/elastic/kibana.yml
@ -4,7 +4,7 @@ services:
  kibana:
    labels:
    - SERVICE_5601_CHECK_HTTP=/app/kibana
-    - SERVICE_5601_NAME=${COMPOSE_SERVICE_NAME}-kibana:5601
+    - SERVICE_5601_NAME=${COMPOSE_SERVICE_NAME}-kibana-5601
    - SERVICE_5601_TAGS=${KIBANA_SERVICE_5601_TAGS}
    networks:
    - private
--- a/stack/grafana/grafana.yml
+++ b/stack/grafana/grafana.yml
@ -17,7 +17,7 @@ services:
    image: ${DOCKER_REPOSITORY}/grafana:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_3000_CHECK_TCP=true
-    - SERVICE_3000_NAME=${COMPOSE_SERVICE_NAME}-grafana:3000
+    - SERVICE_3000_NAME=${COMPOSE_SERVICE_NAME}-grafana-3000
    - SERVICE_3000_TAGS=${GRAFANA_SERVICE_3000_TAGS}
    networks:
    - private
--- a/stack/ipfs/ipfs.yml
+++ b/stack/ipfs/ipfs.yml
@ -57,10 +57,10 @@ services:
    image: ${DOCKER_REPOSITORY}/ipfs:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_4001_CHECK_TCP=true
-    - SERVICE_4001_NAME=${COMPOSE_SERVICE_NAME}-ipfs:4001
-    - SERVICE_5001_NAME=${COMPOSE_SERVICE_NAME}-ipfs:5001
+    - SERVICE_4001_NAME=${COMPOSE_SERVICE_NAME}-ipfs-4001
+    - SERVICE_5001_NAME=${COMPOSE_SERVICE_NAME}-ipfs-5001
    - SERVICE_8080_CHECK_HTTP=${IPFS_SERVICE_8080_CHECK_TCP}
-    - SERVICE_8080_NAME=${COMPOSE_SERVICE_NAME}-ipfs:8080
+    - SERVICE_8080_NAME=${COMPOSE_SERVICE_NAME}-ipfs-8080
    - SERVICE_8080_TAGS=${IPFS_SERVICE_8080_TAGS}
    - SERVICE_8081_IGNORE=true
    networks:
--- a/stack/memcached/memcached.yml
+++ b/stack/memcached/memcached.yml
@ -5,7 +5,7 @@ services:
    image: memcached:alpine
    labels:
    - SERVICE_11211_CHECK_TCP=true
-    - SERVICE_11211_NAME=${COMPOSE_SERVICE_NAME}-memcached:11211
+    - SERVICE_11211_NAME=${COMPOSE_SERVICE_NAME}-memcached-11211
    networks:
    - private
    ports:
--- a/stack/mysql/mysql.yml
+++ b/stack/mysql/mysql.yml
@ -5,7 +5,7 @@ services:
    environment:
    - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
    labels:
-    - SERVICE_3306_NAME=${COMPOSE_SERVICE_NAME}-mysql:3306
+    - SERVICE_3306_NAME=${COMPOSE_SERVICE_NAME}-mysql-3306
    - SERVICE_CHECK_SCRIPT=docker-healthcheck $$SERVICE_IP
    networks:
    - private
--- a/stack/newrelic/php-daemon.yml
+++ b/stack/newrelic/php-daemon.yml
@ -6,7 +6,7 @@ services:
    # command: "/usr/bin/newrelic-daemon --loglevel debug"
    labels:
    - SERVICE_31339_CHECK_TCP=true
-    - SERVICE_31339_NAME=${COMPOSE_SERVICE_NAME}-php-daemon:31339
+    - SERVICE_31339_NAME=${COMPOSE_SERVICE_NAME}-php-daemon-31339
    networks:
    - private
    ports:
--- a/stack/nginx/static.yml
+++ b/stack/nginx/static.yml
@ -6,7 +6,7 @@ services:
    command: /bin/sh -c "grep autoindex /etc/nginx/conf.d/default.conf >/dev/null 2>&1 || sed -i 's|index  index.html index.htm;|index  index.html index.htm;\n        autoindex on;|' /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-nginx:80
+    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-nginx-80
    - SERVICE_80_TAGS=${STATIC_SERVICE_80_TAGS}
    networks:
    - private
--- a/stack/node.mk
+++ b/stack/node.mk
@ -2,9 +2,9 @@ CMDS                            += node-exec stack-node-exec node-exec:% node-ex
 node                            ?= node/node
 ENV_VARS                        += DOCKER_HOST_IFACE DOCKER_HOST_INET4 DOCKER_INTERNAL_DOCKER_HOST

-# target bootstrap-stack-node: Fire node-ssl-certs
+# target bootstrap-stack-node: Fire node-certbot node-ssl-certs
 .PHONY: bootstrap-stack-node
-bootstrap-stack-node: docker-network-create-$(DOCKER_NETWORK_PUBLIC) node-ssl-certs
+bootstrap-stack-node: docker-network-create-$(DOCKER_NETWORK_PUBLIC) $(if $(CERTBOT),node-certbot) node-ssl-certs

 # target node: Fire stack-node-up
 .PHONY: node
@ -14,15 +14,63 @@ node: stack-node-up
 .PHONY: node-%
 node-%: stack-node-%;

-# target node-ssl-certs: Create ${DOMAIN}.key.pem and ${DOMAIN}.crt.pem files
+# target node-ssl-certs: Create invalid ${DOMAIN}/privkey.pem and ${DOMAIN}/cert.pem certificate files
 .PHONY: node-ssl-certs
 node-ssl-certs:
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine [ -f /certs/$(DOMAIN).crt.pem -a -f /certs/$(DOMAIN).key.pem ] \
-	 || $(RUN) docker run --rm -e DOMAIN=$(DOMAIN) --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine sh -c "\
+	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine \
+	 [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	  || $(RUN) docker run --rm -e DOMAIN=$(DOMAIN) --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine sh -c "\
 	   apk --no-cache add openssl \
-	   && { [ -f /certs/${DOMAIN}.key.pem ] || openssl genrsa -out /certs/${DOMAIN}.key.pem 2048; } \
-	   && openssl req -key /certs/${DOMAIN}.key.pem -out /certs/${DOMAIN}.crt.pem \
+	   && mkdir -p /certs/live/${DOMAIN} \
+	   && { [ -f /certs/live/${DOMAIN}/privkey.pem ] || openssl genrsa -out /certs/live/${DOMAIN}/privkey.pem 2048; } \
+	   && openssl req -key /certs/live/${DOMAIN}/privkey.pem -out /certs/live/${DOMAIN}/cert.pem \
 		  -addext extendedKeyUsage=serverAuth \
 		  -addext subjectAltName=DNS:${DOMAIN} \
 		  -subj \"/C=/ST=/L=/O=/CN=${DOMAIN}\" \
 		  -x509 -days 365"
+
+# target node-certbot: Create letsencrypt ${DOMAIN}/privkey.pem and ${DOMAIN}/cert.pem files
+.PHONY: node-certbot
+node-certbot: node-docker-build-certbot
+	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	|| $(RUN) docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ --mount source=$(NODE_DOCKER_VOLUME),target=/var/log/letsencrypt/ -e DOMAIN=$(DOMAIN) --network host node/certbot \
+		--non-interactive --agree-tos --email hostmaster@${DOMAIN} certonly \
+		--preferred-challenges dns --authenticator dns-standalone \
+		--dns-standalone-address=0.0.0.0 \
+		--dns-standalone-port=53 \
+		-d ${DOMAIN} \
+	        -d *.${DOMAIN}
+
+# target node-certbot-certificates: List letsencrypt certificates
+.PHONY: node-certbot-certificates
+node-certbot-certificates: node-docker-build-certbot
+	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ node/certbot certificates
+
+# target node-certbot-renew: Renew letsencrypt certificates
+.PHONY: node-certbot-renew
+node-certbot-renew: node-docker-build-certbot
+	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ --network host node/certbot renew
+
+# target node-certbot-staging: Create staging letsencrypt ${DOMAIN}/privkey.pem and ${DOMAIN}/cert.pem files
+.PHONY: node-certbot-staging
+node-certbot-staging: node-docker-build-certbot
+	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	|| $(RUN) docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ --mount source=$(NODE_DOCKER_VOLUME),target=/var/log/letsencrypt/ -e DOMAIN=$(DOMAIN) --network host node/certbot \
+		--non-interactive --agree-tos --email hostmaster@${DOMAIN} certonly \
+		--preferred-challenges dns --authenticator dns-standalone \
+		--dns-standalone-address=0.0.0.0 \
+		--dns-standalone-port=53 \
+		--staging \
+		-d ${DOMAIN} \
+	        -d *.${DOMAIN}
+
+# target node-docker-build-%: Build % docker
+.PHONY: node-docker-build-%
+node-docker-build-%:
+	$(call docker-build,docker/$*,node/$*:$(DOCKER_IMAGE_TAG))
+
+# target node-docker-rebuild-%: Rebuild % docker
+.PHONY: node-docker-rebuild-%
+node-docker-rebuild-%:
+	$(call make,node-docker-build-$* DOCKER_BUILD_CACHE=false)
+
--- a/stack/node/exporter/exporter.yml
+++ b/stack/node/exporter/exporter.yml
@ -7,7 +7,7 @@ services:
    image: google/cadvisor:latest
    labels:
    - SERVICE_8080_CHECK_TCP=true
-    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-cadvisor-exporter:8080
+    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-cadvisor-exporter-8080
    - SERVICE_8080_TAGS=${NODE_CADVISOR_EXPORTER_SERVICE_8080_TAGS}
    - SERVICE_9200_IGNORE=true
    networks:
@ -31,7 +31,7 @@ services:
    image: prom/node-exporter:latest
    labels:
    - SERVICE_9100_CHECK_TCP=true
-    - SERVICE_9100_NAME=${NODE_COMPOSE_SERVICE_NAME}-node-exporter:9100
+    - SERVICE_9100_NAME=${NODE_COMPOSE_SERVICE_NAME}-node-exporter-9100
    - SERVICE_9100_TAGS=${NODE_EXPORTER_SERVICE_9100_TAGS}
    networks:
    - public
--- a/stack/node/ipfs/ipfs.yml
+++ b/stack/node/ipfs/ipfs.yml
@ -57,11 +57,11 @@ services:
    image: ${NODE_DOCKER_REPOSITORY}/ipfs:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_4001_CHECK_TCP=true
-    - SERVICE_4001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs:4001
+    - SERVICE_4001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-4001
    - SERVICE_5001_CHECK_TCP=true
-    - SERVICE_5001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs:5001
+    - SERVICE_5001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-5001
    - SERVICE_8080_CHECK_HTTP=${NODE_IPFS_SERVICE_8080_CHECK_TCP}
-    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs:8080
+    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-8080
    - SERVICE_8080_TAGS=${NODE_IPFS_SERVICE_8080_TAGS}
    - SERVICE_8081_IGNORE=true
    network_mode: host
--- a/stack/node/node.yml
+++ b/stack/node/node.yml
@ -1,6 +1,19 @@
 version: '3.6'

 services:
+  certbot:
+    build:
+      args:
+      - DOCKER_BUILD_DIR=docker/certbot
+      context: ../..
+      dockerfile: docker/certbot/Dockerfile
+    command: start
+    container_name: ${NODE_COMPOSE_PROJECT_NAME}-certbot
+    image: ${NODE_DOCKER_REPOSITORY}/certbot:${DOCKER_IMAGE_TAG}
+    network_mode: host
+    restart: always
+    volumes:
+    - myos:/etc/letsencrypt
  consul:
    build:
      args:
@ -31,7 +44,7 @@ services:
    - SERVICE_8301_IGNORE=true
    - SERVICE_8302_IGNORE=true
    - SERVICE_8500_CHECK_HTTP=/v1/health/service/consul
-    - SERVICE_8500_NAME=${NODE_COMPOSE_SERVICE_NAME}-consul:8500
+    - SERVICE_8500_NAME=${NODE_COMPOSE_SERVICE_NAME}-consul-8500
    - SERVICE_8500_TAGS=${NODE_CONSUL_SERVICE_8500_TAGS}
    - SERVICE_8600_IGNORE=true
    - SERVICE_ADDRESS=${DOCKER_HOST_INET4}
@ -40,20 +53,19 @@ services:
    restart: always
    volumes:
    - consul:/consul/data:delegated
-    - myos:/certs:ro
    - /var/run/docker.sock:/var/run/docker.sock
  fabio:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/fabio
-      - FABIO_VERSION=1.6.0
+      - FABIO_VERSION=1.6.2
      - SYSTEM=${SYSTEM}
      - MACHINE=${MACHINE}
      context: ../..
      dockerfile: docker/fabio/Dockerfile
    container_name: ${NODE_COMPOSE_PROJECT_NAME}-fabio
    image: ${NODE_DOCKER_REPOSITORY}/fabio:${DOCKER_IMAGE_TAG}
-    command: -registry.backend "consul" -registry.consul.addr "consul:8500" -registry.consul.token "${NODE_CONSUL_HTTP_TOKEN}" -proxy.addr ":80,:443;cs=local" -proxy.cs "cs=local;type=file;cert=/certs/${DOMAIN}.crt.pem;key=/certs/${DOMAIN}.key.pem"
+    command: -registry.backend "consul" -registry.consul.addr "consul:8500" -registry.consul.token "${NODE_CONSUL_HTTP_TOKEN}" -proxy.addr ":80,:443;cs=local" -proxy.cs "cs=local;type=file;cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem;key=/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
    depends_on:
    - consul
    extra_hosts:
@ -61,11 +73,11 @@ services:
    hostname: ${HOSTNAME}
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio:80
+    - SERVICE_80_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-80
    - SERVICE_443_CHECK_TCP=true
-    - SERVICE_443_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio:443
+    - SERVICE_443_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-443
    - SERVICE_9998_CHECK_HTTP=/routes
-    - SERVICE_9998_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio:9998
+    - SERVICE_9998_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-9998
    - SERVICE_9998_TAGS=${NODE_FABIO_SERVICE_9998_TAGS}
    - SERVICE_9999_IGNORE=true
    ports:
@ -76,7 +88,7 @@ services:
    - public
    restart: always
    volumes:
-    - myos:/certs:ro
+    - myos:/etc/letsencrypt:ro
  registrator:
    build:
      args:
--- a/stack/node/portainer/portainer.yml
+++ b/stack/node/portainer/portainer.yml
@ -7,7 +7,7 @@ services:
    labels:
    - SERVICE_8000_IGNORE=true
    - SERVICE_9000_CHECK_HTTP=/
-    - SERVICE_9000_NAME=${NODE_COMPOSE_SERVICE_NAME}-portainer:9000
+    - SERVICE_9000_NAME=${NODE_COMPOSE_SERVICE_NAME}-portainer-9000
    - SERVICE_9000_TAGS=${NODE_PORTAINER_SERVICE_9000_TAGS}
    networks:
    - public
--- a/stack/node/vsftpd/vsftpd-s3.yml
+++ b/stack/node/vsftpd/vsftpd-s3.yml
@ -28,9 +28,9 @@ services:
    image: ${NODE_DOCKER_REPOSITORY}/vsftpd-s3:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_21_CHECK_TCP=true
-    - SERVICE_21_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3:21
+    - SERVICE_21_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3-21
    - SERVICE_22_CHECK_TCP=true
-    - SERVICE_22_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3:22
+    - SERVICE_22_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3-22
    - SERVICE_65000_IGNORE=true
    security_opt:
    - apparmor:unconfined
--- a/stack/portainer/portainer.yml
+++ b/stack/portainer/portainer.yml
@ -6,7 +6,7 @@ services:
    labels:
    - SERVICE_8000_IGNORE=true
    - SERVICE_9000_CHECK_HTTP=/
-    - SERVICE_9000_NAME=${COMPOSE_SERVICE_NAME}-portainer:9000
+    - SERVICE_9000_NAME=${COMPOSE_SERVICE_NAME}-portainer-9000
    - SERVICE_9000_TAGS=${PORTAINER_SERVICE_9000_TAGS}
    networks:
    - public
--- a/stack/postgres/postgres.yml
+++ b/stack/postgres/postgres.yml
@ -8,7 +8,7 @@ services:
    - POSTGRES_USER=${POSTGRES_USER}
    labels:
    - SERVICE_5432_CHECK_TCP=true
-    - SERVICE_5432_NAME=${COMPOSE_SERVICE_NAME}-postgres:5432
+    - SERVICE_5432_NAME=${COMPOSE_SERVICE_NAME}-postgres-5432
    networks:
    - private
    ports:
--- a/stack/prometheus/alertmanager.yml
+++ b/stack/prometheus/alertmanager.yml
@ -11,7 +11,7 @@ services:
    image: ${DOCKER_REPOSITORY}/alertmanager:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9093_CHECK_TCP=true
-    - SERVICE_9093_NAME=${COMPOSE_SERVICE_NAME}-alertmanager:9093
+    - SERVICE_9093_NAME=${COMPOSE_SERVICE_NAME}-alertmanager-9093
    - SERVICE_9093_TAGS=${ALERTMANAGER_SERVICE_9093_TAGS}
    networks:
    - private
--- a/stack/prometheus/blackbox-exporter.yml
+++ b/stack/prometheus/blackbox-exporter.yml
@ -10,7 +10,7 @@ services:
    image: ${DOCKER_REPOSITORY}/blackbox:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9115_CHECK_TCP=true
-    - SERVICE_9115_NAME=${COMPOSE_SERVICE_NAME}-blackbox:9115
+    - SERVICE_9115_NAME=${COMPOSE_SERVICE_NAME}-blackbox-9115
    - SERVICE_9115_TAGS=${BLACKBOX_SERVICE_9115_TAGS}
    networks:
    - private
--- a/stack/prometheus/es-exporter.yml
+++ b/stack/prometheus/es-exporter.yml
@ -11,7 +11,7 @@ services:
    image: ${DOCKER_REPOSITORY}/es-exporter:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9206_CHECK_TCP=true
-    - SERVICE_9206_NAME=${COMPOSE_SERVICE_NAME}-es-exporter:9206
+    - SERVICE_9206_NAME=${COMPOSE_SERVICE_NAME}-es-exporter-9206
    - SERVICE_9206_TAGS=${ES_EXPORTER_SERVICE_9206_TAGS}
    networks:
    - private
--- a/stack/prometheus/prometheus.yml
+++ b/stack/prometheus/prometheus.yml
@ -12,7 +12,7 @@ services:
    image: ${DOCKER_REPOSITORY}/prometheus:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9090_CHECK_TCP=true
-    - SERVICE_9090_NAME=${COMPOSE_SERVICE_NAME}-prometheus:9090
+    - SERVICE_9090_NAME=${COMPOSE_SERVICE_NAME}-prometheus-9090
    - SERVICE_9090_TAGS=${PROMETHEUS_SERVICE_9090_TAGS}
    networks:
    - private
--- a/stack/rabbitmq/rabbitmq.yml
+++ b/stack/rabbitmq/rabbitmq.yml
@ -7,10 +7,10 @@ services:
    - SERVICE_4369_IGNORE=true
    - SERVICE_5671_IGNORE=true
    - SERVICE_5672_CHECK_TCP=true
-    - SERVICE_5672_NAME=${COMPOSE_SERVICE_NAME}-rabbitmq:5672
+    - SERVICE_5672_NAME=${COMPOSE_SERVICE_NAME}-rabbitmq-5672
    - SERVICE_15671_IGNORE=true
    - SERVICE_15672_CHECK_HTTP=/
-    - SERVICE_15672_NAME=${COMPOSE_SERVICE_NAME}-rabbitmq:15672
+    - SERVICE_15672_NAME=${COMPOSE_SERVICE_NAME}-rabbitmq-15672
    - SERVICE_15672_TAGS=${RABBITMQ_SERVICE_15672_TAGS}
    - SERVICE_25672_IGNORE=true
    networks:
--- a/stack/redis/redis.yml
+++ b/stack/redis/redis.yml
@ -6,7 +6,7 @@ services:
    command: redis-server --appendonly yes
    labels:
    - SERVICE_6379_CHECK_TCP=true
-    - SERVICE_6379_NAME=${COMPOSE_SERVICE_NAME}-redis:6379
+    - SERVICE_6379_NAME=${COMPOSE_SERVICE_NAME}-redis-6379
    networks:
    - private
    ports:
--- a/stack/redmine/redmine.yml
+++ b/stack/redmine/redmine.yml
@ -23,7 +23,7 @@ services:
    - TZ=Europe/Paris
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-redmine:80
+    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-redmine-80
    - SERVICE_80_TAGS=${REDMINE_SERVICE_80_TAGS}
    - SERVICE_443_IGNORE=true
    networks:
--- a/stack/redmine/redmine3.yml
+++ b/stack/redmine/redmine3.yml
@ -16,7 +16,7 @@ services:
    - TZ=Europe/Paris
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-redmine3:80
+    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-redmine3-80
    - SERVICE_80_TAGS=${REDMINE3_SERVICE_80_TAGS}
    - SERVICE_443_IGNORE=true
    networks:
--- a/stack/theia/theia.yml
+++ b/stack/theia/theia.yml
@ -24,7 +24,7 @@ services:
    image: ${DOCKER_REPOSITORY}/theia:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_3000_CHECK_TCP=true
-    - SERVICE_3000_NAME=${COMPOSE_SERVICE_NAME}-theia:3000
+    - SERVICE_3000_NAME=${COMPOSE_SERVICE_NAME}-theia-3000
    - SERVICE_3000_TAGS=${THEIA_SERVICE_3000_TAGS}
    networks:
    - private