Add automatic SSL certificate generation

devops/terraform/modules/forgejo/cloud-init.yaml.tpl

@@ -432,9 +432,9 @@ write_files:
           deploy:
             resources:
               limits:
-                memory: 512M
+                memory: 3G
               reservations:
-                memory: 256M
+                memory: 1G
 
       networks:
         forgejo-internal:
@@ -471,11 +471,11 @@ write_files:
       }
 
       ${domain} {
-          # Rate limiting - 100 requests per minute per IP
+          # Rate limiting - 500 requests per minute per IP
           rate_limit {
               zone forgejo_zone {
                   key {remote_host}
-                  events 100
+                  events 500
                   window 1m
               }
           }

docker-compose.prod.yml

@@ -182,7 +182,7 @@ services:
       JWT_SECRET: ${JWT_SECRET}
     volumes:
       - uploads:/app/uploads:ro
-      - letsencrypt_data:/etc/letsencrypt:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
       - certbot_webroot:/var/www/certbot:ro
     networks:
       - frontend
@@ -203,7 +203,7 @@ services:
     image: certbot/certbot:latest
     restart: unless-stopped
     volumes:
-      - letsencrypt_data:/etc/letsencrypt
+      - /etc/letsencrypt:/etc/letsencrypt
       - certbot_webroot:/var/www/certbot
     entrypoint: ["/bin/sh", "-c"]
     command:
@@ -227,5 +227,4 @@ volumes:
   redis_data:
   ome_logs:
   uploads:
-  letsencrypt_data:
   certbot_webroot:

openresty/nginx.conf

@@ -91,17 +91,43 @@ http {
     # Default for most uploads (images, stickers)
     client_max_body_size 5m;
     
+    # ==========================================================================
+    # HTTP Server - Redirect to HTTPS (except ACME challenges)
+    # ==========================================================================
     server {
         listen 80;
-        server_name localhost;
+        server_name _;
 
         # ACME challenge endpoint for Let's Encrypt certificate validation
-        # This must come before any access control blocks
         location /.well-known/acme-challenge/ {
             root /var/www/certbot;
             try_files $uri =404;
         }
 
+        # Redirect all other HTTP traffic to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # ==========================================================================
+    # HTTPS Server - Main application server
+    # ==========================================================================
+    server {
+        listen 443 ssl http2;
+        server_name beeta.realms.pub;
+
+        # SSL certificates (obtained by certbot on host, mounted via docker-compose)
+        ssl_certificate /etc/letsencrypt/live/beeta.realms.pub/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/beeta.realms.pub/privkey.pem;
+
+        # Modern SSL configuration
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+        ssl_prefer_server_ciphers off;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+
         # Site-wide uberban check - blocks banned fingerprints from all endpoints
         access_by_lua_block {
             -- Skip OPTIONS requests (CORS preflight)

terraform/main.tf

@@ -38,20 +38,21 @@ locals {
 module "app_server" {
   source = "./modules/app_server"
 
-  project_name     = var.project_name
+  project_name      = var.project_name
-  environment      = var.environment
+  environment       = var.environment
-  region           = var.region
+  region            = var.region
-  vpc_uuid         = var.vpc_uuid
+  vpc_uuid          = var.vpc_uuid
-  vpc_ip_range     = var.vpc_ip_range
+  vpc_ip_range      = var.vpc_ip_range
-  ssh_keys         = local.all_ssh_key_ids
+  ssh_keys          = local.all_ssh_key_ids
-  droplet_size     = var.app_droplet_size
+  droplet_size      = var.app_droplet_size
-  droplet_image    = var.app_droplet_image
+  droplet_image     = var.app_droplet_image
-  ssh_port         = var.app_ssh_port
+  ssh_port          = var.app_ssh_port
-  domain           = var.app_domain
+  domain            = var.app_domain
-  enable_backups   = var.enable_droplet_backups
+  enable_backups    = var.enable_droplet_backups
-  tags             = local.common_tags
+  tags              = local.common_tags
-  manage_dns       = var.manage_dns
+  manage_dns        = var.manage_dns
-  dns_zone         = var.dns_zone
+  dns_zone          = var.dns_zone
-  dns_record_name  = var.dns_record_name
+  dns_record_name   = var.dns_record_name
-  forgejo_registry = var.forgejo_registry
+  forgejo_registry  = var.forgejo_registry
+  letsencrypt_email = var.letsencrypt_email
 }

terraform/modules/app_server/cloud-init.yaml.tpl

@@ -229,4 +229,20 @@ runcmd:
   - systemctl enable unattended-upgrades
   - systemctl start unattended-upgrades
 
-final_message: "Realms app server ready after $UPTIME seconds. Deploy via Forgejo CI/CD."
+  # Install certbot for SSL certificates
+  - DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y certbot
+
+  # Create directories for certbot webroot
+  - mkdir -p /opt/realms/certbot_webroot
+
+  # Obtain initial SSL certificate (standalone mode - no webserver running yet)
+  # This runs before Docker services start, so port 80 is free
+  - |
+    certbot certonly --standalone \
+      --non-interactive \
+      --agree-tos \
+      --email ${letsencrypt_email} \
+      -d ${domain} \
+      || echo "Certbot failed - certificate may need to be obtained manually after DNS propagates"
+
+final_message: "Realms app server ready after $UPTIME seconds. SSL cert obtained for ${domain}. Deploy via Forgejo CI/CD."

terraform/modules/app_server/main.tf

@@ -15,10 +15,11 @@ resource "digitalocean_droplet" "app" {
   ipv6       = true
 
   user_data = templatefile("${path.module}/cloud-init.yaml.tpl", {
-    ssh_port         = var.ssh_port
+    ssh_port          = var.ssh_port
-    vpc_ip_range     = var.vpc_ip_range
+    vpc_ip_range      = var.vpc_ip_range
-    domain           = var.domain
+    domain            = var.domain
-    forgejo_registry = var.forgejo_registry
+    forgejo_registry  = var.forgejo_registry
+    letsencrypt_email = var.letsencrypt_email
   })
 
   tags = var.tags

terraform/modules/app_server/variables.tf

@@ -99,3 +99,12 @@ variable "forgejo_registry" {
   type        = string
   default     = "qbit.realms.pub"
 }
+
+# =============================================================================
+# SSL Certificate Configuration
+# =============================================================================
+
+variable "letsencrypt_email" {
+  description = "Email for Let's Encrypt certificate notifications"
+  type        = string
+}

terraform/variables.tf

@@ -139,3 +139,12 @@ variable "forgejo_registry" {
   type        = string
   default     = "qbit.realms.pub"
 }
+
+# =============================================================================
+# SSL Certificate Configuration
+# =============================================================================
+
+variable "letsencrypt_email" {
+  description = "Email for Let's Encrypt certificate notifications"
+  type        = string
+}