Implement shared CA certificate system for multi-server TLS security

- Generate shared CA during core deployment for consistent trust across servers
- Modify setup_docker_tls() to use shared CA instead of per-server CAs
- Update share_certs_with_core() to copy shared CA from core server
- Re-enable TLS verification (DOCKER_TLS_VERIFY=1) in Sablier
- Fix Sablier certificate mounting for proper TLS connection
- Add docker-tls/ to .gitignore to prevent certificate leaks
- Update documentation for shared CA approach
This commit is contained in:
Kelin
2026-01-25 23:08:01 -05:00
parent 1b3c4ff9ff
commit 89ca29918b
6 changed files with 654 additions and 121 deletions


@@ -99,10 +99,10 @@ services:
# Sablier - Lazy loading service for Docker containers
# Controls startup/shutdown of lazy-loaded services, must always run
# REQUIREMENTS FOR DOCKER API ACCESS:
# 1. Docker daemon must be configured to listen on TCP port 2375
# 1. Docker daemon must be configured to listen on TCP port 2376 with TLS
# 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint
# 3. Firewall must allow TCP connections to Docker API port (default 2375)
# 4. For production, consider using TLS for Docker API communication
# 3. Firewall must allow TCP connections to Docker API port (2376)
# 4. TLS certificates must be mounted and environment variables set
# 5. Ensure dockerproxy service is running and accessible
sablier-service:
image: sablierapp/sablier:latest
@@ -115,7 +115,11 @@ services:
- SABLIER_DOCKER_API_VERSION=1.51
- SABLIER_DOCKER_NETWORK=traefik-network
- SABLIER_LOG_LEVEL=debug
- DOCKER_HOST=tcp://192.168.4.11:2375
- DOCKER_HOST=tcp://${SERVER_IP}:2376
- DOCKER_TLS_VERIFY=1
- DOCKER_CERT_PATH=/certs
volumes:
- ./sablier-certs:/certs:ro
ports:
- 10000:10000
labels:
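Review bot: The bind mount `./sablier-certs:/certs:ro` has to contain the Docker client key (`DOCKER_CERT_PATH=/certs` with `DOCKER_TLS_VERIFY=1`), and a client key accepted by the daemon is root-equivalent on that host; the description says only `docker-tls/` was added to `.gitignore`, so confirm `sablier-certs/` is excluded as well (or is a symlink into the ignored directory) before this lands. The requirement comment `# 5. Ensure dockerproxy service is running and accessible` now contradicts `DOCKER_HOST=tcp://${SERVER_IP}:2376`, which talks straight to the daemon and bypasses any endpoint filtering a socket proxy would provide — either point DOCKER_HOST at the proxy or reword item 5, e.g. `# 5. Sablier connects directly to dockerd on 2376; a socket proxy is not in the path`. Docker's --tlsverify accepts any client certificate signed by the configured CA, so with the single shared CA this commit introduces a client key leaked from any one server can drive the daemon on every server; item 3 should say the firewall must restrict 2376 to the Sablier host(s) rather than merely allow it. Whether Sablier honors DOCKER_HOST/DOCKER_TLS_VERIFY/DOCKER_CERT_PATH depends on its Docker client being built from the environment, which is worth checking against a pinned tag given `image: sablierapp/sablier:latest` is unpinned.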


@@ -28,7 +28,7 @@ services:
- PGID=${PGID}
- TZ=${TZ}
healthcheck:
test: ["CMD", "curl", "-f", "http://${SERVER_IP}:8989/"]
test: ["CMD", "curl", "-f", "http://localhost:8989/"]
interval: 30s
timeout: 10s
retries: 3
@@ -73,7 +73,7 @@ services:
- PGID=${PGID}
- TZ=${TZ}
healthcheck:
test: ["CMD", "curl", "-f", "http://${SERVER_IP}:7878/"]
test: ["CMD", "curl", "-f", "http://localhost:7878/"]
interval: 30s
timeout: 10s
retries: 3
@@ -116,7 +116,7 @@ services:
- PGID=${PGID}
- TZ=${TZ}
healthcheck:
test: ["CMD", "curl", "-f", "http://${SERVER_IP}:9696/"]
test: ["CMD", "curl", "-f", "http://localhost:9696/"]
interval: 30s
timeout: 10s
retries: 3
@@ -315,7 +315,7 @@ services:
- LOG_LEVEL=info
- TZ=${TZ}
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://${SERVER_IP}:5055/"]
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5055/"]
interval: 30s
timeout: 10s
retries: 3
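Review bot: The healthcheck changes from `${SERVER_IP}` to `localhost` in this file are not mentioned in the commit description, which lists only the shared-CA/TLS work; add a bullet such as `- Point service healthchecks at localhost instead of ${SERVER_IP}` so the unrelated change is discoverable in history. The change itself is an improvement: the probe runs inside the container, so targeting `localhost` stops the check from depending on the host IP, published ports and firewall rules, and it can no longer fail merely because `SERVER_IP` is unset or stale. It does assume each service binds to loopback or all interfaces inside its own container, which appears to be the default for these images but is not visible from the hunk.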