Dotege is a tool to automatically generate configuration files from templates
based on running docker containers. It also obtains SSL certificates for
domains using Let's Encrypt, and can send a signal (such as HUP) to another
container when the template changes.
Out of the box it supports writing a HAProxy configuration file with
appropriate entries for all containers with `com.chameth.*` labels.
This enables automatic reverse proxying to any container with the
Dotege is configured using environment variables:
The folder where certificates will be placed. Defaults to `/data/certs`.
The DNS provider to use. Must be one https://go-acme.github.io/lego/dns/[supported by Lego].
The DNS provider will also be configured using environmental variables, as documented by
the Lego project. Required.
The path to a JSON file to store ACME credentials and certificates. This file will
contain the private keys for all certificates generated by Dotege, so must not
be accessible to other users or processes. Defaults to `/data/config/certs.json`.
The e-mail address to provide to the ACME service for updates, renewal reminders, etc.
The ACME server to request certificates from. Defaults to the Let's Encrypt production
server at https://acme-v02.api.letsencrypt.org/directory. For staging, this can be set
The key type to use for private keys when generating a certificate using ACME. Valid
* `P256` for EC256
* `P384` for EC384
* `2048` for RSA-2048
* `4096` for RSA-4096
* `8192` for RSA-8192
The default value is `P384`.
The name of a container that should be sent a signal when the template or certificates
are changed. No signal is sent if not specified.
The type of signal to send to the `DOTEGE_SIGNAL_CONTAINER`. Defaults to `HUP`.
Location to write the templated configuration file to. Defaults to `/data/output/haproxy.cfg`.
Path to a template to use to generate configuration. Defaults to `./templates/haproxy.cfg.tpl`,
which is a bundled basic template for generating HAProxy configurations.
A space or comma separated list of domains that should use wildcard certificates.
Defaults to an empty list.
=== Docker labels
Dotege operates by parsing labels applied to docker containers. It understands the following:
Specifies the name of an auth group (which must be defined appropriately in the template file)
that users are required to be in to access the container.
The port on which the container is listening for requests.
Comma- or space-delimited list of hostnames that the container will handle requests for.
Certificates will have the first host as the subject, and any additional hosts will be
alternate names. Certificates are only reused if all hostnames match.
== Example compose file
This creates an instance of Dotege, configured to use `httpreq` to perform DNS
operations in order to generate SSL certificates. You can see the list of
supported providers and their required environment variables in the
The haproxy instance has read-only access to the config and certs volumes that
will be populated by Dotege, and Dotege will send it the `USR2` signal whenever
the config or certs change. With the default haproxy image this will cause it
to reload the configuration.
Container names must be resolvable from the haproxy container with the default
template. This means the haproxy container should be on the same network as
the containers it's proxying to. I recommend creating a global 'web' network
(or similar) that all web-facing containers sit in.
Contributions are welcome!
There is a https://pre-commit.com/[pre-commit] to go fmt and run basic checks on
commit; to enable it simply:
pip install pre-commit