From 74d0628b007f0c92b39ce71fddefc018b3705cce Mon Sep 17 00:00:00 2001
From: Deon George
Date: Tue, 20 Jun 2023 15:29:44 +1000
Subject: [PATCH] Update lego, restart NGINX if our certs changed by another instance
---
 .gitlab-ci.yml | 2 +-
 Dockerfile | 10 ++++++----
 init-docker | 13 +++++++++++++
 ssl.sh | 24 +++++++++++++++++++++---
 4 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100755 init-docker

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f002037..73a35e4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -19,7 +19,7 @@ services:
 before_script:
 - if [ ! -d docker ]; then mkdir docker; fi
-# sed -ie s'/https/http/' /etc/apk/repositories
+# sed -i -e s'/https/http/' /etc/apk/repositories
 # HTTP_PROXY=http://proxy.dege.lan:3128 apk add git curl
 - docker info
 - docker version
diff --git a/Dockerfile b/Dockerfile
index a7cab77..766bcec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,12 +4,13 @@ FROM nginx:alpine
 # Change to http respositories, so they we can cache the install packages
-RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories; fi
+RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
 RUN apk add --no-cache nginx nginx-mod-mail bash
 # Add acme-lego Certbot
-RUN curl -sL https://github.com/go-acme/lego/releases/download/v4.6.0/lego_v4.6.0_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
+ENV LEGOVER=v4.12.3
+RUN curl -sL https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
 # Configuration
 COPY etc/nginx/nginx.conf /etc/nginx
@@ -20,6 +21,7 @@ RUN chmod 444 /etc/nginx/default.d/ssl/* && chmod 400 /etc/nginx/default.d/ssl/d
 # Default SSL cert
 RUN mkdir -p /etc/nginx/conf.d/ssl && ln -s ../../default.d/ssl/default.crt /etc/nginx/conf.d/ssl/mail.crt && ln -s ../../default.d/ssl/default.key /etc/nginx/conf.d/ssl/mail.key
 COPY ssl.sh /usr/sbin/
+COPY init-docker /sbin/
 COPY var/www/maintenance /var/www/maintenance
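Review bot: The new `RUN curl -sL … | tar -C /usr/sbin -xzf -` line installs the lego binary with no integrity check, so the build trusts whatever the release URL returns, and without `-f` a non-200 response body is piped into tar instead of failing curl. Download to a file, verify it against the sha256 published for that release before extracting, and let the build fail on mismatch; since `LEGOVER` is only needed while building, an `ARG` keeps it out of the runtime environment (unless something in the image reads it at runtime, which is not visible here). Separately, the unchanged test `[ -n ${HTTP_PROXY} ]` is unquoted, so with the variable empty it becomes `[ -n ]`, which is true, and the apk repositories are switched to plain http on every build; `if [ -n "${HTTP_PROXY}" ]` restores the intended condition.
```dockerfile
# … unchanged: repository switch and apk install …
# Add acme-lego Certbot
ARG LEGOVER=v4.12.3
# sha256 of lego_${LEGOVER}_linux_amd64.tar.gz, taken from the release's published checksums (placeholder below)
ARG LEGO_SHA256=<sha256-from-release-page>
RUN curl -fsSL -o /tmp/lego.tar.gz "https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz" \
 && echo "${LEGO_SHA256}  /tmp/lego.tar.gz" | sha256sum -c - \
 && tar -C /usr/sbin -xzf /tmp/lego.tar.gz \
 && rm -f /tmp/lego.tar.gz
# … unchanged: configuration copies …
```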
@@ -27,6 +29,6 @@ COPY var/www/maintenance /var/www/maintenance
 #VOLUME [ "/etc/nginx/conf.d", "/etc/nginx/default.d", "/etc/nginx/include.d" ]
 # Starting
-LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
-ENTRYPOINT [ "/usr/sbin/nginx","-g","daemon off;" ]
 EXPOSE 80 443 25 110 143
+LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
+ENTRYPOINT [ "/sbin/init-docker" ]
diff --git a/init-docker b/init-docker
new file mode 100755
index 0000000..3dcac24
--- /dev/null
+++ b/init-docker
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TMPDIR=/tmp
+LEGODIR=/etc/nginx/conf.d/ssl/lego
+
+# Create our MD5 of our certifcates in /tmp
+for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
+ OUTPUT=$(basename ${cert})
+ echo "- Creating MD5 of [${cert}] in [${TMPDIR}/${OUTPUT}]"
+ cat ${cert} | md5sum > ${TMPDIR}/${OUTPUT}.md5
+done
+
+exec /usr/sbin/nginx -g "daemon off;"
diff --git a/ssl.sh b/ssl.sh
index b8d03b7..0acde89 100755
--- a/ssl.sh
+++ b/ssl.sh
@@ -1,10 +1,13 @@
 #!/bin/bash
+TMPDIR=/tmp
+
 if [ "$1" == "certbot" ]; then
 certbot renew -q --config-dir /etc/nginx/conf.d/ssl/letsencrypt/ --renew-hook "/usr/sbin/nginx -s reload"
 elif [ "$1" == "lego" ]; then
 CERTDIR=/etc/nginx/conf.d
+ LEGODIR=${CERTDIR}/ssl/lego
 CERTFILE=${CERTDIR}/lego-cert.ssl
 RELOAD="/tmp/nginx.reload"
 TLS_PORT=444
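Review bot: The MD5 baseline files in `init-docker` are written under predictable names into `/tmp`, a world-writable directory that the nginx workers this script then execs presumably share, and `ssl.sh` hard-codes the same `TMPDIR=/tmp` separately, so the two scripts have to be kept in sync by hand. A directory created by this root-run script, e.g. `TMPDIR=/run/lego-state` followed by `mkdir -p "${TMPDIR}"`, keeps the baseline out of reach of unprivileged processes; ssl.sh would need the same value. The `for cert in $(lego --path ${LEGODIR} list | grep … | awk …)` loop word-splits the command output, so a path containing whitespace, or a change in lego's `list` output format, silently produces no baseline; the paths under `${LEGODIR}` presumably contain no spaces, but quoting `"${cert}"` in the body costs nothing, and `md5sum < "${cert}"` yields the same `<hash>  -` line as the `cat | md5sum` pipe. The comment typo `certifcates` could read `# Record the MD5 of each lego certificate so ssl.sh can detect changes made by another instance`.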
@@ -47,14 +50,29 @@ elif [ "$1" == "lego" ]; then
 fi
 if [ "$2" == "renew" ]; then
- lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch $RELOAD"
+ lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch ${RELOAD}"
+ elif [ "$2" == "run" ]; then
+ lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch ${RELOAD}"
 else
- lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch $RELOAD"
+ echo "! ERROR: Not doing anything?" && exit 1
+ fi
+ done
+
+ # Checkour MD5s and reload if required
+ for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
+ OUTPUT=$(basename ${cert})
+ SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)
+ TGT=$(cat ${cert} | md5sum)
+
+ echo "- Comparing MD5 of SRC [${SRC}] with [${TGT}]"
+ if [ "${SRC}" != "${TGT}" ]; then
+ touch ${RELOAD}
+ echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5
 fi
 done
 if [ -r ${RELOAD} ]; then
- echo "Reloading NGINX"
+ echo "* Reloading NGINX"
 /usr/sbin/nginx -s reload
 rm -f ${RELOAD}
 fi
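Review bot: `echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5` writes the unquoted expansion, which collapses the two spaces in md5sum's `<hash>  -` output to one, so once a change has been recorded the stored value never equals the next `$(cat ${cert} | md5sum)` and every later run re-touches `${RELOAD}` and reloads NGINX until the container restarts and init-docker rewrites the baseline; `echo "${TGT}" > "${TMPDIR}/${OUTPUT}.md5"` keeps the two formats identical. The same quoting applies to `SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)`, which also prints a cat error for a certificate that has no baseline yet (one issued after start-up), where `2>/dev/null` would make the resulting first-time reload quiet and intentional. The new `LEGODIR` is used by the list loop, but the `renew` and `run` commands still spell out `--path ${CERTDIR}/ssl/lego`; using `${LEGODIR}` in all three keeps a single definition. The typo in `# Checkour MD5s and reload if required` could read `# Compare each certificate against the MD5 recorded at start-up and reload if any changed`. The `elif` branch this sits in, and the loop that the added `done` closes, begin outside the hunk.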