Update lego, restart NGINX if our certs changed by another instance
This commit is contained in:
parent
ce2aeb3585
commit
74d0628b00
@ -19,7 +19,7 @@ services:
|
|||||||
|
|
||||||
before_script:
|
before_script:
|
||||||
- if [ ! -d docker ]; then mkdir docker; fi
|
- if [ ! -d docker ]; then mkdir docker; fi
|
||||||
# sed -ie s'/https/http/' /etc/apk/repositories
|
# sed -i -e s'/https/http/' /etc/apk/repositories
|
||||||
# HTTP_PROXY=http://proxy.dege.lan:3128 apk add git curl
|
# HTTP_PROXY=http://proxy.dege.lan:3128 apk add git curl
|
||||||
- docker info
|
- docker info
|
||||||
- docker version
|
- docker version
|
||||||
|
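--- a/Dockerfile
+++ b/Dockerfile
@@ -4,12 +4,13 @@
 FROM nginx:alpine
 
 # Change to http respositories, so they we can cache the install packages
-RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories; fi
+RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
 
 RUN apk add --no-cache nginx nginx-mod-mail bash
 
 # Add acme-lego Certbot
-RUN curl -sL https://github.com/go-acme/lego/releases/download/v4.6.0/lego_v4.6.0_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
+ENV LEGOVER=v4.12.3
+RUN curl -sL https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
 
 # Configuration
 COPY etc/nginx/nginx.conf /etc/nginx
@@ -20,6 +21,7 @@ RUN chmod 444 /etc/nginx/default.d/ssl/* && chmod 400 /etc/nginx/default.d/ssl/d
 # Default SSL cert
 RUN mkdir -p /etc/nginx/conf.d/ssl && ln -s ../../default.d/ssl/default.crt /etc/nginx/conf.d/ssl/mail.crt && ln -s ../../default.d/ssl/default.key /etc/nginx/conf.d/ssl/mail.key
 COPY ssl.sh /usr/sbin/
+COPY init-docker /sbin/
 
 COPY var/www/maintenance /var/www/maintenance
 
@@ -27,6 +29,6 @@ COPY var/www/maintenance /var/www/maintenance
 #VOLUME [ "/etc/nginx/conf.d", "/etc/nginx/default.d", "/etc/nginx/include.d" ]
 
 # Starting
-LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
-ENTRYPOINT [ "/usr/sbin/nginx","-g","daemon off;" ]
 EXPOSE 80 443 25 110 143
+LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
+ENTRYPOINT [ "/sbin/init-docker" ]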
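Review bot: The proxy test on the `RUN if [ -n ${HTTP_PROXY} ]` line is still unquoted, so when HTTP_PROXY is unset the shell sees the one-argument form `[ -n ]`, which is true, and the apk repositories are rewritten to plain http on every build, proxy or not; the commit only touched the sed flags, the line should read `RUN if [ -n "${HTTP_PROXY}" ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi`. In the same hunk the new lego download still pipes `curl -sL` straight into `tar -C /usr/sbin`, so whatever the release URL serves is extracted into the image with no integrity check; downloading to a file, verifying it against the checksum published with the release, and only then extracting would make the pinned LEGOVER mean something. Since LEGOVER is used only during the build, `ARG LEGOVER=v4.12.3` would also keep it out of the runtime environment.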
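--- /dev/null
+++ b/init-docker
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TMPDIR=/tmp
+LEGODIR=/etc/nginx/conf.d/ssl/lego
+
+# Create our MD5 of our certifcates in /tmp
+for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
+OUTPUT=$(basename ${cert})
+echo "- Creating MD5 of [${cert}] in [${TMPDIR}/${OUTPUT}]"
+cat ${cert} | md5sum > ${TMPDIR}/${OUTPUT}.md5
+done
+
+exec /usr/sbin/nginx -g "daemon off;"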
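Review bot: The loop at `for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do` word-splits lego's output and every later expansion is unquoted, and because the script has no `set -u`/`set -e` a failing `lego list` (for instance when ${LEGODIR} does not exist yet on a fresh volume) is silently ignored, so nginx starts with no baseline fingerprints and ssl.sh would then be comparing against files that were never written. Quoting the expansions and dropping the cat keeps the output format ssl.sh expects: `md5sum < "${cert}" > "${TMPDIR}/${OUTPUT}.md5"` yields the same `<hash>  -` text as `cat ${cert} | md5sum`. Adding `set -u` after the shebang would at least surface an unset variable before the `exec`.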
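--- a/ssl.sh
+++ b/ssl.sh
@@ -1,10 +1,13 @@
 #!/bin/bash
 
+TMPDIR=/tmp
+
 if [ "$1" == "certbot" ]; then
 certbot renew -q --config-dir /etc/nginx/conf.d/ssl/letsencrypt/ --renew-hook "/usr/sbin/nginx -s reload"
 
 elif [ "$1" == "lego" ]; then
 CERTDIR=/etc/nginx/conf.d
+LEGODIR=${CERTDIR}/ssl/lego
 CERTFILE=${CERTDIR}/lego-cert.ssl
 RELOAD="/tmp/nginx.reload"
 TLS_PORT=444
@@ -47,14 +50,29 @@ elif [ "$1" == "lego" ]; then
 fi
 
 if [ "$2" == "renew" ]; then
-lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch $RELOAD"
+lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch ${RELOAD}"
+elif [ "$2" == "run" ]; then
+lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch ${RELOAD}"
 else
-lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch $RELOAD"
+echo "! ERROR: Not doing anything?" && exit 1
+fi
+done
+
+# Checkour MD5s and reload if required
+for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
+OUTPUT=$(basename ${cert})
+SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)
+TGT=$(cat ${cert} | md5sum)
+
+echo "- Comparing MD5 of SRC [${SRC}] with [${TGT}]"
+if [ "${SRC}" != "${TGT}" ]; then
+touch ${RELOAD}
+echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5
 fi
 done
 
 if [ -r ${RELOAD} ]; then
-echo "Reloading NGINX"
+echo "* Reloading NGINX"
 /usr/sbin/nginx -s reload
 rm -f ${RELOAD}
 fi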
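Review bot: `echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5` writes the unquoted expansion of md5sum's `<hash>  -` output, which word-splitting collapses to `<hash> -`, while `TGT=$(cat ${cert} | md5sum)` keeps both spaces; once a baseline has been rewritten this way the comparison mismatches on every later weekly run and nginx is reloaded each time even though nothing changed. Quote it: `echo "${TGT}" > "${TMPDIR}/${OUTPUT}.md5"`. A certificate first issued by the new `run` branch has no baseline from init-docker, so the `cat` in `SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)` prints an error to the cron log and the empty SRC forces a reload; that outcome is right but should be deliberate, e.g. `SRC=$(cat "${TMPDIR}/${OUTPUT}.md5" 2>/dev/null)`. The three lego invocations still spell out `--path ${CERTDIR}/ssl/lego` although the first hunk introduces `LEGODIR` for exactly that value. The enclosing `elif [ "$1" == "lego" ]` block and the loop closed by the first `done` begin outside the hunk.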