Update lego, restart NGINX if our certs changed by another instance

This commit is contained in:
Deon George 2023-06-20 15:29:44 +10:00
parent ce2aeb3585
commit 74d0628b00
4 changed files with 41 additions and 8 deletions


@ -19,7 +19,7 @@ services:
before_script:
- if [ ! -d docker ]; then mkdir docker; fi
# sed -ie s'/https/http/' /etc/apk/repositories
# sed -i -e s'/https/http/' /etc/apk/repositories
# HTTP_PROXY=http://proxy.dege.lan:3128 apk add git curl
- docker info
- docker version


@ -4,12 +4,13 @@
FROM nginx:alpine
# Change to http respositories, so they we can cache the install packages
RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories; fi
RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
RUN apk add --no-cache nginx nginx-mod-mail bash
# Add acme-lego Certbot
RUN curl -sL https://github.com/go-acme/lego/releases/download/v4.6.0/lego_v4.6.0_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
ENV LEGOVER=v4.12.3
RUN curl -sL https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
# Configuration
COPY etc/nginx/nginx.conf /etc/nginx
@ -20,6 +21,7 @@ RUN chmod 444 /etc/nginx/default.d/ssl/* && chmod 400 /etc/nginx/default.d/ssl/d
# Default SSL cert
RUN mkdir -p /etc/nginx/conf.d/ssl && ln -s ../../default.d/ssl/default.crt /etc/nginx/conf.d/ssl/mail.crt && ln -s ../../default.d/ssl/default.key /etc/nginx/conf.d/ssl/mail.key
COPY ssl.sh /usr/sbin/
COPY init-docker /sbin/
COPY var/www/maintenance /var/www/maintenance
@ -27,6 +29,6 @@ COPY var/www/maintenance /var/www/maintenance
#VOLUME [ "/etc/nginx/conf.d", "/etc/nginx/default.d", "/etc/nginx/include.d" ]
# Starting
LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
ENTRYPOINT [ "/usr/sbin/nginx","-g","daemon off;" ]
EXPOSE 80 443 25 110 143
LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
ENTRYPOINT [ "/sbin/init-docker" ]
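Review bot: The lego tarball fetched on the `RUN curl -sL … | tar` line is now version-pinned through `LEGOVER` but still unverified: nothing checks a checksum or signature before the binary lands in /usr/sbin, and without `-f` a non-200 response body is piped straight into tar. I would download to a file and compare against the upstream sha256 before extracting, or with BuildKit use `ADD --checksum=sha256:<upstream digest> https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz /tmp/lego.tgz` and extract from that; since the version only matters at build time, `ARG LEGOVER=v4.12.3` would also keep it out of the runtime environment. Separately, `[ -n ${HTTP_PROXY} ]` is unquoted, so when the variable is unset the test collapses to `[ -n ]`, which is true, and the apk repositories are rewritten to plain http unconditionally; `[ -n "${HTTP_PROXY}" ]` is the intended check.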

13
init-docker Executable file

@ -0,0 +1,13 @@
#!/bin/sh
TMPDIR=/tmp
LEGODIR=/etc/nginx/conf.d/ssl/lego
# Create our MD5 of our certifcates in /tmp
for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
OUTPUT=$(basename ${cert})
echo "- Creating MD5 of [${cert}] in [${TMPDIR}/${OUTPUT}]"
cat ${cert} | md5sum > ${TMPDIR}/${OUTPUT}.md5
done
exec /usr/sbin/nginx -g "daemon off;"
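Review bot: The `lego --path ${LEGODIR} list | grep Certificate\ Path | awk '{print $3}'` pipeline depends on lego's human-readable output format, and this commit jumps from v4.6.0 to v4.12.3, so that dependency is worth stating in the script, e.g. `# relies on "lego list" printing one "Certificate Path: <file>" line per cert; re-check after a lego upgrade`. If the label or column position changes in a future release the loop would presumably just snapshot nothing, which is hard to notice from the log line alone. Quoting the path (`md5sum < "${cert}"`) avoids word-splitting should a path ever contain whitespace, and a comment that the stored value is md5sum's full `<hash>  -` line, which ssl.sh compares verbatim, would help keep the two scripts in sync.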

24
ssl.sh

@ -1,10 +1,13 @@
#!/bin/bash
TMPDIR=/tmp
if [ "$1" == "certbot" ]; then
certbot renew -q --config-dir /etc/nginx/conf.d/ssl/letsencrypt/ --renew-hook "/usr/sbin/nginx -s reload"
elif [ "$1" == "lego" ]; then
CERTDIR=/etc/nginx/conf.d
LEGODIR=${CERTDIR}/ssl/lego
CERTFILE=${CERTDIR}/lego-cert.ssl
RELOAD="/tmp/nginx.reload"
TLS_PORT=444
@ -47,14 +50,29 @@ elif [ "$1" == "lego" ]; then
fi
if [ "$2" == "renew" ]; then
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch $RELOAD"
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch ${RELOAD}"
elif [ "$2" == "run" ]; then
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch ${RELOAD}"
else
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch $RELOAD"
echo "! ERROR: Not doing anything?" && exit 1
fi
done
# Checkour MD5s and reload if required
for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
OUTPUT=$(basename ${cert})
SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)
TGT=$(cat ${cert} | md5sum)
echo "- Comparing MD5 of SRC [${SRC}] with [${TGT}]"
if [ "${SRC}" != "${TGT}" ]; then
touch ${RELOAD}
echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5
fi
done
if [ -r ${RELOAD} ]; then
echo "Reloading NGINX"
echo "* Reloading NGINX"
/usr/sbin/nginx -s reload
rm -f ${RELOAD}
fi
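Review bot: `echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5` writes the hash unquoted, so the two spaces in md5sum's `<hash>  -` output are collapsed to one, while `TGT` on the next run still contains two; after the first detected change every subsequent weekly run will see a mismatch, reload NGINX and rewrite the file again. Quote it, `echo "${TGT}" > "${TMPDIR}/${OUTPUT}.md5"`, or store only the hash field on both sides (`md5sum < "${cert}" | cut -d' ' -f1`), which would need the matching change in init-docker. When a certificate appears that init-docker did not snapshot, the `cat` of the missing .md5 file prints an error to stderr but the empty `SRC` still triggers the reload, which looks intended; `2>/dev/null` on that `cat` would keep the cron output clean. The `for … done` loop and the `elif [ "$1" == "lego" ]` branch enclosing this hunk both begin before it.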