Update lego; restart NGINX if our certs were changed by another instance
This commit is contained in:
parent
ce2aeb3585
commit
74d0628b00
@ -19,7 +19,7 @@ services:
|
||||
|
||||
before_script:
|
||||
- if [ ! -d docker ]; then mkdir docker; fi
|
||||
# sed -ie s'/https/http/' /etc/apk/repositories
|
||||
# sed -i -e s'/https/http/' /etc/apk/repositories
|
||||
# HTTP_PROXY=http://proxy.dege.lan:3128 apk add git curl
|
||||
- docker info
|
||||
- docker version
|
||||
|
10
Dockerfile
10
Dockerfile
@ -4,12 +4,13 @@
|
||||
FROM nginx:alpine
|
||||
|
||||
# Change to http respositories, so they we can cache the install packages
|
||||
RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories; fi
|
||||
RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi
|
||||
|
||||
RUN apk add --no-cache nginx nginx-mod-mail bash
|
||||
|
||||
# Add acme-lego Certbot
|
||||
RUN curl -sL https://github.com/go-acme/lego/releases/download/v4.6.0/lego_v4.6.0_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
|
||||
ENV LEGOVER=v4.12.3
|
||||
RUN curl -sL https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -
|
||||
|
||||
# Configuration
|
||||
COPY etc/nginx/nginx.conf /etc/nginx
|
||||
@ -20,6 +21,7 @@ RUN chmod 444 /etc/nginx/default.d/ssl/* && chmod 400 /etc/nginx/default.d/ssl/d
|
||||
# Default SSL cert
|
||||
RUN mkdir -p /etc/nginx/conf.d/ssl && ln -s ../../default.d/ssl/default.crt /etc/nginx/conf.d/ssl/mail.crt && ln -s ../../default.d/ssl/default.key /etc/nginx/conf.d/ssl/mail.key
|
||||
COPY ssl.sh /usr/sbin/
|
||||
COPY init-docker /sbin/
|
||||
|
||||
COPY var/www/maintenance /var/www/maintenance
|
||||
|
||||
@ -27,6 +29,6 @@ COPY var/www/maintenance /var/www/maintenance
|
||||
#VOLUME [ "/etc/nginx/conf.d", "/etc/nginx/default.d", "/etc/nginx/include.d" ]
|
||||
|
||||
# Starting
|
||||
LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
|
||||
ENTRYPOINT [ "/usr/sbin/nginx","-g","daemon off;" ]
|
||||
EXPOSE 80 443 25 110 143
|
||||
LABEL cron.container.weekly root#/usr/sbin/ssl.sh lego renew
|
||||
ENTRYPOINT [ "/sbin/init-docker" ]
|
||||
|
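Review bot: The proxy test on the new line `RUN if [ -n ${HTTP_PROXY} ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi` still leaves `${HTTP_PROXY}` unquoted, so with the variable unset the test collapses to `[ -n ]`, which is true, and the repositories file is rewritten to plain http on every build rather than only behind a proxy; quote it, `RUN if [ -n "${HTTP_PROXY}" ] ; then sed -i -e s'/https/http/' /etc/apk/repositories; fi`. In the same hunk, `RUN curl -sL https://github.com/go-acme/lego/releases/download/${LEGOVER}/lego_${LEGOVER}_linux_amd64.tar.gz | tar -C /usr/sbin -xzf -` installs the binary that will hold the ACME account key and issued certificates with no integrity check and without `curl -f`, so an error body or a substituted archive is extracted as-is; pin a digest (`ADD --checksum=sha256:<DIGEST_PLACEHOLDER> …` or a `sha256sum -c` step before the tar). Since the version is only needed at build time, `ARG LEGOVER=v4.12.3` rather than `ENV` would keep it out of the runtime environment of every container.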
13
init-docker
Executable file
13
init-docker
Executable file
@ -0,0 +1,13 @@
|
||||
#!/bin/sh
|
||||
|
||||
TMPDIR=/tmp
|
||||
LEGODIR=/etc/nginx/conf.d/ssl/lego
|
||||
|
||||
# Create our MD5 of our certifcates in /tmp
|
||||
for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
|
||||
OUTPUT=$(basename ${cert})
|
||||
echo "- Creating MD5 of [${cert}] in [${TMPDIR}/${OUTPUT}]"
|
||||
cat ${cert} | md5sum > ${TMPDIR}/${OUTPUT}.md5
|
||||
done
|
||||
|
||||
exec /usr/sbin/nginx -g "daemon off;"
|
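Review bot: The loop `for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}')` and its body (`cat ${cert} | md5sum > ${TMPDIR}/${OUTPUT}.md5`) expand paths unquoted, so a path containing whitespace would be split and the redirect could land in the wrong file; `md5sum < "${cert}" > "${TMPDIR}/${OUTPUT}.md5"` quotes both and drops the needless cat. Lego's listed paths presumably contain only the domain name, so this is hardening rather than an observed failure. The baseline is stored in md5sum's stdin form, `<hash>  -` with two spaces, and ssl.sh compares it verbatim, so a comment recording that contract would help the next editor: `# Format is md5sum's "<hash>  -"; ssl.sh compares this string verbatim`. The script does not `set -e`, which looks deliberate so that nginx still starts when no certificates exist yet; a one-line comment saying so would make that intent explicit.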
24
ssl.sh
24
ssl.sh
@ -1,10 +1,13 @@
|
||||
#!/bin/bash
|
||||
|
||||
TMPDIR=/tmp
|
||||
|
||||
if [ "$1" == "certbot" ]; then
|
||||
certbot renew -q --config-dir /etc/nginx/conf.d/ssl/letsencrypt/ --renew-hook "/usr/sbin/nginx -s reload"
|
||||
|
||||
elif [ "$1" == "lego" ]; then
|
||||
CERTDIR=/etc/nginx/conf.d
|
||||
LEGODIR=${CERTDIR}/ssl/lego
|
||||
CERTFILE=${CERTDIR}/lego-cert.ssl
|
||||
RELOAD="/tmp/nginx.reload"
|
||||
TLS_PORT=444
|
||||
@ -47,14 +50,29 @@ elif [ "$1" == "lego" ]; then
|
||||
fi
|
||||
|
||||
if [ "$2" == "renew" ]; then
|
||||
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch $RELOAD"
|
||||
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego renew --renew-hook="touch ${RELOAD}"
|
||||
elif [ "$2" == "run" ]; then
|
||||
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch ${RELOAD}"
|
||||
else
|
||||
lego ${LEGO_METHOD} --email="${LEGO_ACCOUNT_EMAIL}" ${LEGO_CERT_DOMAIN[@]} --path ${CERTDIR}/ssl/lego run --run-hook="touch $RELOAD"
|
||||
echo "! ERROR: Not doing anything?" && exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Checkour MD5s and reload if required
|
||||
for cert in $(lego --path ${LEGODIR} list |grep Certificate\ Path|awk '{print $3}'); do
|
||||
OUTPUT=$(basename ${cert})
|
||||
SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)
|
||||
TGT=$(cat ${cert} | md5sum)
|
||||
|
||||
echo "- Comparing MD5 of SRC [${SRC}] with [${TGT}]"
|
||||
if [ "${SRC}" != "${TGT}" ]; then
|
||||
touch ${RELOAD}
|
||||
echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -r ${RELOAD} ]; then
|
||||
echo "Reloading NGINX"
|
||||
echo "* Reloading NGINX"
|
||||
/usr/sbin/nginx -s reload
|
||||
rm -f ${RELOAD}
|
||||
fi
|
||||
|
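Review bot: In the new comparison loop, `echo ${TGT} > ${TMPDIR}/${OUTPUT}.md5` writes the hash unquoted, so md5sum's two-space `<hash>  -` output is collapsed to a single space, while the next run's `TGT=$(cat ${cert} | md5sum)` still carries two spaces; after the first detected change every later run sees a mismatch, touches `${RELOAD}` and reloads NGINX although nothing changed. Quote it: `echo "${TGT}" > "${TMPDIR}/${OUTPUT}.md5"`. `SRC=$(cat ${TMPDIR}/${OUTPUT}.md5)` also prints a cat error into the cron output when the baseline file does not exist yet (a certificate issued after the container started), though the empty value then correctly triggers a reload; `SRC=$(cat "${TMPDIR}/${OUTPUT}.md5" 2>/dev/null)` keeps the log clean. The `done` at the top of the hunk closes a loop whose start is outside the hunk.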