diff --git a/Dockerfile b/Dockerfile
index 2a1e173..7708fec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,9 +3,11 @@ FROM alpine:latest
 RUN apk add --no-cache nginx python3 py3-virtualenv
 RUN python3 -m venv /venv
-RUN /venv/bin/pip install -U pip certbot certbot-nginx
+RUN /venv/bin/pip install certbot certbot-nginx
+ENV PATH="/venv/bin:$PATH"
+RUN /venv/bin/pip cache purge && /venv/bin/pip uninstall -y pip
 RUN apk del py3-virtualenv && rm -rf /var/cache/apk
-COPY ./entrypoint.sh /
-CMD ["/entrypoint.sh"]
+COPY ./run.sh /
+CMD ["/run.sh"]
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..6c4ecf2
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,12 @@
+services:
+ nginx:
+ image: git.dc09.ru/darkcat09/certbot-nginx:latest
+ build: .
+ restart: unless-stopped
+ volumes:
+ - "./example/letsencrypt:/etc/letsencrypt"
+ - "./example/nginx.conf:/etc/nginx/nginx.conf"
+ - "./example/http.d:/etc/nginx/http.d"
+ ports:
+ - 80:80
+ - 443:443
diff --git a/entrypoint.sh b/entrypoint.sh
deleted file mode 100644
index 3cf3352..0000000
--- a/entrypoint.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/ash
-
-if [ ! -e /etc/letsencrypt ]
-then
- echo "[!!] Certbot directory is not initialized"
- echo "[!!] Either it's the first run or you forgot to add a volume"
-
- # check if stdin (fd 0) is assigned to a tty
- [ ! -t 0 ] && echo "Not a TTY! Exiting" && exit 1
-
- /venv/bin/certbot certonly --nginx
- exit $?
-fi
-
-/usr/sbin/nginx -c /etc/nginx/nginx.conf &
-ngpid=$!
-waitpid=""
-
-ctrlc () {
- kill -QUIT "$ngpid"
- [ -n "$waitpid" ] && kill -INT "$waitpid"
-}
-
-trap ctrlc INT
-trap ctrlc TERM
-
-while true
-do
- /venv/bin/certbot renew --post-hook "kill -HUP $ngpid"
- sleep 12h &
- waitpid=$!
- wait
-done
diff --git a/example/http.d/test1.conf b/example/http.d/test1.conf
new file mode 100644
index 0000000..f0c8386
--- /dev/null
+++ b/example/http.d/test1.conf
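Review bot: `pip cache purge` on the new third `RUN` line cannot shrink the image, because the wheel cache it deletes was written by the `pip install` in the previous layer and stays in that layer; the purge only adds a layer on top. Fold the no-cache flag into the install and pin the packages while you are there, since the install currently floats with every rebuild (as does the unchanged `FROM alpine:latest` context line): `RUN /venv/bin/pip install --no-cache-dir certbot==<ver> certbot-nginx==<ver> && /venv/bin/pip uninstall -y pip`. Uninstalling pip from the runtime image is a sensible surface reduction; the same later-layer problem applies to the unchanged `apk del py3-virtualenv` line. There is still no `USER`, which is presumably deliberate because run.sh binds 80/443 and certbot writes under `/etc/letsencrypt`, but a one-line `# runs as root: nginx master + certbot need it` comment above `CMD` would make that trade-off visible.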
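Review bot: `image: git.dc09.ru/darkcat09/certbot-nginx:latest` pins nothing, so a host that pulls instead of building gets whatever the registry's `latest` is at that moment; either drop `image:` and rely on `build: .`, or tag an immutable version. The `./example/letsencrypt` bind mount is where the ACME account key and `live/<host>/privkey.pem` end up (those are the paths the example vhost reads), so that host directory holds the deployment's long-lived secrets and should be protected like one. Because the container process presumably runs as root (it binds 80/443 and writes `/etc/letsencrypt`), `user:` cannot simply be set here, but `security_opt: ["no-new-privileges:true"]` costs nothing and is worth adding under the `nginx` service.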
@@ -0,0 +1,20 @@
+server {
+ server_name test1.dc09.ru;
+ return 200 "Hello world";
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/test1.dc09.ru/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/test1.dc09.ru/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+ if ($host = test1.dc09.ru) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80;
+ server_name test1.dc09.ru;
+ return 404; # managed by Certbot
+}
diff --git a/example/letsencrypt/.gitignore b/example/letsencrypt/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/example/letsencrypt/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/example/nginx.conf b/example/nginx.conf
new file mode 100644
index 0000000..2eb4602
--- /dev/null
+++ b/example/nginx.conf
@@ -0,0 +1,15 @@
+worker_processes 4;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ access_log off;
+ error_log off;
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ include /etc/nginx/http.d/*;
+}
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..8ab2773
--- /dev/null
+++ b/run.sh
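Review bot: The port-443 server block sends no HSTS header, so every visit that starts from `http://test1.dc09.ru` still crosses the cleartext redirect in the second block before reaching TLS; `options-ssl-nginx.conf` is included but not part of this diff, and as far as I know certbot's stock file sets protocols and ciphers only. For an example meant to be copied, adding `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_certificate` lines, or a comment saying it was left out on purpose, would be worth it. The `return 404;` catch-all on port 80 is fine as written.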
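Review bot: `error_log off;` in the `http` block does not turn error logging off; nginx takes `off` as a file name and writes to a file literally called `off` under its prefix directory. In a container both logs belong on the standard streams, where `docker logs` and host log shipping can see them, and silencing the access log removes the one record you would want during incident response: `access_log /dev/stdout;` and `error_log /dev/stderr warn;`. While here, `server_tokens off;` in the same block hides the nginx version from error pages and the `Server` header, and `worker_processes auto;` avoids hard-coding 4.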
@@ -0,0 +1,48 @@
+#!/bin/ash
+
+/usr/sbin/nginx -c /etc/nginx/nginx.conf &
+ngpid=$!
+waitpid=""
+stopflag=0
+
+ctrlc () {
+ stopflag=1
+ kill -QUIT "$ngpid"
+ [ -n "$waitpid" ] && kill -INT "$waitpid"
+}
+
+trap ctrlc INT
+trap ctrlc TERM
+
+
+if [ ! -e /etc/letsencrypt/live ]
+then
+ echo "[!!] Certbot directory is not initialized"
+ echo "[!!] Either it's the first run or you forgot to add a volume"
+ echo
+ echo "1. Login to shell"
+ echo " > docker compose exec -it nginx ash"
+ echo "2. Either let certbot retrieve certs and automatically edit nginx config"
+ echo " # certbot --nginx"
+ echo " OR just get certs for hosts in your nginx config, edit manually later"
+ echo " # certbot certonly --nginx"
+ echo "3. Restart:"
+ echo " # exit"
+ echo " > docker compose down && docker compose up -d"
+
+ while [ $stopflag = 0 ]
+ do
+ sleep 5m &
+ waitpid=$!
+ wait
+ done
+fi
+
+
+while [ $stopflag = 0 ]
+do
+ /venv/bin/certbot renew --post-hook "kill -HUP $ngpid" &
+ sleep 12h &
+ waitpid=$!
+ wait
+done
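Review bot: A dead nginx is never noticed: neither loop checks `$ngpid`, so if the master exits (bad config, OOM kill) the script keeps sleeping, the post-hook's `kill -HUP $ngpid` fails with nobody watching, and the container stays "running" with nothing listening, which also defeats `restart: unless-stopped` in compose.yml. In the other direction, once `ctrlc` sets `stopflag=1` the final `done` falls through and the script, which is PID 1 under the exec-form `CMD`, exits while nginx is still in its graceful `-QUIT` shutdown, so the runtime kills it mid-drain. Add `kill -0 "$ngpid" 2>/dev/null || exit 1` at the top of both loop bodies and `wait "$ngpid"` after the last `done`. The `certbot renew ... &` in the second loop is now backgrounded, so the bare `wait` also blocks until certbot finishes; that is fine for renewal, but a hung certbot would then delay the next check, which a `timeout` wrapper (present in busybox, I believe) could bound if it ever matters.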