-rw-r--r-- | docker/auto-certbot/Dockerfile | 10 | ||||
-rwxr-xr-x | docker/auto-certbot/daemon.bash | 31 | ||||
-rw-r--r-- | template/docker-compose.yaml.template | 4 |
3 files changed, 35 insertions, 10 deletions
diff --git a/docker/auto-certbot/Dockerfile b/docker/auto-certbot/Dockerfile
index 53ab077..e37057b 100644
--- a/docker/auto-certbot/Dockerfile
+++ b/docker/auto-certbot/Dockerfile
@@ -1,8 +1,14 @@
 FROM certbot/certbot:latest
 ARG CRUPEST_DOMAIN
-ARG CRUPEST_CERTBOT_RENEW_COMMAND=""
+ARG CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES=""
+ARG CRUPEST_AUTO_CERTBOT_POST_HOOK=""
+ARG CRUPEST_AUTO_CERTBOT_RENEW_COMMAND=""
 # install bash
-RUN apk add --no-cache bash
+ENV CRUPEST_DOMAIN=${CRUPEST_DOMAIN}
+ENV CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES=${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES}
+ENV CRUPEST_AUTO_CERTBOT_POST_HOOK=${CRUPEST_AUTO_CERTBOT_POST_HOOK}
+ENV CRUPEST_AUTO_CERTBOT_RENEW_COMMAND=${CRUPEST_AUTO_CERTBOT_RENEW_COMMAND}
+RUN apk add --no-cache bash ${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES}
 COPY daemon.bash /daemon.bash
 VOLUME ["/var/www/certbot", "/etc/letsencrypt", "/var/lib/letsencrypt"]
 ENTRYPOINT [ "/daemon.bash" ]
diff --git a/docker/auto-certbot/daemon.bash b/docker/auto-certbot/daemon.bash
index de21ba8..10b2a25 100755
--- a/docker/auto-certbot/daemon.bash
+++ b/docker/auto-certbot/daemon.bash
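Review bot: `ENV CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES=${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES}` exports a build-only value into the runtime environment; the variable is consumed only by the `RUN apk add` line below it and none of the visible daemon.bash hunks read it, so that ENV line can be dropped. The same ARG-to-ENV passthrough for the post hook and the renew command bakes host-specific commands into the image, so changing the hook needs a rebuild rather than a compose `environment:` edit; if that is intentional a comment saying so would save the next maintainer a rebuild. The unquoted `${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES}` in the RUN line relies on word-splitting to pass several packages, which deserves a note such as `# unquoted on purpose: space-separated package list, taken verbatim from the build arg`. Because that value lands in the RUN shell unescaped, the build arg must only ever come from the trusted compose file.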
@@ -1,18 +1,23 @@
 #!/usr/bin/env bash
+set -e
+
 # Check I'm root.
 if [[ $EUID -ne 0 ]]; then
 echo "This script must be run as root" 1>&2
 exit 1
 fi
-# Check CRUPEST_CERTBOT_RENEW_COMMAND is defined.
-if [ -z "$CRUPEST_CERTBOT_RENEW_COMMAND" ]; then
- echo "CRUPEST_CERTBOT_RENEW_COMMAND is not defined or empty"
- CRUPEST_CERTBOT_RENEW_COMMAND="certbot renew --webroot -w /var/www/certbot"
- printf "Will use:\n%s\n" "$CRUPEST_CERTBOT_RENEW_COMMAND"
+# Check certbot version.
+certbot --version
+
+# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined.
+if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
+ echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty"
+ CRUPEST_AUTO_CERTBOT_RENEW_COMMAND="certbot renew --webroot -w /var/www/certbot"
+ printf "Will use:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
 else
- printf "CRUPEST_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_CERTBOT_RENEW_COMMAND"
+ printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
 fi
 # Check CRUPEST_CERT_PATH, default to /etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem
@@ -20,6 +25,12 @@ if [ -z "$CRUPEST_CERT_PATH" ]; then
 CRUPEST_CERT_PATH="/etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem"
 fi
+# Check CRUPEST_CERT_PATH exists.
+if [ ! -f "$CRUPEST_CERT_PATH" ]; then
+ echo "Cert file does not exist"
+ exit 1
+fi
+
 function check_and_renew_cert {
 expire_info=$(openssl x509 -enddate -noout -in "$CRUPEST_CERT_PATH")
@@ -48,8 +59,12 @@ function check_and_renew_cert {
 else
 # No, renew now.
 echo "Renewing now..."
- # Run CRUPEST_CERTBOT_RENEW_COMMAND
- $CRUPEST_CERTBOT_RENEW_COMMAND
+ # Run CRUPEST_AUTO_CERTBOT_RENEW_COMMAND
+ if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then
+ $CRUPEST_AUTO_CERTBOT_RENEW_COMMAND --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK"
+ else
+ $CRUPEST_AUTO_CERTBOT_RENEW_COMMAND
+ fi
 fi
 }
diff --git a/template/docker-compose.yaml.template b/template/docker-compose.yaml.template
index 058a60c..57a9b5c 100644
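Review bot: The new existence check at `echo "Cert file does not exist"` prints to stdout and omits the path, unlike the root check a few lines up, which sends its message to stderr with `1>&2`; `echo "Cert file $CRUPEST_CERT_PATH does not exist" 1>&2` keeps the two consistent and makes an empty CRUPEST_DOMAIN (which yields `/etc/letsencrypt/live//fullchain.pem` from the default above) obvious in the logs. Note also that a container started before the first certificate has been issued now exits 1 immediately, and with the `restart: on-failure:3` policy in the compose template it stops retrying after three attempts; that is fine if initial issuance happens elsewhere, but a comment stating that assumption next to the check would help.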
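Review bot: With `set -e` now at the top of the script, a non-zero exit from `$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND` in either branch (a transient ACME or network error, a rate limit, or a failing post hook) aborts the whole daemon from inside check_and_renew_cert instead of being retried on the next check, whereas before this change the failure was only logged; the function's caller is outside the hunk, so whether it runs in a loop is inferred. Guard the call so one failed attempt does not kill the daemon, e.g. `$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK" || echo "certbot renew failed, will retry on next check" 1>&2`, and the same for the else branch. The hook string is passed to certbot as a single argument and, as far as I know, certbot executes hook strings through a shell, so whatever CRUPEST_AUTO_CERTBOT_POST_HOOK holds runs as root in this container; a comment such as `# POST_HOOK is executed by certbot as a shell command as root; it must only come from the image's build args` documents that trust boundary.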
--- a/template/docker-compose.yaml.template
+++ b/template/docker-compose.yaml.template
@@ -83,6 +83,8 @@ services:
 pull: true
 args:
 - CRUPEST_DOMAIN=$CRUPEST_DOMAIN
+ - CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES="docker"
+ - CRUPEST_AUTO_CERTBOT_POST_HOOK="docker restart nginx"
 tags:
 - "crupest/auto-certbot:latest"
 container_name: auto-certbot
@@ -90,6 +92,8 @@ services:
 - "./data/certbot/certs:/etc/letsencrypt"
 - "./data/certbot/data:/var/lib/letsencrypt"
 - "./data/certbot/webroot:/var/www/certbot"
+ # map docker socket to allow auto-certbot to restart nginx
+ - "/var/run/docker.sock:/var/run/docker.sock"
 restart: on-failure:3
 networks:
 - internal
|
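Review bot: Bind-mounting `/var/run/docker.sock` into a container that runs as root (daemon.bash refuses to start otherwise) hands that container control of the host's Docker daemon, which is equivalent to host root: anyone who gets code execution in the certbot container can start a privileged container or mount the host filesystem. Restarting nginx needs far less than that, so consider a socket proxy that only permits the container-restart call, or have the nginx container reload on certificate change without any socket at all, and at minimum change the comment to say `# host-root-equivalent: the docker socket lets this container control every container on the host`. Separately, `CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES="docker"` installs Alpine's full `docker` package (engine and dependencies) into the image when the hook only needs the client; `docker-cli` is the CLI-only package. In this list form the literal double quotes in both `- KEY="value"` entries become part of the build-arg value; `apk add "docker"` tolerates that because RUN goes through a shell, but it is worth verifying the post-hook value does not reach the container with embedded quotes.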