Use certbot for Let's Encrypt certificate
diff --git a/.gitignore b/.gitignore
index 6e6928b..7c47734 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
+/certbot/lib/
+/certbot/www/
+/certs/
/environment
/gerrit/environment
/gerrit/cache/
@@ -5,6 +8,7 @@
/gerrit/etc/
/gerrit/git/
/gerrit/index/
+/logs/certbot/
/logs/gerrit/
/logs/nginx/
/logs/simpleid/
diff --git a/TODO.on.site b/TODO.on.site
index 1ac2408..c0b18ac 100644
--- a/TODO.on.site
+++ b/TODO.on.site
@@ -9,3 +9,8 @@
Get containers up:
* `docker-compose up`
+
+When the containers are up run `certbot`:
+* Once `docker-compose -f sa-certbot.yml run new`
+* Every x < 30 days `docker-compose -f sa-certbot.yml run renew`
+* Always reload nginx `docker-compose exec nginx nginx -s reload`
diff --git a/certbot/Dockerfile b/certbot/Dockerfile
new file mode 100644
index 0000000..f64b737
--- /dev/null
+++ b/certbot/Dockerfile
@@ -0,0 +1,6 @@
+FROM certbot/certbot
+
+COPY certbot/Dockerfile.entrypoint /certbot-entrypoint
+RUN chmod 544 /certbot-entrypoint
+
+ENTRYPOINT ["/bin/sh", "/certbot-entrypoint"]
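Review bot: The base image on the first line of the new Dockerfile is untagged, so every build silently resolves to `certbot/certbot:latest` and the `new` service can end up on a different certbot release than the `renew` service, which pulls the same untagged image directly in sa-certbot.yml. Pin one tag in both places, e.g. `FROM certbot/certbot:<PINNED-TAG>` here and the same tag on the `image:` line of the `renew` service, and bump them together. A one-line comment above `RUN chmod 544` explaining why the script is not executable for its owner's group/others but is still run via `/bin/sh` would also help the next reader, since the mode looks deliberate but is unusual.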
diff --git a/certbot/Dockerfile.entrypoint b/certbot/Dockerfile.entrypoint
new file mode 100644
index 0000000..fe971e2
--- /dev/null
+++ b/certbot/Dockerfile.entrypoint
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+{
+ domain=${SA_PUBLIC_DOMAIN_NAME:-miau.local}
+
+ rm -rf /etc/letsencrypt/live/${domain}
+}
+
+exec certbot "$@"
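Review bot: The `rm -rf /etc/letsencrypt/live/${domain}` in the brace group runs unconditionally before every invocation through this entrypoint, so a second `docker-compose -f sa-certbot.yml run new` deletes an already issued Let's Encrypt lineage's live directory, not just the self-signed placeholder the nginx entrypoint copies in. The placeholder files are regular files (they come from `cp`), whereas certbot populates `live/` with symlinks into `archive/` as far as I know, so the removal can be limited to the placeholder case: `if [ ! -L "/etc/letsencrypt/live/${domain}/privkey.pem" ]; then` / `  rm -rf "/etc/letsencrypt/live/${domain}"` / `fi`. Quoting `${domain}` also keeps the path intact if SA_PUBLIC_DOMAIN_NAME ever contains whitespace or glob characters from the environment file.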
diff --git a/docker-compose.yml b/docker-compose.yml
index b700a60..c303417 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,8 +17,10 @@
- simpleidnet
- gerritnet
volumes:
+ - ./certbot/www/:/var/www/certbot/:ro
- ./simpleid/identities/:/var/db/simpleid-templates/:ro
- ./simpleid/www/:/var/www/simpleid/:ro
+ - ./certs/:/etc/nginx/certs/:rw
- ./nginx/sa.conf:/etc/nginx/conf.d/sa.conf.template:ro
- ./nginx/empty.conf:/etc/nginx/conf.d/default.conf:ro
- ./logs/nginx:/var/log/nginx/:rw
diff --git a/nginx/Dockerfile.entrypoint b/nginx/Dockerfile.entrypoint
index 0c2ff96..515301c 100644
--- a/nginx/Dockerfile.entrypoint
+++ b/nginx/Dockerfile.entrypoint
@@ -4,8 +4,17 @@
{
domain=${SA_PUBLIC_DOMAIN_NAME:-miau.local}
+ live=/etc/nginx/certs/live
html=/var/www/html
+ if [ ! -f ${live}/${domain}/privkey.pem ]; then
+ mkdir -p ${live}/${domain}
+ cp /etc/ssl/private/sa-selfsigned.key ${live}/${domain}/privkey.pem
+ cp /etc/ssl/certs/sa-selfsigned.crt ${live}/${domain}/fullchain.pem
+ cp /etc/ssl/certs/sa-selfsigned.crt ${live}/${domain}/chain.pem
+ cp /etc/ssl/certs/sa-selfsigned.crt ${live}/${domain}/cert.pem
+ fi
+
rm -rf ${html}
cp -a /var/www/simpleid ${html}
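Review bot: The fallback guard on the `if [ ! -f ${live}/${domain}/privkey.pem ]` line checks only the key, but the branch writes four files and the nginx config later references fullchain.pem too, so a lineage where privkey.pem survives and fullchain.pem is missing (a half-removed directory, or a dangling symlink that `-f` reports as absent) leaves nginx pointing at a file that does not exist. Testing both files that nginx actually loads, `if [ ! -f "${live}/${domain}/privkey.pem" ] || [ ! -f "${live}/${domain}/fullchain.pem" ]; then`, keeps the placeholder behaviour for every incomplete state. The brace group that contains this code closes outside the hunk.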
@@ -22,6 +31,6 @@
chown -R nginx:nginx /var/www/html/
-chmod -R a-w /etc/nginx/conf.d/sa.conf /var/www/html/
+chmod -R a-w /etc/nginx/certs/ /etc/nginx/conf.d/sa.conf /var/www/html/
exec /docker-entrypoint.sh "$@"
diff --git a/nginx/sa.conf b/nginx/sa.conf
index 2bef474..6d2105f 100644
--- a/nginx/sa.conf
+++ b/nginx/sa.conf
@@ -2,7 +2,13 @@
listen 80;
listen [::]:80;
- return 301 https://$host$request_uri;
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
server {
@@ -26,8 +32,8 @@
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
- ssl_certificate /etc/ssl/certs/sa-selfsigned.crt;
- ssl_certificate_key /etc/ssl/private/sa-selfsigned.key;
+ ssl_certificate /etc/nginx/certs/live/miau.local/fullchain.pem;
+ ssl_certificate_key /etc/nginx/certs/live/miau.local/privkey.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/dhparam.pem;
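Review bot: The two new `ssl_certificate` lines hard-code `live/miau.local/`, while the nginx entrypoint creates the placeholder under `${live}/${domain}` with `domain=${SA_PUBLIC_DOMAIN_NAME:-miau.local}` and certbot issues into the same volume under the configured domain, so any deployment where SA_PUBLIC_DOMAIN_NAME is not `miau.local` points nginx at a directory that never exists. The file is mounted as `sa.conf.template` and the entrypoint later references the rendered `sa.conf`, so presumably a substitution step runs on it; if SA_PUBLIC_DOMAIN_NAME is exposed to that step, `ssl_certificate /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/fullchain.pem;` and `ssl_certificate_key /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/privkey.pem;` keep the config and the entrypoint in agreement. If it is not, a comment on these lines stating that the directory name must match SA_PUBLIC_DOMAIN_NAME is the minimum.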
diff --git a/sa-certbot.yml b/sa-certbot.yml
new file mode 100644
index 0000000..86052a6
--- /dev/null
+++ b/sa-certbot.yml
@@ -0,0 +1,19 @@
+version: "3"
+name: sourcearcade-certbot
+services:
+ new:
+ build:
+ context: .
+ dockerfile: ./certbot/Dockerfile
+ env_file: environment
+ volumes: &cb-volumes
+ - ./certs/:/etc/letsencrypt/:rw
+ - ./certbot/www/:/var/www/certbot/:rw
+ - ./certbot/lib/:/var/lib/letsencrypt/:rw
+ - ./logs/certbot/:/var/log/letsencrypt/:rw
+ command: certonly -n --agree-tos -m nico.h@gmx.de --webroot --webroot-path /var/www/certbot
+ -d "${SA_PUBLIC_DOMAIN_NAME},id.${SA_PUBLIC_DOMAIN_NAME},mail.${SA_PUBLIC_DOMAIN_NAME},review.${SA_PUBLIC_DOMAIN_NAME}"
+ renew:
+ image: certbot/certbot
+ volumes: *cb-volumes
+ command: renew -n --agree-tos
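Review bot: The `renew` service pulls an untagged `certbot/certbot` while `new` builds from the repo's certbot/Dockerfile, so the two runs are on whatever image tag happens to be current and can drift apart; pin the same explicit tag on this `image:` line and in the Dockerfile's `FROM`. Keeping `renew` on the plain image rather than the built one looks intentional, because the custom entrypoint would remove the live directory before a renewal, and a one-line comment above `image:` saying so would stop a later cleanup from "fixing" the inconsistency. The registration e-mail is committed in the `command:` of `new` while the domain is read from the ignored `environment` file; sourcing the address the same way keeps personal data out of the repository.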