From c93b4bb98bf67676a813e9e8c3ad151f84e0f6a4 Mon Sep 17 00:00:00 2001
From: Lieuwe Leene
Date: Sat, 30 Dec 2023 13:31:49 +0100
Subject: [PATCH] working acme dns setup
---
config/hugo/Dockerfile | 8 +--
config/nginx/Dockerfile | 8 +++
config/nginx/credentials.ini | 1 +
config/nginx/link_certificates.py | 31 ++++++++
docker-compose.yaml | 116 +++++++++++------------------
local.env | 2 -
6 files changed, 84 insertions(+), 82 deletions(-)
create mode 100644 config/nginx/Dockerfile
create mode 100644 config/nginx/credentials.ini
create mode 100644 config/nginx/link_certificates.py
diff --git a/config/hugo/Dockerfile b/config/hugo/Dockerfile
index 91b1d97..461880e 100644
--- a/config/hugo/Dockerfile
+++ b/config/hugo/Dockerfile
@@ -21,10 +21,10 @@ RUN apk add --update git asciidoctor libc6-compat libstdc++ \
 && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify
 RUN apk update && \
- apk add --no-cache openssl && \
- rm -rf /var/cache/apk/*
+ apk add --no-cache openssl && \
+ rm -rf /var/cache/apk/*
-RUN mkdir -p /etc/letsencrypt/live
+WORKDIR /etc/letsencrypt/live
 RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
- openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem
+ openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem
diff --git a/config/nginx/Dockerfile b/config/nginx/Dockerfile
new file mode 100644
index 0000000..4d798b2
--- /dev/null
+++ b/config/nginx/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:3.6
+
+LABEL description="Certbot + nginxproxy soft-linker."
+LABEL maintainer="Lieuwe Leene "
+
+COPY ./link_certificates.py /usr/bin/link_certificates.py
+
+RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live
diff --git a/config/nginx/credentials.ini b/config/nginx/credentials.ini
new file mode 100644
index 0000000..19a556d
--- /dev/null
+++ b/config/nginx/credentials.ini
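Review bot: The `RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem` step right after the new `WORKDIR` line still generates the EC private key during `docker build`, so the key sits in an image layer and is shared by every container started from that image (and by anyone who can pull it). With this commit also dropping the `nginx_certs` mount from `hugo-html`, the key now lives only in the image; if it is meant to be a per-deployment secret, generate it in an entrypoint at container start or mount it, and if it is no longer used, remove the `openssl` install and both `RUN` lines instead of keeping them. `WORKDIR` also changes the working directory of every later instruction and of the container's default process; the absolute paths in this hunk are unaffected, but any later relative path will resolve under `/etc/letsencrypt/live`.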
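Review bot: `RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live` executes the linker during `docker build`, when no certificate volume is mounted; `/etc/letsencrypt/live` does not exist in `python:3.6`, so the script's `RuntimeError` aborts the build, and even if the directory existed the script would take `sys.argv[1]` as the base domain, i.e. it would treat the directory path as a domain name. The script has to run at container start against the mounted volume, `ENTRYPOINT ["python3", "/usr/bin/link_certificates.py"]`, with the base domain and host prefixes supplied via `command:` in compose — nothing in this diff builds or runs this image, so that wiring is still missing. `python:3.6` has been end-of-life since December 2021 and gets no security fixes; the script only imports `os`, `sys` and `shutil`, so `python:3.12-slim` is a drop-in base.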
@@ -0,0 +1 @@
+dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN
diff --git a/config/nginx/link_certificates.py b/config/nginx/link_certificates.py
new file mode 100644
index 0000000..c006948
--- /dev/null
+++ b/config/nginx/link_certificates.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import shutil
+
+cert_dir = "/etc/letsencrypt/live"
+
+def main():
+ if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir):
+ raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.")
+ base_domain = sys.argv[1]
+ key_file = os.path.join(cert_dir, base_domain, "privkey.pem")
+ cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem")
+ for domain in sys.argv[2:]:
+ print(f"linking {domain} in {base_domain}")
+ symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key")
+ if os.path.isfile(symlink):
+ os.remove(symlink)
+ shutil.copy(key_file, symlink)
+ symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt")
+ if os.path.isfile(symlink):
+ os.remove(symlink)
+ shutil.copy(cert_file, symlink)
+
+
+
+if __name__ == "__main__":
+ sys.exit(main())
+
+# eof
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 9eb95f8..0c4ae88 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
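Review bot: `dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN` will almost certainly be read literally: certbot parses the credentials INI itself with no shell or environment expansion, and compose `${VAR}` interpolation applies to `docker-compose.yaml`, not to a bind-mounted file, so the plugin receives the string `$GOOGLE_ACCESS_TOKEN` (unless this particular plugin expands environment variables itself, which nothing in the diff shows). Render the file from the environment at deploy time, e.g. `envsubst < credentials.ini.tmpl > credentials.ini`, or keep the real token in a git-ignored file or Docker secret, and give it mode 0600, since certbot warns on world-readable credential files. Because the file is committed under `config/nginx/`, add it to `.gitignore` before anyone replaces the placeholder with a real token; that token lets its holder pass DNS validation for any name under the zone, i.e. obtain certificates for all of them.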
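Review bot: Despite the `symlink` variable names and the "soft-linker" label, `shutil.copy(key_file, symlink)` and `shutil.copy(cert_file, symlink)` make byte copies of `privkey.pem`/`fullchain.pem`, so every `<host>.<base>.key`/`.crt` goes stale the moment certbot renews and nginx, Gitea and the mail server keep serving the old certificate until the script is re-run; `os.path.isfile` also returns False for a dangling link, so a leftover link would make a later `os.symlink` fail with `FileExistsError`. Relative symlinks to `<base_domain>/privkey.pem` track renewals automatically and resolve in every container that mounts `live` and `archive` side by side, which is what this commit's compose changes set up. `sys.argv[1]` raises `IndexError` with no arguments and `main()` always returns `None` (exit 0); a usage guard at the top, `if len(sys.argv) < 3: sys.exit("usage: link_certificates.py BASE_DOMAIN HOST...")`, is cheap, and the error message misspells "certificate". `main` is entirely inside the hunk.
```python
    for domain in sys.argv[2:]:
        print(f"linking {domain} in {base_domain}")
        for target, suffix in ((key_file, "key"), (cert_file, "crt")):
            link = os.path.join(cert_dir, f"{domain}.{base_domain}.{suffix}")
            # lexists() also catches a dangling link, which isfile() misses
            if os.path.lexists(link):
                os.remove(link)
            # relative link: resolves wherever the volume is mounted and follows renewals
            os.symlink(os.path.relpath(target, cert_dir), link)
```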
@@ -5,16 +5,46 @@ networks: driver: bridge enable_ipv6: false - -x-mail: &defaults +x-mail: + &defaults restart: always env_file: local.env networks: - internalnet services: + + certbot: + <<: *defaults + image: ghcr.io/aaomidi/certbot-dns-google-domains:latest + container_name: certbot + command: > + sh -c "certbot certonly --authenticator dns-google-domains --dns-google-domains-credentials /var/lib/letsencrypt/dns_google_domains_credentials.ini --server https://acme-v02.api.letsencrypt.org/directory --non-interactive --dns-google-domains-zone ${NGINX_HOST} --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST}" + volumes: + - certbot_state:/var/lib/letsencrypt:z + - nginx_archive:/etc/letsencrypt/archive:z + - nginx_certs:/etc/letsencrypt/live:z + - ./config/nginx/credentials.ini:/var/lib/letsencrypt/dns_google_domains_credentials.ini:ro,z + + + ddnsgd: + <<: *defaults + container_name: "ddnsgd" + image: "ghcr.io/dominickbrasileiro/ddnsgd" + environment: + - HOSTNAME=${NGINX_HOST} + - USERNAME=${GDNS_USERNAME} + - PASSWORD=${GDNS_PASSWORD} + - INTERVAL=9000 + healthcheck: + test: /usr/bin/nslookup ${NGINX_HOST} + interval: 30s + retries: 5 + start_period: 2s + timeout: 10s + hugo-html: - networks: + networks: - internalnet container_name: hugo-html build: @@ -23,7 +53,6 @@ services: HUGO_BASE: lieuwe.${NGINX_HOST} volumes: - hugo_data:/public:z - - nginx_certs:/etc/letsencrypt/live:ro,z hugo-site: <<: *defaults @@ -81,8 +110,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver expose: @@ -107,6 +134,7 @@ services: - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key volumes: - gitea_data:/data:z + - nginx_archive:/etc/letsencrypt/archive:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z expose: - "3000" 
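Review bot: `command: > sh -c "certbot certonly ..."` exits as soon as certbot has run, and the `restart: always` inherited from `*defaults` then restarts the container in Docker's restart-backoff loop, re-running `certonly` roughly once a minute indefinitely; that loop is also the only renewal mechanism, and nothing in this commit gates the consumers on a certificate existing, since every `depends_on: acme-companion: condition: service_healthy` is deleted. Make certbot a long-running renewer, e.g. `sh -c 'certbot certonly ...; trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done'` (non-interactive `certonly` is a no-op while the existing certificate is not yet due), and give it `healthcheck: test: test -f /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem` so gitea, mailserver and reverse-proxy can `depends_on` it with `condition: service_healthy` as they did on acme-companion. Mounting `credentials.ini` `ro` is right, but certbot warns unless the host file is mode 0600, and the token in it lets its holder pass DNS validation for any name under the zone, so treat it as a high-value secret.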
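Review bot: `GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key` (the context line above the added mount) names a file that only `link_certificates.py` produces, and nothing in this diff builds or runs that script, so nothing writes Gitea's key at this path once acme-companion is gone. Either add the linker as a compose service that runs before `gitea`, or point Gitea at what certbot writes directly: `GITEA__server__CERT_FILE=/etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem` and `GITEA__server__KEY_FILE=/etc/letsencrypt/live/${NGINX_HOST}/privkey.pem`, which the added read-only `nginx_archive` mount makes resolvable through certbot's relative symlinks. Gitea's `environment:` block starts outside the hunk.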
@@ -115,8 +143,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver @@ -135,8 +161,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver expose: @@ -166,15 +190,13 @@ services: - "587:587" - "993:993" volumes: + - nginx_archive:/etc/letsencrypt/archive:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z - mail_data:/var/mail/:z - mail_state:/var/mail-state/:z - mail_config:/tmp/docker-mailserver/:z cap_add: - NET_ADMIN - depends_on: - acme-companion: - condition: service_healthy reverse-proxy: <<: *defaults @@ -189,7 +211,8 @@ services: - nginx_html:/usr/share/nginx/html:z - nginx_conf:/etc/nginx/conf.d/:z - nginx_dhparam:/etc/nginx/dhparam:z - - nginx_certs:/etc/nginx/certs/:ro,z + - nginx_archive:/etc/nginx/archive/:ro,z + - nginx_certs:/etc/nginx/certs/:z - nginx_vhost:/etc/nginx/vhost.d/:z - mail_html:/var/www/roundcube:z - nextcloud_data:/var/www/nextcloud:z 
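Review bot: `- nginx_certs:/etc/nginx/certs/:z` drops the `ro` that the replaced line had, giving the reverse proxy write access to every private key in the volume, while nothing in the hunk shows nginx needing to write there: the acme-companion that used to write certificates is removed in this commit and the new `nginx_archive` mount on the line above is `ro`. Keep it read-only, `- nginx_certs:/etc/nginx/certs/:ro,z`, matching the `ro` the gitea and mailserver services use for the same volume. A read-only mount does not stop nginx-proxy from noticing new files, so there is no functional reason for `rw` here.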
@@ -201,73 +224,14 @@ services: ddnsgd: condition: service_healthy - acme-companion: - <<: *defaults - image: nginxproxy/acme-companion:2.2.3 - container_name: nginx-proxy-acme - environment: - - DEFAULT_EMAIL=admin@${NGINX_HOST} - volumes_from: - - reverse-proxy - volumes: - - acme-state:/etc/acme.sh - - nginx_certs:/etc/nginx/certs:rw,z - - /var/run/docker.sock:/var/run/docker.sock:ro,z - depends_on: - - ddnsgd - healthcheck: - test: test -f /etc/nginx/certs/lieuwe.${NGINX_HOST}.key - interval: 60s - retries: 5 - start_period: 5s - timeout: 10s - depends_on: - ddnsgd: - condition: service_healthy - - ddnsgd: - <<: *defaults - container_name: "ddnsgd" - image: "ghcr.io/dominickbrasileiro/ddnsgd" - environment: - - HOSTNAME=${NGINX_HOST} - - USERNAME=${GDNS_USERNAME} - - PASSWORD=${GDNS_PASSWORD} - - INTERVAL=9000 - healthcheck: - test: /usr/bin/nslookup ${NGINX_HOST} - interval: 30s - retries: 5 - start_period: 2s - timeout: 10s - - autodiscover: - <<: *defaults - image: monogramm/autodiscover-email-settings:latest - container_name: autodiscover - environment: - - VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST} - - VIRTUAL_PORT=8000 - - LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST} - - DOMAIN=${NGINX_HOST} - - IMAP_HOST=mail.${NGINX_HOST} - - IMAP_PORT=1993 - - IMAP_SOCKET=SSL - - SMTP_HOST=mail.${NGINX_HOST} - - SMTP_PORT=587 - - SMTP_SOCKET=STARTTLS - expose: - - "8000" - depends_on: - acme-companion: - condition: service_healthy volumes: - acme-state: + certbot_state: + nginx_archive: + nginx_certs: gitea_data: hugo_data: nextcloud_data: - nginx_certs: nginx_dhparam: nginx_html: nginx_conf: diff --git a/local.env b/local.env index 90ae5c1..911ca3f 100644 --- a/local.env +++ b/local.env @@ -1,5 +1,3 @@ -DEBUG=1 -# LETSENCRYPT_TEST=true ## Docker Env PERMIT_DOCKER=network
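Review bot: The `autodiscover` service is deleted here, but the certbot command added earlier in this file still requests `-d autodiscover.${NGINX_HOST}`, so a hostname nothing serves is validated and published in the certificate (and in CT logs) on every issuance; drop it from the `-d` list or keep the service. Removing the `/var/run/docker.sock` mount together with acme-companion is a genuine attack-surface reduction and worth noting in the commit message. The `acme-state` volume is no longer declared, but Docker does not delete existing named volumes, so the old ACME account key and certificates remain on the host until `docker volume rm` is run.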