working acme dns setup

This commit is contained in:
Lieuwe Leene 2023-12-30 13:31:49 +01:00
parent e4d42e7f6f
commit c93b4bb98b
6 changed files with 84 additions and 82 deletions

View File

@ -21,10 +21,10 @@ RUN apk add --update git asciidoctor libc6-compat libstdc++ \
&& /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify
RUN apk update && \ RUN apk update && \
apk add --no-cache openssl && \ apk add --no-cache openssl && \
rm -rf /var/cache/apk/* rm -rf /var/cache/apk/*
RUN mkdir -p /etc/letsencrypt/live WORKDIR /etc/letsencrypt/live
RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \ RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem

8
config/nginx/Dockerfile Normal file
View File

@ -0,0 +1,8 @@
FROM python:3.6
LABEL description="Certbot + nginxproxy soft-linker."
LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
COPY ./link_certificates.py /usr/bin/link_certificates.py
RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live

View File

@ -0,0 +1 @@
dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN

View File

@ -0,0 +1,31 @@
#!/usr/bin/env python3
import os
import sys
import shutil
cert_dir = "/etc/letsencrypt/live"
def main():
if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir):
raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.")
base_domain = sys.argv[1]
key_file = os.path.join(cert_dir, base_domain, "privkey.pem")
cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem")
for domain in sys.argv[2:]:
print(f"linking {domain} in {base_domain}")
symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key")
if os.path.isfile(symlink):
os.remove(symlink)
shutil.copy(key_file, symlink)
symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt")
if os.path.isfile(symlink):
os.remove(symlink)
shutil.copy(cert_file, symlink)
if __name__ == "__main__":
sys.exit(main())
# eof

View File

@ -5,14 +5,44 @@ networks:
driver: bridge driver: bridge
enable_ipv6: false enable_ipv6: false
x-mail:
x-mail: &defaults &defaults
restart: always restart: always
env_file: local.env env_file: local.env
networks: networks:
- internalnet - internalnet
services: services:
certbot:
<<: *defaults
image: ghcr.io/aaomidi/certbot-dns-google-domains:latest
container_name: certbot
command: >
sh -c "certbot certonly --authenticator dns-google-domains --dns-google-domains-credentials /var/lib/letsencrypt/dns_google_domains_credentials.ini --server https://acme-v02.api.letsencrypt.org/directory --non-interactive --dns-google-domains-zone ${NGINX_HOST} --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST}"
volumes:
- certbot_state:/var/lib/letsencrypt:z
- nginx_archive:/etc/letsencrypt/archive:z
- nginx_certs:/etc/letsencrypt/live:z
- ./config/nginx/credentials.ini:/var/lib/letsencrypt/dns_google_domains_credentials.ini:ro,z
ddnsgd:
<<: *defaults
container_name: "ddnsgd"
image: "ghcr.io/dominickbrasileiro/ddnsgd"
environment:
- HOSTNAME=${NGINX_HOST}
- USERNAME=${GDNS_USERNAME}
- PASSWORD=${GDNS_PASSWORD}
- INTERVAL=9000
healthcheck:
test: /usr/bin/nslookup ${NGINX_HOST}
interval: 30s
retries: 5
start_period: 2s
timeout: 10s
hugo-html: hugo-html:
networks: networks:
- internalnet - internalnet
@ -23,7 +53,6 @@ services:
HUGO_BASE: lieuwe.${NGINX_HOST} HUGO_BASE: lieuwe.${NGINX_HOST}
volumes: volumes:
- hugo_data:/public:z - hugo_data:/public:z
- nginx_certs:/etc/letsencrypt/live:ro,z
hugo-site: hugo-site:
<<: *defaults <<: *defaults
@ -81,8 +110,6 @@ services:
depends_on: depends_on:
pgsqlserver: pgsqlserver:
condition: service_healthy condition: service_healthy
acme-companion:
condition: service_healthy
links: links:
- pgsqlserver - pgsqlserver
expose: expose:
@ -107,6 +134,7 @@ services:
- GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key
volumes: volumes:
- gitea_data:/data:z - gitea_data:/data:z
- nginx_archive:/etc/letsencrypt/archive:ro,z
- nginx_certs:/etc/letsencrypt/live:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z
expose: expose:
- "3000" - "3000"
@ -115,8 +143,6 @@ services:
depends_on: depends_on:
pgsqlserver: pgsqlserver:
condition: service_healthy condition: service_healthy
acme-companion:
condition: service_healthy
links: links:
- pgsqlserver - pgsqlserver
@ -135,8 +161,6 @@ services:
depends_on: depends_on:
pgsqlserver: pgsqlserver:
condition: service_healthy condition: service_healthy
acme-companion:
condition: service_healthy
links: links:
- pgsqlserver - pgsqlserver
expose: expose:
@ -166,15 +190,13 @@ services:
- "587:587" - "587:587"
- "993:993" - "993:993"
volumes: volumes:
- nginx_archive:/etc/letsencrypt/archive:ro,z
- nginx_certs:/etc/letsencrypt/live:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z
- mail_data:/var/mail/:z - mail_data:/var/mail/:z
- mail_state:/var/mail-state/:z - mail_state:/var/mail-state/:z
- mail_config:/tmp/docker-mailserver/:z - mail_config:/tmp/docker-mailserver/:z
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
depends_on:
acme-companion:
condition: service_healthy
reverse-proxy: reverse-proxy:
<<: *defaults <<: *defaults
@ -189,7 +211,8 @@ services:
- nginx_html:/usr/share/nginx/html:z - nginx_html:/usr/share/nginx/html:z
- nginx_conf:/etc/nginx/conf.d/:z - nginx_conf:/etc/nginx/conf.d/:z
- nginx_dhparam:/etc/nginx/dhparam:z - nginx_dhparam:/etc/nginx/dhparam:z
- nginx_certs:/etc/nginx/certs/:ro,z - nginx_archive:/etc/nginx/archive/:ro,z
- nginx_certs:/etc/nginx/certs/:z
- nginx_vhost:/etc/nginx/vhost.d/:z - nginx_vhost:/etc/nginx/vhost.d/:z
- mail_html:/var/www/roundcube:z - mail_html:/var/www/roundcube:z
- nextcloud_data:/var/www/nextcloud:z - nextcloud_data:/var/www/nextcloud:z
@ -201,73 +224,14 @@ services:
ddnsgd: ddnsgd:
condition: service_healthy condition: service_healthy
acme-companion:
<<: *defaults
image: nginxproxy/acme-companion:2.2.3
container_name: nginx-proxy-acme
environment:
- DEFAULT_EMAIL=admin@${NGINX_HOST}
volumes_from:
- reverse-proxy
volumes:
- acme-state:/etc/acme.sh
- nginx_certs:/etc/nginx/certs:rw,z
- /var/run/docker.sock:/var/run/docker.sock:ro,z
depends_on:
- ddnsgd
healthcheck:
test: test -f /etc/nginx/certs/lieuwe.${NGINX_HOST}.key
interval: 60s
retries: 5
start_period: 5s
timeout: 10s
depends_on:
ddnsgd:
condition: service_healthy
ddnsgd:
<<: *defaults
container_name: "ddnsgd"
image: "ghcr.io/dominickbrasileiro/ddnsgd"
environment:
- HOSTNAME=${NGINX_HOST}
- USERNAME=${GDNS_USERNAME}
- PASSWORD=${GDNS_PASSWORD}
- INTERVAL=9000
healthcheck:
test: /usr/bin/nslookup ${NGINX_HOST}
interval: 30s
retries: 5
start_period: 2s
timeout: 10s
autodiscover:
<<: *defaults
image: monogramm/autodiscover-email-settings:latest
container_name: autodiscover
environment:
- VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
- VIRTUAL_PORT=8000
- LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
- DOMAIN=${NGINX_HOST}
- IMAP_HOST=mail.${NGINX_HOST}
- IMAP_PORT=1993
- IMAP_SOCKET=SSL
- SMTP_HOST=mail.${NGINX_HOST}
- SMTP_PORT=587
- SMTP_SOCKET=STARTTLS
expose:
- "8000"
depends_on:
acme-companion:
condition: service_healthy
volumes: volumes:
acme-state: certbot_state:
nginx_archive:
nginx_certs:
gitea_data: gitea_data:
hugo_data: hugo_data:
nextcloud_data: nextcloud_data:
nginx_certs:
nginx_dhparam: nginx_dhparam:
nginx_html: nginx_html:
nginx_conf: nginx_conf:

View File

@ -1,5 +1,3 @@
DEBUG=1
# LETSENCRYPT_TEST=true
## Docker Env ## Docker Env
PERMIT_DOCKER=network PERMIT_DOCKER=network