working acme dns setup

2025-01-22 21:02:22 +01:00 · 2023-12-30 13:31:49 +01:00 · 2023-12-30 13:31:49 +01:00 · c93b4bb98b
commit c93b4bb98b
parent e4d42e7f6f
6 changed files with 84 additions and 82 deletions
--- a/config/hugo/Dockerfile
+++ b/config/hugo/Dockerfile
@ -21,10 +21,10 @@ RUN apk add --update git asciidoctor libc6-compat libstdc++ \
    && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify

 RUN apk update && \
-  apk add --no-cache openssl && \
-  rm -rf /var/cache/apk/*
+    apk add --no-cache openssl && \
+    rm -rf /var/cache/apk/*

-RUN mkdir -p /etc/letsencrypt/live
+WORKDIR /etc/letsencrypt/live

 RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
-    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem
+    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem 
--- a/config/nginx/Dockerfile
+++ b/config/nginx/Dockerfile
@ -0,0 +1,8 @@
+FROM python:3.6
+
+LABEL description="Certbot + nginxproxy soft-linker."
+LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
+
+COPY ./link_certificates.py /usr/bin/link_certificates.py
+
+RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live
--- a/config/nginx/credentials.ini
+++ b/config/nginx/credentials.ini
@ -0,0 +1 @@
+dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN
--- a/config/nginx/link_certificates.py
+++ b/config/nginx/link_certificates.py
@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import shutil
+
+cert_dir = "/etc/letsencrypt/live"
+
+def main():
+    if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir):
+        raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.")
+    base_domain = sys.argv[1]
+    key_file = os.path.join(cert_dir, base_domain, "privkey.pem")
+    cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem")
+    for domain in sys.argv[2:]:
+        print(f"linking {domain} in {base_domain}")
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(key_file, symlink)
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(cert_file, symlink)
+
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+
+# eof
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -5,16 +5,46 @@ networks:
    driver: bridge
    enable_ipv6: false

-
-x-mail: &defaults
+x-mail:
+  &defaults
  restart: always
  env_file: local.env
  networks:
    - internalnet

 services:
+
+  certbot:
+    <<: *defaults
+    image: ghcr.io/aaomidi/certbot-dns-google-domains:latest
+    container_name: certbot
+    command: >
+      sh -c "certbot certonly --authenticator dns-google-domains --dns-google-domains-credentials /var/lib/letsencrypt/dns_google_domains_credentials.ini --server https://acme-v02.api.letsencrypt.org/directory --non-interactive --dns-google-domains-zone ${NGINX_HOST} --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST}"
+    volumes:
+      - certbot_state:/var/lib/letsencrypt:z
+      - nginx_archive:/etc/letsencrypt/archive:z
+      - nginx_certs:/etc/letsencrypt/live:z
+      - ./config/nginx/credentials.ini:/var/lib/letsencrypt/dns_google_domains_credentials.ini:ro,z
+
+
+  ddnsgd:
+    <<: *defaults
+    container_name: "ddnsgd"
+    image: "ghcr.io/dominickbrasileiro/ddnsgd"
+    environment:
+      - HOSTNAME=${NGINX_HOST}
+      - USERNAME=${GDNS_USERNAME}
+      - PASSWORD=${GDNS_PASSWORD}
+      - INTERVAL=9000
+    healthcheck:
+      test: /usr/bin/nslookup ${NGINX_HOST}
+      interval: 30s
+      retries: 5
+      start_period: 2s
+      timeout: 10s
+
  hugo-html:
-    networks: 
+    networks:
      - internalnet
    container_name: hugo-html
    build:
@ -23,7 +53,6 @@ services:
        HUGO_BASE: lieuwe.${NGINX_HOST}
    volumes:
      - hugo_data:/public:z
-      - nginx_certs:/etc/letsencrypt/live:ro,z

  hugo-site:
    <<: *defaults
@ -81,8 +110,6 @@ services:
    depends_on:
      pgsqlserver:
        condition: service_healthy
-      acme-companion:
-        condition: service_healthy
    links:
      - pgsqlserver
    expose:
@ -107,6 +134,7 @@ services:
      - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key
    volumes:
      - gitea_data:/data:z
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
      - nginx_certs:/etc/letsencrypt/live:ro,z
    expose:
      - "3000"
@ -115,8 +143,6 @@ services:
    depends_on:
      pgsqlserver:
        condition: service_healthy
-      acme-companion:
-        condition: service_healthy
    links:
      - pgsqlserver

@ -135,8 +161,6 @@ services:
    depends_on:
      pgsqlserver:
        condition: service_healthy
-      acme-companion:
-        condition: service_healthy
    links:
      - pgsqlserver
    expose:
@ -166,15 +190,13 @@ services:
      - "587:587"
      - "993:993"
    volumes:
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
      - nginx_certs:/etc/letsencrypt/live:ro,z
      - mail_data:/var/mail/:z
      - mail_state:/var/mail-state/:z
      - mail_config:/tmp/docker-mailserver/:z
    cap_add:
      - NET_ADMIN
-    depends_on:
-      acme-companion:
-        condition: service_healthy

  reverse-proxy:
    <<: *defaults
@ -189,7 +211,8 @@ services:
      - nginx_html:/usr/share/nginx/html:z
      - nginx_conf:/etc/nginx/conf.d/:z
      - nginx_dhparam:/etc/nginx/dhparam:z
-      - nginx_certs:/etc/nginx/certs/:ro,z
+      - nginx_archive:/etc/nginx/archive/:ro,z
+      - nginx_certs:/etc/nginx/certs/:z
      - nginx_vhost:/etc/nginx/vhost.d/:z
      - mail_html:/var/www/roundcube:z
      - nextcloud_data:/var/www/nextcloud:z
@ -201,73 +224,14 @@ services:
      ddnsgd:
        condition: service_healthy

-  acme-companion:
-    <<: *defaults
-    image: nginxproxy/acme-companion:2.2.3
-    container_name: nginx-proxy-acme
-    environment:
-      - DEFAULT_EMAIL=admin@${NGINX_HOST}
-    volumes_from:
-      - reverse-proxy
-    volumes:
-      - acme-state:/etc/acme.sh
-      - nginx_certs:/etc/nginx/certs:rw,z
-      - /var/run/docker.sock:/var/run/docker.sock:ro,z
-    depends_on:
-      - ddnsgd
-    healthcheck:
-      test: test -f /etc/nginx/certs/lieuwe.${NGINX_HOST}.key
-      interval: 60s
-      retries: 5
-      start_period: 5s
-      timeout: 10s
-    depends_on:
-      ddnsgd:
-        condition: service_healthy
-
-  ddnsgd:
-    <<: *defaults
-    container_name: "ddnsgd"
-    image: "ghcr.io/dominickbrasileiro/ddnsgd"
-    environment:
-      - HOSTNAME=${NGINX_HOST}
-      - USERNAME=${GDNS_USERNAME}
-      - PASSWORD=${GDNS_PASSWORD}
-      - INTERVAL=9000
-    healthcheck:
-      test: /usr/bin/nslookup ${NGINX_HOST}
-      interval: 30s
-      retries: 5
-      start_period: 2s
-      timeout: 10s
-
-  autodiscover:
-    <<: *defaults
-    image: monogramm/autodiscover-email-settings:latest
-    container_name: autodiscover
-    environment:
-      - VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - VIRTUAL_PORT=8000
-      - LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - DOMAIN=${NGINX_HOST}
-      - IMAP_HOST=mail.${NGINX_HOST}
-      - IMAP_PORT=1993
-      - IMAP_SOCKET=SSL
-      - SMTP_HOST=mail.${NGINX_HOST}
-      - SMTP_PORT=587
-      - SMTP_SOCKET=STARTTLS
-    expose:
-      - "8000"
-    depends_on:
-      acme-companion:
-        condition: service_healthy

 volumes:
-  acme-state:
+  certbot_state:
+  nginx_archive:
+  nginx_certs:
  gitea_data:
  hugo_data:
  nextcloud_data:
-  nginx_certs:
  nginx_dhparam:
  nginx_html:
  nginx_conf:
--- a/local.env
+++ b/local.env
@ -1,5 +1,3 @@
-DEBUG=1
-# LETSENCRYPT_TEST=true

 ## Docker Env
 PERMIT_DOCKER=network
				`@ -0,0 +1 @@`
				`dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN`