Merge pull request #1 from lleene/acme-dns-01

Acme dns 01
2025-01-22 21:02:22 +01:00 · 2024-11-03 17:54:56 +01:00 · 2024-11-03 17:54:56 +01:00 · f22b2adef8
commit f22b2adef8
parent dcf714e224 0532b15b9c
7 changed files with 96 additions and 65 deletions
--- a/config/hugo/Dockerfile
+++ b/config/hugo/Dockerfile
@ -6,25 +6,26 @@ LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
 ARG HUGO_BASE="localhost"
 ARG SSL_ALGO=secp521r1

-RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "/v[0-9.]*/hugo_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
+RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "v[0-9.]*/hugo_extended_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
    && mkdir -p /usr/local/sbin \
    && mv /tmp/hugo /usr/local/sbin/hugo \
    && rm -rf /tmp/${HUGO_ID}_linux_amd64 \
    && rm -rf /tmp/LICENSE.md \
    && rm -rf /tmp/README.md

-RUN apk add --update git asciidoctor libc6-compat libstdc++ \
+RUN apk add --update git gcompat asciidoctor libc6-compat libstdc++ \
    && apk upgrade \
    && apk add --no-cache ca-certificates \
+    && ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 \
    && git clone https://github.com/lleene/hugo-site.git /src \
    && git clone https://github.com/lleene/hermit.git /src/themes/hermit \
    && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify

 RUN apk update && \
-  apk add --no-cache openssl && \
-  rm -rf /var/cache/apk/*
+    apk add --no-cache openssl && \
+    rm -rf /var/cache/apk/*

-RUN mkdir -p /etc/letsencrypt/live
+WORKDIR /etc/letsencrypt/live

 RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
-    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem
+    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem 
--- a/config/mail/postfix-policyd-spf.conf
+++ b/config/mail/postfix-policyd-spf.conf
@ -0,0 +1,2 @@
+Whitelist = 192.168.0.0/31,192.168.1.0/30
+Domain_Whitelist = dockerize_internalnet
--- a/config/nginx/Dockerfile
+++ b/config/nginx/Dockerfile
@ -0,0 +1,8 @@
+FROM python:3.6
+
+LABEL description="Certbot + nginxproxy soft-linker."
+LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
+
+COPY ./link_certificates.py /usr/bin/link_certificates.py
+
+RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live
--- a/config/nginx/credentials.ini
+++ b/config/nginx/credentials.ini
@ -0,0 +1 @@
+dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN
--- a/config/nginx/link_certificates.py
+++ b/config/nginx/link_certificates.py
@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import shutil
+
+cert_dir = "/etc/letsencrypt/live"
+
+def main():
+    if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir):
+        raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.")
+    base_domain = sys.argv[1]
+    key_file = os.path.join(cert_dir, base_domain, "privkey.pem")
+    cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem")
+    for domain in sys.argv[2:]:
+        print(f"linking {domain} in {base_domain}")
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(key_file, symlink)
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(cert_file, symlink)
+
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+
+# eof
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -5,16 +5,28 @@ networks:
    driver: bridge
    enable_ipv6: false

-
-x-mail: &defaults
-  restart: always
+x-mail:
+  &defaults
+  restart: unless-stopped
  env_file: local.env
  networks:
    - internalnet

 services:
+
+  certbot:
+    <<: *defaults
+    image: certbot/dns-cloudflare
+    container_name: certbot
+    command: certonly --non-interactive --dns-cloudflare --dns-cloudflare-credentials /config/credentials.ini --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST} --server https://acme-v02.api.letsencrypt.org/directory
+    volumes:
+      - certbot_state:/var/lib/letsencrypt:z
+      - nginx_archive:/etc/letsencrypt/archive:z
+      - nginx_certs:/etc/letsencrypt/live:z
+      - ./config/nginx/credentials.ini:/config/credentials.ini:z
+
  hugo-html:
-    networks: 
+    networks:
      - internalnet
    container_name: hugo-html
    build:
@ -23,7 +35,6 @@ services:
        HUGO_BASE: lieuwe.${NGINX_HOST}
    volumes:
      - hugo_data:/public:z
-      - nginx_certs:/etc/letsencrypt/live:z

  hugo-site:
    <<: *defaults
@ -52,6 +63,11 @@ services:
      - ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z
    ports:
      - "5432:5432"
+    healthcheck:
+      test: "pg_isready"
+      timeout: 45s
+      interval: 10s
+      retries: 10

  nextcloud:
    <<: *defaults
@ -74,7 +90,8 @@ services:
      - SMTP_NAME=admin@${NGINX_HOST}
      - SMTP_PASSWORD=${SQL_PSWD}
    depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
    links:
      - pgsqlserver
    expose:
@ -99,13 +116,15 @@ services:
      - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key
    volumes:
      - gitea_data:/data:z
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
      - nginx_certs:/etc/letsencrypt/live:ro,z
    expose:
      - "3000"
    ports:
      - "222:22"
    depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
    links:
      - pgsqlserver

@ -122,7 +141,8 @@ services:
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://${NGINX_HOST}
      - ROUNDCUBEMAIL_DB_PASSWORD=${SQL_PSWD}
    depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
    links:
      - pgsqlserver
    expose:
@ -152,18 +172,18 @@ services:
      - "587:587"
      - "993:993"
    volumes:
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
      - nginx_certs:/etc/letsencrypt/live:ro,z
      - mail_data:/var/mail/:z
      - mail_state:/var/mail-state/:z
      - mail_config:/tmp/docker-mailserver/:z
+      - ./config/mail/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf:ro,z
    cap_add:
      - NET_ADMIN
-    depends_on:
-      - ddnsgd

  reverse-proxy:
    <<: *defaults
-    image: nginxproxy/nginx-proxy
+    image: nginxproxy/nginx-proxy:1.2.3
    container_name: nginx-proxy
    environment:
      - DEFAULT_EMAIL=admin@${NGINX_HOST}
@ -174,6 +194,7 @@ services:
      - nginx_html:/usr/share/nginx/html:z
      - nginx_conf:/etc/nginx/conf.d/:z
      - nginx_dhparam:/etc/nginx/dhparam:z
+      - nginx_archive:/etc/nginx/archive/:ro,z
      - nginx_certs:/etc/nginx/certs/:z
      - nginx_vhost:/etc/nginx/vhost.d/:z
      - mail_html:/var/www/roundcube:z
@ -182,55 +203,14 @@ services:
      - ./config/nginx/nextcloud_location:/etc/nginx/vhost.d/nextcloud.${NGINX_HOST}_location:ro,z
      - ./config/nginx/header_default:/etc/nginx/vhost.d/default:z
      - /var/run/docker.sock:/tmp/docker.sock:ro,z
-    depends_on:
-      - ddnsgd
-
-  acme-companion:
-    <<: *defaults
-    image: nginxproxy/acme-companion
-    container_name: nginx-proxy-acme
-    volumes_from:
-      - reverse-proxy
-    volumes:
-      - acme-state:/etc/acme.sh
-      - /var/run/docker.sock:/var/run/docker.sock:ro,z
-    depends_on:
-      - ddnsgd
-
-  ddnsgd:
-    <<: *defaults
-    container_name: "ddnsgd"
-    image: "ghcr.io/dominickbrasileiro/ddnsgd"
-    environment:
-      - HOSTNAME=${NGINX_HOST}
-      - USERNAME=${GDNS_USERNAME}
-      - PASSWORD=${GDNS_PASSWORD}
-      - INTERVAL=9000
-
-  autodiscover:
-    <<: *defaults
-    image: monogramm/autodiscover-email-settings:latest
-    container_name: autodiscover
-    environment:
-      - VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - VIRTUAL_PORT=8000
-      - LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - DOMAIN=${NGINX_HOST}
-      - IMAP_HOST=mail.${NGINX_HOST}
-      - IMAP_PORT=1993
-      - IMAP_SOCKET=SSL
-      - SMTP_HOST=mail.${NGINX_HOST}
-      - SMTP_PORT=587
-      - SMTP_SOCKET=STARTTLS
-    expose:
-      - "8000"

 volumes:
-  acme-state:
+  certbot_state:
+  nginx_archive:
+  nginx_certs:
  gitea_data:
  hugo_data:
  nextcloud_data:
-  nginx_certs:
  nginx_dhparam:
  nginx_html:
  nginx_conf:
--- a/local.env
+++ b/local.env
@ -1,3 +1,4 @@
+
 ## Docker Env
 PERMIT_DOCKER=network

@ -20,6 +21,8 @@ ENABLE_DNSBL=0
 ENABLE_QUOTAS=0
 ENABLE_POP3=0

+
+## Email Relay
 RELAY_HOST=smtp.sendgrid.net
 RELAY_PORT=587
 RELAY_USER=apikey
@ -29,6 +32,7 @@ RELAY_USER=apikey
 POSTGRES_USER="pgadmin"
 POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256 --auth-local=scram-sha-256"

+
 ## Round Cube Env
 ROUNDCUBEMAIL_DB_TYPE=pgsql
 ROUNDCUBEMAIL_DB_NAME=roundcube
@ -36,18 +40,22 @@ ROUNDCUBEMAIL_DB_USER=roundcube
 ROUNDCUBEMAIL_SKIN=elastic
 ROUNDCUBEMAIL_ASPELL_DICTS=en

+
 ## NGINX Reverse Proxy
 NGINX_PROXY_CONTAINER=nginx-proxy
 LETSENCRYPT_RESTART_CONTAINER=true
+ENABLE_IPV6=false
+

 ## GITEA Setup
-
 GITEA__server__HTTP_PORT        = 3000
 GITEA__server__DISABLE_SSH      = false
 GITEA__server__SSH_PORT         = 222
 GITEA__server__SSH_LISTEN_PORT  = 222
+GITEA__server__DISABLE_REGISTRATION = true

 GITEA__mailer__ENABLED                 = true
-GITEA__mailer__PROTOCOL                = smtp
-GITEA__mailer__SMTP_ADDR               = mailserver
-GITEA__mailer__SMTP_PORT               = 25
+GITEA__mailer__PROTOCOL                = sendmail
+GITEA__mailer__FROM                    = admin@leene.dev
+GITEA__mailer__SENDMAIL_ARGS           = -S mailserver --
+
				`@ -0,0 +1 @@`
				`dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN`