From e4d42e7f6f107a0a432b0ebe985943dbb33f1723 Mon Sep 17 00:00:00 2001 From: Lieuwe Leene Date: Mon, 24 Apr 2023 11:44:33 +0200 Subject: [PATCH 1/6] wip change acme html01 to dns01 --- docker-compose.yaml | 55 +++++++++++++++++++++++++++++++++++++-------- local.env | 12 ++++++++-- 2 files changed, 56 insertions(+), 11 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 4eb0ddd..9eb95f8 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -23,7 +23,7 @@ services: HUGO_BASE: lieuwe.${NGINX_HOST} volumes: - hugo_data:/public:z - - nginx_certs:/etc/letsencrypt/live:z + - nginx_certs:/etc/letsencrypt/live:ro,z hugo-site: <<: *defaults @@ -52,6 +52,11 @@ services: - ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z ports: - "5432:5432" + healthcheck: + test: "pg_isready" + timeout: 45s + interval: 10s + retries: 10 nextcloud: <<: *defaults @@ -74,7 +79,10 @@ services: - SMTP_NAME=admin@${NGINX_HOST} - SMTP_PASSWORD=${SQL_PSWD} depends_on: - - pgsqlserver + pgsqlserver: + condition: service_healthy + acme-companion: + condition: service_healthy links: - pgsqlserver expose: @@ -105,7 +113,10 @@ services: ports: - "222:22" depends_on: - - pgsqlserver + pgsqlserver: + condition: service_healthy + acme-companion: + condition: service_healthy links: - pgsqlserver @@ -122,7 +133,10 @@ services: - ROUNDCUBEMAIL_SMTP_SERVER=tls://${NGINX_HOST} - ROUNDCUBEMAIL_DB_PASSWORD=${SQL_PSWD} depends_on: - - pgsqlserver + pgsqlserver: + condition: service_healthy + acme-companion: + condition: service_healthy links: - pgsqlserver expose: @@ -159,11 +173,12 @@ services: cap_add: - NET_ADMIN depends_on: - - ddnsgd + acme-companion: + condition: service_healthy reverse-proxy: <<: *defaults - image: nginxproxy/nginx-proxy + image: nginxproxy/nginx-proxy:1.2.3 container_name: nginx-proxy environment: - DEFAULT_EMAIL=admin@${NGINX_HOST} 
@@ -174,7 +189,7 @@ services: - nginx_html:/usr/share/nginx/html:z - nginx_conf:/etc/nginx/conf.d/:z - nginx_dhparam:/etc/nginx/dhparam:z - - nginx_certs:/etc/nginx/certs/:z + - nginx_certs:/etc/nginx/certs/:ro,z - nginx_vhost:/etc/nginx/vhost.d/:z - mail_html:/var/www/roundcube:z - nextcloud_data:/var/www/nextcloud:z @@ -183,19 +198,32 @@ services: - ./config/nginx/header_default:/etc/nginx/vhost.d/default:z - /var/run/docker.sock:/tmp/docker.sock:ro,z depends_on: - - ddnsgd + ddnsgd: + condition: service_healthy acme-companion: <<: *defaults - image: nginxproxy/acme-companion + image: nginxproxy/acme-companion:2.2.3 container_name: nginx-proxy-acme + environment: + - DEFAULT_EMAIL=admin@${NGINX_HOST} volumes_from: - reverse-proxy volumes: - acme-state:/etc/acme.sh + - nginx_certs:/etc/nginx/certs:rw,z - /var/run/docker.sock:/var/run/docker.sock:ro,z depends_on: - ddnsgd + healthcheck: + test: test -f /etc/nginx/certs/lieuwe.${NGINX_HOST}.key + interval: 60s + retries: 5 + start_period: 5s + timeout: 10s + depends_on: + ddnsgd: + condition: service_healthy ddnsgd: <<: *defaults @@ -206,6 +234,12 @@ services: - USERNAME=${GDNS_USERNAME} - PASSWORD=${GDNS_PASSWORD} - INTERVAL=9000 + healthcheck: + test: /usr/bin/nslookup ${NGINX_HOST} + interval: 30s + retries: 5 + start_period: 2s + timeout: 10s autodiscover: <<: *defaults @@ -224,6 +258,9 @@ services: - SMTP_SOCKET=STARTTLS expose: - "8000" + depends_on: + acme-companion: + condition: service_healthy volumes: acme-state: diff --git a/local.env b/local.env index 3c9f9d0..90ae5c1 100644 --- a/local.env +++ b/local.env @@ -1,3 +1,6 @@ +DEBUG=1 +# LETSENCRYPT_TEST=true + ## Docker Env PERMIT_DOCKER=network @@ -20,6 +23,8 @@ ENABLE_DNSBL=0 ENABLE_QUOTAS=0 ENABLE_POP3=0 + +## Email Relay RELAY_HOST=smtp.sendgrid.net RELAY_PORT=587 RELAY_USER=apikey 
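Review bot: The acme-companion service now carries two `depends_on` keys — the kept list form `depends_on: - ddnsgd` and the newly added mapping form with `condition: service_healthy` — which is a duplicate key in one YAML mapping, so Compose either rejects the file or silently keeps only the last one. Delete the list form and keep only the mapping form (`ddnsgd:` / `condition: service_healthy`). The other services in this commit replace their `depends_on` block instead of adding a second one, so they are not affected.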
@@ -29,6 +34,7 @@ RELAY_USER=apikey POSTGRES_USER="pgadmin" POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256 --auth-local=scram-sha-256" + ## Round Cube Env ROUNDCUBEMAIL_DB_TYPE=pgsql ROUNDCUBEMAIL_DB_NAME=roundcube @@ -36,12 +42,14 @@ ROUNDCUBEMAIL_DB_USER=roundcube ROUNDCUBEMAIL_SKIN=elastic ROUNDCUBEMAIL_ASPELL_DICTS=en + ## NGINX Reverse Proxy NGINX_PROXY_CONTAINER=nginx-proxy LETSENCRYPT_RESTART_CONTAINER=true +ENABLE_IPV6=false + ## GITEA Setup - GITEA__server__HTTP_PORT = 3000 GITEA__server__DISABLE_SSH = false GITEA__server__SSH_PORT = 222 @@ -50,4 +58,4 @@ GITEA__server__SSH_LISTEN_PORT = 222 GITEA__mailer__ENABLED = true GITEA__mailer__PROTOCOL = smtp GITEA__mailer__SMTP_ADDR = mailserver -GITEA__mailer__SMTP_PORT = 25 \ No newline at end of file +GITEA__mailer__SMTP_PORT = 25 From c93b4bb98bf67676a813e9e8c3ad151f84e0f6a4 Mon Sep 17 00:00:00 2001 From: Lieuwe Leene Date: Sat, 30 Dec 2023 13:31:49 +0100 Subject: [PATCH 2/6] working acme dns setup --- config/hugo/Dockerfile | 8 +-- config/nginx/Dockerfile | 8 +++ config/nginx/credentials.ini | 1 + config/nginx/link_certificates.py | 31 ++++++++ docker-compose.yaml | 116 +++++++++++------------------- local.env | 2 - 6 files changed, 84 insertions(+), 82 deletions(-) create mode 100644 config/nginx/Dockerfile create mode 100644 config/nginx/credentials.ini create mode 100644 config/nginx/link_certificates.py diff --git a/config/hugo/Dockerfile b/config/hugo/Dockerfile index 91b1d97..461880e 100644 --- a/config/hugo/Dockerfile +++ b/config/hugo/Dockerfile 
@@ -21,10 +21,10 @@ RUN apk add --update git asciidoctor libc6-compat libstdc++ \ && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify RUN apk update && \ - apk add --no-cache openssl && \ - rm -rf /var/cache/apk/* + apk add --no-cache openssl && \ + rm -rf /var/cache/apk/* -RUN mkdir -p /etc/letsencrypt/live +WORKDIR /etc/letsencrypt/live RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \ - openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem + openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem diff --git a/config/nginx/Dockerfile b/config/nginx/Dockerfile new file mode 100644 index 0000000..4d798b2 --- /dev/null +++ b/config/nginx/Dockerfile @@ -0,0 +1,8 @@ +FROM python:3.6 + +LABEL description="Certbot + nginxproxy soft-linker." +LABEL maintainer="Lieuwe Leene " + +COPY ./link_certificates.py /usr/bin/link_certificates.py + +RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live diff --git a/config/nginx/credentials.ini b/config/nginx/credentials.ini new file mode 100644 index 0000000..19a556d --- /dev/null +++ b/config/nginx/credentials.ini @@ -0,0 +1 @@ +dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN diff --git a/config/nginx/link_certificates.py b/config/nginx/link_certificates.py new file mode 100644 index 0000000..c006948 --- /dev/null +++ b/config/nginx/link_certificates.py 
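Review bot: The `openssl ecparam … -genkey` line this hunk re-indents still writes `ecprivkey.pem` at image build time, so the private key sits in an image layer and can be extracted by anyone able to pull the image, regardless of what is later mounted over `/etc/letsencrypt/live`. If that key is meant to be real rather than a placeholder, generate it at container start into a volume (move the `RUN openssl …` step into an entrypoint script). The `WORKDIR /etc/letsencrypt/live` replacement is fine but also changes the working directory for every later `RUN`, which is worth a one-line comment.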
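Review bot: `RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live` runs the linker during the image build, when no certificate volume is mounted and `/etc/letsencrypt/live` does not exist, so the script's `os.access`/`isdir` guard raises and the build fails; it also passes the directory as the script's base-domain argument with no subdomains, so even a successful run would link nothing. Run it at container start instead, e.g. `ENTRYPOINT ["python", "/usr/bin/link_certificates.py"]` with the domains supplied via `command:` in compose. `FROM python:3.6` is an end-of-life interpreter that no longer receives security fixes; the script only needs f-strings, so any supported 3.x tag works. Note that no `build:` in this commit's compose changes references this Dockerfile.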
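Review bot: `dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN` is read by certbot as a literal INI value, not shell-expanded, so the token actually in use would have to be written into this tracked file and would then land in git history. Keep the real file out of the repository (commit only a `credentials.ini.example` and ignore the real one) and generate it at container start from the environment or a Docker secret with mode `0600`; certbot also warns when the credentials file is readable by other users. The `ro` on the bind mount in this commit's compose hunk is the right call.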
@@ -0,0 +1,31 @@ +#!/usr/bin/env python3 + +import os +import sys +import shutil + +cert_dir = "/etc/letsencrypt/live" + +def main(): + if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir): + raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.") + base_domain = sys.argv[1] + key_file = os.path.join(cert_dir, base_domain, "privkey.pem") + cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem") + for domain in sys.argv[2:]: + print(f"linking {domain} in {base_domain}") + symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key") + if os.path.isfile(symlink): + os.remove(symlink) + shutil.copy(key_file, symlink) + symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt") + if os.path.isfile(symlink): + os.remove(symlink) + shutil.copy(cert_file, symlink) + + + +if __name__ == "__main__": + sys.exit(main()) + +# eof diff --git a/docker-compose.yaml b/docker-compose.yaml index 9eb95f8..0c4ae88 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
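Review bot: Despite the script's name and the `symlink` variable, `shutil.copy(key_file, symlink)` and `shutil.copy(cert_file, symlink)` create independent copies of `privkey.pem` and `fullchain.pem`, so after certbot renews the certificate the `*.key`/`*.crt` files keep serving the old key pair until the script is run again. `base_domain = sys.argv[1]` is also read without an argument-count check, so a bare invocation dies with an IndexError instead of a usage message. Because this commit mounts both `live` and `archive` into the consumers, a relative `os.symlink` to `<base_domain>/privkey.pem` follows renewals automatically; the loop below does that and removes dangling links via `os.path.lexists`. The fix leaves the `cert_dir` check at the top of `main()` unchanged.
```python
def main():
    # … unchanged: cert_dir access check …
    if len(sys.argv) < 3:
        raise SystemExit("usage: link_certificates.py BASE_DOMAIN SUBDOMAIN [SUBDOMAIN ...]")
    base_domain = sys.argv[1]
    for domain in sys.argv[2:]:
        print(f"linking {domain} in {base_domain}")
        for suffix, target in (("key", "privkey.pem"), ("crt", "fullchain.pem")):
            link = os.path.join(cert_dir, f"{domain}.{base_domain}.{suffix}")
            # lexists() also catches a dangling symlink left by an earlier run
            if os.path.lexists(link):
                os.remove(link)
            # relative target, so the link resolves wherever the live dir is mounted
            os.symlink(os.path.join(base_domain, target), link)
```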
@@ -5,16 +5,46 @@ networks: driver: bridge enable_ipv6: false - -x-mail: &defaults +x-mail: + &defaults restart: always env_file: local.env networks: - internalnet services: + + certbot: + <<: *defaults + image: ghcr.io/aaomidi/certbot-dns-google-domains:latest + container_name: certbot + command: > + sh -c "certbot certonly --authenticator dns-google-domains --dns-google-domains-credentials /var/lib/letsencrypt/dns_google_domains_credentials.ini --server https://acme-v02.api.letsencrypt.org/directory --non-interactive --dns-google-domains-zone ${NGINX_HOST} --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST}" + volumes: + - certbot_state:/var/lib/letsencrypt:z + - nginx_archive:/etc/letsencrypt/archive:z + - nginx_certs:/etc/letsencrypt/live:z + - ./config/nginx/credentials.ini:/var/lib/letsencrypt/dns_google_domains_credentials.ini:ro,z + + + ddnsgd: + <<: *defaults + container_name: "ddnsgd" + image: "ghcr.io/dominickbrasileiro/ddnsgd" + environment: + - HOSTNAME=${NGINX_HOST} + - USERNAME=${GDNS_USERNAME} + - PASSWORD=${GDNS_PASSWORD} + - INTERVAL=9000 + healthcheck: + test: /usr/bin/nslookup ${NGINX_HOST} + interval: 30s + retries: 5 + start_period: 2s + timeout: 10s + hugo-html: - networks: + networks: - internalnet container_name: hugo-html build: @@ -23,7 +53,6 @@ services: HUGO_BASE: lieuwe.${NGINX_HOST} volumes: - hugo_data:/public:z - - nginx_certs:/etc/letsencrypt/live:ro,z hugo-site: <<: *defaults @@ -81,8 +110,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver expose: @@ -107,6 +134,7 @@ services: - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key volumes: - gitea_data:/data:z + - nginx_archive:/etc/letsencrypt/archive:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z expose: - "3000" 
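Review bot: The new `certbot` service inherits `restart: always` from `*defaults` but runs a one-shot `certbot certonly …` that exits as soon as it has issued, or declined to renew, the certificate, so Docker restarts it in a tight loop that keeps contacting the ACME directory and the DNS API and risks Let's Encrypt rate limits whenever certbot does decide to reissue. Override the policy for this service with `restart: on-failure` (an explicit key wins over the merged default) and handle renewal deliberately, e.g. a loop running `certbot renew` with a long sleep, or an external timer. The SAN list also still requests `-d autodiscover.${NGINX_HOST}` although the `autodiscover` service is deleted later in this commit; dns-01 issuance succeeds regardless, but the name becomes a stale SAN on the certificate.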
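Review bot: `- nginx_archive:/etc/letsencrypt/archive:ro,z` hands the gitea container the entire certbot archive — the private keys for every name on the certificate, not just `git.${NGINX_HOST}` — and the same mount is added to the mailserver (hunk `@@ -166,15 +190,13`) and the reverse proxy (hunk `@@ -189,7 +211,8`), so compromising any one of those services exposes the key shared by all of them. With a single multi-SAN certificate that is inherent, but it should be documented next to the mounts, or per-service certificates issued so each container mounts only its own lineage. Certbot writes `privkeyN.pem` as root with mode 0600 by default, so also confirm the gitea process (which may not run as root) can read it; otherwise the mount yields a TLS startup failure rather than an obvious error.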
@@ -115,8 +143,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver @@ -135,8 +161,6 @@ services: depends_on: pgsqlserver: condition: service_healthy - acme-companion: - condition: service_healthy links: - pgsqlserver expose: @@ -166,15 +190,13 @@ services: - "587:587" - "993:993" volumes: + - nginx_archive:/etc/letsencrypt/archive:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z - mail_data:/var/mail/:z - mail_state:/var/mail-state/:z - mail_config:/tmp/docker-mailserver/:z cap_add: - NET_ADMIN - depends_on: - acme-companion: - condition: service_healthy reverse-proxy: <<: *defaults @@ -189,7 +211,8 @@ services: - nginx_html:/usr/share/nginx/html:z - nginx_conf:/etc/nginx/conf.d/:z - nginx_dhparam:/etc/nginx/dhparam:z - - nginx_certs:/etc/nginx/certs/:ro,z + - nginx_archive:/etc/nginx/archive/:ro,z + - nginx_certs:/etc/nginx/certs/:z - nginx_vhost:/etc/nginx/vhost.d/:z - mail_html:/var/www/roundcube:z - nextcloud_data:/var/www/nextcloud:z 
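Review bot: `- nginx_certs:/etc/nginx/certs/:z` drops the `ro` that the previous commit added for this same mount, so the nginx-proxy container — which also holds the Docker socket via `/var/run/docker.sock:/tmp/docker.sock` — can now write to the certificate and key volume. Nothing in this hunk needs nginx to write there, since certbot is now the sole writer, so keep it `- nginx_certs:/etc/nginx/certs/:ro,z`, matching the `ro` already on the new `nginx_archive` line above it. If the intent was to run this commit's linker script inside this container, that would explain it, but no `build:` or `command:` wires that up here.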
@@ -201,73 +224,14 @@ services: ddnsgd: condition: service_healthy - acme-companion: - <<: *defaults - image: nginxproxy/acme-companion:2.2.3 - container_name: nginx-proxy-acme - environment: - - DEFAULT_EMAIL=admin@${NGINX_HOST} - volumes_from: - - reverse-proxy - volumes: - - acme-state:/etc/acme.sh - - nginx_certs:/etc/nginx/certs:rw,z - - /var/run/docker.sock:/var/run/docker.sock:ro,z - depends_on: - - ddnsgd - healthcheck: - test: test -f /etc/nginx/certs/lieuwe.${NGINX_HOST}.key - interval: 60s - retries: 5 - start_period: 5s - timeout: 10s - depends_on: - ddnsgd: - condition: service_healthy - - ddnsgd: - <<: *defaults - container_name: "ddnsgd" - image: "ghcr.io/dominickbrasileiro/ddnsgd" - environment: - - HOSTNAME=${NGINX_HOST} - - USERNAME=${GDNS_USERNAME} - - PASSWORD=${GDNS_PASSWORD} - - INTERVAL=9000 - healthcheck: - test: /usr/bin/nslookup ${NGINX_HOST} - interval: 30s - retries: 5 - start_period: 2s - timeout: 10s - - autodiscover: - <<: *defaults - image: monogramm/autodiscover-email-settings:latest - container_name: autodiscover - environment: - - VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST} - - VIRTUAL_PORT=8000 - - LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST} - - DOMAIN=${NGINX_HOST} - - IMAP_HOST=mail.${NGINX_HOST} - - IMAP_PORT=1993 - - IMAP_SOCKET=SSL - - SMTP_HOST=mail.${NGINX_HOST} - - SMTP_PORT=587 - - SMTP_SOCKET=STARTTLS - expose: - - "8000" - depends_on: - acme-companion: - condition: service_healthy volumes: - acme-state: + certbot_state: + nginx_archive: + nginx_certs: gitea_data: hugo_data: nextcloud_data: - nginx_certs: nginx_dhparam: nginx_html: nginx_conf: diff --git a/local.env b/local.env index 90ae5c1..911ca3f 100644 --- a/local.env +++ b/local.env @@ -1,5 +1,3 @@ -DEBUG=1 -# LETSENCRYPT_TEST=true ## Docker Env PERMIT_DOCKER=network From 274912d318cb4dac3170ec3b903d5e84301e2c6e Mon Sep 17 00:00:00 2001 
From: Lieuwe Leene Date: Sat, 21 Sep 2024 11:53:52 +0200 Subject: [PATCH 3/6] minor patch before moving to cloudflare --- docker-compose.yaml | 3 ++- local.env | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 0c4ae88..8c70c83 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -7,7 +7,7 @@ networks: x-mail: &defaults - restart: always + restart: unless-stopped env_file: local.env networks: - internalnet @@ -195,6 +195,7 @@ services: - mail_data:/var/mail/:z - mail_state:/var/mail-state/:z - mail_config:/tmp/docker-mailserver/:z + - ./config/mail/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf:ro,z cap_add: - NET_ADMIN diff --git a/local.env b/local.env index 911ca3f..7ec9ce8 100644 --- a/local.env +++ b/local.env @@ -52,8 +52,10 @@ GITEA__server__HTTP_PORT = 3000 GITEA__server__DISABLE_SSH = false GITEA__server__SSH_PORT = 222 GITEA__server__SSH_LISTEN_PORT = 222 +GITEA__server__DISABLE_REGISTRATION = true GITEA__mailer__ENABLED = true -GITEA__mailer__PROTOCOL = smtp -GITEA__mailer__SMTP_ADDR = mailserver -GITEA__mailer__SMTP_PORT = 25 +GITEA__mailer__PROTOCOL = sendmail +GITEA__mailer__FROM = admin@leene.dev +GITEA__mailer__SENDMAIL_ARGS = -S mailserver -- + From 36b0e12872a5d512ebecbd0c3dcca548a779fc03 Mon Sep 17 00:00:00 2001 From: Lieuwe Leene Date: Sat, 21 Sep 2024 11:54:58 +0200 Subject: [PATCH 4/6] spf conf --- config/mail/postfix-policyd-spf.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 config/mail/postfix-policyd-spf.conf diff --git a/config/mail/postfix-policyd-spf.conf b/config/mail/postfix-policyd-spf.conf new file mode 100644 index 0000000..3710502 --- /dev/null +++ b/config/mail/postfix-policyd-spf.conf @@ -0,0 +1,2 @@ +Whitelist = 192.168.0.0/31,192.168.1.0/30 +Domain_Whitelist = dockerize_internalnet From 727a45f56329c838a8ec61ae3ae26a89a43fd7fa Mon Sep 17 00:00:00 2001 
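Review bot: The bind mount `- ./config/mail/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf:ro,z` refers to a file that does not exist in the tree at this commit; it is only created in PATCH 4/6 ("spf conf"). When a bind source is missing, Docker creates it as an empty directory, which then shadows policyd-spf's config path inside the mailserver, so checking out this commit alone leaves the SPF policy daemon without its config. Squash the two commits or reorder them so the file lands first. The `restart: unless-stopped` change in the earlier hunk is fine, though it still applies to the one-shot certbot service.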
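Review bot: `Whitelist = 192.168.0.0/31,192.168.1.0/30` exempts two very narrow ranges from SPF checking, but the `internalnet` subnet is not pinned anywhere visible in this series (the compose `networks:` block only sets `driver: bridge`), so the relay exemption silently stops matching if Docker hands out a different subnet, while a range that is too wide lets any host on it bypass SPF. Pin the subnet in the compose network definition (an `ipam` `subnet:` entry) and add a comment here tying the two together, e.g. `# must match internalnet's subnet in docker-compose.yaml`. `Domain_Whitelist = dockerize_internalnet` is, per policyd-spf's documentation, a list of sender domains whose SPF-authorised addresses are trusted; a Docker network name has no DNS records, so that line is most likely a no-op and should be dropped or replaced with a real domain.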
From: Lieuwe Leene Date: Sat, 21 Sep 2024 16:01:38 +0200 Subject: [PATCH 5/6] try outdated api --- docker-compose.yaml | 28 +++------------------------- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 8c70c83..1c4a773 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -16,32 +16,14 @@ services: certbot: <<: *defaults - image: ghcr.io/aaomidi/certbot-dns-google-domains:latest + image: certbot/dns-cloudflare container_name: certbot - command: > - sh -c "certbot certonly --authenticator dns-google-domains --dns-google-domains-credentials /var/lib/letsencrypt/dns_google_domains_credentials.ini --server https://acme-v02.api.letsencrypt.org/directory --non-interactive --dns-google-domains-zone ${NGINX_HOST} --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST}" + command: certonly --non-interactive --dns-cloudflare --dns-cloudflare-credentials /config/credentials.ini --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} --server https://acme-v02.api.letsencrypt.org/directory volumes: - certbot_state:/var/lib/letsencrypt:z - nginx_archive:/etc/letsencrypt/archive:z - nginx_certs:/etc/letsencrypt/live:z - - ./config/nginx/credentials.ini:/var/lib/letsencrypt/dns_google_domains_credentials.ini:ro,z - - - ddnsgd: - <<: *defaults - container_name: "ddnsgd" - image: "ghcr.io/dominickbrasileiro/ddnsgd" - environment: - - HOSTNAME=${NGINX_HOST} - - USERNAME=${GDNS_USERNAME} - - PASSWORD=${GDNS_PASSWORD} - - INTERVAL=9000 - healthcheck: - test: /usr/bin/nslookup ${NGINX_HOST} - interval: 30s - retries: 5 - start_period: 2s - timeout: 10s + - ./config/nginx/credentials.ini:/config/credentials.ini:ro,z hugo-html: networks: 
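Review bot: `image: certbot/dns-cloudflare` carries no tag, so every pull silently takes whatever `latest` is, unlike the `nginxproxy/*:x.y.z` pins made earlier in this series; pin it as `image: certbot/dns-cloudflare:<version>`. The file passed to `--dns-cloudflare-credentials /config/credentials.ini` is, as far as this series shows, still the one created in PATCH 2/6 with a `dns_google_domains_access_token` key, which the Cloudflare plugin does not read (it expects `dns_cloudflare_api_token`, or the legacy email/global-key pair), so its content needs updating alongside this hunk. The commit title hints at the legacy global API key; prefer an API token scoped to DNS edits on this single zone, since a global key grants full account access if the mounted file ever leaks.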
@@ -221,10 +203,6 @@ services: - ./config/nginx/nextcloud_location:/etc/nginx/vhost.d/nextcloud.${NGINX_HOST}_location:ro,z - ./config/nginx/header_default:/etc/nginx/vhost.d/default:z - /var/run/docker.sock:/tmp/docker.sock:ro,z - depends_on: - ddnsgd: - condition: service_healthy - volumes: certbot_state: From 0532b15b9c25ba420e21cce7be6dafb08bfd1539 Mon Sep 17 00:00:00 2001 From: Lieuwe Leene Date: Sun, 3 Nov 2024 17:51:10 +0100 Subject: [PATCH 6/6] update hugo static build for alphine --- config/hugo/Dockerfile | 5 +++-- docker-compose.yaml | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/hugo/Dockerfile b/config/hugo/Dockerfile index 461880e..b59ec35 100644 --- a/config/hugo/Dockerfile +++ b/config/hugo/Dockerfile @@ -6,16 +6,17 @@ LABEL maintainer="Lieuwe Leene " ARG HUGO_BASE="localhost" ARG SSL_ALGO=secp521r1 -RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "/v[0-9.]*/hugo_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \ +RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "v[0-9.]*/hugo_extended_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \ && mkdir -p /usr/local/sbin \ && mv /tmp/hugo /usr/local/sbin/hugo \ && rm -rf /tmp/${HUGO_ID}_linux_amd64 \ && rm -rf /tmp/LICENSE.md \ && rm -rf /tmp/README.md -RUN apk add --update git asciidoctor libc6-compat libstdc++ \ +RUN apk add --update git gcompat asciidoctor libc6-compat libstdc++ \ && apk upgrade \ && apk add --no-cache ca-certificates \ + && ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 \ && git clone https://github.com/lleene/hugo-site.git /src \ && git clone https://github.com/lleene/hermit.git /src/themes/hermit \ && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify diff --git a/docker-compose.yaml b/docker-compose.yaml index 1c4a773..c3b037f 100644 
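Review bot: The `wget … releases/latest | grep -om 1 …` pipeline fetches whatever GitHub currently reports as the newest Hugo release and pipes the tarball straight into `tar`, with no version pin and no checksum or signature check, so the image build is neither reproducible nor protected against a tampered or mis-served archive. Pin the version in a build `ARG` and verify the tarball against the `hugo_<version>_checksums.txt` file each release publishes before extracting, as sketched below. The `ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2` workaround deserves a comment naming which symbol the extended build needs and why a libc symlink satisfies it; that reading is inferred from the commit title and should be confirmed. `${HUGO_ID}` in the unchanged `rm -rf /tmp/${HUGO_ID}_linux_amd64` line is not defined anywhere visible and probably expands to empty.
```dockerfile
ARG HUGO_VERSION=<pinned Hugo version>
RUN cd /tmp \
    && wget -O "hugo_extended_${HUGO_VERSION}_Linux-64bit.tar.gz" "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.tar.gz" \
    && wget -O checksums.txt "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_checksums.txt" \
    && grep "hugo_extended_${HUGO_VERSION}_Linux-64bit.tar.gz" checksums.txt | sha256sum -c - \
    && tar -xzf "hugo_extended_${HUGO_VERSION}_Linux-64bit.tar.gz" -C /tmp \
    && mkdir -p /usr/local/sbin \
    && mv /tmp/hugo /usr/local/sbin/hugo
# … unchanged: apk add / git clone / hugo build …
```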
--- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,12 +18,12 @@ services: <<: *defaults image: certbot/dns-cloudflare container_name: certbot - command: certonly --non-interactive --dns-cloudflare --dns-cloudflare-credentials /config/credentials.ini --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} --server https://acme-v02.api.letsencrypt.org/directory + command: certonly --non-interactive --dns-cloudflare --dns-cloudflare-credentials /config/credentials.ini --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST} --server https://acme-v02.api.letsencrypt.org/directory volumes: - certbot_state:/var/lib/letsencrypt:z - nginx_archive:/etc/letsencrypt/archive:z - nginx_certs:/etc/letsencrypt/live:z - - ./config/nginx/credentials.ini:/config/credentials.ini:ro,z + - ./config/nginx/credentials.ini:/config/credentials.ini:z hugo-html: networks:
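Review bot: `- ./config/nginx/credentials.ini:/config/credentials.ini:z` drops the `ro` this mount has had since PATCH 5/6, so the certbot container can now modify the API credentials file on the host, and nothing in this hunk (reordering the SANs and re-adding `-d autodiscover.${NGINX_HOST}`) needs it writable; restore `:ro,z`. If the change was a reaction to certbot's warning about the file's permissions, the remedy is `chmod 600` on the host file, not a writable mount. The `autodiscover` name returns to the certificate while no `autodiscover` service exists in the compose file since PATCH 2/6; that is fine if something else serves it, otherwise it is a stale SAN.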