Add letsencrypt support in the nginx container
parent
a57096e613
commit
808809b37a
@ -1,8 +1,8 @@
|
||||
FROM alpine:edge
|
||||
|
||||
RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2
|
||||
RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2 certbot openssl
|
||||
|
||||
COPY conf /conf
|
||||
COPY start.py /start.py
|
||||
COPY *.py /
|
||||
|
||||
CMD /start.py
|
||||
|
@ -0,0 +1,27 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import jinja2
|
||||
import os
|
||||
import socket
|
||||
|
||||
convert = lambda src, dst, args: open(dst, "w").write(jinja2.Template(open(src).read()).render(**args))
|
||||
|
||||
args = os.environ.copy()
|
||||
|
||||
if "ADMIN_ADDRESS" not in os.environ:
|
||||
args["ADMIN_ADDRESS"] = socket.gethostbyname("admin")
|
||||
|
||||
args["TLS"] = {
|
||||
"cert": ("/certs/cert.pem", "/certs/key.pem"),
|
||||
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
|
||||
"/certs/letsencrypt/live/mailu/privkey.pem"),
|
||||
"notls": None
|
||||
}[args["TLS_FLAVOR"]]
|
||||
|
||||
if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
|
||||
print("Missing cert or key file, disabling TLS")
|
||||
args["TLS_ERROR"] = "yes"
|
||||
|
||||
|
||||
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
|
||||
os.system("nginx -s reload")
|
@ -0,0 +1,29 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import os
|
||||
import time
|
||||
import subprocess
|
||||
|
||||
|
||||
command = [
|
||||
"certbot",
|
||||
"-n", "--agree-tos", # non-interactive
|
||||
"-d", os.environ["HOSTNAMES"],
|
||||
"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
|
||||
"certonly", "--standalone",
|
||||
"--cert-name", "mailu",
|
||||
"--preferred-challenges", "http", "--http-01-port", "8000",
|
||||
"--keep-until-expiring",
|
||||
"--rsa-key-size", "4096",
|
||||
"--config-dir", "/certs/letsencrypt",
|
||||
"--post-hook", "/config.py"
|
||||
]
|
||||
|
||||
# Wait for nginx to start
|
||||
time.sleep(5)
|
||||
|
||||
# Run certbot every hour
|
||||
while True:
|
||||
subprocess.call(command)
|
||||
time.sleep(3600)
|
||||
|
@ -1,13 +1,15 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import jinja2
|
||||
import os
|
||||
import socket
|
||||
import subprocess
|
||||
|
||||
convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
|
||||
|
||||
# Actual startup script
|
||||
if "ADMIN_ADDRESS" not in os.environ:
|
||||
os.environ["ADMIN_ADDRESS"] = socket.gethostbyname("admin")
|
||||
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf")
|
||||
if not os.path.exists("/certs/dhparam.pem") and os.environ["TLS_FLAVOR"] != "notls":
|
||||
os.system("openssl dhparam -out /certs/dhparam.pem 4096")
|
||||
|
||||
if os.environ["TLS_FLAVOR"] == "letsencrypt":
|
||||
subprocess.Popen(["/letsencrypt.py"])
|
||||
|
||||
subprocess.call(["/config.py"])
|
||||
os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"])
|
||||
|
Loading…
Reference in New Issue