Enable templating! Eliminate unnecessary customization!

This commit is contained in:
Elliot Saba 2020-01-12 23:54:12 -08:00
parent 386d73143b
commit f6d02a7ec9
3 changed files with 63 additions and 19 deletions

View File

@ -1,19 +1,14 @@
# docker-nginx-certbot # docker-nginx-certbot
Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*, built on top of the nginx server. Create and automatically renew website SSL certificates using the free [letsencrypt](https://letsencrypt.org/) certificate authority, and its client [*certbot*](https://certbot.eff.org/), built on top of the [nginx](https://www.nginx.com/) webserver.
# More information This repository was originally forked from `@henridwyer`, many thanks to him for the good idea. It has since been completely rewritten, and bears almost no resemblance to the original. This repository is _much_ more opinionated about the structure of your webservers/containers, however it is easier to use as long as all of your webservers follow the given pattern.
Find out more about letsencrypt: https://letsencrypt.org
Certbot github: https://github.com/certbot/certbot
This repository was originally forked from `@henridwyer`, many thanks to him for the good idea. I've rewritten about 90% of this repository, so it bears almost no resemblance to the original. This repository is _much_ more opinionated about the structure of your webservers/containers, however it is easier to use as long as all of your webservers follow that pattern.
# Usage # Usage
Create a config directory for your custom configs: Create a config directory for your custom configs:
```
mkdir conf.d ```bash
$ mkdir conf.d
``` ```
And a `.conf` in that directory: And a `.conf` in that directory:
@ -36,19 +31,62 @@ version: '3'
services: services:
frontend: frontend:
restart: unless-stopped restart: unless-stopped
build: frontend image: staticfloat/nginx-certbot
ports: ports:
- 80:80/tcp - 80:80/tcp
- 443:443/tcp - 443:443/tcp
environment: environment:
- CERTBOT_EMAIL=owner@company.com CERTBOT_EMAIL: owner@company.com
volumes: volumes:
- ./conf.d:/etc/nginx/user.conf.d :ro - ./conf.d:/etc/nginx/user.conf.d:ro
... - letsencrypt:/etc/letsencrypt
volumes:
letsencrypt:
```
Launch that docker-compose file, and you're good to go; `certbot` will automatically request an SSL certificate for any `nginx` sites that look for SSL certificates in `/etc/letsencrypt/live`, and will automatically renew them over time.
## Templating
You may wish to template your configurations, e.g. passing in a hostname so as to be able to run multiple identical copies of this container; one per website. The docker container will use [`envsubst`](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) to template all mounted user configs with a user-provided list of environment variables. Example:
```nginx
# In conf.d/nginx_template.conf
server {
listen 443 ssl;
server_name ${FQDN};
ssl_certificate /etc/letsencrypt/live/${FQDN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${FQDN}/privkey.pem;
...
}
```
```yml
version: '3'
services:
frontend:
restart: unless-stopped
image: staticfloat/nginx-certbot
ports:
- 80:80/tcp
- 443:443/tcp
environment:
CERTBOT_EMAIL: owner@company.com
ENVSUBST_VARS: FQDN
FQDN: server.company.com
volumes:
- ./conf.d:/etc/nginx/user.conf.d:ro
- letsencrypt:/etc/letsencrypt
volumes:
letsencrypt:
``` ```
# Changelog # Changelog
### 1.0
- Many improvements thanks to contributors from across the globe. Together, we have drastically reduced the amount of customization needed; configs can be mounted directly into a prebuilt image, and the configurations can even be templated.
### 0.8 ### 0.8
- Ditch cron, it never liked me anway. Just use `sleep` and a `while` loop instead. - Ditch cron, it never liked me anway. Just use `sleep` and a `while` loop instead.

View File

@ -8,7 +8,7 @@ trap "kill 0" EXIT
. $(cd $(dirname $0); pwd)/util.sh . $(cd $(dirname $0); pwd)/util.sh
# first include any user configs if they've been mounted # first include any user configs if they've been mounted
link_user_configs template_user_configs
# Immediately run auto_enable_configs so that nginx is in a runnable state # Immediately run auto_enable_configs so that nginx is in a runnable state
auto_enable_configs auto_enable_configs

View File

@ -93,20 +93,26 @@ is_renewal_required() {
[ $is_finshed_week_sec -lt 0 ] [ $is_finshed_week_sec -lt 0 ]
} }
# symlinks any *.conf files in /etc/nginx/user.conf.d # copies any *.conf files in /etc/nginx/user.conf.d
# to /etc/nginx/conf.d so they are included as configs # to /etc/nginx/conf.d so they are included as configs
# this allows a user to easily mount their own configs # this allows a user to easily mount their own configs
link_user_configs() { # We make use of `envsubst` to allow for on-the-fly templating
# of the user configs.
template_user_configs() {
SOURCE_DIR="${1-/etc/nginx/user.conf.d}" SOURCE_DIR="${1-/etc/nginx/user.conf.d}"
TARGET_DIR="${2-/etc/nginx/conf.d}" TARGET_DIR="${2-/etc/nginx/conf.d}"
echo "symlinking scripts from ${SOURCE_DIR} to ${TARGET_DIR}" # envsubst needs dollar signs in front of all variable names
DENV=$(echo ${ENVSUBST_VARS} | sed -E 's/\$*([^ ]+)/\$\1/g')
echo "templating scripts from ${SOURCE_DIR} to ${TARGET_DIR}"
echo "Substituting variables ${DENV}"
if [ ! -d "$SOURCE_DIR" ]; then if [ ! -d "$SOURCE_DIR" ]; then
echo "no ${SOURCE_DIR}, nothing to do." echo "no ${SOURCE_DIR}, nothing to do."
else else
for conf in ${SOURCE_DIR}/*.conf; do for conf in ${SOURCE_DIR}/*.conf; do
ln -sv "${conf}" "${TARGET_DIR}/$(basename ${conf})" envsubst "${DENV}" <"${conf}" > "${TARGET_DIR}/$(basename ${conf})"
done done
fi fi
} }