Merge branch 'antifascista' of ssh://gitea.nulo.in:420/Sutty/containers-certbot into antifascista

2024-09-04 12:09:46 -03:00 · 2024-09-04 12:09:46 -03:00 · 2c098a03a4
commit 2c098a03a4
parent d092ee8ecf ac86ff8b4b
3 changed files with 54 additions and 33 deletions
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -1,21 +1,22 @@
-pipeline:
+steps:
  publish:
-    image: "plugins/docker"
+    image: "docker.io/woodpeckerci/plugin-docker-buildx"
    settings:
-      registry: "registry.nulo.in"
+      registry: "https://gitea.nulo.in"
      username: "sutty"
-      repo: "registry.nulo.in/sutty/certbot-simple"
+      repo: "gitea.nulo.in/sutty/certbot-simple"
      tags:
      - "${ALPINE_VERSION}"
      - "latest"
      build_args:
      - "ALPINE_VERSION=${ALPINE_VERSION}"
-      - "BASE_IMAGE=registry.nulo.in/sutty/monit"
+      - "BASE_IMAGE=gitea.nulo.in/sutty/monit"
    secrets:
-    - "docker_password"
+    - "DOCKER_PASSWORD"
    when:
      branch: "antifascista"
      event: "push"
 matrix:
-  ALPINE_VERSION:
-  - "3.17.1"
+  include:
+  - ALPINE_VERSION: "3.20.1"
+  - ALPINE_VERSION: "3.19.2"
--- a/8
+++ b/8
@ -1,10 +1,10 @@
-ARG ALPINE_VERSION=3.13.6
-ARG BASE_IMAGE=sutty/monit
+ARG ALPINE_VERSION=3.18.3
+ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
 FROM ${BASE_IMAGE}:${ALPINE_VERSION}
-MAINTAINER "f <f@sutty.nl>"
+LABEL org.opencontainers.image.authors="f@sutty.nl"

 RUN addgroup -S -g 777 ssl
-RUN apk add --no-cache certbot
+RUN apk add --no-cache certbot certbot-dns-standalone

 COPY ./monit.conf /etc/monit.d/certbot.conf
 COPY ./certbotd.sh /usr/local/bin/certbotd
--- a/certbotd.sh
+++ b/certbotd.sh
@ -1,46 +1,66 @@
 #!/bin/sh

+ok() {
+  echo "ok - $@" >&2
+}
+
+not_ok() {
+  echo "not ok - $@" >&2
+}
+
 lock=/tmp/certbot.lck
 updated=/tmp/certbot.updated

 ensure() {
-  test -n "$1" && echo "$1 received, exiting gracefully..."
+  test -n "$1" && ok "$1 received, exiting gracefully..."

+  if test -f "${updated}" ; then
+    rm -f "${updated}"
+
+    # Fix permissions, users in group ssl have read access
+    find /etc/letsencrypt -type d | xargs -r chmod 2750
+    find /etc/letsencrypt -type f | xargs -r chmod 640
+    chgrp -R ssl /etc/letsencrypt
+  fi
+
+  # Remove the lock after synchronization
  rm -f "${lock}"

-  test -f "${updated}" || exit 0
-
-  rm -f "${updated}"
-
-  # Fix permissions, users in group ssl have read access
-  find /etc/letsencrypt -type d | xargs -r chmod 2750
-  find /etc/letsencrypt -type f | xargs -r chmod 640
-  chgrp -R ssl /etc/letsencrypt
+  # Exit with the error code
+  exit $1
 }

-for SIG in TERM QUIT INT HUP; do
+for SIG in 1 2 3 6 9 14 15; do
  trap "ensure ${SIG}" ${SIG}
 done

-set -e
+set -E

 case $1 in
  # Renew certificates, trust in certbot's algorithms
  renew)
-    /usr/bin/certbot renew --quiet --agree-tos
-    touch "${updated}"
+    if /usr/bin/certbot renew --quiet --agree-tos ; then
+      ok "Renewed certificates"
+      touch "${updated}"
+    else
+      ret=$?
+      not_ok "Certificate renewal failed"
+      exit $ret
+    fi
    ;;
  bootstrap)
    for site in ${SUTTY} ${DOMAINS}; do
      test -d "/etc/letsencrypt/live/${site}" && exit 0

-      # Get the certificate for the domain, the webserver will need
-      # access to this directory
-      /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
-                                --webroot \
-                                --agree-tos \
-                                --webroot-path /var/lib/letsencrypt \
-                                -d "${site}"
+      /usr/bin/certbot \
+        certonly \
+        --non-interactive \
+        --authenticator "dns-standalone" \
+        --email "certbot@${SUTTY}" \
+        --agree-tos \
+        -d "${SUTTY}" \
+        -d "*.${SUTTY}" \
+        && touch "${updated}"

      cd /etc/letsencrypt/live
      ln -s ${SUTTY} default
@ -55,4 +75,4 @@ case $1 in
    ;;
 esac

-ensure
+ensure 0