feat: work with a predefined set of certificates

Dockerfile

@@ -4,8 +4,7 @@ FROM ${BASE_IMAGE}:${ALPINE_VERSION}
 MAINTAINER "f <f@sutty.nl>"
 
 RUN addgroup -S -g 777 ssl
-RUN install -dm 2700 -o root -g root /root/.ssh
-RUN apk add --no-cache certbot jq wget openssh-client rsync
+RUN apk add --no-cache certbot
 
 COPY ./monit.conf /etc/monit.d/certbot.conf
 COPY ./certbotd.sh /usr/local/bin/certbotd

certbotd.sh

@@ -1,10 +1,5 @@
 #!/bin/sh
 
-if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then
-  echo "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true" >&2
-  exit 1
-fi
-
 lock=/tmp/certbot.lck
 updated=/tmp/certbot.updated
 
@@ -21,16 +16,6 @@ ensure() {
   find /etc/letsencrypt -type d | xargs -r chmod 2750
   find /etc/letsencrypt -type f | xargs -r chmod 640
   chgrp -R ssl /etc/letsencrypt
-
-  ${SINGLE_NODE:-false} && exit 0
-
-  # Push certificates to nodes, we use SSH as a secure transport
-  # but this means we're synchronizing from container to host which is
-  # awkward.  A restricted rsync treats / as the remote location for the
-  # certificates.
-  for NODE in ${NODES}; do
-    rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}:/live/
-  done
 }
 
 for SIG in TERM QUIT INT HUP; do
@@ -46,7 +31,7 @@ case $1 in
     touch "${updated}"
     ;;
   bootstrap)
-    for site in ${SUTTY} api.${SUTTY}; do
+    for site in ${SUTTY} ${DOMAINS}; do
       test -d "/etc/letsencrypt/live/${site}" && exit 0
 
       # Get the certificate for the domain, the webserver will need
@@ -68,47 +53,6 @@ case $1 in
     comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v
     touch "${updated}"
     ;;
-  # Generate certificates
-  *)
-    # Only one instance can run at a time
-    if test -f "${lock}" ; then
-      echo "There's a certbotd instance already running, doing nothing..." >&2
-      echo "If the problem persists, you may need to remove ${lock} manually." >&2
-      exit 1
-    fi
-
-    touch "${lock}"
-
-    # Save headers here
-    headers=/tmp/headers
-    # Gets ETag from previous headers
-    test -f "${headers}" \
-      && etag="$(grep "^  Etag: " "${headers}" | cut -d : -f 2)"
-
-    # Get site list from the API and transform to a list.  Save headers
-    # for next run.  Use ETag to avoid running when nothing changed
-    wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
-         --header="If-None-Match:${etag}" -qSO - \
-          "https://api.${SUTTY}/v1/sites.json" \
-          2>"${headers}" \
-      | jq --raw-output .[] \
-      | while read domain; do
-          # Skip already existing domains
-          test -d "/etc/letsencrypt/live/${domain}" && continue
-
-          # Ignore non local domains
-          nslookup "${domain}" 8.8.8.8 | grep -q "${SUTTY_ADDRESS}" || continue
-
-          # Get the certificate for the domain, the webserver will need
-          # access to this directory
-          /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
-                                    -n \
-                                    --webroot \
-                                    --agree-tos \
-                                    --webroot-path /var/lib/letsencrypt \
-                                    -d "${domain}"
-          touch "${updated}"
-        done
 esac
 
 ensure

monit.conf

@@ -15,9 +15,3 @@ check program certbot_prune
   with path "/usr/local/bin/syslogize certbotd prune"
   every "13 1 2 * *"
   if status != 0 then alert
-
-# Get missing certificates for every cycle.
-check program certbot
-  with path "/usr/local/bin/syslogize certbotd"
-  every 1 cycle
-  if status != 0 then alert