f 2019-09-10 20:17:04 -03:00
parent a2e27c5316
commit d17f14a589
No known key found for this signature in database
GPG key ID: 2AE5A13E321F953D
3 changed files with 84 additions and 0 deletions


@ -1,2 +1,21 @@
FROM sutty/monit:latest
MAINTAINER "f <f@sutty.nl>"
# Install requisites
RUN apk add --no-cache certbot jq wget
# Run certbot
COPY ./monit.conf /etc/monit.d/certbot.conf
# Get more output
RUN echo "set limits { programoutput: 1 MB }" >> /etc/monit.d/limits.conf
# Install certbot's script
COPY ./certbot.sh /usr/local/bin/certbot
RUN chmod +x /usr/local/bin/certbot
# Check monit's config
RUN monit -t
# Access to certificates and challenges
VOLUME /etc/letsencrypt
VOLUME /var/lib/letsencrypt
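Review bot: `RUN apk add --no-cache certbot jq wget` installs unpinned packages, so two builds of this same commit can end up with different certbot versions and different ACME behaviour (hadolint DL3018); pin them, e.g. `apk add --no-cache certbot=<version> jq=<version> wget=<version>` with the versions taken from the Alpine release the base image tracks. `COPY ./certbot.sh /usr/local/bin/certbot` followed by `RUN chmod +x /usr/local/bin/certbot` stores the script twice across two layers; `COPY --chmod=0755 ./certbot.sh /usr/local/bin/certbot` does it in one (needs the BuildKit frontend, `# syntax=docker/dockerfile:1`). The `FROM sutty/monit:latest` and `MAINTAINER` lines look like pre-existing context rather than part of this change, but they leave the base image unpinned and use a deprecated instruction; a tagged base and `LABEL maintainer="f <f@sutty.nl>"` would be worth a follow-up.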

48
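--- /dev/null
+++ b/certbot.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+case $1 in
+# Renew certificates, trust in certbot's algorithms
+renew) /usr/bin/certbot renew --quit --agree-tos ;;
+bootstrap)
+test -d "/etc/letsencrypt/live/api.${SUTTY}" && exit 0
+# Get the certificate for the domain, the webserver will need
+# access to this directory
+/usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+--webroot \
+--agree-tos \
+--webroot-path /var/lib/letsencrypt \
+-d "api.${SUTTY}" ;;
+# Generate certificates
+*)
+# Save headers here
+headers=/tmp/headers
+# Gets ETag from previous headers
+test -f "${headers}" \
+&& etag="$(grep "^ Etag: " "${headers}" | cut -d : -f 2)"
+# Get site list from the API and transform to a list. Save headers
+# for next run. Use ETag to avoid running when nothing changed
+wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
+--header="If-None-Match:${etag}" -qSO - \
+"https://api.${SUTTY}/v1/sites.json" \
+2>"${headers}" \
+| jq --raw-output .[] \
+| while read name; do
+# If the site name doesn't end with a dot, it's a subdomain
+domain="$(echo "${name}" | sed "s/[^\.]$/&${SUTTY}/")"
+domain="${domain%.}"
+# Skip already existing domains
+test -d "/etc/letsencrypt/live/${domain}" && continue
+# Get the certificate for the domain, the webserver will need
+# access to this directory
+/usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+--webroot \
+--agree-tos \
+--webroot-path /var/lib/letsencrypt \
+-d "${domain}"
+done
+esac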
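Review bot: `renew) /usr/bin/certbot renew --quit --agree-tos ;;` passes `--quit`, which is not a certbot option (the flag is `--quiet`/`-q`), so the scheduled renew program will fail on argument parsing before renewing anything and monit will only ever alert; change it to `/usr/bin/certbot renew --quiet --agree-tos`. In the default branch, `sed "s/[^\.]$/&${SUTTY}/"` appends `${SUTTY}` to a name without a separating dot, so unless `SUTTY` itself begins with a dot the subdomain case produces a concatenated host rather than `name.${SUTTY}`; `s/[^\.]$/&.${SUTTY}/` looks like what was intended. Passing `--user`/`--password` as wget arguments puts the API credentials on the command line, where any process that can read `/proc` in the container can see them; a `~/.netrc` written from the environment before the call would keep them out of the argument list. `grep "^ Etag: "` is case-sensitive, so if the server emits `ETag:` the cached tag is never found and the `If-None-Match` optimisation silently does nothing; `grep -i` makes the match robust, and note that a `304` response may itself make wget exit non-zero under `set -e`, which is worth confirming.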

17
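--- /dev/null
+++ b/monit.conf
@@ -0,0 +1,17 @@
+# Get first certificate!
+check program certbot_bootstrap
+with path "/usr/local/bin/certbot bootstrap"
+every 1 cycle
+if status = 0 then unmonitor
+# Renew certificates once a week
+check program certbot_renew
+with path "/usr/local/bin/certbot renew"
+every "13 5 * * *"
+if status != 0 then alert
+# Get missing certificates for every cycle.
+check program certbot
+with path "/usr/local/bin/certbot"
+every 1 cycle
+if status != 0 then alert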
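Review bot: The comment `# Renew certificates once a week` does not match `every "13 5 * * *"`, which is a daily schedule at 05:13; either the comment or the cron spec should change (`every "13 5 * * 0"` would be weekly). Since `certbot renew` only acts on certificates close to expiry, a daily run is the usual recommendation, so correcting the comment to `# Renew certificates daily; certbot only acts on those near expiry` is probably the right fix. The `check program certbot` entry issues an authenticated API request and may run `certbot certonly` on every monit cycle; an explicit `timeout` on that program line would stop a slow ACME exchange from stalling monit's cycle, and the interval should be checked against the API's rate expectations.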