.woodpecker.yml

@@ -1,22 +1,21 @@
-steps:
+pipeline:
   publish:
-    image: "docker.io/woodpeckerci/plugin-docker-buildx"
+    image: "plugins/docker"
     settings:
-      registry: "https://gitea.nulo.in"
+      registry: "registry.nulo.in"
       username: "sutty"
-      repo: "gitea.nulo.in/sutty/certbot-simple"
+      repo: "registry.nulo.in/sutty/certbot-simple"
       tags:
       - "${ALPINE_VERSION}"
       - "latest"
       build_args:
       - "ALPINE_VERSION=${ALPINE_VERSION}"
-      - "BASE_IMAGE=gitea.nulo.in/sutty/monit"
+      - "BASE_IMAGE=registry.nulo.in/sutty/monit"
     secrets:
-    - "DOCKER_PASSWORD"
+    - "docker_password"
     when:
       branch: "antifascista"
       event: "push"
 matrix:
-  include:
+  ALPINE_VERSION:
-  - ALPINE_VERSION: "3.20.2"
+  - "3.17.1"
-  - ALPINE_VERSION: "3.19.3"

Dockerfile

@@ -1,10 +1,10 @@
-ARG ALPINE_VERSION=3.18.3
+ARG ALPINE_VERSION=3.13.6
-ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
+ARG BASE_IMAGE=sutty/monit
 FROM ${BASE_IMAGE}:${ALPINE_VERSION}
-LABEL org.opencontainers.image.authors="f@sutty.nl"
+MAINTAINER "f <f@sutty.nl>"
 
 RUN addgroup -S -g 777 ssl
-RUN apk add --no-cache certbot certbot-dns-standalone
+RUN apk add --no-cache certbot
 
 COPY ./monit.conf /etc/monit.d/certbot.conf
 COPY ./certbotd.sh /usr/local/bin/certbotd

certbotd.sh

@@ -1,66 +1,46 @@
 #!/bin/sh
 
-ok() {
-  echo "ok - $@" >&2
-}
-
-not_ok() {
-  echo "not ok - $@" >&2
-}
-
 lock=/tmp/certbot.lck
 updated=/tmp/certbot.updated
 
 ensure() {
-  test -n "$1" && ok "$1 received, exiting gracefully..."
+  test -n "$1" && echo "$1 received, exiting gracefully..."
 
-  if test -f "${updated}" ; then
-    rm -f "${updated}"
-
-    # Fix permissions, users in group ssl have read access
-    find /etc/letsencrypt -type d | xargs -r chmod 2750
-    find /etc/letsencrypt -type f | xargs -r chmod 640
-    chgrp -R ssl /etc/letsencrypt
-  fi
-
-  # Remove the lock after synchronization
   rm -f "${lock}"
 
-  # Exit with the error code
+  test -f "${updated}" || exit 0
-  exit $1
+
+  rm -f "${updated}"
+
+  # Fix permissions, users in group ssl have read access
+  find /etc/letsencrypt -type d | xargs -r chmod 2750
+  find /etc/letsencrypt -type f | xargs -r chmod 640
+  chgrp -R ssl /etc/letsencrypt
 }
 
-for SIG in 1 2 3 6 9 14 15; do
+for SIG in TERM QUIT INT HUP; do
   trap "ensure ${SIG}" ${SIG}
 done
 
-set -E
+set -e
 
 case $1 in
   # Renew certificates, trust in certbot's algorithms
   renew)
-    if /usr/bin/certbot renew --quiet --agree-tos ; then
+    /usr/bin/certbot renew --quiet --agree-tos
-      ok "Renewed certificates"
+    touch "${updated}"
-      touch "${updated}"
-    else
-      ret=$?
-      not_ok "Certificate renewal failed"
-      exit $ret
-    fi
     ;;
   bootstrap)
     for site in ${SUTTY} ${DOMAINS}; do
       test -d "/etc/letsencrypt/live/${site}" && exit 0
 
-      /usr/bin/certbot \
+      # Get the certificate for the domain, the webserver will need
-        certonly \
+      # access to this directory
-        --non-interactive \
+      /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
-        --authenticator "dns-standalone" \
+                                --webroot \
-        --email "certbot@${SUTTY}" \
+                                --agree-tos \
-        --agree-tos \
+                                --webroot-path /var/lib/letsencrypt \
-        -d "${SUTTY}" \
+                                -d "${site}"
-        -d "*.${SUTTY}" \
-        && touch "${updated}"
 
       cd /etc/letsencrypt/live
       ln -s ${SUTTY} default
@@ -75,4 +55,4 @@ case $1 in
     ;;
 esac
 
-ensure 0
+ensure