mirror of
https://github.com/linuxserver/docker-swag.git
synced 2024-10-01 01:35:49 -04:00
Fix indentation
This commit is contained in:
parent
d77a64aab8
commit
b1ae12189f
@ -4,149 +4,149 @@ error_page 502 /502.html;
|
||||
|
||||
# redirect all traffic to https
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# main server block
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
|
||||
root /config/www;
|
||||
index index.html index.htm index.php;
|
||||
root /config/www;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
server_name _;
|
||||
server_name _;
|
||||
|
||||
# enable subfolder method reverse proxy confs
|
||||
include /config/nginx/proxy-confs/*.subfolder.conf;
|
||||
# enable subfolder method reverse proxy confs
|
||||
include /config/nginx/proxy-confs/*.subfolder.conf;
|
||||
|
||||
# all ssl related config moved to ssl.conf
|
||||
include /config/nginx/ssl.conf;
|
||||
# all ssl related config moved to ssl.conf
|
||||
include /config/nginx/ssl.conf;
|
||||
|
||||
# enable for ldap auth
|
||||
#include /config/nginx/ldap.conf;
|
||||
# enable for ldap auth
|
||||
#include /config/nginx/ldap.conf;
|
||||
|
||||
# enable for Authelia
|
||||
#include /config/nginx/authelia-server.conf;
|
||||
# enable for Authelia
|
||||
#include /config/nginx/authelia-server.conf;
|
||||
|
||||
# enable for geo blocking
|
||||
# See /config/nginx/geoip2.conf for more information.
|
||||
#if ($allowed_country = no) {
|
||||
#return 444;
|
||||
#}
|
||||
# enable for geo blocking
|
||||
# See /config/nginx/geoip2.conf for more information.
|
||||
#if ($allowed_country = no) {
|
||||
#return 444;
|
||||
#}
|
||||
|
||||
client_max_body_size 0;
|
||||
client_max_body_size 0;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html /index.php?$args =404;
|
||||
}
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html /index.php?$args =404;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
}
|
||||
|
||||
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
|
||||
# notice this is within the same server block as the base
|
||||
# don't forget to generate the .htpasswd file as described on docker hub
|
||||
# location ^~ /cp {
|
||||
# auth_basic "Restricted";
|
||||
# auth_basic_user_file /config/nginx/.htpasswd;
|
||||
# include /config/nginx/proxy.conf;
|
||||
# proxy_pass http://192.168.1.50:5050/cp;
|
||||
# }
|
||||
# location ^~ /cp {
|
||||
# auth_basic "Restricted";
|
||||
# auth_basic_user_file /config/nginx/.htpasswd;
|
||||
# include /config/nginx/proxy.conf;
|
||||
# proxy_pass http://192.168.1.50:5050/cp;
|
||||
# }
|
||||
|
||||
}
|
||||
|
||||
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
|
||||
# notice this is a new server block, you need a new server block for each subdomain
|
||||
#server {
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
#
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
#
|
||||
# server_name cp.*;
|
||||
# server_name cp.*;
|
||||
#
|
||||
# include /config/nginx/ssl.conf;
|
||||
# include /config/nginx/ssl.conf;
|
||||
#
|
||||
# client_max_body_size 0;
|
||||
# client_max_body_size 0;
|
||||
#
|
||||
# location / {
|
||||
# auth_basic "Restricted";
|
||||
# auth_basic_user_file /config/nginx/.htpasswd;
|
||||
# include /config/nginx/proxy.conf;
|
||||
# proxy_pass http://192.168.1.50:5050;
|
||||
# }
|
||||
# location / {
|
||||
# auth_basic "Restricted";
|
||||
# auth_basic_user_file /config/nginx/.htpasswd;
|
||||
# include /config/nginx/proxy.conf;
|
||||
# proxy_pass http://192.168.1.50:5050;
|
||||
# }
|
||||
#}
|
||||
|
||||
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
|
||||
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
|
||||
# notice this is a new server block, you need a new server block for each subdomain
|
||||
#server {
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
#
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
#
|
||||
# server_name heimdall.*;
|
||||
# server_name heimdall.*;
|
||||
#
|
||||
# include /config/nginx/ssl.conf;
|
||||
# include /config/nginx/ssl.conf;
|
||||
#
|
||||
# include /config/nginx/ldap.conf;
|
||||
# include /config/nginx/ldap.conf;
|
||||
#
|
||||
# client_max_body_size 0;
|
||||
# client_max_body_size 0;
|
||||
#
|
||||
# location / {
|
||||
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
|
||||
# auth_request /auth;
|
||||
# error_page 401 =200 /ldaplogin;
|
||||
# location / {
|
||||
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
|
||||
# auth_request /auth;
|
||||
# error_page 401 =200 /ldaplogin;
|
||||
#
|
||||
# include /config/nginx/proxy.conf;
|
||||
# resolver 127.0.0.11 valid=30s;
|
||||
# set $upstream_app heimdall;
|
||||
# set $upstream_port 443;
|
||||
# set $upstream_proto https;
|
||||
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
|
||||
# }
|
||||
# include /config/nginx/proxy.conf;
|
||||
# resolver 127.0.0.11 valid=30s;
|
||||
# set $upstream_app heimdall;
|
||||
# set $upstream_port 443;
|
||||
# set $upstream_proto https;
|
||||
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
|
||||
# }
|
||||
#}
|
||||
|
||||
# sample reverse proxy config for "heimdall" via subdomain, with Authelia
|
||||
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
|
||||
# notice this is a new server block, you need a new server block for each subdomain
|
||||
#server {
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
#
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
# root /config/www;
|
||||
# index index.html index.htm index.php;
|
||||
#
|
||||
# server_name heimdall.*;
|
||||
# server_name heimdall.*;
|
||||
#
|
||||
# include /config/nginx/ssl.conf;
|
||||
# include /config/nginx/ssl.conf;
|
||||
#
|
||||
# include /config/nginx/authelia-server.conf;
|
||||
# include /config/nginx/authelia-server.conf;
|
||||
#
|
||||
# client_max_body_size 0;
|
||||
# client_max_body_size 0;
|
||||
#
|
||||
# location / {
|
||||
# # the next line will enable Authelia along with the included authelia-server.conf in the server block
|
||||
# include /config/nginx/authelia-location.conf;
|
||||
# location / {
|
||||
# # the next line will enable Authelia along with the included authelia-server.conf in the server block
|
||||
# include /config/nginx/authelia-location.conf;
|
||||
#
|
||||
# include /config/nginx/proxy.conf;
|
||||
# resolver 127.0.0.11 valid=30s;
|
||||
# set $upstream_app heimdall;
|
||||
# set $upstream_port 443;
|
||||
# set $upstream_proto https;
|
||||
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
|
||||
# }
|
||||
# include /config/nginx/proxy.conf;
|
||||
# resolver 127.0.0.11 valid=30s;
|
||||
# set $upstream_app heimdall;
|
||||
# set $upstream_port 443;
|
||||
# set $upstream_proto https;
|
||||
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
|
||||
# }
|
||||
#}
|
||||
|
||||
# enable subdomain method reverse proxy confs
|
||||
|
@ -51,22 +51,22 @@ geo $allow_list {
|
||||
# Add the following if statements inside any server context where you want to geo block countries.
|
||||
|
||||
########################################
|
||||
# if ($allow_list = yes) {
|
||||
# set $allowed_country yes;
|
||||
# }
|
||||
# if ($allowed_country = no) {
|
||||
# return 444;
|
||||
# }
|
||||
# if ($allow_list = yes) {
|
||||
# set $allowed_country yes;
|
||||
# }
|
||||
# if ($allowed_country = no) {
|
||||
# return 444;
|
||||
# }
|
||||
#########################################
|
||||
|
||||
# Add the following if statements inside any server context where you want to geo block cities.
|
||||
########################################
|
||||
# if ($allow_list = yes) {
|
||||
# set $allowed_country yes;
|
||||
# }
|
||||
# if ($allowed_city = no) {
|
||||
# return 444;
|
||||
# }
|
||||
# if ($allow_list = yes) {
|
||||
# set $allowed_country yes;
|
||||
# }
|
||||
# if ($allowed_city = no) {
|
||||
# return 444;
|
||||
# }
|
||||
#########################################
|
||||
|
||||
# Example using a config from proxy-confs
|
||||
@ -90,12 +90,12 @@ geo $allow_list {
|
||||
|
||||
# # Allow lan access if default is set to no
|
||||
# if ($allow_list = yes) {
|
||||
# set $allowed_country yes;
|
||||
# set $allowed_country yes;
|
||||
# }
|
||||
# # Country geo block
|
||||
# if ($allowed_country = no) {
|
||||
# # Country geo block
|
||||
# if ($allowed_country = no) {
|
||||
# return 444;
|
||||
# }
|
||||
# }
|
||||
|
||||
|
||||
#
|
||||
|
@ -15,135 +15,135 @@ error_log /config/log/nginx/error.log;
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
# The maximum number of simultaneous connections that can be opened by
|
||||
# a worker process.
|
||||
worker_connections 1024;
|
||||
# multi_accept on;
|
||||
# The maximum number of simultaneous connections that can be opened by
|
||||
# a worker process.
|
||||
worker_connections 1024;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
# Includes mapping of file name extensions to MIME types of responses
|
||||
# and defines the default type.
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
# Includes mapping of file name extensions to MIME types of responses
|
||||
# and defines the default type.
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Name servers used to resolve names of upstream servers into addresses.
|
||||
# It's also needed when using tcpsocket and udpsocket in Lua modules.
|
||||
#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
|
||||
include /config/nginx/resolver.conf
|
||||
# Name servers used to resolve names of upstream servers into addresses.
|
||||
# It's also needed when using tcpsocket and udpsocket in Lua modules.
|
||||
#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
|
||||
include /config/nginx/resolver.conf
|
||||
|
||||
# Don't tell nginx version to the clients. Default is 'on'.
|
||||
server_tokens off;
|
||||
# Don't tell nginx version to the clients. Default is 'on'.
|
||||
server_tokens off;
|
||||
|
||||
# Specifies the maximum accepted body size of a client request, as
|
||||
# indicated by the request header Content-Length. If the stated content
|
||||
# length is greater than this size, then the client receives the HTTP
|
||||
# error code 413. Set to 0 to disable. Default is '1m'.
|
||||
client_max_body_size 0;
|
||||
# Specifies the maximum accepted body size of a client request, as
|
||||
# indicated by the request header Content-Length. If the stated content
|
||||
# length is greater than this size, then the client receives the HTTP
|
||||
# error code 413. Set to 0 to disable. Default is '1m'.
|
||||
client_max_body_size 0;
|
||||
|
||||
# Sendfile copies data between one FD and other from within the kernel,
|
||||
# which is more efficient than read() + write(). Default is off.
|
||||
sendfile on;
|
||||
# Sendfile copies data between one FD and other from within the kernel,
|
||||
# which is more efficient than read() + write(). Default is off.
|
||||
sendfile on;
|
||||
|
||||
# Causes nginx to attempt to send its HTTP response head in one packet,
|
||||
# instead of using partial frames. Default is 'off'.
|
||||
tcp_nopush on;
|
||||
# Causes nginx to attempt to send its HTTP response head in one packet,
|
||||
# instead of using partial frames. Default is 'off'.
|
||||
tcp_nopush on;
|
||||
|
||||
# Helper variable for proxying websockets.
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
# Helper variable for proxying websockets.
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
# Sets the path, format, and configuration for a buffered log write.
|
||||
access_log /config/log/nginx/access.log;
|
||||
# Sets the path, format, and configuration for a buffered log write.
|
||||
access_log /config/log/nginx/access.log;
|
||||
|
||||
# Includes virtual hosts configs.
|
||||
#include /etc/nginx/http.d/*.conf;
|
||||
# Includes virtual hosts configs.
|
||||
#include /etc/nginx/http.d/*.conf;
|
||||
|
||||
# WARNING: Don't use this directory for virtual hosts anymore.
|
||||
# This include will be moved to the root context in Alpine 3.14.
|
||||
#include /etc/nginx/conf.d/*.conf;
|
||||
# WARNING: Don't use this directory for virtual hosts anymore.
|
||||
# This include will be moved to the root context in Alpine 3.14.
|
||||
#include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
client_body_buffer_size 128k;
|
||||
keepalive_timeout 65;
|
||||
large_client_header_buffers 4 16k;
|
||||
send_timeout 5m;
|
||||
tcp_nodelay on;
|
||||
types_hash_max_size 2048;
|
||||
variables_hash_max_size 2048;
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
client_body_buffer_size 128k;
|
||||
keepalive_timeout 65;
|
||||
large_client_header_buffers 4 16k;
|
||||
send_timeout 5m;
|
||||
tcp_nodelay on;
|
||||
types_hash_max_size 2048;
|
||||
variables_hash_max_size 2048;
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# nginx-naxsi config
|
||||
##
|
||||
# Uncomment it if you installed nginx-naxsi
|
||||
##
|
||||
##
|
||||
# nginx-naxsi config
|
||||
##
|
||||
# Uncomment it if you installed nginx-naxsi
|
||||
##
|
||||
|
||||
#include /etc/nginx/naxsi_core.rules;
|
||||
#include /etc/nginx/naxsi_core.rules;
|
||||
|
||||
##
|
||||
# nginx-passenger config
|
||||
##
|
||||
# Uncomment it if you installed nginx-passenger
|
||||
##
|
||||
##
|
||||
# nginx-passenger config
|
||||
##
|
||||
# Uncomment it if you installed nginx-passenger
|
||||
##
|
||||
|
||||
#passenger_root /usr;
|
||||
#passenger_ruby /usr/bin/ruby;
|
||||
#passenger_root /usr;
|
||||
#passenger_ruby /usr/bin/ruby;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /config/nginx/site-confs/*;
|
||||
#Removed lua. Do not remove this comment
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /config/nginx/site-confs/*;
|
||||
#Removed lua. Do not remove this comment
|
||||
|
||||
##
|
||||
# Geoip2 config
|
||||
##
|
||||
# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
|
||||
##
|
||||
##
|
||||
# Geoip2 config
|
||||
##
|
||||
# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
|
||||
##
|
||||
|
||||
#include /config/nginx/geoip2.conf;
|
||||
#include /config/nginx/geoip2.conf;
|
||||
}
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
||||
|
||||
daemon off;
|
||||
|
@ -17,26 +17,26 @@ STAGING=${STAGING}\\n"
|
||||
|
||||
# Echo init finish for test runs
|
||||
if [ -n "${TEST_RUN}" ]; then
|
||||
echo '[services.d] done.'
|
||||
echo '[services.d] done.'
|
||||
fi
|
||||
|
||||
# Sanitize variables
|
||||
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
|
||||
for i in "${SANED_VARS[@]}"
|
||||
do
|
||||
export echo "$i"="${!i//\"/}"
|
||||
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
|
||||
export echo "$i"="${!i//\"/}"
|
||||
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
|
||||
done
|
||||
|
||||
# check to make sure that the required variables are set
|
||||
[[ -z "$URL" ]] && \
|
||||
echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
|
||||
sleep infinity
|
||||
echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
|
||||
sleep infinity
|
||||
|
||||
# make our folders and links
|
||||
mkdir -p \
|
||||
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
|
||||
/var/run/fail2ban
|
||||
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
|
||||
/var/run/fail2ban
|
||||
rm -rf /etc/letsencrypt
|
||||
ln -s /config/etc/letsencrypt /etc/letsencrypt
|
||||
|
||||
@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/
|
||||
cp -R /defaults/fail2ban/action.d /config/fail2ban/
|
||||
# if jail.local is missing in /config, copy default
|
||||
[[ ! -f /config/fail2ban/jail.local ]] && \
|
||||
cp /defaults/jail.local /config/fail2ban/jail.local
|
||||
cp /defaults/jail.local /config/fail2ban/jail.local
|
||||
# Replace fail2ban config with user config
|
||||
[[ -d /etc/fail2ban/filter.d ]] && \
|
||||
rm -rf /etc/fail2ban/filter.d
|
||||
rm -rf /etc/fail2ban/filter.d
|
||||
[[ -d /etc/fail2ban/action.d ]] && \
|
||||
rm -rf /etc/fail2ban/action.d
|
||||
rm -rf /etc/fail2ban/action.d
|
||||
cp -R /config/fail2ban/filter.d /etc/fail2ban/
|
||||
cp -R /config/fail2ban/action.d /etc/fail2ban/
|
||||
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
|
||||
@ -65,21 +65,21 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
|
||||
|
||||
# copy crontab and proxy defaults if needed
|
||||
[[ ! -f /config/crontabs/root ]] && \
|
||||
cp /etc/crontabs/root /config/crontabs/
|
||||
cp /etc/crontabs/root /config/crontabs/
|
||||
[[ ! -f /config/nginx/proxy.conf ]] && \
|
||||
cp /defaults/proxy.conf /config/nginx/proxy.conf
|
||||
cp /defaults/proxy.conf /config/nginx/proxy.conf
|
||||
[[ ! -f /config/nginx/ssl.conf ]] && \
|
||||
cp /defaults/ssl.conf /config/nginx/ssl.conf
|
||||
cp /defaults/ssl.conf /config/nginx/ssl.conf
|
||||
[[ ! -f /config/nginx/ldap.conf ]] && \
|
||||
cp /defaults/ldap.conf /config/nginx/ldap.conf
|
||||
cp /defaults/ldap.conf /config/nginx/ldap.conf
|
||||
[[ ! -f /config/nginx/authelia-server.conf ]] && \
|
||||
cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
|
||||
cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
|
||||
[[ ! -f /config/nginx/authelia-location.conf ]] && \
|
||||
cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
|
||||
cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
|
||||
[[ ! -f /config/nginx/geoip2.conf ]] && \
|
||||
cp /defaults/geoip2.conf /config/nginx/geoip2.conf
|
||||
cp /defaults/geoip2.conf /config/nginx/geoip2.conf
|
||||
[[ ! -f /config/www/502.html ]] &&
|
||||
cp /defaults/502.html /config/www/502.html
|
||||
cp /defaults/502.html /config/www/502.html
|
||||
|
||||
# Set resolver
|
||||
if ! grep -q 'resolver' /config/nginx/resolver.conf; then
|
||||
@ -97,25 +97,25 @@ fi
|
||||
|
||||
# remove lua bits from nginx.conf if not done before
|
||||
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
|
||||
echo "Removing lua specific info from nginx.conf"
|
||||
sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
|
||||
echo "Removing lua specific info from nginx.conf"
|
||||
sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
|
||||
fi
|
||||
|
||||
# copy pre-generated dhparams or generate if needed
|
||||
[[ ! -f /config/nginx/dhparams.pem ]] && \
|
||||
cp /defaults/dhparams.pem /config/nginx/dhparams.pem
|
||||
cp /defaults/dhparams.pem /config/nginx/dhparams.pem
|
||||
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
|
||||
curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
|
||||
curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
|
||||
fi
|
||||
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
|
||||
echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
|
||||
openssl dhparam -out /config/nginx/dhparams.pem 4096
|
||||
echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
|
||||
openssl dhparam -out /config/nginx/dhparams.pem 4096
|
||||
fi
|
||||
|
||||
# check to make sure DNSPLUGIN is selected if dns validation is used
|
||||
[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
|
||||
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
|
||||
sleep infinity
|
||||
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
|
||||
sleep infinity
|
||||
|
||||
# import user crontabs
|
||||
rm /etc/crontabs/*
|
||||
@ -123,11 +123,11 @@ cp /config/crontabs/* /etc/crontabs/
|
||||
|
||||
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
||||
if [ -f "/config/donoteditthisfile.conf" ]; then
|
||||
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
||||
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
||||
fi
|
||||
if [ ! -f "/config/.donoteditthisfile.conf" ]; then
|
||||
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
|
||||
echo "Created .donoteditthisfile.conf"
|
||||
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
|
||||
echo "Created .donoteditthisfile.conf"
|
||||
fi
|
||||
|
||||
# load original config settings
|
||||
@ -136,75 +136,75 @@ fi
|
||||
|
||||
# set default validation to http
|
||||
if [ -z "$VALIDATION" ]; then
|
||||
VALIDATION="http"
|
||||
echo "VALIDATION parameter not set; setting it to http"
|
||||
VALIDATION="http"
|
||||
echo "VALIDATION parameter not set; setting it to http"
|
||||
fi
|
||||
|
||||
# if zerossl is selected or staging is set to true, use the relevant server
|
||||
if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
|
||||
echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
|
||||
echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
|
||||
fi
|
||||
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
|
||||
echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
|
||||
ACMESERVER="https://acme.zerossl.com/v2/DV90"
|
||||
echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
|
||||
ACMESERVER="https://acme.zerossl.com/v2/DV90"
|
||||
elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
|
||||
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
|
||||
sleep infinity
|
||||
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
|
||||
sleep infinity
|
||||
elif [ "$STAGING" = "true" ]; then
|
||||
echo "NOTICE: Staging is active"
|
||||
echo "Using Let's Encrypt as the cert provider"
|
||||
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
echo "NOTICE: Staging is active"
|
||||
echo "Using Let's Encrypt as the cert provider"
|
||||
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
else
|
||||
echo "Using Let's Encrypt as the cert provider"
|
||||
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
||||
echo "Using Let's Encrypt as the cert provider"
|
||||
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
||||
fi
|
||||
|
||||
# figuring out url only vs url & subdomains vs subdomains only
|
||||
if [ -n "$SUBDOMAINS" ]; then
|
||||
echo "SUBDOMAINS entered, processing"
|
||||
if [ "$SUBDOMAINS" = "wildcard" ]; then
|
||||
if [ "$ONLY_SUBDOMAINS" = true ]; then
|
||||
export URL_REAL="-d *.${URL}"
|
||||
echo "Wildcard cert for only the subdomains of $URL will be requested"
|
||||
else
|
||||
export URL_REAL="-d *.${URL} -d ${URL}"
|
||||
echo "Wildcard cert for $URL will be requested"
|
||||
fi
|
||||
else
|
||||
echo "SUBDOMAINS entered, processing"
|
||||
for job in $(echo "$SUBDOMAINS" | tr "," " "); do
|
||||
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
|
||||
done
|
||||
if [ "$ONLY_SUBDOMAINS" = true ]; then
|
||||
URL_REAL="$SUBDOMAINS_REAL"
|
||||
echo "Only subdomains, no URL in cert"
|
||||
if [ "$SUBDOMAINS" = "wildcard" ]; then
|
||||
if [ "$ONLY_SUBDOMAINS" = true ]; then
|
||||
export URL_REAL="-d *.${URL}"
|
||||
echo "Wildcard cert for only the subdomains of $URL will be requested"
|
||||
else
|
||||
export URL_REAL="-d *.${URL} -d ${URL}"
|
||||
echo "Wildcard cert for $URL will be requested"
|
||||
fi
|
||||
else
|
||||
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
|
||||
echo "SUBDOMAINS entered, processing"
|
||||
for job in $(echo "$SUBDOMAINS" | tr "," " "); do
|
||||
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
|
||||
done
|
||||
if [ "$ONLY_SUBDOMAINS" = true ]; then
|
||||
URL_REAL="$SUBDOMAINS_REAL"
|
||||
echo "Only subdomains, no URL in cert"
|
||||
else
|
||||
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
|
||||
fi
|
||||
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
|
||||
fi
|
||||
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
|
||||
fi
|
||||
else
|
||||
echo "No subdomains defined"
|
||||
URL_REAL="-d $URL"
|
||||
echo "No subdomains defined"
|
||||
URL_REAL="-d $URL"
|
||||
fi
|
||||
|
||||
# add extra domains
|
||||
if [ -n "$EXTRA_DOMAINS" ]; then
|
||||
echo "EXTRA_DOMAINS entered, processing"
|
||||
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
|
||||
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
|
||||
done
|
||||
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
|
||||
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
|
||||
echo "EXTRA_DOMAINS entered, processing"
|
||||
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
|
||||
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
|
||||
done
|
||||
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
|
||||
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
|
||||
fi
|
||||
|
||||
# figuring out whether to use e-mail and which
|
||||
if [[ $EMAIL == *@* ]]; then
|
||||
echo "E-mail address entered: ${EMAIL}"
|
||||
EMAILPARAM="-m ${EMAIL} --no-eff-email"
|
||||
echo "E-mail address entered: ${EMAIL}"
|
||||
EMAILPARAM="-m ${EMAIL} --no-eff-email"
|
||||
else
|
||||
echo "No e-mail address entered or address invalid"
|
||||
EMAILPARAM="--register-unsafely-without-email"
|
||||
echo "No e-mail address entered or address invalid"
|
||||
EMAILPARAM="--register-unsafely-without-email"
|
||||
fi
|
||||
|
||||
# update plugin names in dns conf inis
|
||||
@ -215,82 +215,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
|
||||
|
||||
# setting the validation method to use
|
||||
if [ "$VALIDATION" = "dns" ]; then
|
||||
if [ "$DNSPLUGIN" = "route53" ]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
|
||||
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
else
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
fi
|
||||
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
|
||||
if [ "$DNSPLUGIN" = "route53" ]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
|
||||
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
else
|
||||
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
||||
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
||||
fi
|
||||
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
|
||||
elif [ "$VALIDATION" = "tls-sni" ]; then
|
||||
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
|
||||
echo "*****tls-sni validation has been deprecated, attempting http validation instead"
|
||||
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
|
||||
echo "*****tls-sni validation has been deprecated, attempting http validation instead"
|
||||
elif [ "$VALIDATION" = "duckdns" ]; then
|
||||
PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
|
||||
chmod +x /app/duckdns-txt
|
||||
echo "duckdns validation is selected"
|
||||
if [ "$SUBDOMAINS" = "wildcard" ]; then
|
||||
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
|
||||
export URL_REAL="-d *.${URL}"
|
||||
else
|
||||
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
|
||||
export URL_REAL="-d ${URL}"
|
||||
fi
|
||||
PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
|
||||
chmod +x /app/duckdns-txt
|
||||
echo "duckdns validation is selected"
|
||||
if [ "$SUBDOMAINS" = "wildcard" ]; then
|
||||
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
|
||||
export URL_REAL="-d *.${URL}"
|
||||
else
|
||||
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
|
||||
export URL_REAL="-d ${URL}"
|
||||
fi
|
||||
else
|
||||
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
|
||||
echo "http validation is selected"
|
||||
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
|
||||
echo "http validation is selected"
|
||||
fi
|
||||
|
||||
# setting the symlink for key location
|
||||
rm -rf /config/keys/letsencrypt
|
||||
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
|
||||
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
|
||||
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
|
||||
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
|
||||
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
|
||||
else
|
||||
ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
|
||||
../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
|
||||
fi
|
||||
|
||||
# checking for changes in cert variables, revoking certs if necessary
|
||||
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
|
||||
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
||||
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
|
||||
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
|
||||
else
|
||||
ORIGDOMAIN="$ORIGURL"
|
||||
fi
|
||||
if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
|
||||
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
|
||||
REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
|
||||
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
|
||||
if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
|
||||
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
|
||||
sleep infinity
|
||||
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
||||
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
|
||||
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
|
||||
else
|
||||
ORIGDOMAIN="$ORIGURL"
|
||||
fi
|
||||
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
|
||||
elif [ "$ORIGSTAGING" = "true" ]; then
|
||||
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
else
|
||||
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
||||
fi
|
||||
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
|
||||
rm -rf /config/etc/letsencrypt
|
||||
mkdir -p /config/etc/letsencrypt
|
||||
if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
|
||||
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
|
||||
REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
|
||||
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
|
||||
if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
|
||||
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
|
||||
sleep infinity
|
||||
fi
|
||||
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
|
||||
elif [ "$ORIGSTAGING" = "true" ]; then
|
||||
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
else
|
||||
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
||||
fi
|
||||
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
|
||||
rm -rf /config/etc/letsencrypt
|
||||
mkdir -p /config/etc/letsencrypt
|
||||
fi
|
||||
|
||||
# saving new variables
|
||||
@ -298,74 +298,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$
|
||||
|
||||
# alter extension for error message
|
||||
if [ "$DNSPLUGIN" = "google" ]; then
|
||||
FILENAME="$DNSPLUGIN.json"
|
||||
FILENAME="$DNSPLUGIN.json"
|
||||
else
|
||||
FILENAME="$DNSPLUGIN.ini"
|
||||
FILENAME="$DNSPLUGIN.ini"
|
||||
fi
|
||||
|
||||
# generating certs if necessary
|
||||
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
|
||||
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
|
||||
echo "Retrieving EAB from ZeroSSL"
|
||||
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
|
||||
ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
|
||||
ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
|
||||
if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
|
||||
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
|
||||
sleep infinity
|
||||
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
|
||||
echo "Retrieving EAB from ZeroSSL"
|
||||
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
|
||||
ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
|
||||
ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
|
||||
if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
|
||||
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
|
||||
sleep infinity
|
||||
fi
|
||||
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
|
||||
fi
|
||||
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
|
||||
fi
|
||||
echo "Generating new certificate"
|
||||
# shellcheck disable=SC2086
|
||||
certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
|
||||
if [ -d /config/keys/letsencrypt ]; then
|
||||
cd /config/keys/letsencrypt || exit
|
||||
else
|
||||
if [ "$VALIDATION" = "dns" ]; then
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
|
||||
elif [ "$VALIDATION" = "duckdns" ]; then
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
|
||||
echo "Generating new certificate"
|
||||
# shellcheck disable=SC2086
|
||||
certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
|
||||
if [ -d /config/keys/letsencrypt ]; then
|
||||
cd /config/keys/letsencrypt || exit
|
||||
else
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
|
||||
if [ "$VALIDATION" = "dns" ]; then
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
|
||||
elif [ "$VALIDATION" = "duckdns" ]; then
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
|
||||
else
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
|
||||
fi
|
||||
sleep infinity
|
||||
fi
|
||||
sleep infinity
|
||||
fi
|
||||
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
||||
sleep 1
|
||||
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
|
||||
echo "New certificate generated; starting nginx"
|
||||
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
||||
sleep 1
|
||||
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
|
||||
echo "New certificate generated; starting nginx"
|
||||
else
|
||||
echo "Certificate exists; parameters unchanged; starting nginx"
|
||||
echo "Certificate exists; parameters unchanged; starting nginx"
|
||||
fi
|
||||
|
||||
# create GeoIP2 folder symlink
|
||||
[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
|
||||
rm -rf /var/lib/libmaxminddb
|
||||
rm -rf /var/lib/libmaxminddb
|
||||
[[ ! -d /var/lib/libmaxminddb ]] && \
|
||||
ln -s /config/geoip2db /var/lib/libmaxminddb
|
||||
ln -s /config/geoip2db /var/lib/libmaxminddb
|
||||
# check GeoIP2 database
|
||||
if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
|
||||
sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
|
||||
if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
|
||||
echo "Downloading GeoIP2 City database."
|
||||
/etc/periodic/weekly/libmaxminddb
|
||||
fi
|
||||
sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
|
||||
if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
|
||||
echo "Downloading GeoIP2 City database."
|
||||
/etc/periodic/weekly/libmaxminddb
|
||||
fi
|
||||
elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
|
||||
echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
|
||||
echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
|
||||
else
|
||||
echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
|
||||
echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
|
||||
fi
|
||||
|
||||
# logfiles needed by fail2ban
|
||||
[[ ! -f /config/log/nginx/error.log ]] && \
|
||||
touch /config/log/nginx/error.log
|
||||
touch /config/log/nginx/error.log
|
||||
[[ ! -f /config/log/nginx/access.log ]] && \
|
||||
touch /config/log/nginx/access.log
|
||||
touch /config/log/nginx/access.log
|
||||
|
||||
# permissions
|
||||
chown -R abc:abc \
|
||||
/config
|
||||
/config
|
||||
chmod -R 0644 /etc/logrotate.d
|
||||
chmod -R +r /config/log
|
||||
chmod +x /app/le-renew.sh
|
||||
|
@ -1,11 +1,11 @@
|
||||
/config/log/letsencrypt/*.log {
|
||||
weekly
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
nodateext
|
||||
missingok
|
||||
notifempty
|
||||
sharedscripts
|
||||
su abc abc
|
||||
weekly
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
nodateext
|
||||
missingok
|
||||
notifempty
|
||||
sharedscripts
|
||||
su abc abc
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
|
||||
exec \
|
||||
fail2ban-client -x -f start
|
||||
exec \
|
||||
fail2ban-client -x -f start
|
||||
|
Loading…
Reference in New Issue
Block a user