From b1ae12189fa02ce5ad4410968b5997abc9c3449c Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 27 Apr 2021 14:32:41 -0500
Subject: [PATCH] Fix indentation

---
 root/defaults/default | 176 ++++++++--------
 root/defaults/geoip2.conf | 32 +-
 root/defaults/nginx.conf | 198 ++++++++---------
 root/etc/cont-init.d/50-config | 352 +++++++++++++++----------------
 root/etc/logrotate.d/lerotate | 18 +-
 root/etc/services.d/fail2ban/run | 4 +-
 6 files changed, 390 insertions(+), 390 deletions(-)

diff --git a/root/defaults/default b/root/defaults/default
index a40ca08..9ffee51 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -4,149 +4,149 @@ error_page 502 /502.html; # redirect all traffic to https server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + return 301 https://$host$request_uri; } # main server block server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; - root /config/www; - index index.html index.htm index.php; + root /config/www; + index index.html index.htm index.php; - server_name _; + server_name _; - # enable subfolder method reverse proxy confs - include /config/nginx/proxy-confs/*.subfolder.conf; + # enable subfolder method reverse proxy confs + include /config/nginx/proxy-confs/*.subfolder.conf; - # all ssl related config moved to ssl.conf - include /config/nginx/ssl.conf; + # all ssl related config moved to ssl.conf + include /config/nginx/ssl.conf; - # enable for ldap auth - #include /config/nginx/ldap.conf; + # enable for ldap auth + #include /config/nginx/ldap.conf; - # enable for Authelia - #include /config/nginx/authelia-server.conf; + # enable for Authelia + #include /config/nginx/authelia-server.conf; - # enable for geo blocking - # See /config/nginx/geoip2.conf for more information. - #if ($allowed_country = no) { - #return 444; - #} + # enable for geo blocking + # See /config/nginx/geoip2.conf for more information. 
+ #if ($allowed_country = no) { + #return 444; + #} - client_max_body_size 0; + client_max_body_size 0; - location / { - try_files $uri $uri/ /index.html /index.php?$args =404; - } + location / { + try_files $uri $uri/ /index.html /index.php?$args =404; + } - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - } + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" # notice this is within the same server block as the base # don't forget to generate the .htpasswd file as described on docker hub -# location ^~ /cp { -# auth_basic "Restricted"; -# auth_basic_user_file /config/nginx/.htpasswd; -# include /config/nginx/proxy.conf; -# proxy_pass http://192.168.1.50:5050/cp; -# } +# location ^~ /cp { +# auth_basic "Restricted"; +# auth_basic_user_file /config/nginx/.htpasswd; +# include /config/nginx/proxy.conf; +# proxy_pass http://192.168.1.50:5050/cp; +# } } # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above # notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name cp.*; +# server_name cp.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# auth_basic "Restricted"; -# auth_basic_user_file /config/nginx/.htpasswd; -# include /config/nginx/proxy.conf; -# proxy_pass http://192.168.1.50:5050; -# } +# location / 
{ +# auth_basic "Restricted"; +# auth_basic_user_file /config/nginx/.htpasswd; +# include /config/nginx/proxy.conf; +# proxy_pass http://192.168.1.50:5050; +# } #} # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info # notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name heimdall.*; +# server_name heimdall.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# include /config/nginx/ldap.conf; +# include /config/nginx/ldap.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# # the next two lines will enable ldap auth along with the included ldap.conf in the server block -# auth_request /auth; -# error_page 401 =200 /ldaplogin; +# location / { +# # the next two lines will enable ldap auth along with the included ldap.conf in the server block +# auth_request /auth; +# error_page 401 =200 /ldaplogin; # -# include /config/nginx/proxy.conf; -# resolver 127.0.0.11 valid=30s; -# set $upstream_app heimdall; -# set $upstream_port 443; -# set $upstream_proto https; -# proxy_pass $upstream_proto://$upstream_app:$upstream_port; -# } +# include /config/nginx/proxy.conf; +# resolver 127.0.0.11 valid=30s; +# set $upstream_app heimdall; +# set $upstream_port 443; +# set $upstream_proto https; +# proxy_pass $upstream_proto://$upstream_app:$upstream_port; +# } #} # sample reverse proxy config for "heimdall" via subdomain, with Authelia # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml # 
notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name heimdall.*; +# server_name heimdall.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# include /config/nginx/authelia-server.conf; +# include /config/nginx/authelia-server.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# # the next line will enable Authelia along with the included authelia-server.conf in the server block -# include /config/nginx/authelia-location.conf; +# location / { +# # the next line will enable Authelia along with the included authelia-server.conf in the server block +# include /config/nginx/authelia-location.conf; # -# include /config/nginx/proxy.conf; -# resolver 127.0.0.11 valid=30s; -# set $upstream_app heimdall; -# set $upstream_port 443; -# set $upstream_proto https; -# proxy_pass $upstream_proto://$upstream_app:$upstream_port; -# } +# include /config/nginx/proxy.conf; +# resolver 127.0.0.11 valid=30s; +# set $upstream_app heimdall; +# set $upstream_port 443; +# set $upstream_proto https; +# proxy_pass $upstream_proto://$upstream_app:$upstream_port; +# } #} # enable subdomain method reverse proxy confs diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf index 702c4dc..846c5b5 100644 --- a/root/defaults/geoip2.conf +++ b/root/defaults/geoip2.conf 
@@ -51,22 +51,22 @@ geo $allow_list { # Add the following if statements inside any server context where you want to geo block countries. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_country = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_country = no) { +# return 444; +# } ######################################### # Add the following if statements inside any server context where you want to geo block cities. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_city = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_city = no) { +# return 444; +# } ######################################### # Example using a config from proxy-confs @@ -90,12 +90,12 @@ geo $allow_list { # # Allow lan access if default is set to no # if ($allow_list = yes) { -# set $allowed_country yes; +# set $allowed_country yes; # } -# # Country geo block -# if ($allowed_country = no) { +# # Country geo block +# if ($allowed_country = no) { # return 444; -# } +# } # diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index b56a5c7..b5f7f8d 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
@@ -15,135 +15,135 @@ error_log /config/log/nginx/error.log; include /etc/nginx/modules/*.conf; events { - # The maximum number of simultaneous connections that can be opened by - # a worker process. - worker_connections 1024; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; + # multi_accept on; } http { - # Includes mapping of file name extensions to MIME types of responses - # and defines the default type. - include /etc/nginx/mime.types; - default_type application/octet-stream; + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Name servers used to resolve names of upstream servers into addresses. - # It's also needed when using tcpsocket and udpsocket in Lua modules. - #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; - include /config/nginx/resolver.conf + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf - # Don't tell nginx version to the clients. Default is 'on'. - server_tokens off; + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; - # Specifies the maximum accepted body size of a client request, as - # indicated by the request header Content-Length. If the stated content - # length is greater than this size, then the client receives the HTTP - # error code 413. Set to 0 to disable. Default is '1m'. - client_max_body_size 0; + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. 
Default is '1m'. + client_max_body_size 0; - # Sendfile copies data between one FD and other from within the kernel, - # which is more efficient than read() + write(). Default is off. - sendfile on; + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. + sendfile on; - # Causes nginx to attempt to send its HTTP response head in one packet, - # instead of using partial frames. Default is 'off'. - tcp_nopush on; + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; - # Helper variable for proxying websockets. - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - # Sets the path, format, and configuration for a buffered log write. - access_log /config/log/nginx/access.log; + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; - # Includes virtual hosts configs. - #include /etc/nginx/http.d/*.conf; + # Includes virtual hosts configs. + #include /etc/nginx/http.d/*.conf; - # WARNING: Don't use this directory for virtual hosts anymore. - # This include will be moved to the root context in Alpine 3.14. - #include /etc/nginx/conf.d/*.conf; + # WARNING: Don't use this directory for virtual hosts anymore. + # This include will be moved to the root context in Alpine 3.14. 
+ #include /etc/nginx/conf.d/*.conf; - ## - # Basic Settings - ## + ## + # Basic Settings + ## - client_body_buffer_size 128k; - keepalive_timeout 65; - large_client_header_buffers 4 16k; - send_timeout 5m; - tcp_nodelay on; - types_hash_max_size 2048; - variables_hash_max_size 2048; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + client_body_buffer_size 128k; + keepalive_timeout 65; + large_client_header_buffers 4 16k; + send_timeout 5m; + tcp_nodelay on; + types_hash_max_size 2048; + variables_hash_max_size 2048; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - ## - # Gzip Settings - ## + ## + # Gzip Settings + ## - gzip on; - gzip_disable "msie6"; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + gzip on; + gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## - #include /etc/nginx/naxsi_core.rules; + #include /etc/nginx/naxsi_core.rules; - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; - ## - # Virtual Host Configs - ## - include /config/nginx/site-confs/*; - #Removed lua. Do not remove this comment + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. 
Do not remove this comment - ## - # Geoip2 config - ## - # Uncomment to add the Geoip2 configs needed to geo block countries/cities. - ## + ## + # Geoip2 config + ## + # Uncomment to add the Geoip2 configs needed to geo block countries/cities. + ## - #include /config/nginx/geoip2.conf; + #include /config/nginx/geoip2.conf; } #mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } # -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } #} daemon off; diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index eb842cb..c75a25a 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
@@ -17,26 +17,26 @@ STAGING=${STAGING}\\n" # Echo init finish for test runs if [ -n "${TEST_RUN}" ]; then - echo '[services.d] done.' + echo '[services.d] done.' fi # Sanitize variables SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER ) for i in "${SANED_VARS[@]}" do - export echo "$i"="${!i//\"/}" - export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" + export echo "$i"="${!i//\"/}" + export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" done # check to make sure that the required variables are set [[ -z "$URL" ]] && \ - echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ - sleep infinity + echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ + sleep infinity # make our folders and links mkdir -p \ - /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ - /var/run/fail2ban + /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ + /var/run/fail2ban rm -rf /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt @@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/ # if jail.local is missing in /config, copy default [[ ! -f /config/fail2ban/jail.local ]] && \ - cp /defaults/jail.local /config/fail2ban/jail.local + cp /defaults/jail.local /config/fail2ban/jail.local # Replace fail2ban config with user config [[ -d /etc/fail2ban/filter.d ]] && \ - rm -rf /etc/fail2ban/filter.d + rm -rf /etc/fail2ban/filter.d [[ -d /etc/fail2ban/action.d ]] && \ - rm -rf /etc/fail2ban/action.d + rm -rf /etc/fail2ban/action.d cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ 
@@ -65,21 +65,21 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local # copy crontab and proxy defaults if needed [[ ! -f /config/crontabs/root ]] && \ - cp /etc/crontabs/root /config/crontabs/ + cp /etc/crontabs/root /config/crontabs/ [[ ! -f /config/nginx/proxy.conf ]] && \ - cp /defaults/proxy.conf /config/nginx/proxy.conf + cp /defaults/proxy.conf /config/nginx/proxy.conf [[ ! -f /config/nginx/ssl.conf ]] && \ - cp /defaults/ssl.conf /config/nginx/ssl.conf + cp /defaults/ssl.conf /config/nginx/ssl.conf [[ ! -f /config/nginx/ldap.conf ]] && \ - cp /defaults/ldap.conf /config/nginx/ldap.conf + cp /defaults/ldap.conf /config/nginx/ldap.conf [[ ! -f /config/nginx/authelia-server.conf ]] && \ - cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf + cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf [[ ! -f /config/nginx/authelia-location.conf ]] && \ - cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf + cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf [[ ! -f /config/nginx/geoip2.conf ]] && \ - cp /defaults/geoip2.conf /config/nginx/geoip2.conf + cp /defaults/geoip2.conf /config/nginx/geoip2.conf [[ ! -f /config/www/502.html ]] && - cp /defaults/502.html /config/www/502.html + cp /defaults/502.html /config/www/502.html # Set resolver if ! grep -q 'resolver' /config/nginx/resolver.conf; then 
@@ -97,25 +97,25 @@ fi # remove lua bits from nginx.conf if not done before if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then - echo "Removing lua specific info from nginx.conf" - sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf + echo "Removing lua specific info from nginx.conf" + sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf fi # copy pre-generated dhparams or generate if needed [[ ! -f /config/nginx/dhparams.pem ]] && \ - cp /defaults/dhparams.pem /config/nginx/dhparams.pem + cp /defaults/dhparams.pem /config/nginx/dhparams.pem if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" + curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" fi if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." - openssl dhparam -out /config/nginx/dhparams.pem 4096 + echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." + openssl dhparam -out /config/nginx/dhparams.pem 4096 fi # check to make sure DNSPLUGIN is selected if dns validation is used [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \ - echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ - sleep infinity + echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ + sleep infinity # import user crontabs rm /etc/crontabs/* 
@@ -123,11 +123,11 @@ cp /config/crontabs/* /etc/crontabs/ # create original config file if it doesn't exist, move non-hidden legacy file to hidden if [ -f "/config/donoteditthisfile.conf" ]; then - mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf + mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf fi if [ ! -f "/config/.donoteditthisfile.conf" ]; then - echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf - echo "Created .donoteditthisfile.conf" + echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf + echo "Created .donoteditthisfile.conf" fi # load original config settings 
@@ -136,75 +136,75 @@ fi # set default validation to http if [ -z "$VALIDATION" ]; then - VALIDATION="http" - echo "VALIDATION parameter not set; setting it to http" + VALIDATION="http" + echo "VALIDATION parameter not set; setting it to http" fi # if zerossl is selected or staging is set to true, use the relevant server if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then - echo "ZeroSSL does not support staging mode, ignoring STAGING variable" + echo "ZeroSSL does not support staging mode, ignoring STAGING variable" fi if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" - ACMESERVER="https://acme.zerossl.com/v2/DV90" + echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" + ACMESERVER="https://acme.zerossl.com/v2/DV90" elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" - sleep infinity + echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. 
Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" + sleep infinity elif [ "$STAGING" = "true" ]; then - echo "NOTICE: Staging is active" - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + echo "NOTICE: Staging is active" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" else - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi # figuring out url only vs url & subdomains vs subdomains only if [ -n "$SUBDOMAINS" ]; then - echo "SUBDOMAINS entered, processing" - if [ "$SUBDOMAINS" = "wildcard" ]; then - if [ "$ONLY_SUBDOMAINS" = true ]; then - export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of $URL will be requested" - else - export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for $URL will be requested" - fi - else echo "SUBDOMAINS entered, processing" - for job in $(echo "$SUBDOMAINS" | tr "," " "); do - export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" - done - if [ "$ONLY_SUBDOMAINS" = true ]; then - URL_REAL="$SUBDOMAINS_REAL" - echo "Only subdomains, no URL in cert" + if [ "$SUBDOMAINS" = "wildcard" ]; then + if [ "$ONLY_SUBDOMAINS" = true ]; then + export URL_REAL="-d *.${URL}" + echo "Wildcard cert for only the subdomains of $URL will be requested" + else + export URL_REAL="-d *.${URL} -d ${URL}" + echo "Wildcard cert for $URL will be requested" + fi else - URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + echo "SUBDOMAINS entered, processing" + for job in $(echo "$SUBDOMAINS" | tr "," " "); do + export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" + done + if [ "$ONLY_SUBDOMAINS" = true ]; then + URL_REAL="$SUBDOMAINS_REAL" + echo 
"Only subdomains, no URL in cert" + else + URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + fi + echo "Sub-domains processed are: $SUBDOMAINS_REAL" fi - echo "Sub-domains processed are: $SUBDOMAINS_REAL" - fi else - echo "No subdomains defined" - URL_REAL="-d $URL" + echo "No subdomains defined" + URL_REAL="-d $URL" fi # add extra domains if [ -n "$EXTRA_DOMAINS" ]; then - echo "EXTRA_DOMAINS entered, processing" - for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do - export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" - done - echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" - URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" + echo "EXTRA_DOMAINS entered, processing" + for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do + export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" + done + echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" + URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" fi # figuring out whether to use e-mail and which if [[ $EMAIL == *@* ]]; then - echo "E-mail address entered: ${EMAIL}" - EMAILPARAM="-m ${EMAIL} --no-eff-email" + echo "E-mail address entered: ${EMAIL}" + EMAILPARAM="-m ${EMAIL} --no-eff-email" else - echo "No e-mail address entered or address invalid" - EMAILPARAM="--register-unsafely-without-email" + echo "No e-mail address entered or address invalid" + EMAILPARAM="--register-unsafely-without-email" fi # update plugin names in dns conf inis 
@@ -215,82 +215,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini # setting the validation method to use if [ "$VALIDATION" = "dns" ]; then - if [ "$DNSPLUGIN" = "route53" ]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then - if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi - PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" - elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - else - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - fi - echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" + if [ "$DNSPLUGIN" = "route53" ]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then + if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi + PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" + elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + else + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + fi + echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" elif [ "$VALIDATION" = "tls-sni" ]; then - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "*****tls-sni validation has been deprecated, attempting http validation instead" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "*****tls-sni validation has been deprecated, attempting http validation instead" elif [ "$VALIDATION" = "duckdns" ]; then - PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" - chmod +x /app/duckdns-txt - echo "duckdns validation is selected" - if [ "$SUBDOMAINS" = "wildcard" ]; then - echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" - export URL_REAL="-d *.${URL}" - else - echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org" - export URL_REAL="-d ${URL}" - fi + PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" + chmod +x /app/duckdns-txt + echo "duckdns validation is selected" + if [ "$SUBDOMAINS" = "wildcard" ]; then + echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" + export URL_REAL="-d *.${URL}" + else + echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. 
subdomain.duckdns.org" + export URL_REAL="-d ${URL}" + fi else - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "http validation is selected" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "http validation is selected" fi # setting the symlink for key location rm -rf /config/keys/letsencrypt if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then - DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" - ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt + DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" + ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt else - ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt + ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt fi # checking for changes in cert variables, revoking certs if necessary if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then - echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" - if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then - ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" - else - ORIGDOMAIN="$ORIGURL" - fi - if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") - REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" + if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then + ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" + else + ORIGDOMAIN="$ORIGURL" fi - REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" - elif [ "$ORIGSTAGING" = "true" ]; then - REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" - else - REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" - fi - [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER - rm -rf /config/etc/letsencrypt - mkdir -p /config/etc/letsencrypt + if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then + REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") + REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then + echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
+ sleep infinity + fi + REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" + elif [ "$ORIGSTAGING" = "true" ]; then + REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + else + REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + fi + [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + rm -rf /config/etc/letsencrypt + mkdir -p /config/etc/letsencrypt fi # saving new variables 
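Review bot: The new side of the key-location symlink fallback loses its command: the removed line is `ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt`, but the added replacement is only `../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt`, so in the else branch (ONLY_SUBDOMAINS unset, or SUBDOMAINS set to wildcard) bash tries to execute that path instead of linking it. Because the branch runs right after `rm -rf /config/keys/letsencrypt`, no symlink is left behind and the later `-f /config/keys/letsencrypt/fullchain.pem` check would treat every start as "cert missing". Unless the missing token is an artifact of how this page was rendered, the line should read `ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt`. Since the commit is described as indentation-only, a whitespace-ignoring diff (`git diff -w`) of this file would confirm that no other tokens changed.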
@@ -298,74 +298,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ # alter extension for error message if [ "$DNSPLUGIN" = "google" ]; then - FILENAME="$DNSPLUGIN.json" + FILENAME="$DNSPLUGIN.json" else - FILENAME="$DNSPLUGIN.ini" + FILENAME="$DNSPLUGIN.ini" fi # generating certs if necessary if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then - if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "Retrieving EAB from ZeroSSL" - EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") - ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then + echo "Retrieving EAB from ZeroSSL" + EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") + ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then + echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
+ sleep infinity + fi + ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" fi - ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" - fi - echo "Generating new certificate" - # shellcheck disable=SC2086 - certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL - if [ -d /config/keys/letsencrypt ]; then - cd /config/keys/letsencrypt || exit - else - if [ "$VALIDATION" = "dns" ]; then - echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." - elif [ "$VALIDATION" = "duckdns" ]; then - echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct." + echo "Generating new certificate" + # shellcheck disable=SC2086 + certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL + if [ -d /config/keys/letsencrypt ]; then + cd /config/keys/letsencrypt || exit else - echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" + if [ "$VALIDATION" = "dns" ]; then + echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." + elif [ "$VALIDATION" = "duckdns" ]; then + echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct." + else + echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. 
Please fix your settings and recreate the container" + fi + sleep infinity fi - sleep infinity - fi - openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: - sleep 1 - cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem - echo "New certificate generated; starting nginx" + openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: + sleep 1 + cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem + echo "New certificate generated; starting nginx" else - echo "Certificate exists; parameters unchanged; starting nginx" + echo "Certificate exists; parameters unchanged; starting nginx" fi # create GeoIP2 folder symlink [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \ - rm -rf /var/lib/libmaxminddb + rm -rf /var/lib/libmaxminddb [[ ! -d /var/lib/libmaxminddb ]] && \ - ln -s /config/geoip2db /var/lib/libmaxminddb + ln -s /config/geoip2db /var/lib/libmaxminddb # check GeoIP2 database if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then - sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb - if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then - echo "Downloading GeoIP2 City database." - /etc/periodic/weekly/libmaxminddb - fi + sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb + if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then + echo "Downloading GeoIP2 City database." + /etc/periodic/weekly/libmaxminddb + fi elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then - echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." 
+ echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." else - echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." + echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." fi # logfiles needed by fail2ban [[ ! -f /config/log/nginx/error.log ]] && \ - touch /config/log/nginx/error.log + touch /config/log/nginx/error.log [[ ! -f /config/log/nginx/access.log ]] && \ - touch /config/log/nginx/access.log + touch /config/log/nginx/access.log # permissions chown -R abc:abc \ - /config + /config chmod -R 0644 /etc/logrotate.d chmod -R +r /config/log chmod +x /app/le-renew.sh diff --git a/root/etc/logrotate.d/lerotate b/root/etc/logrotate.d/lerotate index 28a38a7..ab87d1e 100644 --- a/root/etc/logrotate.d/lerotate +++ b/root/etc/logrotate.d/lerotate @@ -1,11 +1,11 @@ /config/log/letsencrypt/*.log { - weekly - rotate 52 - compress - delaycompress - nodateext - missingok - notifempty - sharedscripts - su abc abc + weekly + rotate 52 + compress + delaycompress + nodateext + missingok + notifempty + sharedscripts + su abc abc } diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run index c023109..6f7f3af 100644 --- a/root/etc/services.d/fail2ban/run +++ b/root/etc/services.d/fail2ban/run @@ -1,4 +1,4 @@ #!/usr/bin/with-contenv bash - exec \ - fail2ban-client -x -f start +exec \ + fail2ban-client -x -f start