Fix indentation

Eric Nemchik 2021-04-27 14:32:41 -05:00
parent d77a64aab8
commit b1ae12189f
6 changed files with 390 additions and 390 deletions


@ -4,149 +4,149 @@ error_page 502 /502.html;
# redirect all traffic to https # redirect all traffic to https
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
# main server block # main server block
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
root /config/www; root /config/www;
index index.html index.htm index.php; index index.html index.htm index.php;
server_name _; server_name _;
# enable subfolder method reverse proxy confs # enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf; include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf # all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf; include /config/nginx/ssl.conf;
# enable for ldap auth # enable for ldap auth
#include /config/nginx/ldap.conf; #include /config/nginx/ldap.conf;
# enable for Authelia # enable for Authelia
#include /config/nginx/authelia-server.conf; #include /config/nginx/authelia-server.conf;
# enable for geo blocking # enable for geo blocking
# See /config/nginx/geoip2.conf for more information. # See /config/nginx/geoip2.conf for more information.
#if ($allowed_country = no) { #if ($allowed_country = no) {
#return 444; #return 444;
#} #}
client_max_body_size 0; client_max_body_size 0;
location / { location / {
try_files $uri $uri/ /index.html /index.php?$args =404; try_files $uri $uri/ /index.html /index.php?$args =404;
} }
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000; fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php; fastcgi_index index.php;
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
} }
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base # notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub # don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp { # location ^~ /cp {
# auth_basic "Restricted"; # auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd; # auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp; # proxy_pass http://192.168.1.50:5050/cp;
# } # }
} }
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name cp.*; # server_name cp.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# auth_basic "Restricted"; # auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd; # auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050; # proxy_pass http://192.168.1.50:5050;
# } # }
#} #}
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name heimdall.*; # server_name heimdall.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# include /config/nginx/ldap.conf; # include /config/nginx/ldap.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block # # the next two lines will enable ldap auth along with the included ldap.conf in the server block
# auth_request /auth; # auth_request /auth;
# error_page 401 =200 /ldaplogin; # error_page 401 =200 /ldaplogin;
# #
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall; # set $upstream_app heimdall;
# set $upstream_port 443; # set $upstream_port 443;
# set $upstream_proto https; # set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# } # }
#} #}
# sample reverse proxy config for "heimdall" via subdomain, with Authelia # sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name heimdall.*; # server_name heimdall.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# include /config/nginx/authelia-server.conf; # include /config/nginx/authelia-server.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# # the next line will enable Authelia along with the included authelia-server.conf in the server block # # the next line will enable Authelia along with the included authelia-server.conf in the server block
# include /config/nginx/authelia-location.conf; # include /config/nginx/authelia-location.conf;
# #
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall; # set $upstream_app heimdall;
# set $upstream_port 443; # set $upstream_port 443;
# set $upstream_proto https; # set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# } # }
#} #}
# enable subdomain method reverse proxy confs # enable subdomain method reverse proxy confs


@ -51,22 +51,22 @@ geo $allow_list {
# Add the following if statements inside any server context where you want to geo block countries. # Add the following if statements inside any server context where you want to geo block countries.
######################################## ########################################
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# if ($allowed_country = no) { # if ($allowed_country = no) {
# return 444; # return 444;
# } # }
######################################### #########################################
# Add the following if statements inside any server context where you want to geo block cities. # Add the following if statements inside any server context where you want to geo block cities.
######################################## ########################################
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# if ($allowed_city = no) { # if ($allowed_city = no) {
# return 444; # return 444;
# } # }
######################################### #########################################
# Example using a config from proxy-confs # Example using a config from proxy-confs
@ -90,12 +90,12 @@ geo $allow_list {
# # Allow lan access if default is set to no # # Allow lan access if default is set to no
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# # Country geo block # # Country geo block
# if ($allowed_country = no) { # if ($allowed_country = no) {
# return 444; # return 444;
# } # }
# #


@ -15,135 +15,135 @@ error_log /config/log/nginx/error.log;
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
events { events {
# The maximum number of simultaneous connections that can be opened by # The maximum number of simultaneous connections that can be opened by
# a worker process. # a worker process.
worker_connections 1024; worker_connections 1024;
# multi_accept on; # multi_accept on;
} }
http { http {
# Includes mapping of file name extensions to MIME types of responses # Includes mapping of file name extensions to MIME types of responses
# and defines the default type. # and defines the default type.
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses. # Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules. # It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
include /config/nginx/resolver.conf include /config/nginx/resolver.conf
# Don't tell nginx version to the clients. Default is 'on'. # Don't tell nginx version to the clients. Default is 'on'.
server_tokens off; server_tokens off;
# Specifies the maximum accepted body size of a client request, as # Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content # indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP # length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'. # error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 0; client_max_body_size 0;
# Sendfile copies data between one FD and other from within the kernel, # Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off. # which is more efficient than read() + write(). Default is off.
sendfile on; sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet, # Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'. # instead of using partial frames. Default is 'off'.
tcp_nopush on; tcp_nopush on;
# Helper variable for proxying websockets. # Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }
# Sets the path, format, and configuration for a buffered log write. # Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log; access_log /config/log/nginx/access.log;
# Includes virtual hosts configs. # Includes virtual hosts configs.
#include /etc/nginx/http.d/*.conf; #include /etc/nginx/http.d/*.conf;
# WARNING: Don't use this directory for virtual hosts anymore. # WARNING: Don't use this directory for virtual hosts anymore.
# This include will be moved to the root context in Alpine 3.14. # This include will be moved to the root context in Alpine 3.14.
#include /etc/nginx/conf.d/*.conf; #include /etc/nginx/conf.d/*.conf;
## ##
# Basic Settings # Basic Settings
## ##
client_body_buffer_size 128k; client_body_buffer_size 128k;
keepalive_timeout 65; keepalive_timeout 65;
large_client_header_buffers 4 16k; large_client_header_buffers 4 16k;
send_timeout 5m; send_timeout 5m;
tcp_nodelay on; tcp_nodelay on;
types_hash_max_size 2048; types_hash_max_size 2048;
variables_hash_max_size 2048; variables_hash_max_size 2048;
# server_names_hash_bucket_size 64; # server_names_hash_bucket_size 64;
# server_name_in_redirect off; # server_name_in_redirect off;
## ##
# Gzip Settings # Gzip Settings
## ##
gzip on; gzip on;
gzip_disable "msie6"; gzip_disable "msie6";
# gzip_vary on; # gzip_vary on;
# gzip_proxied any; # gzip_proxied any;
# gzip_comp_level 6; # gzip_comp_level 6;
# gzip_buffers 16 8k; # gzip_buffers 16 8k;
# gzip_http_version 1.1; # gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
## ##
# nginx-naxsi config # nginx-naxsi config
## ##
# Uncomment it if you installed nginx-naxsi # Uncomment it if you installed nginx-naxsi
## ##
#include /etc/nginx/naxsi_core.rules; #include /etc/nginx/naxsi_core.rules;
## ##
# nginx-passenger config # nginx-passenger config
## ##
# Uncomment it if you installed nginx-passenger # Uncomment it if you installed nginx-passenger
## ##
#passenger_root /usr; #passenger_root /usr;
#passenger_ruby /usr/bin/ruby; #passenger_ruby /usr/bin/ruby;
## ##
# Virtual Host Configs # Virtual Host Configs
## ##
include /config/nginx/site-confs/*; include /config/nginx/site-confs/*;
#Removed lua. Do not remove this comment #Removed lua. Do not remove this comment
## ##
# Geoip2 config # Geoip2 config
## ##
# Uncomment to add the Geoip2 configs needed to geo block countries/cities. # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
## ##
#include /config/nginx/geoip2.conf; #include /config/nginx/geoip2.conf;
} }
#mail { #mail {
# # See sample authentication script at: # # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# #
# # auth_http localhost/auth.php; # # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER"; # # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # imap_capabilities "IMAP4rev1" "UIDPLUS";
# #
# server { # server {
# listen localhost:110; # listen localhost:110;
# protocol pop3; # protocol pop3;
# proxy on; # proxy on;
# } # }
# #
# server { # server {
# listen localhost:143; # listen localhost:143;
# protocol imap; # protocol imap;
# proxy on; # proxy on;
# } # }
#} #}
daemon off; daemon off;
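Review bot: The `include /config/nginx/resolver.conf` directive in the http block is the only directive in this hunk without a terminating semicolon, on both the old and new side; unless the rendering dropped it, nginx will read the next tokens (`server_tokens off`) as further arguments of `include` and refuse to start with an "invalid number of arguments" error, so the re-indented line should read `include /config/nginx/resolver.conf;`. Since this commit already touches that line, it is the natural place to fix it rather than leaving the config unable to load after the indentation pass. The enclosing http block ends inside the hunk, so nothing else in the file depends on this line beyond the parse.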


@ -17,26 +17,26 @@ STAGING=${STAGING}\\n"
# Echo init finish for test runs # Echo init finish for test runs
if [ -n "${TEST_RUN}" ]; then if [ -n "${TEST_RUN}" ]; then
echo '[services.d] done.' echo '[services.d] done.'
fi fi
# Sanitize variables # Sanitize variables
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER ) SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
for i in "${SANED_VARS[@]}" for i in "${SANED_VARS[@]}"
do do
export echo "$i"="${!i//\"/}" export echo "$i"="${!i//\"/}"
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
done done
# check to make sure that the required variables are set # check to make sure that the required variables are set
[[ -z "$URL" ]] && \ [[ -z "$URL" ]] && \
echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
sleep infinity sleep infinity
# make our folders and links # make our folders and links
mkdir -p \ mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
/var/run/fail2ban /var/run/fail2ban
rm -rf /etc/letsencrypt rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt
@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/
cp -R /defaults/fail2ban/action.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/
# if jail.local is missing in /config, copy default # if jail.local is missing in /config, copy default
[[ ! -f /config/fail2ban/jail.local ]] && \ [[ ! -f /config/fail2ban/jail.local ]] && \
cp /defaults/jail.local /config/fail2ban/jail.local cp /defaults/jail.local /config/fail2ban/jail.local
# Replace fail2ban config with user config # Replace fail2ban config with user config
[[ -d /etc/fail2ban/filter.d ]] && \ [[ -d /etc/fail2ban/filter.d ]] && \
rm -rf /etc/fail2ban/filter.d rm -rf /etc/fail2ban/filter.d
[[ -d /etc/fail2ban/action.d ]] && \ [[ -d /etc/fail2ban/action.d ]] && \
rm -rf /etc/fail2ban/action.d rm -rf /etc/fail2ban/action.d
cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/filter.d /etc/fail2ban/
cp -R /config/fail2ban/action.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
@ -65,21 +65,21 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
# copy crontab and proxy defaults if needed # copy crontab and proxy defaults if needed
[[ ! -f /config/crontabs/root ]] && \ [[ ! -f /config/crontabs/root ]] && \
cp /etc/crontabs/root /config/crontabs/ cp /etc/crontabs/root /config/crontabs/
[[ ! -f /config/nginx/proxy.conf ]] && \ [[ ! -f /config/nginx/proxy.conf ]] && \
cp /defaults/proxy.conf /config/nginx/proxy.conf cp /defaults/proxy.conf /config/nginx/proxy.conf
[[ ! -f /config/nginx/ssl.conf ]] && \ [[ ! -f /config/nginx/ssl.conf ]] && \
cp /defaults/ssl.conf /config/nginx/ssl.conf cp /defaults/ssl.conf /config/nginx/ssl.conf
[[ ! -f /config/nginx/ldap.conf ]] && \ [[ ! -f /config/nginx/ldap.conf ]] && \
cp /defaults/ldap.conf /config/nginx/ldap.conf cp /defaults/ldap.conf /config/nginx/ldap.conf
[[ ! -f /config/nginx/authelia-server.conf ]] && \ [[ ! -f /config/nginx/authelia-server.conf ]] && \
cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
[[ ! -f /config/nginx/authelia-location.conf ]] && \ [[ ! -f /config/nginx/authelia-location.conf ]] && \
cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
[[ ! -f /config/nginx/geoip2.conf ]] && \ [[ ! -f /config/nginx/geoip2.conf ]] && \
cp /defaults/geoip2.conf /config/nginx/geoip2.conf cp /defaults/geoip2.conf /config/nginx/geoip2.conf
[[ ! -f /config/www/502.html ]] && [[ ! -f /config/www/502.html ]] &&
cp /defaults/502.html /config/www/502.html cp /defaults/502.html /config/www/502.html
# Set resolver # Set resolver
if ! grep -q 'resolver' /config/nginx/resolver.conf; then if ! grep -q 'resolver' /config/nginx/resolver.conf; then
@ -97,25 +97,25 @@ fi
# remove lua bits from nginx.conf if not done before # remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
echo "Removing lua specific info from nginx.conf" echo "Removing lua specific info from nginx.conf"
sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
fi fi
# copy pre-generated dhparams or generate if needed # copy pre-generated dhparams or generate if needed
[[ ! -f /config/nginx/dhparams.pem ]] && \ [[ ! -f /config/nginx/dhparams.pem ]] && \
cp /defaults/dhparams.pem /config/nginx/dhparams.pem cp /defaults/dhparams.pem /config/nginx/dhparams.pem
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
fi fi
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
openssl dhparam -out /config/nginx/dhparams.pem 4096 openssl dhparam -out /config/nginx/dhparams.pem 4096
fi fi
# check to make sure DNSPLUGIN is selected if dns validation is used # check to make sure DNSPLUGIN is selected if dns validation is used
[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \ [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
sleep infinity sleep infinity
# import user crontabs # import user crontabs
rm /etc/crontabs/* rm /etc/crontabs/*
@ -123,11 +123,11 @@ cp /config/crontabs/* /etc/crontabs/
# create original config file if it doesn't exist, move non-hidden legacy file to hidden # create original config file if it doesn't exist, move non-hidden legacy file to hidden
if [ -f "/config/donoteditthisfile.conf" ]; then if [ -f "/config/donoteditthisfile.conf" ]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi fi
if [ ! -f "/config/.donoteditthisfile.conf" ]; then if [ ! -f "/config/.donoteditthisfile.conf" ]; then
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf" echo "Created .donoteditthisfile.conf"
fi fi
# load original config settings # load original config settings
@ -136,75 +136,75 @@ fi
# set default validation to http # set default validation to http
if [ -z "$VALIDATION" ]; then if [ -z "$VALIDATION" ]; then
VALIDATION="http" VALIDATION="http"
echo "VALIDATION parameter not set; setting it to http" echo "VALIDATION parameter not set; setting it to http"
fi fi
# if zerossl is selected or staging is set to true, use the relevant server # if zerossl is selected or staging is set to true, use the relevant server
if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
echo "ZeroSSL does not support staging mode, ignoring STAGING variable" echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi fi
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
ACMESERVER="https://acme.zerossl.com/v2/DV90" ACMESERVER="https://acme.zerossl.com/v2/DV90"
elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
sleep infinity sleep infinity
elif [ "$STAGING" = "true" ]; then elif [ "$STAGING" = "true" ]; then
echo "NOTICE: Staging is active" echo "NOTICE: Staging is active"
echo "Using Let's Encrypt as the cert provider" echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else else
echo "Using Let's Encrypt as the cert provider" echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi fi
# figuring out url only vs url & subdomains vs subdomains only # figuring out url only vs url & subdomains vs subdomains only
if [ -n "$SUBDOMAINS" ]; then if [ -n "$SUBDOMAINS" ]; then
echo "SUBDOMAINS entered, processing"
if [ "$SUBDOMAINS" = "wildcard" ]; then
if [ "$ONLY_SUBDOMAINS" = true ]; then
export URL_REAL="-d *.${URL}"
echo "Wildcard cert for only the subdomains of $URL will be requested"
else
export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested"
fi
else
echo "SUBDOMAINS entered, processing" echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do if [ "$SUBDOMAINS" = "wildcard" ]; then
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" if [ "$ONLY_SUBDOMAINS" = true ]; then
done export URL_REAL="-d *.${URL}"
if [ "$ONLY_SUBDOMAINS" = true ]; then echo "Wildcard cert for only the subdomains of $URL will be requested"
URL_REAL="$SUBDOMAINS_REAL" else
echo "Only subdomains, no URL in cert" export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested"
fi
else else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
done
if [ "$ONLY_SUBDOMAINS" = true ]; then
URL_REAL="$SUBDOMAINS_REAL"
echo "Only subdomains, no URL in cert"
else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
fi fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
fi
else else
echo "No subdomains defined" echo "No subdomains defined"
URL_REAL="-d $URL" URL_REAL="-d $URL"
fi fi
# add extra domains # add extra domains
if [ -n "$EXTRA_DOMAINS" ]; then if [ -n "$EXTRA_DOMAINS" ]; then
echo "EXTRA_DOMAINS entered, processing" echo "EXTRA_DOMAINS entered, processing"
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
done done
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
fi fi
# figuring out whether to use e-mail and which # figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then if [[ $EMAIL == *@* ]]; then
echo "E-mail address entered: ${EMAIL}" echo "E-mail address entered: ${EMAIL}"
EMAILPARAM="-m ${EMAIL} --no-eff-email" EMAILPARAM="-m ${EMAIL} --no-eff-email"
else else
echo "No e-mail address entered or address invalid" echo "No e-mail address entered or address invalid"
EMAILPARAM="--register-unsafely-without-email" EMAILPARAM="--register-unsafely-without-email"
fi fi
# update plugin names in dns conf inis # update plugin names in dns conf inis
@ -215,82 +215,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
# setting the validation method to use # setting the validation method to use
if [ "$VALIDATION" = "dns" ]; then if [ "$VALIDATION" = "dns" ]; then
if [ "$DNSPLUGIN" = "route53" ]; then if [ "$DNSPLUGIN" = "route53" ]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
else else
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
fi fi
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [ "$VALIDATION" = "tls-sni" ]; then elif [ "$VALIDATION" = "tls-sni" ]; then
PREFCHAL="--non-interactive --standalone --preferred-challenges http" PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "*****tls-sni validation has been deprecated, attempting http validation instead" echo "*****tls-sni validation has been deprecated, attempting http validation instead"
elif [ "$VALIDATION" = "duckdns" ]; then elif [ "$VALIDATION" = "duckdns" ]; then
PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
chmod +x /app/duckdns-txt chmod +x /app/duckdns-txt
echo "duckdns validation is selected" echo "duckdns validation is selected"
if [ "$SUBDOMAINS" = "wildcard" ]; then if [ "$SUBDOMAINS" = "wildcard" ]; then
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
export URL_REAL="-d *.${URL}" export URL_REAL="-d *.${URL}"
else else
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org" echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
export URL_REAL="-d ${URL}" export URL_REAL="-d ${URL}"
fi fi
else else
PREFCHAL="--non-interactive --standalone --preferred-challenges http" PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "http validation is selected" echo "http validation is selected"
fi fi
# setting the symlink for key location # setting the symlink for key location
rm -rf /config/keys/letsencrypt rm -rf /config/keys/letsencrypt
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
else else
ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
fi fi
# checking for changes in cert variables, revoking certs if necessary # checking for changes in cert variables, revoking certs if necessary
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
else else
ORIGDOMAIN="$ORIGURL" ORIGDOMAIN="$ORIGURL"
fi
if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity
fi fi
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
elif [ "$ORIGSTAGING" = "true" ]; then REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
else REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
fi echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER sleep infinity
rm -rf /config/etc/letsencrypt fi
mkdir -p /config/etc/letsencrypt REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
elif [ "$ORIGSTAGING" = "true" ]; then
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
rm -rf /config/etc/letsencrypt
mkdir -p /config/etc/letsencrypt
fi fi
# saving new variables # saving new variables
@ -298,74 +298,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$
# alter extension for error message # alter extension for error message
if [ "$DNSPLUGIN" = "google" ]; then if [ "$DNSPLUGIN" = "google" ]; then
FILENAME="$DNSPLUGIN.json" FILENAME="$DNSPLUGIN.json"
else else
FILENAME="$DNSPLUGIN.ini" FILENAME="$DNSPLUGIN.ini"
fi fi
# generating certs if necessary # generating certs if necessary
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
echo "Retrieving EAB from ZeroSSL" echo "Retrieving EAB from ZeroSSL"
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity sleep infinity
fi
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
fi fi
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" echo "Generating new certificate"
fi # shellcheck disable=SC2086
echo "Generating new certificate" certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
# shellcheck disable=SC2086 if [ -d /config/keys/letsencrypt ]; then
certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL cd /config/keys/letsencrypt || exit
if [ -d /config/keys/letsencrypt ]; then
cd /config/keys/letsencrypt || exit
else
if [ "$VALIDATION" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
elif [ "$VALIDATION" = "duckdns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
else else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" if [ "$VALIDATION" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
elif [ "$VALIDATION" = "duckdns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
fi
sleep infinity
fi fi
sleep infinity openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
fi sleep 1
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
sleep 1 echo "New certificate generated; starting nginx"
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
echo "New certificate generated; starting nginx"
else else
echo "Certificate exists; parameters unchanged; starting nginx" echo "Certificate exists; parameters unchanged; starting nginx"
fi fi
# create GeoIP2 folder symlink # create GeoIP2 folder symlink
[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \ [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
rm -rf /var/lib/libmaxminddb rm -rf /var/lib/libmaxminddb
[[ ! -d /var/lib/libmaxminddb ]] && \ [[ ! -d /var/lib/libmaxminddb ]] && \
ln -s /config/geoip2db /var/lib/libmaxminddb ln -s /config/geoip2db /var/lib/libmaxminddb
# check GeoIP2 database # check GeoIP2 database
if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo "Downloading GeoIP2 City database." echo "Downloading GeoIP2 City database."
/etc/periodic/weekly/libmaxminddb /etc/periodic/weekly/libmaxminddb
fi fi
elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
else else
echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
fi fi
# logfiles needed by fail2ban # logfiles needed by fail2ban
[[ ! -f /config/log/nginx/error.log ]] && \ [[ ! -f /config/log/nginx/error.log ]] && \
touch /config/log/nginx/error.log touch /config/log/nginx/error.log
[[ ! -f /config/log/nginx/access.log ]] && \ [[ ! -f /config/log/nginx/access.log ]] && \
touch /config/log/nginx/access.log touch /config/log/nginx/access.log
# permissions # permissions
chown -R abc:abc \ chown -R abc:abc \
/config /config
chmod -R 0644 /etc/logrotate.d chmod -R 0644 /etc/logrotate.d
chmod -R +r /config/log chmod -R +r /config/log
chmod +x /app/le-renew.sh chmod +x /app/le-renew.sh


@ -1,11 +1,11 @@
/config/log/letsencrypt/*.log { /config/log/letsencrypt/*.log {
weekly weekly
rotate 52 rotate 52
compress compress
delaycompress delaycompress
nodateext nodateext
missingok missingok
notifempty notifempty
sharedscripts sharedscripts
su abc abc su abc abc
} }


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
exec \ exec \
fail2ban-client -x -f start fail2ban-client -x -f start