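#!/bin/bash
# Container entrypoint: render one nginx vhost per DOMAIN/UPSTREAM pair,
# obtain a Let's Encrypt certificate with certbot (only when the SAN list
# changed), install a renewal cron job and run nginx in the foreground.
#
# Required env:  DOMAIN   - ';'-separated list of hostnames
#                UPSTREAM - ';'-separated list of backends, same order as DOMAIN
#                EMAIL    - account e-mail passed to certbot
# Optional env:  STAGING  - "1" to use the Let's Encrypt staging server
set -euo pipefail

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Escape a value for the replacement part of a sed 's///' expression
# (backslash, '&' and the '/' delimiter), so that values containing '/'
# (e.g. "http://host:8080") neither break nor inject into the expression.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&]/\\&/g'
}

# Print the non-empty, whitespace-trimmed fields of a ';'-separated list,
# one per line. Intended to be consumed with `mapfile -t`.
split_list() {
  printf '%s' "$1" \
    | awk -F ';' '{ for (i = 1; i <= NF; i++) { gsub(/^[ \t]+|[ \t]+$/, "", $i); if ($i != "") print $i } }'
}

# --- Validate environment variables -------------------------------------
# ${VAR:-} keeps `set -u` from aborting before we can report what is missing.
missing=""
[ -n "${DOMAIN:-}" ]   || missing="${missing} DOMAIN"
[ -n "${UPSTREAM:-}" ] || missing="${missing} UPSTREAM"
[ -n "${EMAIL:-}" ]    || missing="${missing} EMAIL"
if [ -n "${missing}" ]; then
  echo "Missing required environment variables:" >&2
  echo " ${missing}" >&2
  exit 1
fi

# --- Split DOMAIN / UPSTREAM into arrays ---------------------------------
mapfile -t DOMAINSARRAY < <(split_list "${DOMAIN}")
[ "${#DOMAINSARRAY[@]}" -gt 0 ] || die "DOMAIN does not contain any hostname"
echo "Provided domains"
printf '%s\n' "${DOMAINSARRAY[@]}"

mapfile -t UPSTREAMARRAY < <(split_list "${UPSTREAM}")
[ "${#UPSTREAMARRAY[@]}" -gt 0 ] || die "UPSTREAM does not contain any service"
echo "Services to reverse-proxy"
printf '%s\n' "${UPSTREAMARRAY[@]}"

# The arrays are walked in lockstep below, so a length mismatch is fatal
# (it would otherwise surface as an unbound array index mid-rendering).
if [ "${#DOMAINSARRAY[@]}" -ne "${#UPSTREAMARRAY[@]}" ]; then
  die "The number of domains must match the number of upstream services"
fi

# --- Default other parameters -------------------------------------------
STAGING=${STAGING:-0}
SERVER=""
if [ "${STAGING}" = "1" ]; then
  echo "Using STAGING server"
  SERVER="--staging"
fi

# --- Generate strong DH parameters for nginx, if they don't already exist.
if [ ! -f /etc/ssl/dhparams.pem ]; then
  if [ -f /cache/dhparams.pem ]; then
    cp /cache/dhparams.pem /etc/ssl/dhparams.pem
  else
    openssl dhparam -out /etc/ssl/dhparams.pem 2048
    # Cache to a volume for next time, when one is mounted.
    if [ -d /cache ]; then
      cp /etc/ssl/dhparams.pem /cache/dhparams.pem
    fi
  fi
fi

# --- Create temp file storage and the vhost directory --------------------
mkdir -p /var/cache/nginx
chown nginx:nginx /var/cache/nginx
mkdir -p /var/tmp/nginx
chown nginx:nginx /var/tmp/nginx
mkdir -p /etc/nginx/vhosts/

# --- Render nginx.conf with the raw DOMAIN / UPSTREAM values -------------
# Kept for backward compatibility with templates that expect the full lists.
# ${UPSTREAM} is replaced on its first occurrence only, as before.
dest="/etc/nginx/nginx.conf"
echo "Rendering template of nginx.conf"
sed -e "s/\${DOMAIN}/$(sed_escape "${DOMAIN}")/g" \
    -e "s/\${UPSTREAM}/$(sed_escape "${UPSTREAM}")/" \
    /templates/nginx.conf > "${dest}"

# --- Render one vhost per domain ----------------------------------------
upstreamId=0
certbot_domains=()
for t in "${DOMAINSARRAY[@]}"; do
  # basename strips any path component, so a malformed DOMAIN entry cannot
  # point the destination or the manual-config lookup outside their directories.
  name=$(basename "${t}")
  dest="/etc/nginx/vhosts/${name}.conf"
  src="/templates/vhost.sample.conf"
  if [ -r "/configs/${name}.conf" ]; then
    echo "Manual configuration found for ${t}"
    src="/configs/${name}.conf"
  fi
  echo "Rendering template of ${t} in ${dest}"
  sed -e "s/\${DOMAIN}/$(sed_escape "${t}")/g" \
      -e "s/\${UPSTREAM}/$(sed_escape "${UPSTREAMARRAY[upstreamId]}")/" \
      -e "s/\${PATH}/$(sed_escape "${DOMAINSARRAY[0]}")/" \
      "${src}" > "${dest}"
  upstreamId=$((upstreamId + 1))
  # Collect the -d arguments for certbot as separate words, never as a string.
  certbot_domains+=(-d "${t}")
done

# --- Check whether the SAN list has changed since the last run -----------
san_file=/etc/letsencrypt/san_list
mkdir -p /etc/letsencrypt
fresh=true
if [ -f "${san_file}" ] && [ "$(< "${san_file}")" = "${DOMAIN}" ]; then
  fresh=false
fi

# --- Initial certificate request, skipped when the SAN list is unchanged --
if [ "${fresh}" = true ]; then
  echo "The SAN list has changed, removing the old certificate and ask for a new one."
  rm -rf /etc/letsencrypt/{live,archive,keys,renewal}
  certbot_cmd=(certbot certonly "${certbot_domains[@]}"
    --standalone --preferred-challenges http --text)
  if [ -n "${SERVER}" ]; then
    certbot_cmd+=("${SERVER}")
  fi
  certbot_cmd+=(--email "${EMAIL}" --agree-tos --expand)
  # Record the exact command (shell-quoted) in the same place as before for
  # inspection; the request itself runs from the array so that DOMAIN/EMAIL
  # are passed as arguments and never re-parsed by a shell.
  printf '%q ' "${certbot_cmd[@]}" > /etc/nginx/lets
  printf '\n' >> /etc/nginx/lets
  echo "Running initial certificate request... "
  "${certbot_cmd[@]}"
fi

# Update the stored SAN list.
printf '%s\n' "${DOMAIN}" > "${san_file}"

# Create the renewal directory (containing well-known challenges).
mkdir -p /etc/letsencrypt/webrootauth/

# --- Template a cronjob to renew the certificate with the webroot authenticator
RENEW=/renew
cat <<'EOF' >"${RENEW}"
#!/bin/sh
# First renew certificate, then reload nginx config
certbot renew --webroot --webroot-path /etc/letsencrypt/webrootauth/ --post-hook "/usr/sbin/nginx -s reload"
EOF
chmod +x "${RENEW}"

# Install the crontab and show it.
printf '0 0 * * * %s\n' "${RENEW}" | crontab -
echo "Created crontab to renew certificates:"
crontab -l

# Make sure the cron service is running.
/etc/init.d/cron start
echo Ready

# Launch nginx in the foreground; exec makes it the container's main process
# so that it receives signals (e.g. SIGTERM on stop) directly.
exec /usr/sbin/nginx -g "daemon off;"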