From 41a85f92039305c20c1d54c356ec663e8d300915 Mon Sep 17 00:00:00 2001
From: Feilner
Date: Tue, 16 Feb 2021 07:33:17 +0100
Subject: [PATCH] seperate config directory for renewal hooks /config/renewal-hooks/

---
 readme-vars.yml | 6 +++---
 root/etc/cont-init.d/50-config | 16 ++++++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/readme-vars.yml b/readme-vars.yml
index 5f4733b..6451ca6 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -99,7 +99,7 @@ app_setup_block: |
   * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
   * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
   * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
-  * It's possible to extend default the renewal-hooks `/etc/letsencrypt/renewal-hooks/*` they are executed in sorted order.
+  * It's possible to extend default the renewal-hooks `/config/renewal-hooks/*` they are executed in sorted order.
   ### Security and password protection
   * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
   * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
@@ -118,7 +118,7 @@ app_setup_block: |
   * To use these certs in other containers, do either of the following:
     1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
     2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-le-config/etc:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live//` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
-    3. *(Alternative)* Use custom custom deploy hook e.g. `/etc/letsencrypt/renewal-hooks/deploy/20-my` to deploy the certificates.
+    3. *(Alternative)* Use custom custom deploy hook e.g. `/config/renewal-hooks/deploy/20-my` to deploy the certificates.
   * These certs include:
     1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
     2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
@@ -153,7 +153,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
-  - { date: "15.02.21:", desc: "Use certbot file hooks instead of command line hooks" }
+  - { date: "16.02.21:", desc: "Use certbot file hooks instead of command line hooks" }
   - { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." }
   - { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." }
   - { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." }
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index e76f0ac..f2f0373 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -35,11 +35,19 @@ done
 
 # make our folders and links
 mkdir -p \
-    /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt/renewal-hooks,fail2ban,crontabs,dns-conf,geoip2db} \
+    /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db,renewal-hooks} \
     /var/run/fail2ban
 rm -rf /etc/letsencrypt
 ln -s /config/etc/letsencrypt /etc/letsencrypt
+rm -rf /config/etc/letsencrypt/renewal-hooks
+ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
+
+# copy default renewal hooks
+chmod -R +x /defaults/renewal-hooks
+cp -nR /defaults/renewal-hooks/* /config/renewal-hooks/
+chown -R abc:abc /config/renewal-hooks
+
 
 # copy dns default configs
 cp -n /defaults/dns-conf/* /config/dns-conf/
 chown -R abc:abc /config/dns-conf
@@ -81,11 +89,6 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 
 [[ ! -f /config/www/502.html ]] && cp /defaults/502.html /config/www/502.html
 
-# copy default renewal hooks
-chmod -R +x /defaults/renewal-hooks
-cp -nR /defaults/renewal-hooks/* /etc/letsencrypt/renewal-hooks/
-chown -R abc:abc /config/renewal-hooks
-
 # remove lua bits from nginx.conf if not done before
 if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
   echo "Removing lua specific info from nginx.conf"
@@ -279,6 +282,7 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
   [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
   rm -rf /config/etc/letsencrypt
   mkdir -p /config/etc/letsencrypt
+  ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
 fi
 
 # saving new variables
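Review bot: The added `rm -rf /config/etc/letsencrypt/renewal-hooks` in the hunk at -35 discards whatever an existing user already placed at the previously documented hook location (`/etc/letsencrypt/renewal-hooks/*`, which the readme hunk at -99 is rewriting to `/config/renewal-hooks/*`), and nothing copies those files into the new directory first, so a custom deploy hook that installs certificates into other services silently stops running after this upgrade and those services keep serving the old certificate until it expires. On the first start after this change the path is still a real directory and on later starts it is the symlink created two lines below, so a one-time migration can key on that and go before the `rm -rf`: `if [ -d /config/etc/letsencrypt/renewal-hooks ] && [ ! -L /config/etc/letsencrypt/renewal-hooks ]; then` / `  cp -nR /config/etc/letsencrypt/renewal-hooks/. /config/renewal-hooks/` / `fi` (the target directory is created by the `mkdir -p` at the top of the hunk, and `-n` lets the user's file win over the defaults copied afterwards). A short comment on the `ln -s` line stating that `../../renewal-hooks` resolves to `/config/renewal-hooks` would also help, since the same link is rebuilt again in the hunk at -279.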
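Review bot: The added `ln -s` in the hunk at -279 repeats the link creation from the hunk at -35 with no comment saying why it is needed here; the `rm -rf /config/etc/letsencrypt` two lines above removes the symlink entry but not the `/config/renewal-hooks` directory it points to, which is both why user hooks survive a revoke and why the link has to be rebuilt before `fi`. A comment such as `# renewal-hooks is a symlink into /config/renewal-hooks; the rm -rf above dropped only the link, so recreate it` on the added line would capture that, and giving the two sites one small helper function would keep the relative target from drifting apart over time. The enclosing `if` block starts outside the hunk.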