separate config directory for renewal hooks /config/renewal-hooks/

Feilner 2021-02-16 07:33:17 +01:00
parent 72479211f1
commit 41a85f9203
2 changed files with 13 additions and 9 deletions


@ -99,7 +99,7 @@ app_setup_block: |
* If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
* After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
* It's possible to extend default the renewal-hooks `/etc/letsencrypt/renewal-hooks/*` they are executed in sorted order.
* It's possible to extend default the renewal-hooks `/config/renewal-hooks/*` they are executed in sorted order.
### Security and password protection
* The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
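
Review bot: the replacement line still reads "extend default the renewal-hooks" and runs two statements together; suggest "It's possible to extend the default renewal hooks under `/config/renewal-hooks/*`; hooks are executed in sorted order." Since the script hunk below applies `chmod -R +x` to the defaults but not to user-added files, it would also help to state here that a custom hook must be executable to run.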
@ -118,7 +118,7 @@ app_setup_block: |
* To use these certs in other containers, do either of the following:
1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-le-config/etc:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
3. *(Alternative)* Use custom custom deploy hook e.g. `/etc/letsencrypt/renewal-hooks/deploy/20-my` to deploy the certificates.
3. *(Alternative)* Use custom custom deploy hook e.g. `/config/renewal-hooks/deploy/20-my` to deploy the certificates.
* These certs include:
1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
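
Review bot: "Use custom custom deploy hook" duplicates a word; suggest "Use a custom deploy hook, e.g. `/config/renewal-hooks/deploy/20-my`, to deploy the certificates." A short note on what the example name encodes would help readers: the numeric prefix matters only because hooks run in sorted order (stated in the earlier hunk), and the file has to be executable.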
@ -153,7 +153,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog
changelogs:
- { date: "15.02.21:", desc: "Use certbot file hooks instead of command line hooks" }
- { date: "16.02.21:", desc: "Use certbot file hooks instead of command line hooks" }
- { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." }
- { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." }
- { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." }
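
Review bot: only the date changes here (15.02.21 to 16.02.21), while the description still says nothing about what this commit actually does, which is moving the hook directory from `/config/etc/letsencrypt/renewal-hooks` to `/config/renewal-hooks`. Anyone who added hooks after the previous entry needs to know the location moved; suggest something like "Use certbot file hooks instead of command line hooks; custom hooks now live in `/config/renewal-hooks`".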


@ -35,11 +35,19 @@ done
# make our folders and links
mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt/renewal-hooks,fail2ban,crontabs,dns-conf,geoip2db} \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db,renewal-hooks} \
/var/run/fail2ban
rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt
rm -rf /config/etc/letsencrypt/renewal-hooks
ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
# copy default renewal hooks
chmod -R +x /defaults/renewal-hooks
cp -nR /defaults/renewal-hooks/* /config/renewal-hooks/
chown -R abc:abc /config/renewal-hooks
# copy dns default configs
cp -n /defaults/dns-conf/* /config/dns-conf/
chown -R abc:abc /config/dns-conf
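
Review bot: `rm -rf /config/etc/letsencrypt/renewal-hooks` runs unconditionally before the symlink is created, so on the first start after this change any custom hooks a user placed in the old location (the `/etc/letsencrypt/renewal-hooks` path the previous readme text advertised, which resolves into `/config/etc/letsencrypt`) are deleted without warning. Suggest migrating before removing, e.g. `if [[ -d /config/etc/letsencrypt/renewal-hooks && ! -L /config/etc/letsencrypt/renewal-hooks ]]; then cp -nR /config/etc/letsencrypt/renewal-hooks/. /config/renewal-hooks/; fi` ahead of the `rm -rf`; that is lossless and stays idempotent, since later starts see the symlink and skip the copy. Separately, `chmod -R +x /defaults/renewal-hooks` marks every file under the defaults executable regardless of content; applying `+x` only to the hook scripts that are copied would be tighter.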
@ -81,11 +89,6 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
[[ ! -f /config/www/502.html ]] &&
cp /defaults/502.html /config/www/502.html
# copy default renewal hooks
chmod -R +x /defaults/renewal-hooks
cp -nR /defaults/renewal-hooks/* /etc/letsencrypt/renewal-hooks/
chown -R abc:abc /config/renewal-hooks
# remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
echo "Removing lua specific info from nginx.conf"
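
Review bot: removing this block is consistent with the copy moved up into the folder-creation section, and it also fixes a mismatch in the old code, where files were copied into `/etc/letsencrypt/renewal-hooks/` but `chown -R abc:abc` was applied to `/config/renewal-hooks`, a path that did not exist before this commit. That ownership change for the hook files on existing installs is worth a line in the commit message.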
@ -279,6 +282,7 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
rm -rf /config/etc/letsencrypt
mkdir -p /config/etc/letsencrypt
ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
fi
# saving new variables
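
Review bot: the `ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks` line added after the `rm -rf /config/etc/letsencrypt` duplicates the line in the setup section; if the hook location changes again both places must be edited in step, so consider a small helper function that creates the link and is called from both. The change itself is an improvement: because `/config/renewal-hooks` now lives outside `/config/etc/letsencrypt`, a URL or SUBDOMAINS change no longer wipes user hooks together with the certificates, which the old layout did.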