simplify/clarify nfs mounting

This commit is contained in:
ahgraber 2021-03-14 13:25:20 -04:00
parent 05b068873c
commit 50b88fb0b4
5 changed files with 22 additions and 17 deletions


@ -21,6 +21,7 @@ RUN apt-get update \
gcc \
libssl-dev \
libffi-dev \
nano \
openssl \
python3 \
python3-pip \
@ -60,8 +61,8 @@ RUN mkdir -p \
/defaults \
/letsencrypt
VOLUME /config
VOLUME /letsencrypt
# VOLUME /config
# VOLUME /letsencrypt
# # create initial user
# RUN groupmod -g 1000 users && \
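Review bot: Commenting out `VOLUME /config` and `VOLUME /letsencrypt` changes persistence semantics without any note next to the commented lines: anything written under /letsencrypt (the README and deploy hunks on this page show privkey.pem and privkey.pfx landing there) now lives in the container's writable layer unless the operator binds a mount, and an image commit or export would capture the private key. If the intent is to let users choose an explicit bind/NFS mount, as the commit title suggests, say so in place, e.g. `# VOLUME declarations removed so /config and /letsencrypt are mounted explicitly; without a mount, certs and keys persist only in the container layer`. The `RUN mkdir -p` that the second hunk sits in starts outside the hunk.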


@ -79,12 +79,12 @@ Will set the environment variable `PASSWORD` based on the contents of the `/run/
## Volumes
The recommended configurations create local folders `/config` and `/letsencrypt`.
`config/`
`credentials/` - contains `cloudflare.ini`. Edit with your own credentials.
`crontabs` - contains root crontab
`deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
`/config/`
`../credentials/` - contains `cloudflare.ini`. Edit with your own credentials.
`../crontabs/` - contains root crontab
`../deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
`letsencrypt/certs` is populated with Let's Encrypt certificates if the generation/renewal is successful.
`/letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful.
 
## Application Setup
@ -103,7 +103,7 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
### Using certs in other containers
* This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak.
* To use these certs in other containers:
1. Mount the cert folder `/letsencrypt/certs` (ie. `-v /path/to/letsencrypt/certs:/container/cert/dir`)
1. Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/container/cert/dir`)
* These certs include:
1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)


@ -20,14 +20,16 @@ else
fi
RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
KEYPATH="/letsencrypt/certs"
KEYPATH="/letsencrypt"
mkdir -p $KEYPATH
echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
# Clean current KEYPATH contents
echo "Clearing expired certs ..."
# echo "Ignore warnings for directories"
rm -f ${KEYPATH}/* 2> /dev/null # this will hide errors (like not deleting directories)
rm -f ${KEYPATH}/*.pem
rm -f ${KEYPATH}/*.pfx
rm -f ${KEYPATH}/tls.*
# Copy certs to keypath dest
echo "Copying current certs ..."
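Review bot: The three new `rm -f ${KEYPATH}/*.pem` / `*.pfx` / `tls.*` lines, like `mkdir -p $KEYPATH` above them, expand KEYPATH unquoted and without `--`; KEYPATH is assigned two lines earlier, but a future edit that leaves it empty would turn the first of them into `rm -f /*.pem`. Safer and one exec instead of three: `rm -f -- "${KEYPATH:?}"/*.pem "${KEYPATH:?}"/*.pfx "${KEYPATH:?}"/tls.*`. Between this removal and the copy that follows there is a window in which /letsencrypt holds no certificate at all; if other containers mount that directory, consider copying to a temporary name and renaming into place, or at least say so in the comment. The script continues outside the hunk.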


@ -54,7 +54,7 @@ ln -s /config/crontabs /etc/crontabs
# Copy deploy hook defaults if needed
# [[ -z "$(ls -A /letsencrypt/renewal-hooks/deploy)" ]] && \
[[ ! -f /config/deploy/01_deploy-certs.sh ]] && \
echo "Copying deploy hooks..." && \
echo "Copying default deploy hooks..." && \
cp -n /defaults/deploy/01_deploy-certs.sh /config/deploy/
chmod +x /config/deploy/*
# Link /config/deploy
@ -162,14 +162,16 @@ if [ "${ORIGSTAGING}" = "true" ]; then
# [[ -f /etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
[[ -f "${LINEAGE}"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path "${LINEAGE}"/fullchain.pem --server ${REV_ACMESERVER}
rm -rf /etc/letsencrypt
mkdir -p /etc/letsencrypt
# mkdir -p /etc/letsencrypt # redundant
mkdir -p /etc/letsencrypt/renewal-hooks
ln -s /config/deploy /etc/letsencrypt/renewal-hooks
fi
# Save new variables
echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf
# generating certs if necessary
if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
if [ ! -f "/letsencrypt/fullchain.pem" ]; then
echo "Generating new certificate"
# shellcheck disable=SC2086
certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
@ -177,13 +179,13 @@ if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
# export RENEWED_LINEAGE
# echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
# force deploy script on initial generation
# explicitly run deploy script on initial generation
if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
/usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
fi
if [ -f "/letsencrypt/certs/fullchain.pem" ]; then
cd /letsencrypt/certs || exit
if [ -f "/letsencrypt/fullchain.pem" ]; then
cd /letsencrypt || exit
else
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file."
sleep infinity
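Review bot: The generation guard `if [ ! -f "/letsencrypt/fullchain.pem" ]` in the second hunk tests the deploy hook's copy rather than certbot's own lineage, so any start where certbot succeeded but the hook did not write the copy (or a restart during the hook's rm/cp sequence shown in the deploy-script hunk on this page) re-enters `certbot certonly --non-interactive --force-renewal ...` and counts against the ACME issuance limits. Testing the lineage certbot maintains, `if [ ! -f "${LINEAGE}"/fullchain.pem ]; then`, as the revoke line in the same hunk already does, avoids that — assuming LINEAGE already holds the current lineage path at this point, which the hunk does not show. The same consideration applies to `if [ -f "/letsencrypt/fullchain.pem" ]` in the third hunk, whose if/else block closes outside the hunk.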


@ -1,7 +1,7 @@
#!/usr/bin/with-contenv bash
# Check if the cert is expired or expires within a day, if so, renew
if openssl x509 -in /letsencrypt/certs/fullchain.pem -noout -checkend 86400 >/dev/null; then
if openssl x509 -in /letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
echo "The cert does not expire within the next day."
# if [ ! "${STAGING}" = "true" ]; then
# echo "Testing renewal..."
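Review bot: The expiry check now reads `/letsencrypt/fullchain.pem`, which is the deploy hook's copy rather than the certificate certbot itself will renew; if that copy is stale or absent while certbot's lineage is current, the else branch runs on every invocation. If that is deliberate (a missing or expired copy should also trigger the renew/deploy path), a comment on the `if` line saying so, e.g. `# checks the deployed copy so a missing or expired copy also triggers the renew path`, would make the intent clear. The if block continues outside the hunk.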