From 7cfded2a708dbbac0145acec8c9e76a142ff9d24 Mon Sep 17 00:00:00 2001 From: ahgraber Date: Thu, 18 Feb 2021 20:54:54 -0500 Subject: [PATCH] v1 --- Dockerfile | 16 --------- README.md | 91 ++++++++++++----------------------------------- scripts/buildx.sh | 6 ++-- 3 files changed, 27 insertions(+), 86 deletions(-) diff --git a/Dockerfile b/Dockerfile index 86cfde7..c2da7d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,8 +7,6 @@ ARG BUILD_DATE LABEL build_version="${TARGETPLATFORM} - ${BUILD_DATE}" -# ENV TLD -# ENV SUBDOMAINS ENV ONLY_SUBDOMAINS=false ENV PROPAGATION=60 ENV STAGING=false @@ -37,11 +35,6 @@ RUN chmod +x /tmp/install-s6.sh \ && /tmp/install-s6.sh ${TARGETPLATFORM} \ && rm -rf /tmp/* -# ENV S6_ARCH=$(echo ${TARGETPLATFORM} | sed "s|linux\/||g") -# ADD https://github.com/just-containers/s6-overlay/releases/latest/download/s6-overlay-${S6_ARCH}-installer /tmp -# RUN /tmp/s6-overlay-${S6_ARCH}-installer / \ -# && rm -rf /tmp - EXPOSE 80 443 # install certbot @@ -60,21 +53,12 @@ RUN pip3 install \ /tmp/* \ /root/.cache -# RUN mkdir -p \ -# /etc/letsencrypt/accounts \ -# /etc/letsencrypt/live \ -# /etc/letsencrypt/renewal \ -# /etc/letsencrypt/renewal-hooks/deploy \ -# /etc/letsencrypt/renewal-hooks/post \ -# /etc/letsencrypt/renewal-hooks/pre - RUN mkdir -p \ /app \ /config \ /defaults \ /letsencrypt - VOLUME /config VOLUME /letsencrypt diff --git a/README.md b/README.md index 560e940..066c5c7 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,12 @@ # Certbot_Only Certbot_Only is a docker image based off of [linuxserver's SWAG](https://linuxserver.io) with the goal to simplify the image to *only generate DNS certificates and maintain them* while leaving them accessible for other resources to utilize. -Because Certbot_Only *only runs certbot*, DNS validation is required. +Because Certbot_Only *only runs certbot and a monitoring cron task*, DNS validation is required. Further, in order to simplify the image, only Cloudflare DNS is currently implemented. + ## Supported Architectures -The project is built with Docker Buildx to support multiple architectures such as `amd64`, `arm64` and `arm32/v7`. +The project is built with Docker Buildx to support multiple architectures such as `amd64` and `arm64`. Simply pulling `ahgraber/certbot_only` should retrieve the correct image for your arch, but you can also pull specific arch images via tags. @@ -15,7 +16,6 @@ The architectures supported by this image are: | :----: | --- | | x86-64 | amd64-latest | | arm64 | arm64v8-latest | -| armhf | arm32v7-latest | ## Usage @@ -28,20 +28,18 @@ Compatible with docker-compose v3 schemas. ```yaml --- -version: "3.3" +version: "3.7" services: swag: - image: ahgraber/certbot_only + image: ahgraber/certbot_only:latest container_name: certbot environment: - - PUID=1000 - - PGID=1000 - TZ=Europe/London - URL=yourdomain.url - SUBDOMAINS=www, + - ONLY_SUBDOMAINS=false #optional - PROPAGATION= #optional - EMAIL= #optional - - ONLY_SUBDOMAINS=false #optional - STAGING=false #optional volumes: - /path/to/appdata/config:/config @@ -52,52 +50,24 @@ services: restart: unless-stopped ``` -### docker cli - -``` -docker run -d \ - --name=certbot \ - -e PUID=1000 \ - -e PGID=1000 \ - -e TZ=Europe/London \ - -e URL=yourdomain.url \ - -e SUBDOMAINS=www, \ - -e PROPAGATION= `#optional` \ - -e EMAIL= `#optional` \ - -e ONLY_SUBDOMAINS=false `#optional` \ - -e STAGING=false `#optional` \ - -p 443:443 \ - -p 80:80 `#optional` \ - -v /path/to/appdata/config:/config \ - -v /path/to/appdata/letsencrypt:/letsencrypt - --restart unless-stopped \ - ahgraber/certbot_only -``` - - ## Parameters -Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `:` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container. +Container images are configured using parameters passed at runtime (such as those above). | Parameter | Function | | :----: | --- | -| `-p 443` | Https port | -| `-p 80` | Http port (required for http validation and http -> https redirect) | -| `-e PUID=1000` | for UserID - see below for explanation | -| `-e PGID=1000` | for GroupID - see below for explanation | -| `-e TZ=Europe/London` | Specify a timezone to use - e.g., Europe/London. | -| `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). | -| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) | -| `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. | -| `-e EMAIL=` | Optional e-mail address used for cert expiration notifications. | -| `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` | -| `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. | -| `-v /config` | All the config files reside here. | -| `-v /letsencrypt` | All the cert files reside here. | +| `TZ=Europe/London` | Specify a timezone to use - e.g., Europe/London. | +| `TLD: yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). | +| `SUBDOMAINS: 'www'` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) | +| `ONLY_SUBDOMAINS: 'false'` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` | +| `PROPAGATION: 60` | Optionally override (in seconds) the default propagation time for the dns plugins. | +| `EMAIL: you@email.com` | Optional e-mail address used for cert expiration notifications. | +| `STAGING: 'false'` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. | + ## Environment variables from files (Docker secrets) -You can set any environment variable from a file by using a special prepend `__FILE` (double-underscore FILE). +You can set any environment variable from a file by using a special ending `__FILE` (double-underscore FILE). As an example: @@ -110,32 +80,17 @@ Will set the environment variable `PASSWORD` based on the contents of the `/run/ ## Volumes The recommended configurations create local folders `/config` and `/letsencrypt`. `config/` - ├ `credentials/` - contains `cloudflare.ini` + ├ `credentials/` - contains `cloudflare.ini`. Edit with your own credentials. ├ `crontabs` - contains root crontab - └ `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal + └ `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal. `letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful. -## User / Group Identifiers - -When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`. - -Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic. - -In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below: - -``` - $ id username - uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup) -``` - -   ## Application Setup ### Validation and initial setup -* Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.). -* For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf` +* For `dns` validation, make sure to enter your credentials into the corresponding .ini file under `/config/credentials/cloudflare.ini`. You may have to start the container once to locate the file in the local volume mount. * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy" * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. @@ -143,7 +98,7 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak. * To use these certs in other containers, do either of the following: 1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/` - 2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-le-config/etc:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live//` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs) + 2. *(More secure)* Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live//` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs) * These certs include: 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password) @@ -152,7 +107,7 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel ## Support Info -* Shell access whilst the container is running: `docker exec -it certbot_only /bin/bash` +* Shell access whilst the container is running: `docker exec -it certbot_only /bin/with-contenv bash` * To monitor the logs of the container in realtime: `docker logs -f certbot_only` * container version number * `docker inspect -f '{{ index .Config.Labels "build_version" }}' certbot_only` @@ -191,8 +146,8 @@ docker-compose build With [Docker buildx](https://docs.docker.com/buildx/working-with-buildx/) for multiarch support: ``` git clone https://github.com/ahgraber/docker-certbot-only.git -cd docker-certbot_only/scripts -bash buildx.sh {tag} +cd docker-certbot_only +bash ./scripts/buildx.sh --tag {REPOSITORY}/certbot_only:{TAG} ``` ## Versions diff --git a/scripts/buildx.sh b/scripts/buildx.sh index 2084627..ba1ca9e 100755 --- a/scripts/buildx.sh +++ b/scripts/buildx.sh @@ -1,7 +1,9 @@ #!/bin/bash +# To tag images, run with `sudo bash ./scripts/buildx.sh --tag {REGISTRY}/{IMAGE}:{TAG}` + REGISTRY="ahgraber" -TAG=${1:-"test"} +# TAG=${1:-"test"} # define build context # assumes run from project folder root @@ -15,8 +17,8 @@ docker buildx build \ --no-cache \ --platform linux/amd64,linux/arm64 \ --file Dockerfile \ - --tag ${REGISTRY}/certbot_only:${TAG} \ --push \ + $@ \ . # cleanup