Update docker to obtain cert at runtime, not buildtime

since the latter doesn't work
2020-12-07 16:02:58 +01:00 · 2020-12-07 16:02:58 +01:00 · d35e60a32d
parent 7ba6a2d429
commit d35e60a32d
4 changed files with 56 additions and 74 deletions
--- a/35
+++ b/35
@ -1,38 +1,33 @@
 FROM alpine:latest

-ARG DOMAIN
+RUN apk add --update --no-cache \
+	bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx
+

-RUN apk add --update --no-cache python3 py3-pip nginx uwsgi uwsgi-python3 certbot lsof

 WORKDIR /root/ftracker

 COPY ftracker/ ./ftracker/
-COPY web/ /var/www/html/ftracker/
-COPY res/ ./res/
-
 COPY setup.py .
 COPY README.md .
 COPY LICENSE.md .
+COPY res/config.deploy.ini /etc/ftracker/config.ini
+
+RUN pip3 install wheel
+RUN pip3 install .
+
+
+
+COPY web/ /var/www/html/ftracker/
+COPY res/ ./res/
+
+COPY res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf
+RUN rm /etc/nginx/conf.d/default.conf

 RUN mkdir -p /etc/ftracker /var/ftracker \
 	&& chown -R nginx:nginx /etc/ftracker /var/ftracker

-COPY res/config.deploy.ini /etc/ftracker/config.ini

-RUN pip3 install .
-
-RUN rm /etc/nginx/conf.d/default.conf
-RUN if [ -n "$DOMAIN" ] ;\
-	then \
-		cp ./res/ftracker.docker.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
-		certbot certonly --non-interactive --manual-public-ip-logging-ok -d ${DOMAIN} ;\
-		sed -i "s|CERT|/usr/local/etc/letsencrypt/live/${DOMAIN}/fullchain.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
-		sed -i "s|KEY|/usr/local/etc/letsencrypt/live/${DOMAIN}/privkey.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
-		echo Installed certificate. ;\
-	else \
-		cp ./res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
-		echo Skipped SSL installation. ;\
-	fi

 RUN chmod +x ./res/docker-entrypoint.sh
 ENTRYPOINT [ "./res/docker-entrypoint.sh" ]
--- a/README.md
+++ b/README.md
@ -32,26 +32,30 @@ There are 2 methods: Docker and Manual.

 ### Method A: Docker

-If you want to manage SSL in your own webserver, you can simply run
+Build the container with
+
+```bash
+sudo docker build . -t ftracker
+```
+
+Then, if you want the container to also handle SSL so it can run standalone you
+need to pass it a domain and Email so it can obtain a certificate from `Let's
+encrypt`:

 ```bash
 sudo docker run \
 	-d \
 	--name ftracker \
+	-e DOMAIN=example.com \
+	-e LE_EMAIL=admin@example.com \
 	-p 80:80 \
+	-p 443:443 \
 	-v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
-	fasttube/ftracker
+	ftracker
 ```

-If you want the container to also handle SSL so it can run standalone you need
-to build it like this:
-
-```bash
-# clone, cd into repo
-sudo docker build . -t ftracker --build-arg DOMAIN=ftracker.example.com
-```
-
-And then run it:
+Otherwise you can run it without SSL (maybe behind your own web+ssl server)
+using just

 ```bash
 sudo docker run \
@ -62,11 +66,12 @@ sudo docker run \
 	ftracker
 ```

-To stop/start the container afterwards, run:
+To stop/start/uninstall the container afterwards, run:

 ```bash
-docker stop ftracker # might take up to 10 seconds
-docker start ftracker
+docker stop ftracker  # might take up to 10 seconds
+docker start ftracker # continue runniing
+docker rm -f ftracker # uninstall
 ```

 ### Method B: Manual
--- a/res/docker-entrypoint.sh
+++ b/res/docker-entrypoint.sh
@ -1,11 +1,30 @@
-#!/bin/sh
+#!/bin/bash

-echo " >>> starting nginx <<< "
+echo " >>> Starting nginx <<< "

 mkdir /run/nginx # needed because of bug in package
 /usr/sbin/nginx -t
 /usr/sbin/nginx

-echo " >>> starting uwsgi <<< "
+echo " >>> Checking / Installing SSL certificate <<< "
+
+if [[ ${DOMAIN} ]]
+then
+	echo "Obtaining cert for '${DOMAIN}' ..."
+	echo "Registering with email '${LE_EMAIL}' ..."
+
+	certbot -n \
+		--nginx \
+		--keep-until-expiring \
+		--redirect \
+		--agree-tos \
+		--cert-name ${DOMAIN} \
+		-d ${DOMAIN} \
+		-m ${LE_EMAIL}
+
+	echo "Checked/Installed SSL certificate."
+fi
+
+echo " >>> Starting uwsgi <<< "

 /usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini
--- a/res/ftracker.docker.nginx.conf
+++ b/res/ftracker.docker.nginx.conf
@ -1,37 +0,0 @@
-server {
-
-	listen 443 ssl default_server;
-
-	root /var/www/html/ftracker;
-
-	index index.html index.htm;
-
-	location / {
-		# First attempt to serve request as file
-		# If no such file, pass to backend
-		try_files $uri $uri/ $uri.html @api;
-	}
-
-	location @api {
-		include uwsgi_params;
-		# Pass it to the uwsgi server
-		uwsgi_pass unix:///tmp/ftracker.sock;
-	}
-
-	# RIP
-	add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
-
-	ssl_certificate CERT;
-	ssl_certificate_key KEY;
-
-}
-
-server {
-
-	listen 80 default_server;
-
-	# 308 instead of 301 to prohibit method change on redirect
-	# (some clients change POST to GET on 301, 308 does not allow that)
-	return 308 https://$host$request_uri;
-
-}