From d35e60a32d80747de26f57fe3809f69486e71afe Mon Sep 17 00:00:00 2001
From: Oskar
Date: Mon, 7 Dec 2020 16:02:58 +0100
Subject: [PATCH] Update docker to obtain cert at runtime, not buildtime since the latter doesn't work
---
 Dockerfile | 35 ++++++++++++++------------------
 README.md | 33 +++++++++++++++++------------
 res/docker-entrypoint.sh | 25 ++++++++++++++++++++---
 res/ftracker.docker.nginx.conf | 37 ----------------------------------
 4 files changed, 56 insertions(+), 74 deletions(-)
 delete mode 100644 res/ftracker.docker.nginx.conf
diff --git a/Dockerfile b/Dockerfile
index 88376ca..7e270c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,38 +1,33 @@
 FROM alpine:latest
-ARG DOMAIN
+RUN apk add --update --no-cache \
+ bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx
+
-RUN apk add --update --no-cache python3 py3-pip nginx uwsgi uwsgi-python3 certbot lsof
 WORKDIR /root/ftracker
 COPY ftracker/ ./ftracker/
-COPY web/ /var/www/html/ftracker/
-COPY res/ ./res/
-
 COPY setup.py .
 COPY README.md .
 COPY LICENSE.md .
+COPY res/config.deploy.ini /etc/ftracker/config.ini
+
+RUN pip3 install wheel
+RUN pip3 install .
+
+
+
+COPY web/ /var/www/html/ftracker/
+COPY res/ ./res/
+
+COPY res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf
+RUN rm /etc/nginx/conf.d/default.conf
 RUN mkdir -p /etc/ftracker /var/ftracker \
 && chown -R nginx:nginx /etc/ftracker /var/ftracker
-COPY res/config.deploy.ini /etc/ftracker/config.ini
-RUN pip3 install .
-
-RUN rm /etc/nginx/conf.d/default.conf
-RUN if [ -n "$DOMAIN" ] ;\
- then \
- cp ./res/ftracker.docker.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
- certbot certonly --non-interactive --manual-public-ip-logging-ok -d ${DOMAIN} ;\
- sed -i "s|CERT|/usr/local/etc/letsencrypt/live/${DOMAIN}/fullchain.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
- sed -i "s|KEY|/usr/local/etc/letsencrypt/live/${DOMAIN}/privkey.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
- echo Installed certificate. ;\
- else \
- cp ./res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
- echo Skipped SSL installation. ;\
- fi
 RUN chmod +x ./res/docker-entrypoint.sh
 ENTRYPOINT [ "./res/docker-entrypoint.sh" ]
diff --git a/README.md b/README.md
index 3a2f4d6..6ac32a1 100644
--- a/README.md
+++ b/README.md
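Review bot: The added `RUN apk add --update --no-cache \` line installs `bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx` with no versions on top of the already unpinned `alpine:latest` context line, so the certbot, nginx and uwsgi versions baked into the image depend on the build date rather than on the commit; pin them as `name=version-rN` (hadolint DL3018) and drop `--update`, which is redundant once `--no-cache` is given. Because this change moves certificate issuance to container start, the certificate, private key and ACME account key certbot writes now live only in the container's writable layer, and the new Dockerfile declares no `VOLUME` for certbot's config directory (the removed block pointed at `/usr/local/etc/letsencrypt/live/${DOMAIN}`; confirm that is still where this certbot writes), so the `docker rm -f ftracker` the README now documents discards them and the next start re-issues against Let's Encrypt's rate limits. Declare a `VOLUME` at that directory and document the matching `-v` mount alongside the `config.ini` one. The two new `pip3 install` lines should also pass `--no-cache-dir` so the pip download cache does not stay in the layer.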
@@ -32,26 +32,30 @@ There are 2 methods: Docker and Manual.
 ### Method A: Docker
-If you want to manage SSL in your own webserver, you can simply run
+Build the container with
+
+```bash
+sudo docker build . -t ftracker
+```
+
+Then, if you want the container to also handle SSL so it can run standalone you
+need to pass it a domain and Email so it can obtain a certificate from `Let's
+encrypt`:
 ```bash
 sudo docker run \
 -d \
 --name ftracker \
+ -e DOMAIN=example.com \
+ -e LE_EMAIL=admin@example.com \
 -p 80:80 \
+ -p 443:443 \
 -v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
- fasttube/ftracker
+ ftracker
 ```
-If you want the container to also handle SSL so it can run standalone you need
-to build it like this:
-
-```bash
-# clone, cd into repo
-sudo docker build . -t ftracker --build-arg DOMAIN=ftracker.example.com
-```
-
-And then run it:
+Otherwise you can run it without SSL (maybe behind your own web+ssl server)
+using just
 ```bash
 sudo docker run \
@@ -62,11 +66,12 @@ sudo docker run \
 ftracker
 ```
-To stop/start the container afterwards, run:
+To stop/start/uninstall the container afterwards, run:
 ```bash
-docker stop ftracker # might take up to 10 seconds
-docker start ftracker
+docker stop ftracker # might take up to 10 seconds
+docker start ftracker # continue runniing
+docker rm -f ftracker # uninstall
 ```
 ### Method B: Manual
diff --git a/res/docker-entrypoint.sh b/res/docker-entrypoint.sh
index 010a3da..c626114 100644
--- a/res/docker-entrypoint.sh
+++ b/res/docker-entrypoint.sh
@@ -1,11 +1,30 @@
-#!/bin/sh
+#!/bin/bash
-echo " >>> starting nginx <<< "
+echo " >>> Starting nginx <<< "
 mkdir /run/nginx # needed because of bug in package
 /usr/sbin/nginx -t
 /usr/sbin/nginx
-echo " >>> starting uwsgi <<< "
+echo " >>> Checking / Installing SSL certificate <<< "
+
+if [[ ${DOMAIN} ]]
+then
+ echo "Obtaining cert for '${DOMAIN}' ..."
+ echo "Registering with email '${LE_EMAIL}' ..."
+
+ certbot -n \
+ --nginx \
+ --keep-until-expiring \
+ --redirect \
+ --agree-tos \
+ --cert-name ${DOMAIN} \
+ -d ${DOMAIN} \
+ -m ${LE_EMAIL}
+
+ echo "Checked/Installed SSL certificate."
+fi
+
+echo " >>> Starting uwsgi <<< "
 /usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini
diff --git a/res/ftracker.docker.nginx.conf b/res/ftracker.docker.nginx.conf
deleted file mode 100644
index 3b35c1e..0000000
--- a/res/ftracker.docker.nginx.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-server {
-
- listen 443 ssl default_server;
-
- root /var/www/html/ftracker;
-
- index index.html index.htm;
-
- location / {
- # First attempt to serve request as file
- # If no such file, pass to backend
- try_files $uri $uri/ $uri.html @api;
- }
-
- location @api {
- include uwsgi_params;
- # Pass it to the uwsgi server
- uwsgi_pass unix:///tmp/ftracker.sock;
- }
-
- # RIP
- add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
-
- ssl_certificate CERT;
- ssl_certificate_key KEY;
-
-}
-
-server {
-
- listen 80 default_server;
-
- # 308 instead of 301 to prohibit method change on redirect
- # (some clients change POST to GET on 301, 308 does not allow that)
- return 308 https://$host$request_uri;
-
-}
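Review bot: certbot's exit status is never checked in the new `if [[ ${DOMAIN} ]]` block, so when issuance fails (challenge unreachable, rate limit hit, or `LE_EMAIL` unset so `-m` receives an empty value under `-n`) the script still prints `Checked/Installed SSL certificate.` and goes on to start uwsgi serving plain HTTP on a host the operator configured to expect TLS. Add `set -e` after the shebang so a failing `nginx -t` or `certbot` stops the container, change the preceding line to `mkdir -p /run/nginx` since the directory may already exist on `docker start` of a stopped container, and fail fast with `: "${LE_EMAIL:?LE_EMAIL is required when DOMAIN is set}"` before the `certbot` call. `${DOMAIN}` and `${LE_EMAIL}` are passed to `certbot` unquoted; write `"${DOMAIN}"` and `"${LE_EMAIL}"` so the arguments survive word splitting. The last line should become `exec /usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini` so uwsgi replaces the shell as PID 1 and receives SIGTERM from `docker stop`; as written the script stays PID 1, and the "up to 10 seconds" the README mentions is likely the stop grace period expiring.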