FaSTTUBe/ftracker
51
1
Fork 0
Code Issues 2 Pull Requests Releases 1 Wiki Activity

Update docker to obtain cert at runtime, not buildtime

Browse Source 
since the latter doesn't work
This commit is contained in:
Oskar Winkels
2020-12-07 16:02:58 +01:00
parent 7ba6a2d429
commit d35e60a32d
4 changed files with 56 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
Dockerfile
View File

@ -1,38 +1,33 @@
FROM alpine:latest FROM alpine:latest
ARG DOMAIN RUN apk add --update --no-cache \
bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx
RUN apk add --update --no-cache python3 py3-pip nginx uwsgi uwsgi-python3 certbot lsof
WORKDIR /root/ftracker WORKDIR /root/ftracker
COPY ftracker/ ./ftracker/ COPY ftracker/ ./ftracker/
COPY web/ /var/www/html/ftracker/
COPY res/ ./res/
COPY setup.py . COPY setup.py .
COPY README.md . COPY README.md .
COPY LICENSE.md . COPY LICENSE.md .
COPY res/config.deploy.ini /etc/ftracker/config.ini
RUN pip3 install wheel
RUN pip3 install .
COPY web/ /var/www/html/ftracker/
COPY res/ ./res/
COPY res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf
RUN rm /etc/nginx/conf.d/default.conf
RUN mkdir -p /etc/ftracker /var/ftracker \ RUN mkdir -p /etc/ftracker /var/ftracker \
&& chown -R nginx:nginx /etc/ftracker /var/ftracker && chown -R nginx:nginx /etc/ftracker /var/ftracker
COPY res/config.deploy.ini /etc/ftracker/config.ini
RUN pip3 install .
RUN rm /etc/nginx/conf.d/default.conf
RUN if [ -n "$DOMAIN" ] ;\
then \
cp ./res/ftracker.docker.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
certbot certonly --non-interactive --manual-public-ip-logging-ok -d ${DOMAIN} ;\
sed -i "s|CERT|/usr/local/etc/letsencrypt/live/${DOMAIN}/fullchain.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
sed -i "s|KEY|/usr/local/etc/letsencrypt/live/${DOMAIN}/privkey.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
echo Installed certificate. ;\
else \
cp ./res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
echo Skipped SSL installation. ;\
fi
RUN chmod +x ./res/docker-entrypoint.sh RUN chmod +x ./res/docker-entrypoint.sh
ENTRYPOINT [ "./res/docker-entrypoint.sh" ] ENTRYPOINT [ "./res/docker-entrypoint.sh" ]

33
README.md
View File

@ -32,26 +32,30 @@ There are 2 methods: Docker and Manual.
### Method A: Docker ### Method A: Docker
If you want to manage SSL in your own webserver, you can simply run Build the container with
```bash
sudo docker build . -t ftracker
```
Then, if you want the container to also handle SSL so it can run standalone you
need to pass it a domain and Email so it can obtain a certificate from `Let's
encrypt`:
```bash ```bash
sudo docker run \ sudo docker run \
-d \ -d \
--name ftracker \ --name ftracker \
-e DOMAIN=example.com \
-e LE_EMAIL=admin@example.com \
-p 80:80 \ -p 80:80 \
-p 443:443 \
-v /your/full/path/to/config.ini:/etc/ftracker/config.ini \ -v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
fasttube/ftracker ftracker
``` ```
If you want the container to also handle SSL so it can run standalone you need Otherwise you can run it without SSL (maybe behind your own web+ssl server)
to build it like this: using just
```bash
# clone, cd into repo
sudo docker build . -t ftracker --build-arg DOMAIN=ftracker.example.com
```
And then run it:
```bash ```bash
sudo docker run \ sudo docker run \
@ -62,11 +66,12 @@ sudo docker run \
ftracker ftracker
``` ```
To stop/start the container afterwards, run: To stop/start/uninstall the container afterwards, run:
```bash ```bash
docker stop ftracker # might take up to 10 seconds docker stop ftracker # might take up to 10 seconds
docker start ftracker docker start ftracker # continue runniing
docker rm -f ftracker # uninstall
``` ```
### Method B: Manual ### Method B: Manual

25
res/docker-entrypoint.sh
View File

@ -1,11 +1,30 @@
#!/bin/sh #!/bin/bash
echo " >>> starting nginx <<< " echo " >>> Starting nginx <<< "
mkdir /run/nginx # needed because of bug in package mkdir /run/nginx # needed because of bug in package
/usr/sbin/nginx -t /usr/sbin/nginx -t
/usr/sbin/nginx /usr/sbin/nginx
echo " >>> starting uwsgi <<< " echo " >>> Checking / Installing SSL certificate <<< "
if [[ ${DOMAIN} ]]
then
echo "Obtaining cert for '${DOMAIN}' ..."
echo "Registering with email '${LE_EMAIL}' ..."
certbot -n \
--nginx \
--keep-until-expiring \
--redirect \
--agree-tos \
--cert-name ${DOMAIN} \
-d ${DOMAIN} \
-m ${LE_EMAIL}
echo "Checked/Installed SSL certificate."
fi
echo " >>> Starting uwsgi <<< "
/usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini /usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini

37
res/ftracker.docker.nginx.conf
View File

@ -1,37 +0,0 @@
server {
listen 443 ssl default_server;
root /var/www/html/ftracker;
index index.html index.htm;
location / {
# First attempt to serve request as file
# If no such file, pass to backend
try_files $uri $uri/ $uri.html @api;
}
location @api {
include uwsgi_params;
# Pass it to the uwsgi server
uwsgi_pass unix:///tmp/ftracker.sock;
}
# RIP
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
ssl_certificate CERT;
ssl_certificate_key KEY;
}
server {
listen 80 default_server;
# 308 instead of 301 to prohibit method change on redirect
# (some clients change POST to GET on 301, 308 does not allow that)
return 308 https://$host$request_uri;
}