Update docker to obtain cert at runtime, not buildtime
since the latter doesn't work
This commit is contained in:
35
Dockerfile
35
Dockerfile
@ -1,38 +1,33 @@
|
||||
FROM alpine:latest
|
||||
|
||||
ARG DOMAIN
|
||||
RUN apk add --update --no-cache \
|
||||
bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx
|
||||
|
||||
|
||||
RUN apk add --update --no-cache python3 py3-pip nginx uwsgi uwsgi-python3 certbot lsof
|
||||
|
||||
WORKDIR /root/ftracker
|
||||
|
||||
COPY ftracker/ ./ftracker/
|
||||
COPY web/ /var/www/html/ftracker/
|
||||
COPY res/ ./res/
|
||||
|
||||
COPY setup.py .
|
||||
COPY README.md .
|
||||
COPY LICENSE.md .
|
||||
COPY res/config.deploy.ini /etc/ftracker/config.ini
|
||||
|
||||
RUN pip3 install wheel
|
||||
RUN pip3 install .
|
||||
|
||||
|
||||
|
||||
COPY web/ /var/www/html/ftracker/
|
||||
COPY res/ ./res/
|
||||
|
||||
COPY res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf
|
||||
RUN rm /etc/nginx/conf.d/default.conf
|
||||
|
||||
RUN mkdir -p /etc/ftracker /var/ftracker \
|
||||
&& chown -R nginx:nginx /etc/ftracker /var/ftracker
|
||||
|
||||
COPY res/config.deploy.ini /etc/ftracker/config.ini
|
||||
|
||||
RUN pip3 install .
|
||||
|
||||
RUN rm /etc/nginx/conf.d/default.conf
|
||||
RUN if [ -n "$DOMAIN" ] ;\
|
||||
then \
|
||||
cp ./res/ftracker.docker.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
|
||||
certbot certonly --non-interactive --manual-public-ip-logging-ok -d ${DOMAIN} ;\
|
||||
sed -i "s|CERT|/usr/local/etc/letsencrypt/live/${DOMAIN}/fullchain.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
|
||||
sed -i "s|KEY|/usr/local/etc/letsencrypt/live/${DOMAIN}/privkey.pem|g" /etc/nginx/conf.d/ftracker.conf ;\
|
||||
echo Installed certificate. ;\
|
||||
else \
|
||||
cp ./res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf ;\
|
||||
echo Skipped SSL installation. ;\
|
||||
fi
|
||||
|
||||
RUN chmod +x ./res/docker-entrypoint.sh
|
||||
ENTRYPOINT [ "./res/docker-entrypoint.sh" ]
|
||||
|
||||
31
README.md
31
README.md
@ -32,26 +32,30 @@ There are 2 methods: Docker and Manual.
|
||||
|
||||
### Method A: Docker
|
||||
|
||||
If you want to manage SSL in your own webserver, you can simply run
|
||||
Build the container with
|
||||
|
||||
```bash
|
||||
sudo docker build . -t ftracker
|
||||
```
|
||||
|
||||
Then, if you want the container to also handle SSL so it can run standalone you
|
||||
need to pass it a domain and Email so it can obtain a certificate from `Let's
|
||||
encrypt`:
|
||||
|
||||
```bash
|
||||
sudo docker run \
|
||||
-d \
|
||||
--name ftracker \
|
||||
-e DOMAIN=example.com \
|
||||
-e LE_EMAIL=admin@example.com \
|
||||
-p 80:80 \
|
||||
-p 443:443 \
|
||||
-v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
|
||||
fasttube/ftracker
|
||||
ftracker
|
||||
```
|
||||
|
||||
If you want the container to also handle SSL so it can run standalone you need
|
||||
to build it like this:
|
||||
|
||||
```bash
|
||||
# clone, cd into repo
|
||||
sudo docker build . -t ftracker --build-arg DOMAIN=ftracker.example.com
|
||||
```
|
||||
|
||||
And then run it:
|
||||
Otherwise you can run it without SSL (maybe behind your own web+ssl server)
|
||||
using just
|
||||
|
||||
```bash
|
||||
sudo docker run \
|
||||
@ -62,11 +66,12 @@ sudo docker run \
|
||||
ftracker
|
||||
```
|
||||
|
||||
To stop/start the container afterwards, run:
|
||||
To stop/start/uninstall the container afterwards, run:
|
||||
|
||||
```bash
|
||||
docker stop ftracker # might take up to 10 seconds
|
||||
docker start ftracker
|
||||
docker start ftracker # continue runniing
|
||||
docker rm -f ftracker # uninstall
|
||||
```
|
||||
|
||||
### Method B: Manual
|
||||
|
||||
@ -1,11 +1,30 @@
|
||||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
echo " >>> starting nginx <<< "
|
||||
echo " >>> Starting nginx <<< "
|
||||
|
||||
mkdir /run/nginx # needed because of bug in package
|
||||
/usr/sbin/nginx -t
|
||||
/usr/sbin/nginx
|
||||
|
||||
echo " >>> starting uwsgi <<< "
|
||||
echo " >>> Checking / Installing SSL certificate <<< "
|
||||
|
||||
if [[ ${DOMAIN} ]]
|
||||
then
|
||||
echo "Obtaining cert for '${DOMAIN}' ..."
|
||||
echo "Registering with email '${LE_EMAIL}' ..."
|
||||
|
||||
certbot -n \
|
||||
--nginx \
|
||||
--keep-until-expiring \
|
||||
--redirect \
|
||||
--agree-tos \
|
||||
--cert-name ${DOMAIN} \
|
||||
-d ${DOMAIN} \
|
||||
-m ${LE_EMAIL}
|
||||
|
||||
echo "Checked/Installed SSL certificate."
|
||||
fi
|
||||
|
||||
echo " >>> Starting uwsgi <<< "
|
||||
|
||||
/usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini
|
||||
|
||||
@ -1,37 +0,0 @@
|
||||
server {
|
||||
|
||||
listen 443 ssl default_server;
|
||||
|
||||
root /var/www/html/ftracker;
|
||||
|
||||
index index.html index.htm;
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file
|
||||
# If no such file, pass to backend
|
||||
try_files $uri $uri/ $uri.html @api;
|
||||
}
|
||||
|
||||
location @api {
|
||||
include uwsgi_params;
|
||||
# Pass it to the uwsgi server
|
||||
uwsgi_pass unix:///tmp/ftracker.sock;
|
||||
}
|
||||
|
||||
# RIP
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
||||
|
||||
ssl_certificate CERT;
|
||||
ssl_certificate_key KEY;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
|
||||
listen 80 default_server;
|
||||
|
||||
# 308 instead of 301 to prohibit method change on redirect
|
||||
# (some clients change POST to GET on 301, 308 does not allow that)
|
||||
return 308 https://$host$request_uri;
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user