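#!/bin/sh
# Container entrypoint: derive a has-a.name hostname from this host's global
# IPv6 address, obtain a Let's Encrypt certificate for it with the HTTP-01
# webroot challenge, then serve ${wwwroot} over HTTPS with nginx.
#
# Required tools: ip, sipcalc, nginx, certbot, pkill/pgrep.
# Optional hook:  /entrypoint-post-https.sh is run (if executable) once nginx
#                 is up with the certificate.
set -eu

# Print a message to stderr and exit non-zero. Carrying on without a
# certificate would leave the container "up" while serving nothing.
die() {
  printf 'entrypoint: %s\n' "$*" >&2
  exit 1
}

wwwroot=/var/www/https
readonly wwwroot

# First non-loopback, non-link-local IPv6 address (with prefix length) on any
# interface. Only one is used: several addresses would make sipcalc print
# several "Expanded" lines and the joined result would be a garbage hostname.
addr=$(ip -o a | grep inet6 | grep -vE ' lo |fe80' | awk '{ print $4 }' | head -n 1)
[ -n "$addr" ] || die "no global IPv6 address found"

# Fully expanded form (eight groups, leading zeros kept) so the derived name
# is unambiguous.
expanded_addr=$(sipcalc "$addr" | awk '/^Expanded/ { print $4 }')
[ -n "$expanded_addr" ] || die "sipcalc could not expand ${addr}"

# has-a.name resolves <expanded address with ':' replaced by '-'> to that
# address, so this hostname is reachable without any DNS setup.
dnsname=$(printf '%s\n' "$expanded_addr" | sed 's/:/-/g').has-a.name
printf 'Getting certificate for %s\n' "$dnsname"

mkdir -p "${wwwroot}"

# Plain-HTTP vhost: answers the ACME challenge from ${wwwroot} and redirects
# everything else to HTTPS. The heredoc is unquoted so ${dnsname}/${wwwroot}
# expand, therefore nginx's own $host/$request_uri must be escaped or the
# shell replaces them with empty strings and the redirect becomes "https://;".
cat > "/etc/nginx/conf.d/${dnsname}.conf" <<EOF
# required, otherwise nginx complains with > 1 vhost
server_names_hash_bucket_size 128;
server {
  listen 80;
  listen [::]:80;
  server_name ${dnsname};
  location /.well-known/acme-challenge/ {
    root ${wwwroot};
  }
  # Everything else -> ssl
  # (\$host comes from the request's Host header; use \$server_name instead
  # if redirects must only ever point at ${dnsname})
  location / {
    return 301 https://\$host\$request_uri;
  }
}
EOF

mkdir -p /run/nginx
nginx || die "nginx failed to start for the ACME challenge"

# HTTP-01 challenge: Let's Encrypt fetches the token from the vhost above over
# IPv6. Stop here on failure instead of writing an ssl vhost that references
# certificate files which do not exist (nginx would then refuse to start).
certbot certonly --agree-tos \
  --register-unsafely-without-email \
  --non-interactive \
  --webroot --webroot-path "${wwwroot}" \
  -d "${dnsname}" || die "certbot failed for ${dnsname}"

# HTTPS vhost; TLS parameters and extra directives come from https.conf.
cat > "/etc/nginx/conf.d/${dnsname}_ssl.conf" <<EOF
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  ssl_certificate /etc/letsencrypt/live/${dnsname}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${dnsname}/privkey.pem;
  server_name ${dnsname};
  root ${wwwroot};
  include /etc/nginx/https.conf;
}
EOF

# create empty file - can be overriden by others
touch /etc/nginx/https.conf

# Do not overwrite if external volume is used!
if [ ! -e "${wwwroot}/index.html" ]; then
  cat > "${wwwroot}/index.html" <<EOF
Welcome to ${dnsname} running with IPv6+LetsEncrypt.
Find more about fully automated docker containers with letsencrypt certificates on
https://ungleich.ch/u/blog/fully-automated-ssl-certificates-for-docker/
EOF
fi

# restart and run now with cert: stop the challenge-only instance and wait
# until its processes are really gone (a fixed sleep raced the new start).
# pkill returns 1 when nothing matched, which is fine here.
pkill nginx || true
waited=0
while pgrep -x nginx >/dev/null; do
  waited=$((waited + 1))
  [ "$waited" -lt 30 ] || die "old nginx did not exit"
  sleep 1
done
nginx || die "nginx failed to start with the certificate"

# Optional per-deployment hook; its failure is reported but does not stop the
# container, as before.
if [ -x /entrypoint-post-https.sh ]; then
  /entrypoint-post-https.sh \
    || printf 'entrypoint: post-https hook exited with status %s\n' "$?" >&2
fi

# == sleep infinity, however infinity is not supported in this image!
# cat -- works if stdin does not close
# wait forever by tailing /dev/null - also nice
tail -f /dev/null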