Transition to split containers, remove certbot in favour of externally-supplied certs
parent
c7be994710
commit
4d3a1cd274
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
|
||||
|
||||
if test -f "$CERT_PATH"; then
|
||||
prosodyctl --root cert import /snikket/letsencrypt/live
|
||||
exit 0;
|
||||
fi
|
||||
|
||||
while sleep 10; do
|
||||
if test -f "$CERT_PATH"; then
|
||||
prosodyctl --root cert import /snikket/letsencrypt/live
|
||||
exit 0;
|
||||
fi
|
||||
done
|
|
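Review bot: The loop at `while sleep 10; do` waits only for cert.pem, and the `exit 0;` after each `prosodyctl --root cert import` discards prosodyctl's status, so a failed import still reports success to supervisord — for instance when a cert supplier writes cert.pem before privkey.pem, or when SNIKKET_DOMAIN is unset and CERT_PATH collapses to `/snikket/letsencrypt/live//cert.pem` and the script polls forever without a message. I assume prosodyctl needs the private key alongside the certificate (worth confirming), so the readiness test should cover both files, the domain should be validated up front, and the import's exit code should become the script's. The initial `if` block also duplicates the loop body; a single `until` loop covers both cases, as below.
```bash
#!/bin/bash
set -eu

: "${SNIKKET_DOMAIN:?SNIKKET_DOMAIN must be set}"
LIVE_DIR="/snikket/letsencrypt/live"
CERT_PATH="$LIVE_DIR/$SNIKKET_DOMAIN/cert.pem"
KEY_PATH="$LIVE_DIR/$SNIKKET_DOMAIN/privkey.pem"

# Poll until both the certificate and its key are present, then hand over
# to the import so its exit status is what supervisord sees.
until test -f "$CERT_PATH" && test -f "$KEY_PATH"; do
    sleep 10
done
exec prosodyctl --root cert import "$LIVE_DIR"
```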
@ -1,13 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
su letsencrypt -- -c "certbot certonly -n --webroot --webroot-path /var/www \
|
||||
--cert-path /etc/ssl/certbot \
|
||||
--keep $SNIKKET_CERTBOT_OPTIONS \
|
||||
--agree-tos --email \"$SNIKKET_ADMIN_EMAIL\" --expand \
|
||||
--allow-subset-of-names \
|
||||
--config-dir /snikket/letsencrypt \
|
||||
--domain \"$SNIKKET_DOMAIN\" --domain \"share.$SNIKKET_DOMAIN\" \
|
||||
--domain \"groups.$SNIKKET_DOMAIN\"
|
||||
"
|
||||
|
||||
prosodyctl --root cert import /snikket/letsencrypt/live
|
|
@ -1,5 +1,23 @@
|
|||
local DOMAIN = assert(ENV_SNIKKET_DOMAIN, "Please set the SNIKKET_DOMAIN environment variable")
|
||||
|
||||
if prosody.process_type == "prosody" and not prosody.config_loaded then
|
||||
-- Wait at startup for certificates
|
||||
local lfs, socket = require "lfs", require "socket";
|
||||
local cert_path = "/etc/prosody/certs/"..DOMAIN..".crt";
|
||||
local counter = 0;
|
||||
while not lfs.attributes(cert_path, "mode") do
|
||||
counter = counter + 1;
|
||||
if counter == 1 or counter%6 == 0 then
|
||||
print("Waiting for certificates...");
|
||||
elseif counter > 60 then
|
||||
print("No certificates found... exiting");
|
||||
os.exit(1);
|
||||
end
|
||||
socket.sleep(5);
|
||||
end
|
||||
_G.ltn12 = require "ltn12";
|
||||
end
|
||||
|
||||
daemonize = false
|
||||
network_backend = "epoll"
|
||||
|
||||
|
|
|
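Review bot: The readiness loop at `while not lfs.attributes(cert_path, "mode") do` checks only `DOMAIN.crt`, so if the importer writes the certificate before its key, Prosody passes this guard with no `DOMAIN.key` yet — I am assuming `prosodyctl cert import` writes `.crt` and `.key` side by side, which is worth confirming. Suggest `local key_path = "/etc/prosody/certs/"..DOMAIN..".key";` and `while not (lfs.attributes(cert_path, "mode") and lfs.attributes(key_path, "mode")) do`. The timing is buried in magic numbers: with `socket.sleep(5)`, `counter%6 == 0` logs every 30 s and `counter > 60` gives up after about five minutes, so a header comment such as `-- Poll every 5 s, log every 30 s, give up after ~5 min (exit 1 so the supervisor notices)` would help the next reader. A one-line comment on why `_G.ltn12 = require "ltn12"` deliberately creates a global at config-load time would help too.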
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
prosodyctl --root cert import /snikket/letsencrypt/live
|
|
@ -33,3 +33,11 @@ stdout_logfile=/dev/stdout
|
|||
stdout_logfile_maxbytes=0
|
||||
redirect_stderr=true
|
||||
umask=002
|
||||
|
||||
[program:cert-monitor]
|
||||
command=cert-monitor.sh
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
redirect_stderr=true
|
||||
umask=002
|
||||
|
||||
|
|
|
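Review bot: `[program:cert-monitor]` sets neither `autorestart` nor `startsecs`, yet cert-monitor.sh exits as soon as the certificates are imported — when they already exist that is well under supervisord's default `startsecs=1`, which, as far as I recall, supervisord counts as a failed start, retries, and finally logs as FATAL. For a one-shot job the section should say so explicitly: `startsecs=0` and `autorestart=false`. `command=cert-monitor.sh` also relies on a PATH lookup in supervisord's environment; an absolute path (matching however the other programs in this file, outside the hunk, are invoked) avoids that silent dependency.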
@ -1,33 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Install certbot
|
||||
apt:
|
||||
name: certbot
|
||||
state: present
|
||||
install_recommends: no
|
||||
- name: Create directory for certs
|
||||
file:
|
||||
state: directory
|
||||
path: /etc/ssl/certbot
|
||||
- name: Install certbot cron script
|
||||
copy:
|
||||
src: ../files/certbot.cron
|
||||
dest: /etc/cron.daily/certbot
|
||||
src: ../files/refresh-certs.cron
|
||||
dest: /etc/cron.daily/refresh-certs
|
||||
mode: 0555
|
||||
- name: Create letsencrypt group
|
||||
group:
|
||||
name: letsencrypt
|
||||
system: yes
|
||||
- name: Create letsencrypt user
|
||||
user:
|
||||
name: letsencrypt
|
||||
group: letsencrypt
|
||||
system: yes
|
||||
home: /snikket/letsencrypt
|
||||
- name: Create directory for challenges
|
||||
file:
|
||||
state: directory
|
||||
path: /var/www/.well-known
|
||||
owner: letsencrypt
|
||||
group: letsencrypt
|
||||
mode: 0755
|
||||
|
|
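Review bot: The surviving task is still named `Install certbot cron script` while it now copies `../files/refresh-certs.cron` to `/etc/cron.daily/refresh-certs`, so play output will keep mentioning certbot after certbot is gone; rename it, e.g. `- name: Install certificate refresh cron script`. The hunk also removes the `letsencrypt` user and group, the `/snikket/letsencrypt` home and `/var/www/.well-known`, so nothing in this play now creates `/snikket/letsencrypt/live` or sets its ownership, even though the import scripts read from it — presumably the external certificate supplier is responsible for that, which is worth stating in the role's README.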