diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72c7afea..93ec5911 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@
 - Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
 - Fix config files overwrite when using Docker autoconf
 - Add log_default() plugin hook
-- Add certbot-dns-ovh example
+- Add various certbot-dns examples
 - Force NGINX version dependencies in Linux packages DEB/RPM
 - Add Discord to supported plugins
diff --git a/examples/certbot-dns-cloudflare/README.md b/examples/certbot-dns-cloudflare/README.md
new file mode 100644
index 00000000..470e58cd
--- /dev/null
+++ b/examples/certbot-dns-cloudflare/README.md
@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit CloudFlare credentials in cloudflare.ini file (generate using https://dash.cloudflare.com/?to=/:account/profile/api-tokens)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`
diff --git a/examples/certbot-dns-cloudflare/cloudflare.ini b/examples/certbot-dns-cloudflare/cloudflare.ini
new file mode 100644
index 00000000..0fc4b1da
--- /dev/null
+++ b/examples/certbot-dns-cloudflare/cloudflare.ini
@@ -0,0 +1,5 @@
+# Cloudflare API token used by Certbot (recommended)
+dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef012345671
+# Cloudflare API credentials used by Certbot (not recommended)
+#dns_cloudflare_email = cloudflare@example.com
+#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef012341
diff --git a/examples/certbot-dns-cloudflare/docker-compose.yml b/examples/certbot-dns-cloudflare/docker-compose.yml
new file mode 100644
index 00000000..bb20aedd
--- /dev/null
+++ b/examples/certbot-dns-cloudflare/docker-compose.yml
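Review bot: cloudflare.ini will hold a live API token, is bind-mounted into the container with whatever mode it has on the host, and says nothing about how to protect or scope that token; certbot's DNS plugins warn when the credentials file is group- or world-readable. Add above `dns_cloudflare_api_token` a comment such as `# Scope this token to Zone:DNS:Edit on the zone(s) being validated only; keep the file private (chmod 600) and never commit a real token`. The commented-out email/global API key pair grants full account access, which is the reason it is marked "not recommended" — worth saying so in that comment as well.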
@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ # ⚠️ read this if you use local folders for volumes ⚠️
+ # bunkerweb runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
+ # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+ # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+ # more info at https://docs.bunkerweb.io
+ volumes:
+ - bw_data:/data
+ - certs:/certs
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_REVERSE_PROXY=yes
+ - USE_CUSTOM_HTTPS=yes
+ - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+ - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+ - app1.example.com_REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://app1
+ - app2.example.com_REVERSE_PROXY_URL=/
+ - app2.example.com_REVERSE_PROXY_HOST=http://app2
+ - app3.example.com_REVERSE_PROXY_URL=/
+ - app3.example.com_REVERSE_PROXY_HOST=http://app3
+ networks:
+ - net_app1
+ - net_app2
+ - net_app3
+
+ mycertbot:
+ image: certbot/dns-cloudflare
+ environment:
+ - DOMAINS=*.example.com,example.com
+ - EMAIL=contact@example.com
+ volumes:
+ - certs:/etc/letsencrypt
+ - ./cloudflare.ini:/opt/cloudflare.ini
+ - ./entrypoint.sh:/opt/entrypoint.sh
+ entrypoint: /bin/sh /opt/entrypoint.sh
+
+ app1:
+ image: tutum/hello-world
+ networks:
+ - net_app1
+
+ app2:
+ image: tutum/hello-world
+ networks:
+ - net_app2
+
+ app3:
+ image: tutum/hello-world
+ networks:
+ - net_app3
+
+volumes:
+ bw_data:
+ certs:
+
+networks:
+ net_app1:
+ net_app2:
+ net_app3:
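Review bot: `mycertbot` has no `restart:` policy, yet its entrypoint (entrypoint.sh in this commit) exits after a single `sleep 86400`, so the container stops after one day, `certbot renew` never runs again and the certificate simply expires after 90 days. Add `restart: unless-stopped` under `mycertbot`. `image: certbot/dns-cloudflare` is also unpinned (`latest`) while `bunkerity/bunkerweb:1.4.1` is pinned; pinning a tag or digest keeps the example reproducible. Since bunkerweb only reads the certificates here, the volume can be mounted read-only on that side: `- certs:/certs:ro`.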
diff --git a/examples/certbot-dns-cloudflare/entrypoint.sh b/examples/certbot-dns-cloudflare/entrypoint.sh
new file mode 100644
index 00000000..7b57e760
--- /dev/null
+++ b/examples/certbot-dns-cloudflare/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+ EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+ echo "Renewing certificates ..."
+ certbot renew
+else
+ echo "Asking for certificates ..."
+ certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /opt/cloudflare.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400
diff --git a/examples/certbot-dns-digitalocean/README.md b/examples/certbot-dns-digitalocean/README.md
new file mode 100644
index 00000000..cb6723b2
--- /dev/null
+++ b/examples/certbot-dns-digitalocean/README.md
@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-digitalocean documentation](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit DigitalOcean credentials in digitalocean.ini file (generate using https://cloud.digitalocean.com/settings/api/tokens)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`
diff --git a/examples/certbot-dns-digitalocean/digitalocean.ini b/examples/certbot-dns-digitalocean/digitalocean.ini
new file mode 100644
index 00000000..fb8e0277
--- /dev/null
+++ b/examples/certbot-dns-digitalocean/digitalocean.ini
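Review bot: `echo -n $DOMAINS` leaves `$DOMAINS` unquoted, so the shell applies pathname expansion to it and the leading `*` in `*.example.com,example.com` is replaced by any matching file in the working directory; `first_domain` would then be wrong and the `live/<first_domain>` path that bunkerweb's `CUSTOM_HTTPS_CERT` expects would not exist. Quote it (and prefer printf over `echo -n`): `first_domain="$(printf '%s' "$DOMAINS" | cut -d ',' -f 1 | sed 's/*\.//g')"`. The same line appears in every certbot-dns entrypoint added in this commit. Neither certbot call checks its exit status either, so a failed issuance still falls through to `chown`/`chmod` and a 24-hour sleep; a trailing `|| echo "certbot failed" >&2` would at least make that visible in the logs.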
@@ -0,0 +1,2 @@
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
diff --git a/examples/certbot-dns-digitalocean/docker-compose.yml b/examples/certbot-dns-digitalocean/docker-compose.yml
new file mode 100644
index 00000000..a1791f00
--- /dev/null
+++ b/examples/certbot-dns-digitalocean/docker-compose.yml
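Review bot: the value of `dns_digitalocean_token` is a personal access token that, at least historically, carries write scope over the whole account rather than just DNS, and the file is bind-mounted into the container with its host permissions. Replace the one-line header with something that tells the reader what they are handling: `# DigitalOcean personal access token (write scope, account-wide): keep this file private (chmod 600) and never commit a real value`. certbot's DNS plugins warn when the credentials file is readable by others, which is a good reason to make the chmod part of the documented procedure.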
@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ # ⚠️ read this if you use local folders for volumes ⚠️
+ # bunkerweb runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
+ # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+ # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+ # more info at https://docs.bunkerweb.io
+ volumes:
+ - bw_data:/data
+ - certs:/certs
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_REVERSE_PROXY=yes
+ - USE_CUSTOM_HTTPS=yes
+ - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+ - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+ - app1.example.com_REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://app1
+ - app2.example.com_REVERSE_PROXY_URL=/
+ - app2.example.com_REVERSE_PROXY_HOST=http://app2
+ - app3.example.com_REVERSE_PROXY_URL=/
+ - app3.example.com_REVERSE_PROXY_HOST=http://app3
+ networks:
+ - net_app1
+ - net_app2
+ - net_app3
+
+ mycertbot:
+ image: certbot/dns-digitalocean
+ environment:
+ - DOMAINS=*.example.com,example.com
+ - EMAIL=contact@example.com
+ volumes:
+ - certs:/etc/letsencrypt
+ - ./digitalocean.ini:/opt/digitalocean.ini
+ - ./entrypoint.sh:/opt/entrypoint.sh
+ entrypoint: /bin/sh /opt/entrypoint.sh
+
+ app1:
+ image: tutum/hello-world
+ networks:
+ - net_app1
+
+ app2:
+ image: tutum/hello-world
+ networks:
+ - net_app2
+
+ app3:
+ image: tutum/hello-world
+ networks:
+ - net_app3
+
+volumes:
+ bw_data:
+ certs:
+
+networks:
+ net_app1:
+ net_app2:
+ net_app3:
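Review bot: `mycertbot` is declared without a `restart:` policy although its entrypoint ends with `sleep 86400` and then exits, so after the first day the container sits in the exited state and renewal never runs; add `restart: unless-stopped` under `mycertbot`. The two bind mounts only need to be read by the container, so they can be hardened to `- ./digitalocean.ini:/opt/digitalocean.ini:ro` and `- ./entrypoint.sh:/opt/entrypoint.sh:ro`, which stops a compromised certbot process from rewriting the host-side script. `certbot/dns-digitalocean` is pulled as `latest`; pin a tag or digest as is already done for `bunkerity/bunkerweb:1.4.1`.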
diff --git a/examples/certbot-dns-digitalocean/entrypoint.sh b/examples/certbot-dns-digitalocean/entrypoint.sh
new file mode 100644
index 00000000..52f7abdd
--- /dev/null
+++ b/examples/certbot-dns-digitalocean/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+ EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+ echo "Renewing certificates ..."
+ certbot renew
+else
+ echo "Asking for certificates ..."
+ certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400
diff --git a/examples/certbot-dns-google/README.md b/examples/certbot-dns-google/README.md
new file mode 100644
index 00000000..7a5ef11d
--- /dev/null
+++ b/examples/certbot-dns-google/README.md
@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-google documentation](https://certbot-dns-google.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit Google credentials in google.json file (generate using https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`
diff --git a/examples/certbot-dns-google/docker-compose.yml b/examples/certbot-dns-google/docker-compose.yml
new file mode 100644
index 00000000..9f1ff970
--- /dev/null
+++ b/examples/certbot-dns-google/docker-compose.yml
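Review bot: neither `certbot renew` nor `certbot certonly` has its exit status checked, so a revoked token or a DNS propagation failure is followed by `Fixing permissions ...`, `Certbot ended, sleeping for 24 hours` and a silent day-long wait; the log reads like success and the `-n` flag guarantees certbot will not pause to tell anyone. Append a diagnostic to each call, e.g. `certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS" || echo "certbot certonly failed, retrying in 24 hours" >&2`, and the same `|| echo ... >&2` on `certbot renew`. Do not turn this into `exit 1`: under a restart policy that would retry in a tight loop and run into Let's Encrypt's failed-validation rate limit, so keeping the sleep on failure is the right shape.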
@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ # ⚠️ read this if you use local folders for volumes ⚠️
+ # bunkerweb runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
+ # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+ # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+ # more info at https://docs.bunkerweb.io
+ volumes:
+ - bw_data:/data
+ - certs:/certs
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_REVERSE_PROXY=yes
+ - USE_CUSTOM_HTTPS=yes
+ - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+ - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+ - app1.example.com_REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://app1
+ - app2.example.com_REVERSE_PROXY_URL=/
+ - app2.example.com_REVERSE_PROXY_HOST=http://app2
+ - app3.example.com_REVERSE_PROXY_URL=/
+ - app3.example.com_REVERSE_PROXY_HOST=http://app3
+ networks:
+ - net_app1
+ - net_app2
+ - net_app3
+
+ mycertbot:
+ image: certbot/dns-google
+ environment:
+ - DOMAINS=*.example.com,example.com
+ - EMAIL=contact@example.com
+ volumes:
+ - certs:/etc/letsencrypt
+ - ./google.json:/opt/google.json
+ - ./entrypoint.sh:/opt/entrypoint.sh
+ entrypoint: /bin/sh /opt/entrypoint.sh
+
+ app1:
+ image: tutum/hello-world
+ networks:
+ - net_app1
+
+ app2:
+ image: tutum/hello-world
+ networks:
+ - net_app2
+
+ app3:
+ image: tutum/hello-world
+ networks:
+ - net_app3
+
+volumes:
+ bw_data:
+ certs:
+
+networks:
+ net_app1:
+ net_app2:
+ net_app3:
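Review bot: `CUSTOM_HTTPS_CERT` and `CUSTOM_HTTPS_KEY` hard-code `live/example.com/`, but that directory name is derived in entrypoint.sh from the first entry of `mycertbot`'s `DOMAINS` with the leading `*.` stripped, and the README only tells the user to "edit domains"; anyone who changes `DOMAINS` without also changing these two paths gets a bunkerweb container that cannot find its certificate. Add a comment above them: `# must match the first domain in mycertbot's DOMAINS below, without the leading "*."`. `mycertbot` also needs `restart: unless-stopped`, since its entrypoint exits after `sleep 86400` and renewals stop otherwise, and `./google.json` holds a service-account private key, so mount it `:ro`.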
diff --git a/examples/certbot-dns-google/entrypoint.sh b/examples/certbot-dns-google/entrypoint.sh
new file mode 100644
index 00000000..5efac7dd
--- /dev/null
+++ b/examples/certbot-dns-google/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+ EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+ echo "Renewing certificates ..."
+ certbot renew
+else
+ echo "Asking for certificates ..."
+ certbot certonly -n --dns-google --dns-google-credentials /opt/google.json --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400
diff --git a/examples/certbot-dns-google/google.json b/examples/certbot-dns-google/google.json
new file mode 100644
index 00000000..1cf0be47
--- /dev/null
+++ b/examples/certbot-dns-google/google.json
@@ -0,0 +1,12 @@
+{
+ "type": "service_account",
+ "project_id": "...",
+ "private_key_id": "...",
+ "private_key": "...",
+ "client_email": "...",
+ "client_id": "...",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://accounts.google.com/o/oauth2/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_x509_cert_url": "..."
+}
diff --git a/examples/certbot-dns-ovh/README.md b/examples/certbot-dns-ovh/README.md
index 931b494e..8b685152 100644
--- a/examples/certbot-dns-ovh/README.md
+++ b/examples/certbot-dns-ovh/README.md
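Review bot: `chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt` gives the bunkerweb user (GID 101) write access to every private key and to the ACME account key under `accounts/`, while bunkerweb only needs to read `live/` and `archive/`; a compromised nginx worker could then replace keys or the account credentials. Limit both the scope and the mode: `chown -R 0:101 /etc/letsencrypt/live /etc/letsencrypt/archive && chmod -R u=rwX,g=rX,o= /etc/letsencrypt/live /etc/letsencrypt/archive` (busybox chmod accepts these symbolic modes). This assumes `/etc/letsencrypt` itself remains traversable by group 101, which I believe is the default mode certbot creates it with — confirm on this image before relying on it. Since `chown`/`chmod` run unconditionally, they also execute after a failed `certbot` call, so the exit status of the certbot commands is worth checking too.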
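Review bot: google.json will hold a long-lived service-account private key, and as strict JSON it has nowhere to carry a warning, so the caveat belongs in the README step that tells the user to edit it: keep the real file out of version control (a `.gitignore` entry next to it), `chmod 600` it, and grant the service account only the DNS Administrator role on the project, per the certbot-dns-google documentation, rather than a project-wide editor/owner role. The `"..."` placeholders are fine as they stand.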
@@ -2,6 +2,6 @@ Please have a look at the [certbot-dns-ovh documentation](https://certbot-dns-ov
 
 Procedure :
 - Edit domains in the compose file
-- Edit OVH infos (use https://eu.api.ovh.com/createToken/)
+- Edit OVH credentials in ovh.ini file (generate using https://eu.api.ovh.com/createToken/)
 - Run certbot only and wait for certificate to be generated : `docker-compose up -d mycertbot`
 - When certificates are generated, run your services : `docker-compose up -d`
diff --git a/examples/certbot-dns-ovh/entrypoint.sh b/examples/certbot-dns-ovh/entrypoint.sh
index ec13dc11..0283814c 100644
--- a/examples/certbot-dns-ovh/entrypoint.sh
+++ b/examples/certbot-dns-ovh/entrypoint.sh
@@ -12,7 +12,7 @@ if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
 certbot renew
 else
 echo "Asking for certificates ..."
- certbot certonly --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+ certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
 fi
 
 echo "Fixing permissions ..."
diff --git a/examples/certbot-dns-route53/README.md b/examples/certbot-dns-route53/README.md
new file mode 100644
index 00000000..48e46611
--- /dev/null
+++ b/examples/certbot-dns-route53/README.md
@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-route53 documentation](https://certbot-dns-route53.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit AWS credentials in aws.ini file (generate using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`
diff --git a/examples/certbot-dns-route53/aws.ini b/examples/certbot-dns-route53/aws.ini
new file mode 100644
index 00000000..b3987ba3
--- /dev/null
+++ b/examples/certbot-dns-route53/aws.ini
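Review bot: the `certbot certonly -n ...` call only ever runs while `live/${first_domain}/fullchain.pem` is absent (the `if` that decides this starts above the hunk), so once a certificate exists, adding a name to `DOMAINS` never reaches certbot again and `certbot renew` will keep renewing the old name set. A single unconditional call handles first issuance, expansion and renewal without the file test: `certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos --keep-until-expiring --expand -d "$DOMAINS"`, where `--keep-until-expiring` leaves a still-valid matching certificate alone and `--expand` replaces one whose names are a strict subset. Adding `-n` is right, but it also means a prompt now becomes a non-zero exit, and that status is discarded before the script falls through to the permission fix; a `|| echo "certbot failed" >&2` after the call would surface it.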
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/examples/certbot-dns-route53/docker-compose.yml b/examples/certbot-dns-route53/docker-compose.yml
new file mode 100644
index 00000000..2a9d48cb
--- /dev/null
+++ b/examples/certbot-dns-route53/docker-compose.yml
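Review bot: the `[default]` profile gives no hint about how much power the key it will hold should have, and whoever can read this bind mount gets the same rights; with an admin or broad Route 53 key that is control over every hosted zone in the account. The two placeholder values are AWS's documented example keys, which is fine, but add above the profile `# Use an IAM user limited to route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets on the hosted zone being validated (see the policy sample in the certbot-dns-route53 docs); chmod 600 this file and never commit real keys`. Note that the entrypoint exposes this file through `AWS_CONFIG_FILE`; boto accepts credentials there, but `AWS_SHARED_CREDENTIALS_FILE` is the conventional variable for a credentials-only file and is worth a comment here so nobody "fixes" the variable name without updating both.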
@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ # ⚠️ read this if you use local folders for volumes ⚠️
+ # bunkerweb runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
+ # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+ # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+ # more info at https://docs.bunkerweb.io
+ volumes:
+ - bw_data:/data
+ - certs:/certs
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_REVERSE_PROXY=yes
+ - USE_CUSTOM_HTTPS=yes
+ - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+ - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+ - app1.example.com_REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://app1
+ - app2.example.com_REVERSE_PROXY_URL=/
+ - app2.example.com_REVERSE_PROXY_HOST=http://app2
+ - app3.example.com_REVERSE_PROXY_URL=/
+ - app3.example.com_REVERSE_PROXY_HOST=http://app3
+ networks:
+ - net_app1
+ - net_app2
+ - net_app3
+
+ mycertbot:
+ image: certbot/dns-google
+ environment:
+ - DOMAINS=*.example.com,example.com
+ - EMAIL=contact@example.com
+ volumes:
+ - certs:/etc/letsencrypt
+ - ./aws.ini:/opt/aws.ini
+ - ./entrypoint.sh:/opt/entrypoint.sh
+ entrypoint: /bin/sh /opt/entrypoint.sh
+
+ app1:
+ image: tutum/hello-world
+ networks:
+ - net_app1
+
+ app2:
+ image: tutum/hello-world
+ networks:
+ - net_app2
+
+ app3:
+ image: tutum/hello-world
+ networks:
+ - net_app3
+
+volumes:
+ bw_data:
+ certs:
+
+networks:
+ net_app1:
+ net_app2:
+ net_app3:
diff --git a/examples/certbot-dns-route53/entrypoint.sh b/examples/certbot-dns-route53/entrypoint.sh
new file mode 100644
index 00000000..6036ef9c
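Review bot: `mycertbot` in the route53 example uses `image: certbot/dns-google`, which does not ship the route53 plugin, so the `certbot certonly -n --dns-route53` call in the accompanying entrypoint.sh will fail because the authenticator is not installed; this looks like a copy-paste leftover from the google example and should read `image: certbot/dns-route53`. As in the other examples, the service also needs `restart: unless-stopped`, because the entrypoint exits after `sleep 86400` and renewal otherwise never runs again. Pin the certbot image tag or digest as well, since `bunkerity/bunkerweb:1.4.1` already is.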
--- /dev/null
+++ b/examples/certbot-dns-route53/entrypoint.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+ EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+ echo "Renewing certificates ..."
+ certbot renew
+else
+ echo "Asking for certificates ..."
+ export AWS_CONFIG_FILE=/opt/aws.ini
+ certbot certonly -n --dns-route53 --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400
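Review bot: `export AWS_CONFIG_FILE=/opt/aws.ini` is placed inside the `else` branch, so on every run after the first — the `certbot renew` branch — the variable is unset, boto falls back to `~/.aws`, which does not exist in the container, and the route53 authenticator (which is invoked again for every renewal) fails for lack of credentials. Move the export above the `if`, for example directly after the `fi` that defaults `EMAIL`, so both branches see it: `export AWS_CONFIG_FILE=/opt/aws.ini`. The same unquoted `echo -n $DOMAINS` as in the other entrypoints is here too; the `*` is subject to pathname expansion and should be quoted, `printf '%s' "$DOMAINS"`.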