Merge pull request #616 from notional-labs/feat/certbot-renew
add: certbot renew script & cronjob script
Showing
2 changed files
with
203 additions
and
0 deletions.
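--- a/certbot-renew.sh
+++ b/certbot-renew.sh
@@ -0,0 +1,153 @@
+#!/bin/bash
+
+####################################################################################################
+# VARIABLES
+####################################################################################################
+
+# Color
+black='\033[0;30m'
+red='\033[0;31m'
+green='\033[0;32m'
+orange='\033[0;33m'
+blue='\033[0;34m'
+purple='\033[0;35m'
+cyan='\033[0;36m'
+gray='\033[0;37m'
+gray2='\033[1;30m'
+red2='\033[1;31m'
+green2='\033[1;32m'
+yellow='\033[1;33m'
+blue2='\033[1;34m'
+purple2='\033[1;35m'
+cyan2='\033[1;36m'
+white='\033[1;37m'
+nc='\033[0m' # No Color
+
+# napi_proxy for notionalapi.net
+CONTAINER_NAME=$1
+DOMAIN=$2
+
+# Basic variables for certbot
+CREDENTIAL_PATH="./cloudflare.ini"
+CERTBOT_DIR="/tmp/certbot"
+CERTBOT_SERVER="https://acme-v02.api.letsencrypt.org/directory"
+
+####################################################################################################
+# FUNCTIONS
+####################################################################################################
+
+# Get configs
+agent_id=$(docker ps -aqf "name=agent")
+# DOMAINS=$(docker exec $agent_id curl -s "http://tasks.web_config/config/cloudflare.domains")
+EMAILS=$(docker exec $agent_id curl -s "http://tasks.web_config/config/cloudflare.$DOMAIN.emails")
+CREDENTIAL=$(docker exec $agent_id curl -s "http://tasks.web_config/config/cloudflare.$DOMAIN.credential")
+DOMAINS="*.${DOMAIN}"
+
+# install binary if not exist
+install_binary_if_not_exist () {
+
+local BINARY=$1
+local FUNCTION=$2
+
+if command -v ${BINARY} &> /dev/null; then
+continue
+else
+$FUNCTION
+fi
+}
+
+# install pip package if not exist
+install_package_if_not_exist () {
+
+local PACKAGE_NAME=$1
+local FUNCTION=$2
+
+if pip show "$PACKAGE_NAME" &> /dev/null; then
+continue
+else
+$FUNCTION
+fi
+
+}
+
+# Install pip binary function
+install_pip_binary () {
+curl -O https://bootstrap.pypa.io/get-pip.py
+python get-pip.py --break-system-package
+}
+
+# Install certbot dns cloudflare function
+install_certbot_dns_cloudflare () {
+pip install certbot-dns-cloudflare --break-system-package
+}
+
+# Obtain certificates function
+obtain_certs () {
+
+local DOMAINS=$1
+local EMAILS=$2
+local CERTBOT_DIR=$3
+local CERTBOT_SERVER=$4
+local CREDENTIAL_PATH=$5
+
+certbot certonly \
+--dns-cloudflare \
+--dry-run \
+--dns-cloudflare-credentials $CREDENTIAL_PATH \
+--dns-cloudflare-propagation-seconds 60 \
+--domains $DOMAINS \
+--logs-dir $CERTBOT_DIR \
+--config-dir $CERTBOT_DIR \
+--work-dir $CERTBOT_DIR \
+--email $EMAILS \
+--agree-tos \
+--non-interactive \
+--server $CERTBOT_SERVER \
+
+}
+
+####################################################################################################
+# IMPLEMENTATION
+####################################################################################################
+
+# Install pip and certbot dns cloudflare
+install_binary_if_not_exist pip install_pip_binary
+install_package_if_not_exist certbot-dns-cloudflare install_certbot_dns_cloudflare
+
+# Write credentials to file
+cat << EOF | sudo tee -a $CREDENTIAL_PATH
+$CREDENTIAL
+EOF
+
+# Obtain certifications
+obtain_certs $DOMAINS $EMAILS $CERTBOT_DIR $CERTBOT_SERVER $CREDENTIAL_PATH
+
+# Remove credential after obtain certs
+rm -rf $CREDENTIAL_PATH
+
+# Remove old certificate configs
+docker config rm $PRIVKEY_CONFIG
+docker config rm $FULLCHAIN_CONFIG
+
+# Create new certificate configs
+docker config create $PRIVKEY_CONFIG $CERTBOT_DIR/${DOMAINS}/privkey.pem
+docker config create $FULLCHAIN_CONFIG $CERTBOT_DIR/${DOMAINS}.ventures/fullchain.pem
+
+# Get current timestamp
+TIMESTAMP=`date +"%s-%A-%d-%B-%Y-@-%Hh%Mm%Ss"`
+
+# Get container id
+export SERVICE=$CONTAINER_NAME
+CONTAINER_ID=$(docker ps -a | grep $SERVICE | grep -E "$SERVICE." | awk '{print $1}')
+docker exec $CONTAINER_ID ls
+
+# Backup old certifications
+docker exec $CONTAINER_ID mkdir -p /etc/nginx/$TIMESTAMP
+docker exec $CONTAINER_ID cp /etc/nginx/privkey.pem /etc/nginx/$TIMESTAMP/privkey.pem
+docker exec $CONTAINER_ID cp /etc/nginx/fullchain.pem /etc/nginx/$TIMESTAMP/fullchain.pem
+
+# Update nginx proxy
+docker exec $CONTAINER_ID wget "http://tasks.web_config/config/${DOMAINS}_fullchain.pem" -O /etc/nginx/fullchain.pem
+docker exec $CONTAINER_ID wget "http://tasks.web_config/config/${DOMAINS}_privkey.pem" -O /etc/nginx/privkey.pem
+docker exec $CONTAINER_ID sleep 3
+docker exec $CONTAINER_ID /usr/sbin/nginx -s reload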
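Review bot: The `certbot certonly` call in obtain_certs runs with `--dry-run`, so no certificate is ever written, yet the script then runs `docker config create` on `$CERTBOT_DIR/${DOMAINS}/privkey.pem`, where `$PRIVKEY_CONFIG` and `$FULLCHAIN_CONFIG` are never assigned (both `docker config rm` and `docker config create` get an empty name), `${DOMAINS}` expands unquoted to `*.<domain>` and is treated as a glob rather than the `live/<domain>/` layout certbot uses as far as I know, and the second path hard-codes `.ventures` while the first does not. The Cloudflare token is appended with `sudo tee -a` to the relative `./cloudflare.ini` under the default umask and is only removed at the very end, so with no `set -e` any failure in between leaves it on disk readable by other users; write it with `umask 077; printf '%s\n' "$CREDENTIAL" > "$CREDENTIAL_PATH"` and register `trap 'rm -f -- "$CREDENTIAL_PATH"' EXIT` right after. pip's option is spelled `--break-system-packages` (plural) on both the `get-pip.py` and `pip install` lines, and `continue` in the two install helpers is not inside a loop, so bash only warns there — `return 0` is the intended statement. `docker ps -aqf "name=agent"` and the `grep $SERVICE | grep -E "$SERVICE."` pipeline are substring matches that can yield several ids, which then break the `docker exec` calls; anchoring the filter (`name=^agent$`) or using `docker ps -q --filter` for the service container would make the target unambiguous.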
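--- a/cronjob.sh
+++ b/cronjob.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+####################################################################################################
+# VARIABLES
+####################################################################################################
+CONTAINER_NAME=$1
+DOMAIN=$2
+
+# check for container name
+if [ -z "${CONTAINER_NAME}" ]; then
+echo "missing container name"
+echo "Usage: ./cronjob.sh container_name domain_name"
+echo "Eg: ./cronjob.sh napi_proxy notionalapi.net"
+exit
+fi
+
+# check for domain name
+if [ -z "${DOMAIN}" ]; then
+echo "missing domain name"
+echo "Usage: ./cronjob.sh container_name domain_name"
+echo "Eg: ./cronjob.sh napi_proxy notionalapi.net"
+exit
+fi
+
+# Install cronnie on archlinux
+pacman -Syyu --noconfirm
+pacman -Sy cronie --noconfirm
+
+# Enable cronnie on archlinux
+sudo systemctl enable cronie
+sudo systemctl start cronie
+
+# Add new cronjob
+rm -rf $HOME/cron/*
+mkdir -p $HOME/cron
+cp -f ./certbot-renew.sh $HOME/cron/certbot-renew
+
+# Your task here
+echo "Task is running at $(date)"
+
+# Calculate the next run date (30 days from now)
+NEXT_RUN_DATE=$(date -d "30 days" "+%Y-%m-%d %H:%M:%S")
+
+# Convert next run date to cron format
+NEXT_RUN_CRON=$(date -d "$NEXT_RUN_DATE" "+%M %H %d %m *")
+
+# Schedule the next run
+(crontab -l ; echo "$NEXT_RUN_CRON /bin/sh $HOME/cron/certbot-renew.sh $CONTAINER_NAME $DOMAIN") | crontab -
+
+echo "Next run scheduled for $NEXT_RUN_DATE"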
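Review bot: The crontab entry on the `| crontab -` line invokes `/bin/sh $HOME/cron/certbot-renew.sh`, but the `cp -f` line above installs the script as `$HOME/cron/certbot-renew` without the `.sh` suffix, so the scheduled job points at a file that does not exist; the renew script in this same commit is also `#!/bin/bash` and relies on `local` and `&>`, which `/bin/sh` does not interpret the same way, so the two lines should be `cp -f ./certbot-renew.sh "$HOME/cron/certbot-renew.sh"` and `(crontab -l ; echo "$NEXT_RUN_CRON /bin/bash $HOME/cron/certbot-renew.sh $CONTAINER_NAME $DOMAIN") | crontab -`. The cron spec produced by `"+%M %H %d %m *"` has no year field, so the entry fires on that day and month every year rather than every 30 days, nothing in the renew script re-schedules the next run, and every execution of this installer appends one more line to the crontab without removing the previous one. Both usage checks end in a bare `exit`, which returns status 0 and hides the misuse from a caller; use `exit 1` there. `pacman -Syyu --noconfirm` performs a full unattended system upgrade as a side effect of installing cron — `pacman -S --needed --noconfirm cronie` limits the change to what the script needs, and it is the one privileged step here run without the `sudo` used for `systemctl`.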