-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
114 lines (106 loc) · 5.22 KB
/
docker-compose.yml
File metadata and controls
114 lines (106 loc) · 5.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
services:
certbot:
image: certbot/dns-cloudflare:latest
entrypoint: []
command:
- /bin/sh
- -euxc
- |
echo "Certbot: starting for DOMAIN=${DOMAIN}"
if [ -z "${DOMAIN:-}" ] || [ -z "${LETSENCRYPT_EMAIL:-}" ]; then
echo "Certbot: DOMAIN and LETSENCRYPT_EMAIL must be set"; sleep 3600; exit 1; fi
# Check if CloudFlare API token is provided
if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
echo "Certbot: Using CloudFlare DNS plugin"
# Create CloudFlare credentials file
mkdir -p /etc/letsencrypt
echo "dns_cloudflare_api_token = ${CLOUDFLARE_API_TOKEN}" > /etc/letsencrypt/cloudflare.ini
chmod 600 /etc/letsencrypt/cloudflare.ini
# Initial certificate request with DNS challenge
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
--non-interactive --agree-tos -m "${LETSENCRYPT_EMAIL}" -d "${DOMAIN}" \
--keep-until-expiring || true
# Export readable copies for mm2 (avoid archive symlink/permissions)
mkdir -p /etc/letsencrypt/export/"${DOMAIN}"
cp -L /etc/letsencrypt/live/"${DOMAIN}"/fullchain.pem /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
cp -L /etc/letsencrypt/live/"${DOMAIN}"/privkey.pem /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
chmod 644 /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
chmod 600 /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
while :; do
echo "Certbot: running renewal check..."
certbot renew --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
--no-random-sleep-on-renew || true
mkdir -p /etc/letsencrypt/export/"${DOMAIN}"
cp -L /etc/letsencrypt/live/"${DOMAIN}"/fullchain.pem /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
cp -L /etc/letsencrypt/live/"${DOMAIN}"/privkey.pem /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
chmod 644 /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
chmod 600 /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
sleep 12h
done
else
echo "Certbot: Using standalone mode (port 80 required)"
certbot certonly --standalone --non-interactive --agree-tos \
-m "${LETSENCRYPT_EMAIL}" -d "${DOMAIN}" --keep-until-expiring \
--preferred-challenges http || true
# Export readable copies for mm2 (avoid archive symlink/permissions)
mkdir -p /etc/letsencrypt/export/"${DOMAIN}"
cp -L /etc/letsencrypt/live/"${DOMAIN}"/fullchain.pem /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
cp -L /etc/letsencrypt/live/"${DOMAIN}"/privkey.pem /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
chmod 644 /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
chmod 600 /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
while :; do
echo "Certbot: running renewal check..."
certbot renew --standalone --no-random-sleep-on-renew || true
mkdir -p /etc/letsencrypt/export/"${DOMAIN}"
cp -L /etc/letsencrypt/live/"${DOMAIN}"/fullchain.pem /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
cp -L /etc/letsencrypt/live/"${DOMAIN}"/privkey.pem /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
chmod 644 /etc/letsencrypt/export/"${DOMAIN}"/fullchain.pem || true
chmod 600 /etc/letsencrypt/export/"${DOMAIN}"/privkey.pem || true
sleep 12h
done
fi
environment:
- DOMAIN=${DOMAIN}
- LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
- CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN:-}
- USER_ID=${USER_ID:-1000}
- GROUP_ID=${GROUP_ID:-1000}
# Port 80 is only needed for standalone mode (when CLOUDFLARE_API_TOKEN is not set)
# When using CloudFlare DNS plugin, port 80 is not needed and won't be used.
# Note: docker-compose doesn't support conditional port mapping, so port 80 will be mapped
# but remain unused when DNS plugin is active. To completely disable port mapping,
# you can manually remove this ports section when using DNS plugin.
ports:
- "80:80"
volumes:
- letsencrypt:/etc/letsencrypt
restart: unless-stopped
kdf:
build:
context: .
dockerfile: Dockerfile
args:
USER_ID: ${USER_ID:-1000}
GROUP_ID: ${GROUP_ID:-1000}
user: "0:0"
command: >-
sh -c "until [ -f /etc/letsencrypt/export/${DOMAIN}/fullchain.pem ] &&
[ -f /etc/letsencrypt/export/${DOMAIN}/privkey.pem ]; do
echo 'Waiting for certificates...'; sleep 10; done;
./run_kdf.sh"
environment:
- USERPASS=${USERPASS:-RPC_UserP@SSW0RD}
- DOMAIN=${DOMAIN}
- PASSPHRASE=${PASSPHRASE:-}
- HOME=/home/komodian
volumes:
- .:/home/komodian/kdf
- letsencrypt:/etc/letsencrypt:ro
ports:
- "127.0.0.1:7783:7783"
- "42855:42855"
- "42845:42845"
depends_on:
- certbot
volumes:
letsencrypt: