wip: 使用Dockerfile给certbot的容器添加docker compose命令

Author: cli

.env.default

@@ -51,6 +51,18 @@ WEB_PORT_HTTPS=443
 # jtt808和maintain分开部署时, 必须填写这个变量
 WEB_BASE_URL='' # https://livedvr.tripsdd.com
 
+# certbot的配置
+# 注意: 修改这些配置之后, 必须强制重建(docker compose up --force-recreate certbot), 才会生效
+#
+# DNS解析的提供商, 常用的提供商如下:
+# - dnspod: https://console.dnspod.cn/account/token/token
+# - cloudflare: https://go-acme.github.io/lego/dns/cloudflare/
+# - tencentcloud: https://console.cloud.tencent.com/cam/capi
+CERTBOT_DNS_PROVIDER='dnspod'
+CERTBOT_DNS_API_KEY='' # 必填
+# tencentcloud还需要额外设置这个变量
+CERTBOT_TENCENTCLOUD_SECRET_ID=''
+
 ## ================================ Services ================================
 
 ## 视频服务器

certbot/Dockerfile

@@ -0,0 +1,7 @@
+# 支持100+DNS提供商的Certbot插件
+# 详见: https://github.com/alexzorin/certbot-dns-multi
+FROM ghcr.io/alexzorin/certbot-dns-multi:4.27.0
+
+# 添加docker和docker compose命令
+COPY --from=docker:cli /usr/local/bin/docker /usr/local/bin/docker
+COPY --from=docker:cli /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose

certbot/certbot-renew.sh

@@ -1,23 +1,23 @@
 services:
   certbot:
-    # image: ghcr.io/alexzorin/certbot-dns-multi:4.27.0
-    # command:
-    #   - certonly
-    #   - --non-interactive
-    #   - --agree-tos
-    #   - --authenticator=dns-multi
-    #   - --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini
-    #   - --domains=${TRACK_HOSTNAME:?required}
-    #   - --domains=${BUS_HOSTNAME:?required}
-      # - --dry-run
-    image: docker:cli
-    command: /home/docker/certbot/certbot-renew.sh
+    build: .
+    command:
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --authenticator=dns-multi
+      - --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini
+      # 两个域名可以同时申请, 故不要求两个都必填
+      - --domains=${TRACK_HOSTNAME}
+      - --domains=${BUS_HOSTNAME}
+      - --deploy-hook
+      - "sh -c 'COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME} DATA=${DATA_DIR:-/data} /home/docker/certbot/deploy-hook.sh'"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ${DATA_DIR:-/data}/certbot:/etc/letsencrypt
     configs:
-      - source: certbot-renew.sh
-        target: /home/docker/certbot/certbot-renew.sh
+      - source: certbot-deploy-hook.sh
+        target: /home/docker/certbot/deploy-hook.sh
       - source: certbot-dns-multi.ini
         target: /etc/letsencrypt/dns-multi.ini
         mode: 0600
@@ -29,21 +29,22 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     labels:
+      # 通过ofelia重启其他服务, 需要这样绕一道
       # https://github.com/mcuadros/ofelia/issues/280#issuecomment-2561863012
       ofelia.job-run.certbot-renew.schedule: "@daily"
       ofelia.job-run.certbot-renew.command: "sh -c 'docker compose -p ${COMPOSE_PROJECT_NAME} restart certbot'"
       ofelia.job-run.certbot-renew.image: "docker:cli"
       ofelia.job-run.certbot-renew.volume: "/var/run/docker.sock:/var/run/docker.sock"
 
 configs:
-  certbot-renew.sh:
-    file: ./certbot-renew.sh
+  certbot-deploy-hook.sh:
+    file: ./deploy-hook.sh
+  # certbot-dns-multi的配置文件
+  # https://github.com/alexzorin/certbot-dns-multi#usage
   certbot-dns-multi.ini:
     content: |
-      dns_multi_provider=cloudflare
-      CLOUDFLARE_DNS_API_TOKEN=
-  certbot-dns-multi-tencentcloud.ini:
-    content: |
-      dns_multi_provider=tencentcloud
-      TENCENTCLOUD_SECRET_ID=
-      TENCENTCLOUD_SECRET_KEY=
+      dns_multi_provider=${CERTBOT_DNS_PROVIDER:-dnspod}
+      DNSPOD_API_KEY=${CERTBOT_DNS_API_KEY:?required}
+      CLOUDFLARE_DNS_API_TOKEN=${CERTBOT_DNS_API_KEY:?required}
+      TENCENTCLOUD_SECRET_KEY=${CERTBOT_DNS_API_KEY:?required}
+      TENCENTCLOUD_SECRET_ID=${CERTBOT_TENCENTCLOUD_SECRET_ID}

certbot/compose.yml

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+cp "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/certificate.crt"
+cp "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/certificate.key"
+
+echo "请保证将证书变量设置为:"
+echo "SSL_CERTIFICATE=${DATA_DIR:-/data}/certbot/live/$(basename "$RENEWED_DOMAINS")/certificate"
+
+echo "重启Nginx..."
+docker compose -p "${COMPOSE_PROJECT_NAME}" restart nginx