colben/docker
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
colben
2022-04-18 11:21:20 +08:00
commit 45a7af638f
210 changed files with 8997 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
letsencrypt/ADD/ccmd Executable file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
##################################################
# Mount dir #
# - /etc/letsencrypt #
# - /var/log/letsencrypt #
# ENV #
# - DOMAINS #
##################################################
set -euo pipefail
export LANG=en_US.UTF-8
trap Quit EXIT
GOT_SIGTERM=
function Print {
local file=/dev/null
[ '-f' = "$1" ] && file=$2 && shift && shift
date +"[%F %T] $*" | tee -a $file
}
function Quit {
while :; do
pkill -f python && Print killing python ... || break
sleep 1
done
Print Container stopped.
test -n "$GOT_SIGTERM"
}
function Usage {
Print 'This container should run with
**host network**
**env DOMAINS**
**/etc/letsencrypt and /var/log/letsencrypt mounted from host**
'
}
function StartProc {
if [ ! -e /etc/letsencrypt/accounts ]; then
Print Register ...
certbot register --register-unsafely-without-email --agree-tos
if echo "$DOMAINS" | grep -qo '^*'; then
Print Request wildcard certificate ...
certbot certonly -q --manual \
--manual-auth-hook /etc/letsencrypt/manual-hook.sh \
-d "$DOMAINS" --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
else
Print Request certificate ...
certbot certonly -q -n --standalone -d $DOMAINS
fi
Print Generate dhparam.pem ...
openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048 \
&>/var/log/letsencrypt/dhparam.out
else
if echo "$DOMAINS" | grep -qo '^*'; then
Print Renew wildcard certificate ...
certbot certonly --force-renewal -q --manual \
--manual-auth-hook /etc/letsencrypt/manual-hook.sh \
-d "$DOMAINS" --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
else
Print Renew certificate ...
certbot renew -q --force-renewal
fi
fi
}
function Main {
Usage
trap "GOT_SIGTERM=1; Print Got SIGTERM ..." SIGTERM
StartProc
}
# Start here
Main

35
letsencrypt/Demo/SingleNode/README.md Normal file
View File

@@ -0,0 +1,35 @@
# 部署 letsencrypt
- 为域名 x1.xx.com 和 x2.xx.com 申请 ssl 证书,并在每月的 31 号晚上十一点更新一次
- 为域名 \*.xxx.com 申请 ssl 证书,并在每月的 31 号晚上十点更新一次
- 根据实际环境修改
- docker-compose.yml
- 创建目录
```
grep '\<source:' docker-compose.yml | cut -d: -f2 | xargs mkdir -p
```
- 获取通配域名的证书时,需要手动设置 TXT 解析记录,这里配合脚本实现自动化获取和更新
- 调用腾讯云接口设置 TXT 解析记录
```
cp tencent-api.sh letsencrypt-wildcard/etc/manual-hook.sh
```
- 调用腾讯云接口设置 TXT 解析记录
```
cp aliyun-api.sh letsencrypt-wildcard/etc/manual-hook.sh
```
- 启动
```
docker-compose up -d
```
- 创建定时任务
```
0 23 31 * * docker-compose -f /compose/docker-compose.yml up -d letsencrypt
0 22 31 * * docker-compose -f /compose/docker-compose.yml up -d letsencrypt-wildcard
```

147
letsencrypt/Demo/SingleNode/aliyun-api.sh Executable file
View File

@@ -0,0 +1,147 @@
#!/bin/bash
#=========================================
# Author : Colben
# Create : 2022-04-11 19:48
#=========================================
set -euo pipefail
export LANG=en_US.UTF-8
trap Quit EXIT
ACCESS_KEY_ID='aliyun access key id'
ACCESS_KEY_SECRET='aliyun access key secret'
DOMAIN=$CERTBOT_DOMAIN
SUB_DOMAIN=_acme-challenge
RECORD_ID=
RECORD_VA=$CERTBOT_VALIDATION
PID_FILE=/tmp/$(basename ${0%.sh}).pid
if [ -t 0 ]; then
function Print { echo -e "\033[32;1m$(date +'[%F %T]') $*\033[0m"; }
function Warn { echo -e "\033[33;1m$(date +'[%F %T]') $*\033[0m"; }
function Error { echo -e "\033[31;1m$(date +'[%F %T]') $*\033[0m"; exit 1; }
else
#exec &> ${0%.sh}.out
function Print { echo -e "$(date +'[%F %T] INFO') $*"; }
function Warn { echo -e "$(date +'[%F %T] WARN') $*"; }
function Error { echo -e "$(date +'[%F %T] ERROR') $*"; exit 1; }
fi
function Quit {
local exitCode=$?
[ 0 -ne $exitCode ] && Error Failed to request aliyun api!
[ -z "${END:-}" ] && echo && Error Interrupted manually!
Print Succeeded to request aliyun api and wait 30 seconds.
sleep 30
}
function GetSignature {
local uriEncoded="GET&%2F&$(echo "$1" | sed -e 's/=/%3D/g' -e 's/:/%253A/g' -e 's/&/%26/g')"
local sha1Str=$(echo -n "$uriEncoded" | openssl dgst -sha1 -hmac "$ACCESS_KEY_SECRET&" -binary)
echo -n "$sha1Str" | base64 | sed -e 's/=/%3D/g' -e 's/+/%2B/g' -e 's,/,%2F,g'
}
function ListRecord {
Warn Get request uri ...
local sign=
local resp=
local uri="AccessKeyId=$ACCESS_KEY_ID"
uri="${uri}&Action=DescribeDomainRecords"
uri="${uri}&DomainName=$DOMAIN"
uri="${uri}&Format=JSON"
uri="${uri}&KeyWord=$SUB_DOMAIN"
uri="${uri}&SearchMode=EXACT"
uri="${uri}&SignatureMethod=HMAC-SHA1"
uri="${uri}&SignatureNonce=$RANDOM"
uri="${uri}&SignatureVersion=1.0"
uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
uri="${uri}&Type=TXT"
uri="${uri}&Version=2015-01-09"
sign=$(GetSignature "$uri")
Warn List record ...
resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
RECORD_ID=$(echo $resp | jq -crM .DomainRecords.Record[].RecordId)
[ 'null' == "$RECORD_ID" ] && echo "$resp" && exit 1
return 0
}
function CreateRecord {
Warn Get request uri ...
local sign=
local resp=
local uri="AccessKeyId=$ACCESS_KEY_ID"
uri="${uri}&Action=AddDomainRecord"
uri="${uri}&DomainName=$DOMAIN"
uri="${uri}&Format=JSON"
uri="${uri}&RR=$SUB_DOMAIN"
uri="${uri}&SignatureMethod=HMAC-SHA1"
uri="${uri}&SignatureNonce=$RANDOM"
uri="${uri}&SignatureVersion=1.0"
uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
uri="${uri}&Type=TXT"
uri="${uri}&Value=$RECORD_VA"
uri="${uri}&Version=2015-01-09"
sign=$(GetSignature "$uri")
Warn Create sub_domain: $SUB_DOMAIN with value: $RECORD_VA ...
resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
[ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
return 0
}
function ModifyRecord {
Warn Get request uri ...
local sign=
local resp=
local uri="AccessKeyId=$ACCESS_KEY_ID"
uri="${uri}&Action=UpdateDomainRecord"
uri="${uri}&DomainName=$DOMAIN"
uri="${uri}&Format=JSON"
uri="${uri}&RR=$SUB_DOMAIN"
uri="${uri}&RecordId=$RECORD_ID"
uri="${uri}&SignatureMethod=HMAC-SHA1"
uri="${uri}&SignatureNonce=$RANDOM"
uri="${uri}&SignatureVersion=1.0"
uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
uri="${uri}&Type=TXT"
uri="${uri}&Value=$RECORD_VA"
uri="${uri}&Version=2015-01-09"
sign=$(GetSignature "$uri")
Warn Modify record: $RECORD_ID with value: $RECORD_VA ...
resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
[ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
return 0
}
function DeleteRecord {
Warn Get request uri ...
local sign=
local resp=
local uri="AccessKeyId=$ACCESS_KEY_ID"
uri="${uri}&Action=DeleteDomainRecord"
uri="${uri}&DomainName=$DOMAIN"
uri="${uri}&Format=JSON"
uri="${uri}&RecordId=$RECORD_ID"
uri="${uri}&SignatureMethod=HMAC-SHA1"
uri="${uri}&SignatureNonce=$RANDOM"
uri="${uri}&SignatureVersion=1.0"
uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
uri="${uri}&Version=2015-01-09"
sign=$(GetSignature "$uri")
Warn Delete record $RECORD_ID ...
resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
[ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
return 0
}
function Main {
[ -e "$PID_FILE" ] && Error Pid file $PID_FILE already exists, quit!
echo $$ > $PID_FILE
ListRecord
[ -z "$RECORD_ID" ] && CreateRecord
[ -n "$RECORD_ID" ] && ModifyRecord
END=1
}
# Start here
Main

35
letsencrypt/Demo/SingleNode/docker-compose.yml Normal file
View File

@@ -0,0 +1,35 @@
version: "3.7"
services:
letsencrypt:
image: harbor.colben.cn/general/letsencrypt
container_name: letsencrypt
restart: "no"
stop_grace_period: 1m
environment:
DOMAINS: x1.xx.com,x2.xx.com
network_mode: host
volumes:
- type: bind
source: ./letsencrypt/etc
target: /etc/letsencrypt
- type: bind
source: ./letsencrypt/log
target: /var/log/letsencrypt
letsencrypt-wildcard:
image: harbor.colben.cn/general/letsencrypt
container_name: letsencrypt-wildcard
restart: "no"
stop_grace_period: 1m
environment:
DOMAINS: "*.xxx.com"
network_mode: host
volumes:
- type: bind
source: ./letsencrypt-wildcard/etc
target: /etc/letsencrypt
- type: bind
source: ./letsencrypt-wildcard/log
target: /var/log/letsencrypt

136
letsencrypt/Demo/SingleNode/tencent-api.sh Executable file
View File

@@ -0,0 +1,136 @@
i#!/bin/bash
#=========================================
# Author : colben
# Create : 2022-04-04 10:12
#=========================================
set -euo pipefail
export LANG=en_US.UTF-8
trap Quit EXIT
SECRET_ID='tencent secret id'
SECRET_KEY='tencent secret key'
DOMAIN=$CERTBOT_DOMAIN
SUB_DOMAIN=_acme-challenge
RECORD_ID=
RECORD_VA=$CERTBOT_VALIDATION
PID_FILE=/tmp/$(basename ${0%.sh}).pid
if [ -t 0 ]; then
function Print { echo -e "\033[32;1m$(date +'[%F %T]') $*\033[0m"; }
function Warn { echo -e "\033[33;1m$(date +'[%F %T]') $*\033[0m"; }
function Error { echo -e "\033[31;1m$(date +'[%F %T]') $*\033[0m"; exit 1; }
else
#exec &> ${0%.sh}.out
function Print { echo -e "$(date +'[%F %T] INFO') $*"; }
function Warn { echo -e "$(date +'[%F %T] WARN') $*"; }
function Error { echo -e "$(date +'[%F %T] ERROR') $*"; exit 1; }
fi
function Quit {
local exitCode=$?
[ 0 -ne $exitCode ] && Error Failed to request tencent api!
[ -z "${END:-}" ] && echo && Error Interrupted manually!
Print Succeeded to request tencent api and wait 30 seconds.
sleep 30
}
function GetSignature {
local sha1Str=$(echo -n "GET$1" | openssl dgst -sha1 -hmac "$SECRET_KEY" -binary)
echo -n "$sha1Str" | base64 | sed -e 's/=/%3D/g' -e 's/+/%2B/g'
}
function ListRecord {
Warn Get request url ...
local sign=
local resp=
local url='cns.api.qcloud.com/v2/index.php'
url="${url}?Action=RecordList"
url="${url}&Nonce=$RANDOM"
url="${url}&SecretId=$SECRET_ID"
url="${url}&Timestamp=$(date +%s)"
url="${url}&Version=2018-08-08"
url="${url}&domain=$DOMAIN"
sign=$(GetSignature "$url")
Warn List record ...
resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
[ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
RECORD_ID=$(echo $resp | jq -crM ".data.records[] | select(.name == \"$SUB_DOMAIN\") | .id")
}
function CreateRecord {
Warn Get request url ...
local sign=
local resp=
local url='cns.api.qcloud.com/v2/index.php'
url="${url}?Action=RecordCreate"
url="${url}&Nonce=$RANDOM"
url="${url}&SecretId=$SECRET_ID"
url="${url}&Timestamp=$(date +%s)"
url="${url}&Version=2018-08-08"
url="${url}&domain=$DOMAIN"
url="${url}&recordLine=默认"
url="${url}&recordType=TXT"
url="${url}&subDomain=$SUB_DOMAIN"
url="${url}&value=$RECORD_VA"
sign=$(GetSignature "$url")
Warn Create sub_domain: $SUB_DOMAIN with value: $RECORD_VA ...
resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
[ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
return 0
}
function ModifyRecord {
Warn Get request url ...
local sign=
local resp=
local url='cns.api.qcloud.com/v2/index.php'
url="${url}?Action=RecordModify"
url="${url}&Nonce=$RANDOM"
url="${url}&SecretId=$SECRET_ID"
url="${url}&Timestamp=$(date +%s)"
url="${url}&Version=2018-08-08"
url="${url}&domain=$CERTBOT_DOMAIN"
url="${url}&recordId=$RECORD_ID"
url="${url}&recordLine=默认"
url="${url}&recordType=TXT"
url="${url}&subDomain=$SUB_DOMAIN"
url="${url}&value=$RECORD_VA"
sign=$(GetSignature "$url")
Warn Modify record: $RECORD_ID with value: $RECORD_VA ...
resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
[ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
return 0
}
function DeleteRecord {
Warn Get request url ...
local sign=
local resp=
local url='cns.api.qcloud.com/v2/index.php'
url="${url}?Action=RecordDelete"
url="${url}&Nonce=$RANDOM"
url="${url}&SecretId=$SECRET_ID"
url="${url}&Timestamp=$(date +%s)"
url="${url}&Version=2018-08-08"
url="${url}&domain=$DOMAIN"
url="${url}&recordId=$RECORD_ID"
sign=$(GetSignature "$url")
Warn Delete record $RECORD_ID ...
resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
[ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
return 0
}
function Main {
[ -e "$PID_FILE" ] && Error Pid file $PID_FILE already exists, quit!
echo $$ > $PID_FILE
ListRecord
[ -z "$RECORD_ID" ] && CreateRecord
[ -n "$RECORD_ID" ] && ModifyRecord
END=1
}
# Start here
Main

10
letsencrypt/Dockerfile Normal file
View File

@@ -0,0 +1,10 @@
ARG ARCH
FROM harbor.colben.cn/general/alpine$ARCH
MAINTAINER Colben colbenlee@gmail.com
ADD --chown=root:root /ADD/ /opt/
RUN apk update \
&& apk add --no-cache certbot openssl jq \
&& mkdir -p /etc/letsencrypt /var/log/letsencrypt \
&& rm -rf /var/cache/apk/*
CMD ["/opt/ccmd"]

17
letsencrypt/README.md Normal file
View File

@@ -0,0 +1,17 @@
# 构建 letsencrypt 镜像
## 定制
- 安装 certbot 和 openssl
- 不支持通配域名
## 外挂目录和文件
- /etc/letsencrypt: letsencrypt 数据目录
- /var/log/letsencrypt: letsencrypt 日志目录
- /etc/letsencrypt/manual-hook.sh: 手动获取证书时用到的钩子脚本
## 引入环境变量
- DOMAINS: 待申请 ssl 证书的域名,多个域名用逗号间隔
## 案例 1
- [Demo/SingleNode/](/Demo/SingleNode/): 部署 letsencrypt

67
letsencrypt/letsencrypt.sh Executable file
View File

@@ -0,0 +1,67 @@
#!/bin/bash
#=========================================
# Author : colben
#=========================================
set -euo pipefail
export LANG=en_US.UTF-8
trap Quit EXIT
[ 'x86_64' == "$(uname -m)" ] && ARCH='' || ARCH="-$(uname -m)"
ROOT_DIR="$(cd $(dirname $0) && pwd)"
IMAGE="harbor.colben.cn/general/$(basename ${0%.sh})$ARCH:latest"
if [ -t 0 ]; then
function Print { echo -e "\033[36;1m$(date +'[%F %T]')\033[32;1m $*\033[0m"; }
function Warn { echo -e "\033[36;1m$(date +'[%F %T]')\033[33;1m $*\033[0m"; }
function Error { echo -e "\033[36;1m$(date +'[%F %T]')\033[31;1m $*\033[0m"; exit 1; }
else
function Print { echo -e "$(date +'[%F %T INFO]') $*"; }
function Warn { echo -e "$(date +'[%F %T WARN]') $*"; }
function Error { echo -e "$(date +'[%F %T ERROR]') $*"; exit 1; }
fi
function Quit {
local exitCode=$?
[ 0 -ne $exitCode ] && Error Failed to build or push image!
[ -z "${END:-}" ] && echo && Error Interrupted manually!
Print Succeeded to build and push image.
}
function YesOrNo {
Warn $*
local sw=
while :; do
read -p '(Yes/No/Quit) ' -n1 sw
[[ "$sw" =~ ^Y|y$ ]] && echo && return 0
[[ "$sw" =~ ^N|n$ ]] && echo && return 1
[[ "$sw" =~ ^Q|q$ ]] && echo && exit 0
[ -n "$sw" ] && echo
done
}
function Update {
:
}
function Build {
local yn
cd $ROOT_DIR
docker images --format='{{.Repository}}:{{.Tag}}' | grep "^$IMAGE$" \
&& Warn Removing image $IMAGE ... \
&& docker rmi $IMAGE
Warn Building image: $IMAGE ...
docker build --force-rm --build-arg ARCH="$ARCH" -t $IMAGE .
YesOrNo Push image: $IMAGE? && docker push $IMAGE
}
function Main {
Update
Build
END=1
}
# Start here
Main