diff --git a/.gitignore b/.gitignore
index 68f5d131..72afbf49 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 /data/certbot
+/data/nginx/app.conf
+.env
diff --git a/README.md b/README.md
index 8c3bd886..2f8eeb4e 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,12 @@ application.
 2. Clone this repository: `git clone https://github.com/wmnnd/nginx-certbot.git .`
 3. Modify configuration:
-- Add domains and email addresses to init-letsencrypt.sh
-- Replace all occurrences of example.org with primary domain (the first one you added to init-letsencrypt.sh) in data/nginx/app.conf
+- Create a .env file and add domains and email addresses using the env variables defined below
+- NGINX_DOMAIN_LIST - [REQUIRED] the list of domains for nginx (also used by letsencrypt); each domain name should be separated by a space; the first domain name will be taken as the primary domain unless NGINX_PRIMARY_DOMAIN env variable is also provided; defaults to "example.org www.example.org"
+- NGINX_PRIMARY_DOMAIN - [OPTIONAL] the primary domain name to use for certificate registration; defaults to "example.org"
+- NGINX_PROXY_PASS - [REQUIRED] the url to route all incoming requests on ports 80, 443; for example "http://localhost:8080" to forward all incoming to localhost:8080; defaults to "http://example.org"
+- LETSENCRYPT_EMAIL - [OPTIONAL] the email id to use for LetsEncrypt registration; defaults to ""
+- LETSENCRYPT_STAGING - [OPTIONAL] Set to 1 if you're testing your setup to avoid hitting request limits; defaults to 0
 4. Run the init script:
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
index a3f3cb01..fd2a9be6 100755
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@@ -5,11 +5,26 @@ if ! [ -x "$(command -v docker-compose)" ]; then
 exit 1
 fi
-domains=(example.org www.example.org)
+if [ -f ./.env ]; then
+ source ./.env
+else
+ echo "No .env file found, using defaults."
+fi
+
+
+domains_env="${NGINX_DOMAIN_LIST:-"example.org www.example.org"}"
+IFS=' ' read -r -a domains <<< "$domains_env"
+primary_domain=${domains[0]:-$NGINX_PRIMARY_DOMAIN}
 rsa_key_size=4096
 data_path="./data/certbot"
-email="" # Adding a valid address is strongly recommended
-staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+email=${LETSENCRYPT_EMAIL:-""} # Adding a valid address is strongly recommended
+staging=${LETSENCRYPT_STAGING:-0} # Set to 1 if you're testing your setup to avoid hitting request limits
+proxy_pass=${NGINX_PROXY_PASS:-"http://example.org"}
+escaped_proxy_pass=$(printf '%s\n' "$proxy_pass" | sed -e 's/[\/&]/\\&/g')
+
+echo "### Creating nginx app.conf from template ..."
+sed "s/\${NGINX_DOMAIN_LIST}/${domains_env}/g; s/\${NGINX_PRIMARY_DOMAIN}/${primary_domain}/g; s/\${NGINX_PROXY_PASS}/${escaped_proxy_pass}/g" ./templates/nginx/app.conf.template > ./data/nginx/app.conf
+echo
 if [ -d "$data_path" ]; then
 read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
diff --git a/data/nginx/app.conf b/templates/nginx/app.conf.template
similarity index 67%
rename from data/nginx/app.conf
rename to templates/nginx/app.conf.template
index 52dc0e78..61c53796 100644
--- a/data/nginx/app.conf
+++ b/templates/nginx/app.conf.template
@@ -1,6 +1,6 @@
 server {
 listen 80;
- server_name example.org;
+ server_name ${NGINX_DOMAIN_LIST};
 server_tokens off;
 location /.well-known/acme-challenge/ {
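Review bot: `primary_domain=${domains[0]:-$NGINX_PRIMARY_DOMAIN}` inverts the precedence the README hunk promises: `${domains[0]}` is never empty because the list has a non-empty default, so NGINX_PRIMARY_DOMAIN is silently ignored and the certificate paths in the template always use the first listed domain; it should read `primary_domain=${NGINX_PRIMARY_DOMAIN:-${domains[0]}}`. The redirect `> ./data/nginx/app.conf` assumes `./data/nginx` exists, but this commit moves the only tracked file out of that directory and git-ignores the generated one, so a fresh clone likely has no such directory and the sed fails; add `mkdir -p ./data/nginx` before it. `source ./.env` executes the file as shell rather than reading KEY=VALUE pairs, and `${domains_env}` and `${primary_domain}` are spliced unescaped into the sed program (only proxy_pass is escaped), so a `/`, `&` or `;` in those values changes the substitution rather than the output; either escape them the same way as proxy_pass or add a comment stating that .env is trusted operator input. The rest of the script, including the certbot invocation that consumes `domains`, is outside this hunk.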
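Review bot: The renamed template has no header saying how it is consumed, and the `${NGINX_DOMAIN_LIST}` placeholder on `server_name` looks like nginx variable syntax next to the `$http_host` and `$remote_addr` variables used later in the file; a reader who edits `data/nginx/app.conf` directly loses the change the next time init-letsencrypt.sh regenerates it. Add at the top of the file: `# Template for data/nginx/app.conf (generated and git-ignored). init-letsencrypt.sh replaces ${NGINX_DOMAIN_LIST}, ${NGINX_PRIMARY_DOMAIN} and ${NGINX_PROXY_PASS} with sed; plain $nginx_variables are left as-is.` This hunk covers only the port-80 server block; the 443 block is in the following hunk.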
@@ -14,16 +14,16 @@ server {
 server {
 listen 443 ssl;
- server_name example.org;
+ server_name ${NGINX_DOMAIN_LIST};
 server_tokens off;
- ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/${NGINX_PRIMARY_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${NGINX_PRIMARY_DOMAIN}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
- proxy_pass http://example.org;
+ proxy_pass ${NGINX_PROXY_PASS};
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
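Review bot: `ssl_certificate /etc/letsencrypt/live/${NGINX_PRIMARY_DOMAIN}/fullchain.pem` only resolves if certbot names the lineage after NGINX_PRIMARY_DOMAIN, and certbot derives that directory name from the first `-d` it is given unless `--cert-name` is passed. The certbot invocation is outside this diff, so if it passes the domains in NGINX_DOMAIN_LIST order and NGINX_PRIMARY_DOMAIN is set to a later entry, nginx will fail to start on a missing certificate path; either pass `--cert-name "$primary_domain"` in the script or document on `NGINX_PRIMARY_DOMAIN` that it must be the first entry of the list. A one-line comment above `ssl_certificate`, `# lineage directory must match the certbot cert name chosen in init-letsencrypt.sh`, would make the coupling visible to whoever edits either file.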