LE fixes
@@ -94,7 +94,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
|
- ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
|
||||||
- ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
|
- ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
|
||||||
entrypoint: "/bin/sh -c 'trap exit TERM; while [ -f /etc/letsencrypt/live ]; do certbot renew; sleep 12h & wait $${!}; done;'"
|
entrypoint: "/bin/sh -c 'trap exit TERM; while [ -e /etc/letsencrypt/live ]; do certbot renew; sleep 12h & wait $${!}; done;'"
|
||||||
depends_on:
|
depends_on:
|
||||||
init:
|
init:
|
||||||
condition: service_completed_successfully
|
condition: service_completed_successfully
|
||||||
|
|||||||
76
setup.sh
76
setup.sh
@@ -1,5 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -x
|
||||||
|
|
||||||
# set up data & secrets dir with the right ownerships in the default location
|
# set up data & secrets dir with the right ownerships in the default location
|
||||||
# to stop docker autocreating them with random owners.
|
# to stop docker autocreating them with random owners.
|
||||||
# originally these were checked into the git repo, but that's pretty ugly, so doing it here instead.
|
# originally these were checked into the git repo, but that's pretty ugly, so doing it here instead.
|
||||||
@@ -8,44 +11,49 @@ mkdir -p secrets/{livekit,postgres,synapse}
|
|||||||
|
|
||||||
# create blank secrets to avoid docker creating empty directories in the host
|
# create blank secrets to avoid docker creating empty directories in the host
|
||||||
touch secrets/livekit/livekit_{api,secret}_key \
|
touch secrets/livekit/livekit_{api,secret}_key \
|
||||||
secrets/postgres/postgres_password \
|
secrets/postgres/postgres_password \
|
||||||
secrets/synapse/signing.key
|
secrets/synapse/signing.key
|
||||||
|
|
||||||
# grab an env if we don't have one already
|
# grab an env if we don't have one already
|
||||||
if [[ ! -e .env ]]; then
|
if [[ ! -e .env ]]; then
|
||||||
cp .env-sample .env
|
cp .env-sample .env
|
||||||
|
|
||||||
sed -ir s/^USER_ID=/USER_ID=$(id -u)/ .env
|
sed -ir s/^USER_ID=/USER_ID=$(id -u)/ .env
|
||||||
sed -ir s/^GROUP_ID=/GROUP_ID=$(id -g)/ .env
|
sed -ir s/^GROUP_ID=/GROUP_ID=$(id -g)/ .env
|
||||||
|
|
||||||
read -p "Enter base domain name (e.g. example.com): " DOMAIN
|
read -p "Enter base domain name (e.g. example.com): " DOMAIN
|
||||||
sed -ir s/^example.com/$DOMAIN/ .env
|
sed -ir s/^example.com/$DOMAIN/ .env
|
||||||
|
|
||||||
# SSL setup
|
# SSL setup
|
||||||
mkdir -p data/ssl
|
mkdir -p data/certbot/{conf,www} # stop broken binds
|
||||||
read -p "Use local mkcert CA for SSL? [y/n]" use_mkcert
|
read -p "Use local mkcert CA for SSL? [y/n] " use_mkcert
|
||||||
if [[ use_mkcert =~ ^[Yy]$ ]]; then
|
if [[ use_mkcert =~ [Yy] ]]; then
|
||||||
if [[ ! -x mkcert ]]; then
|
if [[ ! -x mkcert ]]; then
|
||||||
echo "Please install mkcert from brew/apt/yum etc"
|
echo "Please install mkcert from brew/apt/yum etc"
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
mkcert -install
|
mkcert -install
|
||||||
mkcert $DOMAIN '*.'$DOMAIN
|
mkcert $DOMAIN '*.'$DOMAIN
|
||||||
mv ${DOMAIN}+1.pem data/ssl/fullchain.pem
|
mkdir -p data/ssl
|
||||||
mv ${DOMAIN}+1-key.pem data/ssl/privkey.pem
|
mv ${DOMAIN}+1.pem data/ssl/fullchain.pem
|
||||||
cp "$(mkcert -CAROOT)"/rootCA.pem data/ssl/ca-certificates.crt
|
mv ${DOMAIN}+1-key.pem data/ssl/privkey.pem
|
||||||
# borrow letsencrypt's SSL config
|
cp "$(mkcert -CAROOT)"/rootCA.pem data/ssl/ca-certificates.crt
|
||||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
|
# borrow letsencrypt's SSL config
|
||||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
|
||||||
else
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
|
||||||
read -p "Use letsencrypt for SSL? [y/n]" use_letsencrypt
|
else
|
||||||
if [[ use_letsencrypt =~ ^[Yy]$ ]]; then
|
read -p "Use letsencrypt for SSL? [y/n] " use_letsencrypt
|
||||||
mkdir -p data/certbot/{conf,www}
|
if [[ use_letsencrypt =~ [Yy] ]]; then
|
||||||
ln -s data/ssl data/certbot/conf/live/$DOMAIN
|
mkdir -p data/certbot/conf/live/$DOMAIN
|
||||||
touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
|
if [[ ! -L data/ssl ]]; then
|
||||||
exec scripts/init-letsencrypt.sh
|
ln -s ../data/certbot/conf/live/$DOMAIN data/ssl
|
||||||
else
|
fi
|
||||||
echo "Please put a valid {privkey,fullchain}.pem and ca-certificates.crt into data/ssl/"
|
touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
|
||||||
fi
|
exec ./init-letsencrypt.sh
|
||||||
fi
|
else
|
||||||
|
echo "Please put a valid {privkey,fullchain}.pem and ca-certificates.crt into data/ssl/"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo ".env already exists; move it out of the way first to re-setup"
|
||||||
fi
|
fi
|
||||||
|
|||||||
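Review bot: Both regex tests in the new code compare the literal variable name rather than its value, because the `$` is missing: `[[ use_mkcert =~ [Yy] ]]` and `[[ use_letsencrypt =~ [Yy] ]]`. Dropping the `^…$` anchors in this commit makes it worse — the string "use_letsencrypt" contains a `y`, so the letsencrypt branch is now taken whatever the user typed, while the mkcert branch can never run. The intended lines are `if [[ $use_mkcert =~ ^[Yy]$ ]]; then` and `if [[ $use_letsencrypt =~ ^[Yy]$ ]]; then`. Separately, `[[ ! -x mkcert ]]` checks for an executable file named mkcert in the current directory, not on PATH — `command -v mkcert >/dev/null` is the usual test — and the two `curl -s … > data/ssl/…` fetches should use `curl -fsS` so that an HTTP error page is not silently written as options-ssl-nginx.conf or ssl-dhparams.pem.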