skynet-webportal/docker/certbot/entrypoint.sh

#!/bin/bash

# Portal domain requires 3 domain certificates:
# - exact portal domain, ie. example.com
# - wildcard subdomain on portal domain, ie. *.example.com
#   used for skylinks served from portal subdomain
# - wildcard subdomain on hns portal domain subdomain, ie. *.hns.example.com
#   used for resolving handshake domains
DOMAINS=${PORTAL_DOMAIN},*.${PORTAL_DOMAIN},*.hns.${PORTAL_DOMAIN}

# Add server domain when it is not empty and different from portal domain
if [ ! -z "${SERVER_DOMAIN}" ] && [ "${PORTAL_DOMAIN}" != "${SERVER_DOMAIN}" ]; then
    # In case where server domain is not covered by portal domain's
    # wildcard certificate, add server domain name to domains list.
    # - server-001.example.com is covered by *.example.com
    # - server-001.servers.example.com or server-001.example-severs.com
    #   are not covered by any already requested wildcard certificates
    #
    # The condition checks whether server domain does not match portal domain
    # with exactly one level of subdomain (portal domain wildcard cert):
    # (start) [anything but the dot] + [dot] + [portal domain] (end)
    if ! printf "${SERVER_DOMAIN}" | grep -q -E "^[^\.]+\.${PORTAL_DOMAIN}$"; then
        DOMAINS=${DOMAINS},${SERVER_DOMAIN}
    fi

    # Server domain requires the same set of domain certificates as portal domain.
    # Exact server domain case is handled above.
    DOMAINS=${DOMAINS},*.${SERVER_DOMAIN},*.hns.${SERVER_DOMAIN}
fi

# The "wait" will prevent an exit from the script while background tasks are
# still active, so we are adding the line below as a method to prevent orphaning
# the background child processe. The trap fires when docker terminates the container.
trap exit TERM

while :; do
    # Execute certbot and generate or maintain certificates for given domain string.
    # --non-interactive: we are running this as an automation so we cannot be prompted
    # --agree-tos: required flag marking agreement with letsencrypt tos
    # --cert-name: output directory name
    # --email: required for generating certificates, used for communication with CA
    # --domains: comma separated list of domains (will generate one bundled SAN cert)
    # Use CERTBOT_ARGS env variable to pass any additional arguments, ie --dns-route53
    certbot certonly \
        --non-interactive --agree-tos --cert-name skynet-portal \
        --email ${EMAIL_ADDRESS} --domains ${DOMAINS} ${CERTBOT_ARGS}

    # Run a background sleep process that counts down given time
    # Certbot docs advise running maintenance process every 12 hours
    sleep 12h &
    
    # Await execution until sleep process is finished (it's a background process)
    # Syntax explanation: ${!} expands to a pid of last ran process
    wait ${!}
done
replace caddy with certbot 2022-03-19 23:34:52 +00:00			`#!/bin/bash`

			`# Portal domain requires 3 domain certificates:`
			`# - exact portal domain, ie. example.com`
			`# - wildcard subdomain on portal domain, ie. *.example.com`
			`# used for skylinks served from portal subdomain`
			`# - wildcard subdomain on hns portal domain subdomain, ie. *.hns.example.com`
			`# used for resolving handshake domains`
			`DOMAINS=${PORTAL_DOMAIN},.${PORTAL_DOMAIN},.hns.${PORTAL_DOMAIN}`

			`# Add server domain when it is not empty and different from portal domain`
			`if [ ! -z "${SERVER_DOMAIN}" ] && [ "${PORTAL_DOMAIN}" != "${SERVER_DOMAIN}" ]; then`
			`# In case where server domain is not covered by portal domain's`
			`# wildcard certificate, add server domain name to domains list.`
			`# - server-001.example.com is covered by *.example.com`
			`# - server-001.servers.example.com or server-001.example-severs.com`
			`# are not covered by any already requested wildcard certificates`
			`#`
			`# The condition checks whether server domain does not match portal domain`
			`# with exactly one level of subdomain (portal domain wildcard cert):`
			`# (start) [anything but the dot] + [dot] + [portal domain] (end)`
			`if ! printf "${SERVER_DOMAIN}" \| grep -q -E "^[^\.]+\.${PORTAL_DOMAIN}$"; then`
			`DOMAINS=${DOMAINS},${SERVER_DOMAIN}`
			`fi`

			`# Server domain requires the same set of domain certificates as portal domain.`
			`# Exact server domain case is handled above.`
			`DOMAINS=${DOMAINS},.${SERVER_DOMAIN},.hns.${SERVER_DOMAIN}`
			`fi`

			`# The "wait" will prevent an exit from the script while background tasks are`
			`# still active, so we are adding the line below as a method to prevent orphaning`
			`# the background child processe. The trap fires when docker terminates the container.`
			`trap exit TERM`

			`while :; do`
			`# Execute certbot and generate or maintain certificates for given domain string.`
			`# --non-interactive: we are running this as an automation so we cannot be prompted`
			`# --agree-tos: required flag marking agreement with letsencrypt tos`
			`# --cert-name: output directory name`
			`# --email: required for generating certificates, used for communication with CA`
			`# --domains: comma separated list of domains (will generate one bundled SAN cert)`
			`# Use CERTBOT_ARGS env variable to pass any additional arguments, ie --dns-route53`
			`certbot certonly \`
			`--non-interactive --agree-tos --cert-name skynet-portal \`
			`--email ${EMAIL_ADDRESS} --domains ${DOMAINS} ${CERTBOT_ARGS}`

			`# Run a background sleep process that counts down given time`
			`# Certbot docs advise running maintenance process every 12 hours`
			`sleep 12h &`

			`# Await execution until sleep process is finished (it's a background process)`
			`# Syntax explanation: ${!} expands to a pid of last ran process`
			`wait ${!}`
			`done`