replace caddy with certbot

.github/dependabot.yml

@@ -20,10 +20,6 @@ updates:
     directory: "/packages/website"
     schedule:
       interval: weekly
-  - package-ecosystem: docker
-    directory: "/docker/caddy"
-    schedule:
-      interval: weekly
   - package-ecosystem: docker
     directory: "/docker/nginx"
     schedule:

docker-compose.yml

@@ -39,21 +39,19 @@ services:
     expose:
       - 9980
 
-  caddy:
+  certbot:
-    build:
+    image: certbot/dns-route53:v1.25.0
-      context: ./docker/caddy
+    entrypoint: sh /entrypoint.sh
-      dockerfile: Dockerfile
+    container_name: certbot
-    container_name: caddy
     restart: unless-stopped
     logging: *default-logging
     env_file:
       - .env
+    environment:
+      - CERTBOT_ARGS=--dns-route53
     volumes:
-      - ./docker/data/caddy/data:/data
+      - ./docker/certbot/entrypoint.sh:/entrypoint.sh
-      - ./docker/data/caddy/config:/config
+      - ./docker/data/certbot:/etc/letsencrypt
-    networks:
-      shared:
-        ipv4_address: 10.10.10.20
 
   nginx:
     build:
@@ -70,7 +68,7 @@ services:
       - ./docker/data/nginx/logs:/usr/local/openresty/nginx/logs
       - ./docker/data/nginx/skynet:/data/nginx/skynet:ro
       - ./docker/data/sia/apipassword:/data/sia/apipassword:ro
-      - ./docker/data/caddy/data:/data/caddy:ro
+      - ./docker/data/certbot:/etc/letsencrypt
     networks:
       shared:
         ipv4_address: 10.10.10.30
@@ -79,7 +77,6 @@ services:
       - "80:80"
     depends_on:
       - sia
-      - caddy
       - handshake-api
       - dnslink-api
       - website
@@ -174,5 +171,3 @@ services:
       - STATE_DIR=/usr/app/state
     expose:
       - 3100
-    depends_on:
-      - caddy

docker/caddy/Dockerfile

@@ -1,18 +0,0 @@
-FROM caddy:2.4.6-builder AS caddy-builder
-
-# available dns resolvers: https://github.com/caddy-dns
-RUN xcaddy build --with github.com/caddy-dns/route53
-
-FROM caddy:2.4.6-alpine
-
-COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
-
-# bash required for mo to work (mo is mustache templating engine - https://github.com/tests-always-included/mo)
-RUN apk add --no-cache bash
-
-COPY caddy.json.template mo /etc/caddy/
-
-CMD [ "sh", "-c", \
-      "/etc/caddy/mo < /etc/caddy/caddy.json.template > /etc/caddy/caddy.json ; \
-       caddy run --config /etc/caddy/caddy.json" \
-    ]

docker/caddy/caddy.json.template

@@ -1,38 +0,0 @@
-{
-  "apps": {
-    "tls": {
-      "certificates": {
-        "automate": [
-          {{#PORTAL_DOMAIN}}
-              "{{PORTAL_DOMAIN}}", "*.{{PORTAL_DOMAIN}}", "*.hns.{{PORTAL_DOMAIN}}"
-          {{/PORTAL_DOMAIN}}
-
-          {{#PORTAL_DOMAIN}}{{#SERVER_DOMAIN}},{{/SERVER_DOMAIN}}{{/PORTAL_DOMAIN}}
-
-          {{#SERVER_DOMAIN}}
-              "{{SERVER_DOMAIN}}", "*.{{SERVER_DOMAIN}}", "*.hns.{{SERVER_DOMAIN}}"
-          {{/SERVER_DOMAIN}}
-        ]
-      },
-      "automation": {
-        "policies": [
-          {
-            "issuers": [
-              {
-                "module": "acme",
-                "email": "{{EMAIL_ADDRESS}}",
-                "challenges": {
-                  "dns": {
-                    "provider": {
-                      "name": "route53"
-                    }
-                  }
-                }
-              }
-            ]
-          }
-        ]
-      }
-    }
-  }
-}

docker/certbot/entrypoint.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# Portal domain requires 3 domain certificates:
+# - exact portal domain, ie. example.com
+# - wildcard subdomain on portal domain, ie. *.example.com
+#   used for skylinks served from portal subdomain
+# - wildcard subdomain on hns portal domain subdomain, ie. *.hns.example.com
+#   used for resolving handshake domains
+DOMAINS=${PORTAL_DOMAIN},*.${PORTAL_DOMAIN},*.hns.${PORTAL_DOMAIN}
+
+# Add server domain when it is not empty and different from portal domain
+if [ ! -z "${SERVER_DOMAIN}" ] && [ "${PORTAL_DOMAIN}" != "${SERVER_DOMAIN}" ]; then
+    # In case where server domain is not covered by portal domain's
+    # wildcard certificate, add server domain name to domains list.
+    # - server-001.example.com is covered by *.example.com
+    # - server-001.servers.example.com or server-001.example-severs.com
+    #   are not covered by any already requested wildcard certificates
+    #
+    # The condition checks whether server domain does not match portal domain
+    # with exactly one level of subdomain (portal domain wildcard cert):
+    # (start) [anything but the dot] + [dot] + [portal domain] (end)
+    if ! printf "${SERVER_DOMAIN}" | grep -q -E "^[^\.]+\.${PORTAL_DOMAIN}$"; then
+        DOMAINS=${DOMAINS},${SERVER_DOMAIN}
+    fi
+
+    # Server domain requires the same set of domain certificates as portal domain.
+    # Exact server domain case is handled above.
+    DOMAINS=${DOMAINS},*.${SERVER_DOMAIN},*.hns.${SERVER_DOMAIN}
+fi
+
+# The "wait" will prevent an exit from the script while background tasks are
+# still active, so we are adding the line below as a method to prevent orphaning
+# the background child processe. The trap fires when docker terminates the container.
+trap exit TERM
+
+while :; do
+    # Execute certbot and generate or maintain certificates for given domain string.
+    # --non-interactive: we are running this as an automation so we cannot be prompted
+    # --agree-tos: required flag marking agreement with letsencrypt tos
+    # --cert-name: output directory name
+    # --email: required for generating certificates, used for communication with CA
+    # --domains: comma separated list of domains (will generate one bundled SAN cert)
+    # Use CERTBOT_ARGS env variable to pass any additional arguments, ie --dns-route53
+    certbot certonly \
+        --non-interactive --agree-tos --cert-name skynet-portal \
+        --email ${EMAIL_ADDRESS} --domains ${DOMAINS} ${CERTBOT_ARGS}
+
+    # Run a background sleep process that counts down given time
+    # Certbot docs advise running maintenance process every 12 hours
+    sleep 12h &
+    
+    # Await execution until sleep process is finished (it's a background process)
+    # Syntax explanation: ${!} expands to a pid of last ran process
+    wait ${!}
+done

docker/nginx/Dockerfile

@@ -18,5 +18,6 @@ CMD [ "bash", "-c", \
        ./mo < /etc/nginx/conf.d.templates/server.api.conf > /etc/nginx/conf.d/server.api.conf; \
        ./mo < /etc/nginx/conf.d.templates/server.hns.conf > /etc/nginx/conf.d/server.hns.conf; \
        ./mo < /etc/nginx/conf.d.templates/server.skylink.conf > /etc/nginx/conf.d/server.skylink.conf ; \
+       while :; do sleep 6h & wait ${!}; /usr/local/openresty/bin/openresty -s reload; done & \
        /usr/local/openresty/bin/openresty '-g daemon off;'" \
     ]

docker/nginx/conf.d.templates/server.account.conf

@@ -18,9 +18,6 @@
 			return "{{SERVER_DOMAIN}}"
 		}
 
-		ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.crt;
-		ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.key;
-
 		include /etc/nginx/conf.d/server/server.account;
 	}
 	{{/PORTAL_DOMAIN}}
@@ -37,9 +34,6 @@
 	server {
 		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
 
-		ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.crt;
-		ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.key;
-
 		set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
 		set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
 

docker/nginx/conf.d.templates/server.api.conf

@@ -17,9 +17,6 @@ server {
 		return "{{SERVER_DOMAIN}}"
 	}
 
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{PORTAL_DOMAIN}}/{{PORTAL_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{PORTAL_DOMAIN}}/{{PORTAL_DOMAIN}}.key;
-
 	include /etc/nginx/conf.d/server/server.api;
 }
 {{/PORTAL_DOMAIN}}
@@ -36,9 +33,6 @@ server {
 server {
 	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
 
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{SERVER_DOMAIN}}/{{SERVER_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{SERVER_DOMAIN}}/{{SERVER_DOMAIN}}.key;
-
 	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
 	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
 

docker/nginx/conf.d.templates/server.hns.conf

@@ -17,9 +17,6 @@ server {
 		return "{{SERVER_DOMAIN}}"
 	}
 
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{PORTAL_DOMAIN}}/wildcard_.hns.{{PORTAL_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{PORTAL_DOMAIN}}/wildcard_.hns.{{PORTAL_DOMAIN}}.key;
-    
 	proxy_set_header Host {{PORTAL_DOMAIN}};
 	include /etc/nginx/conf.d/server/server.hns;
 }
@@ -37,9 +34,6 @@ server {
 server {
 	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
 	
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{SERVER_DOMAIN}}/wildcard_.hns.{{SERVER_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.hns.{{SERVER_DOMAIN}}/wildcard_.hns.{{SERVER_DOMAIN}}.key;
-
 	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
 	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
     

docker/nginx/conf.d.templates/server.skylink.conf

@@ -17,9 +17,6 @@ server {
 		return "{{SERVER_DOMAIN}}"
 	}
 
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{PORTAL_DOMAIN}}/wildcard_.{{PORTAL_DOMAIN}}.key;
-	
 	include /etc/nginx/conf.d/server/server.skylink;
 }
 {{/PORTAL_DOMAIN}}
@@ -39,9 +36,6 @@ server {
 	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
 	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
 	
-	ssl_certificate     /data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.crt;
-	ssl_certificate_key	/data/caddy/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.{{SERVER_DOMAIN}}/wildcard_.{{SERVER_DOMAIN}}.key;
-	
 	include /etc/nginx/conf.d/server/server.skylink;
 	
 	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }

docker/nginx/conf.d/include/ssl-settings

@@ -1,7 +1,10 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
 
+ssl_certificate /etc/letsencrypt/live/skynet-portal/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/skynet-portal/privkey.pem;
+
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
@@ -11,3 +14,13 @@ ssl_dhparam /etc/nginx/conf.d/dhparam.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /etc/letsencrypt/live/skynet-portal/chain.pem;