use lego from baseimage

Dockerfile

@@ -1,13 +1,8 @@
-FROM golang:alpine as builder
-
-RUN apk --no-cache add git
-RUN go get -v -u github.com/xenolf/lego
-
-FROM registry.gitlab.com/thallian/docker-confd-env:master
-
-COPY --from=builder /go/bin/lego /bin/lego
+FROM registry.gitlab.com/thallian/docker-confd-env:lego
 
 ENV PGDATA /var/lib/postgresql/data
+ENV CERT_HOME /var/lib/postgresql
+ENV CERT_USER postgres
 
 RUN apk add --no-cache postgresql postgresql-contrib ca-certificates
 

README.md

@@ -2,6 +2,9 @@
 tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
 [lego](https://github.com/xenolf/lego). 
 
+Take a look at the [base image](https://gitlab.com/thallian/docker-confd-env/tree/lego)
+for the certificate configuration.
+
 # Volumes
 - `/var/lib/postgresql/data`
 - `/var/lib/postgresql/.lego`: certificates directory
@@ -11,19 +14,5 @@ tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
 
 Password for the postgre admin user.
 
-## POSTGRES_CA
-- default: "https://acme-v01.api.letsencrypt.org/directory"
-
-Which Acme Endpoint to use.
-
-## POSTGRES_ACME_EMAIL
-Email to use in the acme account.
-
-## POSTGRES_DOMAIN
-The domain the certificate uses.
-
-## POSTGRES_DNS_PROVIDER
-One of the list here: https://github.com/xenolf/lego/tree/master/providers/dns
-
 # Ports
 - 5432

rootfs/bin/concat-sans

@@ -1,11 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-SAN_DOMAINS=""
-
-export IFS=";"
-for SAN in ${POSTGRES_SAN}
-do
-    SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
-done
-
-echo ${SAN_DOMAINS}

rootfs/bin/renew-certificates

@@ -1,21 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-cd /var/lib/postgresql
-
-SAN_DOMAINS=$(/bin/concat-sans)
-
-OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
-
-lego \
-        --accept-tos \
-        --server="${POSTGRES_CA}" \
-        --email="${POSTGRES_ACME_EMAIL}" \
-        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
-        --dns="${POSTGRES_DNS_PROVIDER}" \
-        renew --days 30
-
-NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
-
-if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
-    kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
-fi

rootfs/bin/restart-services

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)

rootfs/etc/cont-init.d/02-certificates

@@ -1,24 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-cd /var/lib/postgresql
-
-SAN_DOMAINS=$(/bin/concat-sans)
-
-if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
-    chown -R postgres /var/lib/postgresql/.lego
-    s6-setuidgid postgres lego \
-        --accept-tos \
-        --server="${POSTGRES_CA}" \
-        --email="${POSTGRES_ACME_EMAIL}" \
-        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
-        --dns="${POSTGRES_DNS_PROVIDER}" \
-        run
-else
-    s6-setuidgid postgres lego \
-        --accept-tos \
-        --server="${POSTGRES_CA}" \
-        --email="${POSTGRES_ACME_EMAIL}" \
-        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
-        --dns="${POSTGRES_DNS_PROVIDER}" \
-        renew --days 30
-fi

rootfs/var/spool/cron/crontab/postgres

@@ -1 +0,0 @@
-0  3  *  *  * /bin/renew-certificates