diff --git a/Dockerfile b/Dockerfile
index ccd1796..9fc9599 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,8 @@
-FROM golang:alpine as builder
-
-RUN apk --no-cache add git
-RUN go get -v -u github.com/xenolf/lego
-
-FROM registry.gitlab.com/thallian/docker-confd-env:master
-
-COPY --from=builder /go/bin/lego /bin/lego
+FROM registry.gitlab.com/thallian/docker-confd-env:lego
 ENV PGDATA /var/lib/postgresql/data
+ENV CERT_HOME /var/lib/postgresql
+ENV CERT_USER postgres
 RUN apk add --no-cache postgresql postgresql-contrib ca-certificates
diff --git a/README.md b/README.md
index 3a20277..e2b8e33 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,9 @@ tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
 [lego](https://github.com/xenolf/lego).
+Take a look at the [base image](https://gitlab.com/thallian/docker-confd-env/tree/lego)
+for the certificate configuration.
+
 # Volumes
 - `/var/lib/postgresql/data`
 - `/var/lib/postgresql/.lego`: certificates directory
@@ -11,19 +14,5 @@ tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
 Password for the postgre admin user.
-## POSTGRES_CA
-- default: "https://acme-v01.api.letsencrypt.org/directory"
-
-Which Acme Endpoint to use.
-
-## POSTGRES_ACME_EMAIL
-Email to use in the acme account.
-
-## POSTGRES_DOMAIN
-The domain the certificate uses.
-
-## POSTGRES_DNS_PROVIDER
-One of the list here: https://github.com/xenolf/lego/tree/master/providers/dns
-
 # Ports
 - 5432
diff --git a/rootfs/bin/concat-sans b/rootfs/bin/concat-sans
deleted file mode 100755
index 776ccec..0000000
--- a/rootfs/bin/concat-sans
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-SAN_DOMAINS=""
-
-export IFS=";"
-for SAN in ${POSTGRES_SAN}
-do
- SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
-done
-
-echo ${SAN_DOMAINS}
diff --git a/rootfs/bin/renew-certificates b/rootfs/bin/renew-certificates
deleted file mode 100755
index 9493f1d..0000000
--- a/rootfs/bin/renew-certificates
+++ /dev/null
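Review bot: `FROM registry.gitlab.com/thallian/docker-confd-env:lego` now sources the ACME client and the whole certificate workflow from a mutable tag with no digest, so rebuilds are not reproducible and a changed base image silently changes the code that obtains and stores this server's TLS key material; the previous `:master` had the same weakness, but at least the lego build step was visible in this file. Pin the base by digest, `FROM registry.gitlab.com/thallian/docker-confd-env:lego@sha256:<digest-of-reviewed-image>` (placeholder), and bump it deliberately when the base changes. The new `ENV CERT_HOME /var/lib/postgresql` and `ENV CERT_USER postgres` lines use the legacy space-separated form; prefer `ENV CERT_HOME=/var/lib/postgresql` and `ENV CERT_USER=postgres`, and a one-line comment saying these are read by the base image's certificate setup (as the README change suggests) would spare the next reader a trip to the other repository. The unpinned `apk add` on the context line is pre-existing and not part of this change.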
@@ -1,21 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-cd /var/lib/postgresql
-
-SAN_DOMAINS=$(/bin/concat-sans)
-
-OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
-
-lego \
- --accept-tos \
- --server="${POSTGRES_CA}" \
- --email="${POSTGRES_ACME_EMAIL}" \
- --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
- --dns="${POSTGRES_DNS_PROVIDER}" \
- renew --days 30
-
-NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
-
-if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
- kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
-fi
diff --git a/rootfs/bin/restart-services b/rootfs/bin/restart-services
new file mode 100644
index 0000000..49f7158
--- /dev/null
+++ b/rootfs/bin/restart-services
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
diff --git a/rootfs/etc/cont-init.d/02-certificates b/rootfs/etc/cont-init.d/02-certificates
deleted file mode 100644
index 48bef67..0000000
--- a/rootfs/etc/cont-init.d/02-certificates
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-cd /var/lib/postgresql
-
-SAN_DOMAINS=$(/bin/concat-sans)
-
-if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
- chown -R postgres /var/lib/postgresql/.lego
- s6-setuidgid postgres lego \
- --accept-tos \
- --server="${POSTGRES_CA}" \
- --email="${POSTGRES_ACME_EMAIL}" \
- --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
- --dns="${POSTGRES_DNS_PROVIDER}" \
- run
-else
- s6-setuidgid postgres lego \
- --accept-tos \
- --server="${POSTGRES_CA}" \
- --email="${POSTGRES_ACME_EMAIL}" \
- --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
- --dns="${POSTGRES_DNS_PROVIDER}" \
- renew --days 30
-fi
diff --git a/rootfs/var/spool/cron/crontab/postgres b/rootfs/var/spool/cron/crontab/postgres
deleted file mode 100644
index 0377661..0000000
--- a/rootfs/var/spool/cron/crontab/postgres
+++ /dev/null
@@ -1 +0,0 @@
-0 3 * * * /bin/renew-certificates
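Review bot: `kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)` in the new restart-services script runs with no guard: if `PGDATA` is unset or the pid file is absent (server not started yet, or an empty data directory), the substitution is empty and `kill` fails with a usage error, and a stale pid file would signal whatever process currently holds that pid. Quote the expansion and check the file first, e.g. `PIDFILE="${PGDATA:?PGDATA must be set}/postmaster.pid"`, `[ -r "$PIDFILE" ] || exit 0`, `kill -s TERM "$(head -n 1 "$PIDFILE")"`. The file is added with mode 100644 while the `/bin` scripts it replaces were 100755, so if the base image executes it directly (which I infer from the name and location) it may need the executable bit. Since SIGTERM requests a smart shutdown from the postmaster rather than a reload, a SIGHUP may be enough to pick up renewed certificates on recent PostgreSQL versions — worth confirming against the version the `apk add postgresql` line installs.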