Update dependency go to v1.24.2

Reviewed-on: #49

.drone.yml

@@ -1,176 +0,0 @@
-kind: pipeline
-type: docker
-name: build-release-images
-trigger:
-  event:
-    exclude:
-    - pull_request
-  ref:
-    - refs/tags/**
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-
-- name: get-tags
-  image: docker:git
-  commands:
-    - git fetch --tags
-  depends_on:
-    - clone
-
-- name: make-tags
-  image: node
-  commands:
-    - echo -n "${DRONE_TAG}, latest" > .tags
-  depends_on:
-    - get-tags
-
-- name: build-gitea
-  image: thegeeklab/drone-docker-buildx
-  privileged: true
-  settings:
-    provenance: false
-    registry: git.mrmeeb.stream
-    username: 
-      from_secret: docker_username
-    password: 
-      from_secret: docker_password
-    repo: git.mrmeeb.stream/mrmeeb/certbot-cron
-    platforms:
-      - linux/arm64
-      - linux/amd64
-  depends_on:
-    - make-tags
-
-- name: release-gitea
-  image: goreleaser/goreleaser
-  environment:
-    GITEA_TOKEN:
-      from_secret: gitea_token
-  commands:
-    - goreleaser release -f .goreleaser-gitea.yaml
-  depends_on:
-    - build-gitea
-
-- name: notify
-  image: plugins/slack
-  when:
-    status:
-    - success
-    - failure
-  settings:
-    webhook: 
-      from_secret: slack_webhook
-  depends_on:
-    - release-gitea
-
----
-kind: pipeline
-type: docker
-name: build-main-images
-trigger:
-  event:
-    exclude:
-    - pull_request
-  ref:
-    - refs/heads/master
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-
-- name: make-tags
-  image: node
-  commands:
-    - echo -n "${DRONE_COMMIT_SHA:0:8}, latest" > .tags
-  when:
-    ref:
-      - refs/heads/master
-  depends_on:
-    - clone
-
-- name: build-gitea
-  image: thegeeklab/drone-docker-buildx
-  privileged: true
-  settings:
-    provenance: false
-    registry: git.mrmeeb.stream
-    username: 
-      from_secret: docker_username
-    password: 
-      from_secret: docker_password
-    repo: git.mrmeeb.stream/mrmeeb/certbot-cron
-    platforms:
-      - linux/arm64
-      - linux/amd64
-  depends_on:
-    - make-tags
-
-- name: notify
-  image: plugins/slack
-  when:
-    status:
-    - success
-    - failure
-  settings:
-    webhook: 
-      from_secret: slack_webhook
-  depends_on:
-    - build-gitea
-
----
-kind: pipeline
-type: docker
-name: build-develop-images
-trigger:
-  event:
-    exclude:
-    - pull_request
-  branch:
-    - develop
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-  # Set tags for develop branch - git commit SHA and 'develop'
-- name: make-tags
-  image: node
-  commands:
-    - echo -n "develop-${DRONE_COMMIT_SHA:0:8}, develop" > .tags
-   
-  # Build containers from develop branch
-- name: build-gitea
-  image: thegeeklab/drone-docker-buildx
-  privileged: true
-  settings:
-    provenance: false
-    registry: git.mrmeeb.stream
-    username: 
-      from_secret: docker_username
-    password: 
-      from_secret: docker_password
-    repo: git.mrmeeb.stream/mrmeeb/certbot-cron
-    platforms:
-      - linux/arm64
-      - linux/amd64
-  depends_on:
-    - make-tags
-
-- name: notify
-  image: plugins/slack
-  when:
-    status:
-    - success
-    - failure
-  settings:
-    webhook: 
-      from_secret: slack_webhook
-  depends_on:
-    - build-gitea

.gitea/workflows/build-main.yaml

@@ -0,0 +1,91 @@
+name: Build Image
+on:
+  push:
+    branches:
+      - 'master'
+
+env:
+  TEST_TAG: mrmeeb/certbot-cron:test
+  FULL_TAG: git.mrmeeb.stream/mrmeeb/certbot-cron:latest
+
+jobs:
+  "Validate Image":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build locally
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          provenance: false
+      - name: Test certificate issuing
+        id: test
+        run: |
+          # First create a volume
+          docker volume create ${{ gitea.sha }} && \
+          # Then issue a certificate
+          docker run --rm -v ${{ gitea.sha }}:/config -e STAGING=true -e EMAIL=${{ secrets.EMAIL }} -e DOMAINS=${{ gitea.sha }}.mrmeeb.stream -e PLUGIN=cloudflare -e CLOUDFLARE_TOKEN=${{ secrets.CLOUDFLARE_TOKEN }} -e ONE_SHOT=true -e GENERATE_DHPARAM=false ${{ env.TEST_TAG }} && \
+          # Then revoke it again
+          docker run --rm --entrypoint "/usr/bin/certbot" -v ${{ gitea.sha }}:/config ${{ env.TEST_TAG }} revoke --non-interactive --agree-tos --email ${{ secrets.EMAIL }} --staging --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --cert-path /config/letsencrypt/live/${{ gitea.sha }}.mrmeeb.stream/fullchain.pem          
+      - name: Tidy up
+        if: always()
+        run: |
+          echo "Removing docker volume ${{ gitea.sha }}" && \
+          docker volume rm ${{ gitea.sha }}          
+      - name: Test Failure
+        uses: rjstone/discord-webhook-notify@v1
+        if: failure()
+        with:
+          severity: error
+          details: Test Failed!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
+  
+  "Publish Image":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    needs: ["Validate Image"]
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.mrmeeb.stream
+          username: ${{ env.GITHUB_ACTOR }}
+          password: ${{ secrets.GTCR_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ env.FULL_TAG }}
+          provenance: false
+      - name: Build Failure
+        uses: rjstone/discord-webhook-notify@v1
+        if: failure()
+        with:
+          severity: error
+          details: Build Failed!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
+
+  "Notify":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    needs: ["Validate Image", "Publish Image"]
+    steps:
+      - name: Notify of success
+        uses: rjstone/discord-webhook-notify@v1
+        if: success()
+        with:
+          severity: info
+          details: Build succeeded!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}

.gitea/workflows/build-tagged-release.yaml

@@ -0,0 +1,80 @@
+name: Build Tagged Release Image
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  FULL_TAG: git.mrmeeb.stream/mrmeeb/certbot-cron
+
+jobs:
+  "Build Image":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.mrmeeb.stream
+          username: ${{ env.GITHUB_ACTOR }}
+          password: ${{ secrets.GTCR_TOKEN }}
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.FULL_TAG }}
+          tags: |
+            type=pep440,pattern={{version}}            
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          provenance: false
+      - name: Notify on failure
+        uses: rjstone/discord-webhook-notify@v1
+        if: failure()
+        with:
+          severity: error
+          details: Build failed!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
+  "Create Release":
+    runs-on: ubuntu-latest
+    needs: ["Build Image"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with: 
+          go-version: 1.24.2
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean -f .goreleaser-gitea.yaml
+        env:
+          GITEA_TOKEN: ${{ secrets.GORELEASER_TOKEN }}
+
+  "Notify":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    needs: ["Build Image", "Create Release"]
+    steps:
+      - name: Notify of success
+        uses: rjstone/discord-webhook-notify@v1
+        if: success()
+        with:
+          severity: info
+          details: Build succeeded!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}

.gitea/workflows/test-pr.yaml

@@ -0,0 +1,47 @@
+name: Test Pull Request
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'develop'
+
+env:
+  FULL_TAG: git.mrmeeb.stream/mrmeeb/certbot-cron:develop
+
+jobs:
+  "Build Image":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build
+        uses: docker/build-push-action@v5
+        with:
+          push: false
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ env.FULL_TAG }}
+          provenance: false
+      - name: Notify on failure
+        uses: rjstone/discord-webhook-notify@v1
+        if: failure()
+        with:
+          severity: error
+          details: Build failed!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
+  "Notify":
+    runs-on: [ubuntu-docker-latest, linux/amd64]
+    needs: ["Build Image"]
+    steps:
+      - name: Notify of success
+        uses: rjstone/discord-webhook-notify@v1
+        if: success()
+        with:
+          severity: info
+          details: Build succeeded!
+          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
+          username: Gitea
+          avatarUrl: ${{ vars.RUNNER_ICON_URL }}

.goreleaser-gitea.yaml

@@ -1,14 +1,21 @@
 
 dist: dist-gitea
 
-build:
-  skip: true
+builds:
+- skip: true
 
 archives:
 - format: binary
 
 release:
   draft: true
+
+  header: |
+    # Certbot Cron v{{ .Tag }}
+
+    ## Docker Image:
+    `git.mrmeeb.stream/mrmeeb/certbot-cron:{{ .Tag }}`
+
   gitea:
     owner: MrMeeb
     name: certbot-cron-docker

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:latest as base
+FROM alpine:3.21.3 AS base
 ARG TARGETARCH
 
 FROM base AS base-amd64
@@ -9,7 +9,7 @@ ENV S6_OVERLAY_ARCH=aarch64
 
 FROM base-${TARGETARCH}${TARGETVARIANT}
 
-ARG S6_OVERLAY_VERSION=3.1.5.0
+ARG S6_OVERLAY_VERSION="3.2.0.2"
 
 # Core variables
 ENV PUID=1000
@@ -18,6 +18,9 @@ ENV TZ=UTC
 ENV GENERATE_DHPARAM=true
 ENV INTERVAL="0 */6 * * *"
 ENV ONE_SHOT=false
+ENV APPRISE_URL=
+ENV NOTIFY_ON_FAILURE=false
+ENV NOTIFY_ON_SUCCESS=false
 
 # Single domain
 ENV DOMAINS=
@@ -37,7 +40,7 @@ ENV CLOUDFLARE_TOKEN=
 ENV CERT_COUNT=1
 
 #Get required packages
-RUN apk update && apk add curl bash python3 py3-virtualenv procps tzdata nano shadow xz busybox-suid openssl
+RUN apk update && apk add curl bash python3 py3-virtualenv procps tzdata nano shadow xz busybox-suid openssl logrotate
 
 #Make folders
 RUN mkdir /config && \
@@ -57,19 +60,18 @@ RUN python3 -m venv /app/certbot/ && /app/certbot/bin/pip install --upgrade pip
 
 #Get required packages for building, build, then cleanup
 #Added additional pip steps to fix cython 3.0.0 issue - https://github.com/yaml/pyyaml/issues/601
+COPY requirements.txt /app/certbot/requirements.txt
 RUN apk add --no-cache --virtual .deps gcc python3-dev libc-dev libffi-dev && \
-    /app/certbot/bin/pip install wheel && \
+    /app/certbot/bin/pip install wheel setuptools && \
     /app/certbot/bin/pip install "Cython<3.0" pyyaml --no-build-isolation && \
-    /app/certbot/bin/pip install certbot certbot-dns-cloudflare && \
-    ln -s /app/certbot/bin/certbot /usr/bin/certbot &&\
+    /app/certbot/bin/pip install -r /app/certbot/requirements.txt && \
+    ln -s /app/certbot/bin/certbot /usr/bin/certbot && \
+    ln -s /app/certbot/bin/apprise /usr/bin/apprise && \
     apk del .deps
 
 COPY root /
 
-RUN chmod +x /container-init.sh && \
-    chmod +x /certbot-prepare.sh && \
-    chmod +x /certbot-renew.sh && \
-    chmod +x /check-one-shot.sh && \
+RUN chmod +x /container-init.sh /certbot-prepare.sh /check-one-shot.sh /renew-function.sh && \
     chown -R ${PUID}:${PGID} /app /config
 
 ENTRYPOINT [ "/init" ]

README.md

@@ -1,15 +1,12 @@
 # Certbot Cron Docker
 
-![Drone (self-hosted) with branch](https://img.shields.io/drone/build/MrMeeb/certbot-cron-docker/master?label=latest&server=https%3A%2F%2Fdrone.mrmeeb.stream&style=for-the-badge) ![Drone (self-hosted) with branch](https://img.shields.io/drone/build/MrMeeb/certbot-cron-docker/develop?label=develop&server=https%3A%2F%2Fdrone.mrmeeb.stream&style=for-the-badge)
-
 Dockerised Certbot that utilises cron to schedule creating and renewing SSL certificates. Supports standalone, webroot or Cloudflare methods. Automatic renewal attempt happens every 6 hours by default.
 
 ## Tags
 
-|Tag    |Description|
-|-------|-----------|
-|latest |Latest image built from the main branch. Usually coincides with a tagged release.|
-|develop|Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of `develop` are removed after 14 days.|
+I use the [Feature Branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) workflow. The `latest` tag contains all of the latest changes that have been merged from individual feature branches. Feature branches are squashed into `master`.
+
+Pinned releases are created by creating a tag off `master` to capture the repo in a particular state. They are recommended for stability.
 
 ## Running
 
@@ -55,7 +52,10 @@ Core options to the container
 | ONE_SHOT | false | Whether container exits after first run of certbot, or starts cron-based auto-renewal |
 | GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys |
 | INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
-| CERT_COUNT | 1 | How many certificates certbot will try to issue (more than 1 not yet implemented) |
+| CERT_COUNT | 1 | How many certificates certbot will try to issue. [Details here](https://git.mrmeeb.stream/MrMeeb/certbot-cron-docker#multiple-certificates) |
+| APPRISE_URL | None | URL for Apprise notifications. [Syntax](https://github.com/caronc/apprise?tab=readme-ov-file#supported-notifications)
+| NOTIFY_ON_SUCCESS | false | Notify on a successful renewal attempt. Note that this isn't just when the cert is renewed, but on every renewal attempt. |
+| NOTIFY_ON_FAILURE | false | Notify on a failed renewal attempt.
 
 ### Certificate Options
 

renovate.json

@@ -0,0 +1,29 @@
+{
+    "extends": [":automergeMinor", ":automergePr", ":automergeRequireAllStatusChecks", ":dependencyDashboard", ":disableRateLimiting", ":rebaseStalePrs"],
+    "baseBranches": ["master"],
+    "major": {
+        "dependencyDashboardApproval": true
+    },
+    "minimumReleaseAge": "7 days",
+    "customManagers": [
+        {
+        "customType": "regex",
+        "fileMatch": ["Dockerfile"],
+        "matchStrings": ["ARG S6_OVERLAY_VERSION=[\"](?<currentValue>.*)[\"]"],
+        "datasourceTemplate": "github-releases",
+        "depNameTemplate": "just-containers/s6-overlay"
+        }
+    ],
+    "packageRules": [
+        {
+        "matchDatasources": ["github-releases"],
+        "matchDepNames": ["just-containers/s6-overlay"],
+        "extractVersion": "^v(?<version>.*)$",
+        "versioning": "loose"
+        },
+        {
+        "matchPackagePatterns": ["certbot"],
+        "groupName": "certbot"
+        }
+    ]
+}

requirements.txt

@@ -0,0 +1,5 @@
+# For pinning Python packages to then be parsed by Renovate
+
+certbot ==3.3.0
+certbot-dns-cloudflare ==3.3.0
+apprise ==1.9.3

root/certbot-prepare.sh

@@ -46,9 +46,22 @@ function better_exit {
 
 }
 
+# Check APPRISE_URL is set if either NOTIFY_ON_SUCCESS or NOTIFY_ON_FAILURE are set
+if [ "${NOTIFY_ON_SUCCESS}" = "true" ] || [ "${NOTIFY_ON_FAILURE}" = "true" ] && [ -z "${APPRISE_URL}" ]; then
+
+    echo "You have notifications enabled but have not set APPRISE_URL. Please set APPRISE_URL and restart the container."
+    better_exit
+
+fi
+
 # Cleanup renew list and create it fresh, ready for commands to be run and added
-echo "#!/command/with-contenv bash" > /config/.renew-list.sh
-echo "" >> /config/.renew-list.sh
+echo "#!/command/with-contenv bash
+
+date
+echo \"Attempting to renew certificates\"
+source /renew-function.sh
+" > /config/.renew-list.sh
+chmod +x /config/.renew-list.sh
 
 # Create original config file to track changes to environmental variables
 if [ ! -f /config/.donoteditthisfile ]
@@ -306,14 +319,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -332,14 +345,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -358,14 +371,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -631,7 +644,7 @@ echo \
                 ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
+                echo "renew \"${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -640,7 +653,7 @@ echo \
                 ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -661,7 +674,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -670,7 +683,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -691,7 +704,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -700,7 +713,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -754,6 +767,10 @@ else
     echo "CERT_COUNT varaible not recognised. It needs to be a value of 1 or greater."
 fi
 
+# Finish /config/.renew-list.sh now all certs have been added
+echo "
+echo \"Renewal attempts complete\"" >> /config/.renew-list.sh
+
 if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
 then
     echo ""
@@ -769,7 +786,8 @@ if [ $ONE_SHOT == "true" ]; then
 
 elif [ $ONE_SHOT == "false" ]; then
 
-    echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt
+    echo "$INTERVAL /config/.renew-list.sh >> /config/logs/renew.log
+    0 0 * * * logrotate -v --state /config/logs/logrotate.status /logrotate.conf" > /config/.crontab.txt
 
     echo ""
 

root/certbot-renew.sh

@@ -1,6 +0,0 @@
-#!/command/with-contenv bash
-# shellcheck shell=bash
-echo ''
-date
-echo "Attempting to renew certificates"
-bash /config/.renew-list.sh

root/check-one-shot.sh

@@ -4,6 +4,7 @@
 if [ $ONE_SHOT == "true" ]; then
 
     # Cleanly kill container by sending kill signal to supervisor process
-    kill 1
+    echo 0 > /run/s6-linux-init-container-results/exitcode
+    /run/s6/basedir/bin/halt
 
 fi

root/container-init.sh

@@ -31,7 +31,13 @@ TZ=${TZ}
 ONE_SHOT=${ONE_SHOT}
 INTERVAL=${INTERVAL}
 GENERATE_DHPARAM=${GENERATE_DHPARAM}
-CERT_COUNT=${CERT_COUNT}"
+CERT_COUNT=${CERT_COUNT}
+NOTIFY_ON_SUCCESS=${NOTIFY_ON_SUCCESS}
+NOTIFY_ON_FAILURE=${NOTIFY_ON_FAILURE}"
+if [ ! -z ${APPRISE_URL} ]; then
+echo \
+"APPRISE_URL=[hidden]"
+fi
 ## Send extra detail to logs if single certificate config
 if [ ${CERT_COUNT} == 1 ]; then
 echo \

root/etc/s6-overlay/s6-rc.d/cron/finish

@@ -1 +1,9 @@
-echo "$e" > /run/s6-linux-init-container-results/exitcode
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+if [ $ONE_SHOT == "false" ]; then
+
+    # Export exit code if not a ONE_SHOT
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+
+fi

root/etc/s6-overlay/s6-rc.d/logs/finish

@@ -1 +1,9 @@
-echo "$e" > /run/s6-linux-init-container-results/exitcode
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+if [ $ONE_SHOT == "false" ]; then
+
+    # Export exit code if not a ONE_SHOT
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+
+fi

root/logrotate.conf

@@ -0,0 +1,15 @@
+missingok
+
+/config/logs/letsencrypt.log {
+    daily
+    rotate 10
+    postrotate
+        find /config/logs -type f -regex '.*letsencrypt\.log\.\(.[2-9]\|[2-9].\|[1-9][0-9]\{2,\}\).*' -delete
+    endscript
+}
+
+/config/logs/renew.log {
+    rotate 5
+    size 100k
+    compress
+}

root/renew-function.sh

@@ -0,0 +1,27 @@
+function renew() {
+
+    #Variables:
+
+    #$1 = Certbot command
+
+    RENEWAL_DOMAINS=$(echo $1 | sed -r 's/.*\s-d\s(\S*).*/\1/')
+    CUSTOM_CA_PATH=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\1/')
+    CERTBOT_COMMAND=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\2/')
+
+    echo "Renewing certificate for ${RENEWAL_DOMAINS}"
+
+    echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH} ${CERTBOT_COMMAND}" | bash
+
+    if [ $? = 0 ]; then
+        echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} succeeded"
+        if [ "${NOTIFY_ON_SUCCESS}" = "true" ]; then
+            apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} succeeded" ${APPRISE_URL}
+        fi
+    else
+        echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} failed"
+        if [ "${NOTIFY_ON_FAILURE}" = "true" ]; then
+            apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} failed" ${APPRISE_URL}
+        fi
+    fi
+
+}