
5 Commits

2452650b38 Correct detection of missing APPRISE_URL
All checks were successful
Test Pull Request / Build Image (pull_request) Successful in 6m8s
Test Pull Request / Notify (pull_request) Successful in 3s
2024-05-30 20:58:57 +00:00
8c4314e311 Move renewal function to its own file 2024-05-30 20:58:57 +00:00
c16a19d965 Add new env vars to readme 2024-05-30 20:58:57 +00:00
ff11414fa0 Add support for alerting on success or failure of renewal
Installs apprise and allows config of alerting for successful or failed renewals. Currently only supports renewals, not initial issuing. Not necessarily a problem as I'd hope you'd be watching the logs on first run.
I don't love how I create /config/.renew-list.sh. I should readdress this somehow
2024-05-30 20:58:57 +00:00
1dce5880f3 Move to Feature Branch Workflow [skip ci] (#23)
Change branch method for [Feature Branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) workflow. Gitflow workflow is overkill for my needs.

Reviewed-on: #23
Co-authored-by: MrMeeb <charles.macdonald@me.com>
Co-committed-by: MrMeeb <charles.macdonald@me.com>
2024-05-30 20:55:47 +00:00
8 changed files with 81 additions and 121 deletions


@ -1,88 +0,0 @@
name: Build Image
on:
push:
branches:
- 'develop'
env:
TEST_TAG: mrmeeb/certbot-cron:test
FULL_TAG: git.mrmeeb.stream/mrmeeb/certbot-cron:develop
jobs:
"Validate Image":
runs-on: [ubuntu-docker-latest, linux/amd64]
steps:
- name: Build locally
uses: docker/build-push-action@v5
with:
load: true
tags: ${{ env.TEST_TAG }}
provenance: false
- name: Test certificate issuing
id: test
run: |
# First create a volume
docker volume create ${{ gitea.sha }} && \
# Then issue a certificate
docker run --rm -v ${{ gitea.sha }}:/config -e STAGING=true -e EMAIL=${{ secrets.EMAIL }} -e DOMAINS=${{ gitea.sha }}.mrmeeb.stream -e PLUGIN=cloudflare -e CLOUDFLARE_TOKEN=${{ secrets.CLOUDFLARE_TOKEN }} -e ONE_SHOT=true -e GENERATE_DHPARAM=false ${{ env.TEST_TAG }} && \
# Then revoke it again
docker run --rm --entrypoint "/usr/bin/certbot" -v ${{ gitea.sha }}:/config ${{ env.TEST_TAG }} revoke --non-interactive --agree-tos --email ${{ secrets.EMAIL }} --staging --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --cert-path /config/letsencrypt/live/${{ gitea.sha }}.mrmeeb.stream/fullchain.pem
- name: Tidy up
if: always()
run: |
echo "Removing docker volume ${{ gitea.sha }}" && \
docker volume rm ${{ gitea.sha }}
- name: Test Failure
uses: rjstone/discord-webhook-notify@v1
if: failure()
with:
severity: error
details: Test Failed!
webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
username: Gitea
avatarUrl: ${{ vars.RUNNER_ICON_URL }}
"Publish Image":
runs-on: [ubuntu-docker-latest, linux/amd64]
needs: ["Validate Image"]
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Gitea Container Registry
uses: docker/login-action@v3
with:
registry: git.mrmeeb.stream
username: ${{ env.GITHUB_ACTOR }}
password: ${{ secrets.GTCR_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ env.FULL_TAG }}
provenance: false
- name: Build Failure
uses: rjstone/discord-webhook-notify@v1
if: failure()
with:
severity: error
details: Build Failed!
webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
username: Gitea
avatarUrl: ${{ vars.RUNNER_ICON_URL }}
"Notify":
runs-on: [ubuntu-docker-latest, linux/amd64]
needs: ["Validate Image", "Publish Image"]
steps:
- name: Notify of success
uses: rjstone/discord-webhook-notify@v1
if: success()
with:
severity: info
details: Build succeeded!
webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
username: Gitea
avatarUrl: ${{ vars.RUNNER_ICON_URL }}


@ -18,6 +18,9 @@ ENV TZ=UTC
ENV GENERATE_DHPARAM=true ENV GENERATE_DHPARAM=true
ENV INTERVAL="0 */6 * * *" ENV INTERVAL="0 */6 * * *"
ENV ONE_SHOT=false ENV ONE_SHOT=false
ENV APPRISE_URL=
ENV NOTIFY_ON_FAILURE=false
ENV NOTIFY_ON_SUCCESS=false
# Single domain # Single domain
ENV DOMAINS= ENV DOMAINS=
@ -62,15 +65,13 @@ RUN apk add --no-cache --virtual .deps gcc python3-dev libc-dev libffi-dev && \
/app/certbot/bin/pip install wheel setuptools && \ /app/certbot/bin/pip install wheel setuptools && \
/app/certbot/bin/pip install "Cython<3.0" pyyaml --no-build-isolation && \ /app/certbot/bin/pip install "Cython<3.0" pyyaml --no-build-isolation && \
/app/certbot/bin/pip install -r /app/certbot/requirements.txt && \ /app/certbot/bin/pip install -r /app/certbot/requirements.txt && \
ln -s /app/certbot/bin/certbot /usr/bin/certbot &&\ ln -s /app/certbot/bin/certbot /usr/bin/certbot && \
ln -s /app/certbot/bin/apprise /usr/bin/apprise && \
apk del .deps apk del .deps
COPY root / COPY root /
RUN chmod +x /container-init.sh && \ RUN chmod +x /container-init.sh /certbot-prepare.sh /check-one-shot.sh /renew-function.sh && \
chmod +x /certbot-prepare.sh && \
chmod +x /certbot-renew.sh && \
chmod +x /check-one-shot.sh && \
chown -R ${PUID}:${PGID} /app /config chown -R ${PUID}:${PGID} /app /config
ENTRYPOINT [ "/init" ] ENTRYPOINT [ "/init" ]


@ -4,10 +4,9 @@ Dockerised Certbot that utilises cron to schedule creating and renewing SSL cert
## Tags ## Tags
|Tag |Description| I use the [Feature Branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) workflow. The `latest` tag contains all of the latest changes that have been merged from individual feature branches. Feature branches are squashed into `master`.
|-------|-----------|
|latest |Latest image built from the main branch. Usually coincides with a tagged release.| Pinned releases are created by creating a tag off `master` to capture the repo in a particular state. They are recommended for stability.
|develop|Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of `develop` are removed after 14 days.|
## Running ## Running
@ -54,6 +53,9 @@ Core options to the container
| GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys | | GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys |
| INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax | | INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
| CERT_COUNT | 1 | How many certificates certbot will try to issue. [Details here](https://git.mrmeeb.stream/MrMeeb/certbot-cron-docker#multiple-certificates) | | CERT_COUNT | 1 | How many certificates certbot will try to issue. [Details here](https://git.mrmeeb.stream/MrMeeb/certbot-cron-docker#multiple-certificates) |
| APPRISE_URL | None | URL for Apprise notifications. [Syntax](https://github.com/caronc/apprise?tab=readme-ov-file#supported-notifications)
| NOTIFY_ON_SUCCESS | false | Notify on a successful renewal attempt. Note that this isn't just when the cert is renewed, but on every renewal attempt. |
| NOTIFY_ON_FAILURE | false | Notify on a failed renewal attempt.
### Certificate Options ### Certificate Options


@ -1,4 +1,5 @@
# For pinning Certbot packages to then be parsed by Renovate # For pinning Python packages to then be parsed by Renovate
certbot ==2.10.0 certbot ==2.10.0
certbot-dns-cloudflare ==2.10.0 certbot-dns-cloudflare ==2.10.0
apprise ==1.8.0


@ -46,9 +46,22 @@ function better_exit {
} }
# Check APPRISE_URL is set if either NOTIFY_ON_SUCCESS or NOTIFY_ON_FAILURE are set
if [ "${NOTIFY_ON_SUCCESS}" = "true" ] || [ "${NOTIFY_ON_FAILURE}" = "true" ] && [ -z "${APPRISE_URL}" ]; then
echo "You have notifications enabled but have not set APPRISE_URL. Please set APPRISE_URL and restart the container."
better_exit
fi
# Cleanup renew list and create it fresh, ready for commands to be run and added # Cleanup renew list and create it fresh, ready for commands to be run and added
echo "#!/command/with-contenv bash" > /config/.renew-list.sh echo "#!/command/with-contenv bash
echo "" >> /config/.renew-list.sh
date
echo \"Attempting to renew certificates\"
source /renew-function.sh
" > /config/.renew-list.sh
chmod +x /config/.renew-list.sh
# Create original config file to track changes to environmental variables # Create original config file to track changes to environmental variables
if [ ! -f /config/.donoteditthisfile ] if [ ! -f /config/.donoteditthisfile ]
@ -306,14 +319,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY" echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ $STAGING = false ] elif [ $STAGING = false ]
then then
echo "Using production endpoint" echo "Using production endpoint"
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
echo "Unrecognised option for STAGING variable - check your configuration" echo "Unrecognised option for STAGING variable - check your configuration"
@ -332,14 +345,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY" echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ $STAGING = false ] elif [ $STAGING = false ]
then then
echo "Using production endpoint" echo "Using production endpoint"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
echo "Unrecognised option for STAGING variable - check your configuration" echo "Unrecognised option for STAGING variable - check your configuration"
@ -358,14 +371,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY" echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ $STAGING = false ] elif [ $STAGING = false ]
then then
echo "Using production endpoint" echo "Using production endpoint"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
# Add to renewal list # Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
echo "Unrecognised option for STAGING variable - check your configuration" echo "Unrecognised option for STAGING variable - check your configuration"
@ -631,7 +644,7 @@ echo \
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh echo "renew \"${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ] elif [ ${STAGING_MULTI} = false ]
@ -640,7 +653,7 @@ echo \
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
@ -661,7 +674,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ] elif [ ${STAGING_MULTI} = false ]
@ -670,7 +683,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
@ -691,7 +704,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ] elif [ ${STAGING_MULTI} = false ]
@ -700,7 +713,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
# Add to renewal list # Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete" echo "Creation/renewal attempt complete"
else else
@ -754,6 +767,10 @@ else
echo "CERT_COUNT varaible not recognised. It needs to be a value of 1 or greater." echo "CERT_COUNT varaible not recognised. It needs to be a value of 1 or greater."
fi fi
# Finish /config/.renew-list.sh now all certs have been added
echo "
echo \"Renewal attempts complete\"" >> /config/.renew-list.sh
if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ] if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
then then
echo "" echo ""
@ -769,7 +786,7 @@ if [ $ONE_SHOT == "true" ]; then
elif [ $ONE_SHOT == "false" ]; then elif [ $ONE_SHOT == "false" ]; then
echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt echo "$INTERVAL /config/.renew-list.sh >> /config/logs/renew.log" > /config/.crontab.txt
echo "" echo ""
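Review bot: The multi-certificate Cloudflare staging entry (hunk at -631,7 +644,7) is written as `renew \"${BASE_COMMAND[@]} --dns-cloudflare … --staging\"` without the `REQUESTS_CA_BUNDLE=` prefix that every other `renew` entry on this page carries. The new renew() in root/renew-function.sh splits its argument with `sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/…/'`, and sed returns the line unchanged when the pattern does not match, so CUSTOM_CA_PATH and CERTBOT_COMMAND would both become the whole command and the string piped to bash is malformed. Give the entry the same prefix as the production entry below it, i.e. start it with `echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare …`; whether `$CUSTOM_CA_PATH` or `${CUSTOM_CA_PATH_MULTI}` is the right variable inside this loop should be checked, since the neighbouring entries use both. The loop body these lines belong to starts and ends outside the hunk.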


@ -1,6 +0,0 @@
#!/command/with-contenv bash
# shellcheck shell=bash
echo ''
date
echo "Attempting to renew certificates"
bash /config/.renew-list.sh


@ -31,7 +31,13 @@ TZ=${TZ}
ONE_SHOT=${ONE_SHOT} ONE_SHOT=${ONE_SHOT}
INTERVAL=${INTERVAL} INTERVAL=${INTERVAL}
GENERATE_DHPARAM=${GENERATE_DHPARAM} GENERATE_DHPARAM=${GENERATE_DHPARAM}
CERT_COUNT=${CERT_COUNT}" CERT_COUNT=${CERT_COUNT}
NOTIFY_ON_SUCCESS=${NOTIFY_ON_SUCCESS}
NOTIFY_ON_FAILURE=${NOTIFY_ON_FAILURE}"
if [ ! -z ${APPRISE_URL} ]; then
echo \
"APPRISE_URL=[hidden]"
fi
## Send extra detail to logs if single certificate config ## Send extra detail to logs if single certificate config
if [ ${CERT_COUNT} == 1 ]; then if [ ${CERT_COUNT} == 1 ]; then
echo \ echo \
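Review bot: The new guard `if [ ! -z ${APPRISE_URL} ]; then` expands the URL unquoted, so a value containing whitespace makes `[` fail with "too many arguments" and the `APPRISE_URL=[hidden]` line is silently skipped; the empty case only works because `[ ! -z ]` happens to evaluate to false. Quote it and use the positive test: `if [ -n "${APPRISE_URL}" ]; then`. Masking the value is the right choice because Apprise URLs normally embed service tokens; a one-line comment such as `# Never log APPRISE_URL itself: it usually contains credentials` would keep a later edit from printing it. The surrounding echo block starts and ends outside the hunk.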

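--- a/root/renew-function.sh
+++ b/root/renew-function.sh
@@ -0,0 +1,27 @@
+function renew() {
+#Variables:
+#$1 = Certbot command
+RENEWAL_DOMAINS=$(echo $1 | sed -r 's/.*\s-d\s(\S*).*/\1/')
+CUSTOM_CA_PATH=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\1/')
+CERTBOT_COMMAND=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\2/')
+echo "Renewing certificate for ${RENEWAL_DOMAINS}"
+echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH} ${CERTBOT_COMMAND}" | bash
+if [ $? = 0 ]; then
+echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} succeeded"
+if [ "${NOTIFY_ON_SUCCESS}" = "true" ]; then
+apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} succeeded" ${APPRISE_URL}
+fi
+else
+echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} failed"
+if [ "${NOTIFY_ON_FAILURE}" = "true" ]; then
+apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} failed" ${APPRISE_URL}
+fi
+fi
+}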
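Review bot: renew() takes the whole certbot invocation as one string, re-parses it with sed and runs it through `echo "REQUESTS_CA_BUNDLE=… …" | bash`, so every value interpolated into the entry when /config/.renew-list.sh was generated is evaluated by a shell a second time; a quote, `$` or backtick in one of those environment-derived values is executed rather than passed as data. `$1` and `${APPRISE_URL}` are also expanded unquoted, which exposes them to word splitting and globbing (`?` and `*` are legal in URLs). As a minimum, quote the expansions, e.g. `RENEWAL_DOMAINS=$(printf '%s\n' "$1" | sed -r 's/.*\s-d\s(\S*).*/\1/')` and `apprise -b "…" "${APPRISE_URL}"`; if several URLs in one variable are meant to be supported, split them into an array explicitly instead of relying on the unquoted expansion. The sturdier design is for the list to call renew with the CA path and each certbot argument as separate words and run `env REQUESTS_CA_BUNDLE="$ca" "$@"` with no intermediate shell. The three working variables should also be declared `local` so they do not overwrite a global CUSTOM_CA_PATH in the sourcing script.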