From e4f697c2f44c64a92fdff947b0812239c0c8790b Mon Sep 17 00:00:00 2001
From: Luke 10X
Date: Mon, 20 Mar 2023 19:57:33 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=8E=89=20Awesome=20Nginx=20Certbot=20Comp?=
 =?UTF-8?q?ose!=20with=20some=20improvements?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- domain names are figured out from /etc/nginx/conf.d/*.conf filenames;
- top-level directories in repo represent Compose services (for autocomplete);
- static websites will be contained in a mounted directory /var/www/websites.
---
 .gitignore | 2 +-
 data/nginx/app.conf | 31 -------------------------------
 docker-compose.yml | 11 ++++++-----
 init-letsencrypt.sh | 23 ++++++++++++++++-------
 nginx/conf.d/.gitignore | 2 ++
 nginx/www/.gitignore | 2 ++
 6 files changed, 27 insertions(+), 44 deletions(-)
 delete mode 100644 data/nginx/app.conf
 create mode 100644 nginx/conf.d/.gitignore
 create mode 100644 nginx/www/.gitignore

diff --git a/.gitignore b/.gitignore
index 68f5d131..8d3b4fb3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/data/certbot
+certbot/
diff --git a/data/nginx/app.conf b/data/nginx/app.conf
deleted file mode 100644
index 52dc0e78..00000000
--- a/data/nginx/app.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-server {
- listen 80;
- server_name example.org;
- server_tokens off;
-
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- server_name example.org;
- server_tokens off;
-
- ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
- location / {
- proxy_pass http://example.org;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
diff --git a/docker-compose.yml b/docker-compose.yml
index 9615cc1f..ff2cfbd7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,9 +5,10 @@ services:
 image: nginx:1.15-alpine
 restart: unless-stopped
 volumes:
- - ./data/nginx:/etc/nginx/conf.d
- - ./data/certbot/conf:/etc/letsencrypt
- - ./data/certbot/www:/var/www/certbot
+ - ./nginx/conf.d:/etc/nginx/conf.d:ro
+ - ./nginx/www:/var/www/sites:ro
+ - ./certbot/letsencrypt:/etc/letsencrypt:ro
+ - ./certbot/www:/var/www/certbot:ro
 ports:
 - "80:80"
 - "443:443"
@@ -16,6 +17,6 @@ services:
 image: certbot/certbot
 restart: unless-stopped
 volumes:
- - ./data/certbot/conf:/etc/letsencrypt
- - ./data/certbot/www:/var/www/certbot
+ - ./certbot/letsencrypt:/etc/letsencrypt:rw
+ - ./certbot/www:/var/www/certbot:rw
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
index a3f3cb01..d0259024 100755
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@@ -5,9 +5,18 @@ if ! [ -x "$(command -v docker-compose)" ]; then
 exit 1
 fi
 
-domains=(example.org www.example.org)
+function lsconf() {
+ for file in ./nginx/conf.d/*.conf; do
+ filename=$(basename "$file")
+ echo "${filename%.*}"
+ done
+}
+
+configs=$(lsconf | xargs)
+domains=($configs)
+
 rsa_key_size=4096
-data_path="./data/certbot"
+data_path="./certbot/letsencrypt"
 email="" # Adding a valid address is strongly recommended
 staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
 
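Review bot: The new static-site volume is mounted at `/var/www/sites`, while the commit message says static websites live under `/var/www/websites`; an operator who writes `root` directives from the message will serve an empty path, so pick one name and use it in both places. A comment next to the mount would make the contract explicit, e.g. `# Static site files: ./nginx/www on the host is /var/www/sites inside nginx; use that path in conf.d root directives`. Mounting the nginx side `:ro` is a good hardening step, but with `/etc/letsencrypt:ro` a certificate renewed by the certbot service is only served once nginx re-reads it, which depends on the nginx service's `command` outside this hunk (not visible here).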
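Review bot: `domains=($configs)` glob-expands the unquoted string, and when `./nginx/conf.d/` contains no `.conf` files the `for` loop iterates over the literal pattern and emits `*`, so `domains` silently becomes every file in the current directory and `$domains` is then used as a certificate name and as a path under `/etc/letsencrypt/live/`. Skip the unmatched-glob case inside `lsconf`, read the names with `mapfile` (the `function` keyword and arrays already assume bash; confirm the shebang, which is outside the hunk), and fail early with a clear message when the list is empty, which also removes the unnecessary `xargs` round-trip. The convention the loop relies on should be stated above it: `# Domain names are derived from ./nginx/conf.d/<domain>.conf filenames (the .conf suffix is stripped).`
```shell
# Domain names are derived from ./nginx/conf.d/<domain>.conf filenames
# (the .conf suffix is stripped).
function lsconf() {
  local file filename
  for file in ./nginx/conf.d/*.conf; do
    [ -e "$file" ] || continue   # unmatched glob leaves the literal pattern
    filename=$(basename "$file")
    echo "${filename%.*}"
  done
}

mapfile -t domains < <(lsconf)
if [ "${#domains[@]}" -eq 0 ]; then
  echo "Error: no ./nginx/conf.d/*.conf files found; add one named after each domain." >&2
  exit 1
fi
# … unchanged: rsa_key_size, data_path, email, staging …
```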
@@ -19,17 +28,17 @@ if [ -d "$data_path" ]; then
 fi
 
 
-if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+if [ ! -e "$data_path/options-ssl-nginx.conf" ] || [ ! -e "$data_path/ssl-dhparams.pem" ]; then
 echo "### Downloading recommended TLS parameters ..."
- mkdir -p "$data_path/conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+ mkdir -p "$data_path"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/ssl-dhparams.pem"
 echo
 fi
 
 echo "### Creating dummy certificate for $domains ..."
 path="/etc/letsencrypt/live/$domains"
-mkdir -p "$data_path/conf/live/$domains"
+mkdir -p "$data_path/live/$domains"
 docker-compose run --rm --entrypoint "\
 openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
 -keyout '$path/privkey.pem' \
diff --git a/nginx/conf.d/.gitignore b/nginx/conf.d/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/nginx/conf.d/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/nginx/www/.gitignore b/nginx/www/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/nginx/www/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
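Review bot: The rewritten `curl -s ... > "$data_path/options-ssl-nginx.conf"` lines still redirect whatever the server returns into the file, so a 404 or 5xx from raw.githubusercontent.com writes an HTML body into a file that nginx later `include`s, and the `-e` existence check at the top of the hunk then treats that broken file as complete on every later run. Use `curl -fsS -o "$data_path/options-ssl-nginx.conf" https://...` (and the same for `ssl-dhparams.pem`) so an HTTP error fails the download instead of producing the error page, and add `|| exit 1` unless the script runs under `set -e` (its options are outside this chunk). Fetching from `master` also means the TLS parameters can change between runs without review; pinning the URL to a certbot release tag makes the download reproducible. The `mkdir -p "$data_path/live/$domains"` step relies on `$domains` being a single well-formed directory name, which the filename-derived list earlier in the file does not guarantee.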