diff --git a/Dockerfile b/Dockerfile
index 13c8fb5..6c6ee7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,22 +1,26 @@
 FROM docker.jcg.re/base-alpine
-MAINTAINER Jan Christian Grünhage
-ENV UID=192 \
-    GID=192
+RUN apk add --no-cache \
+    --virtual .build-deps \
+    git \
+    python3-dev \
+    libffi-dev \
+    build-base \
+    openssl-dev \
+    && apk add --no-cache \
+    --virtual .runtime-deps \
+    openssl \
+    curl \
+    sed \
+    grep \
+    bash \
+    su-exec \
+    libxml2-utils \
+    && git clone https://github.com/lukas2511/dehydrated /dehydrated \
+    && pip3 install requests[security] \
+    && pip3 install dns-lexicon \
+    && apk del .build-deps
 
-RUN apk update \
-    && apk add --upgrade \
-    git \
-    openssl \
-    curl \
-    sed \
-    grep \
-    bash \
-    su-exec \
-    libxml2-utils \
-    && git clone https://github.com/lukas2511/dehydrated /dehydrated
-
-# Add the files in the 'root' folder to the images filesystem
 ADD root /
 
 VOLUME /etc/dehydrated
diff --git a/root/usr/local/bin/lexicon-hook b/root/usr/local/bin/lexicon-hook
new file mode 100755
index 0000000..dacb64a
--- /dev/null
+++ b/root/usr/local/bin/lexicon-hook
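Review bot: The `git clone https://github.com/lukas2511/dehydrated /dehydrated` line and both `pip3 install` lines in the new RUN are unpinned, so every build takes whatever is current upstream for an ACME client that handles account and certificate private keys, and the image is not reproducible; pin them, e.g. `git clone --depth 1 --branch <DEHYDRATED_TAG> https://github.com/lukas2511/dehydrated /dehydrated \` and `pip3 install --no-cache-dir 'requests[security]==<VERSION>' 'dns-lexicon==<VERSION>' \`. `--no-cache-dir` also keeps the pip download cache out of the layer, since nothing later removes it. Separately, python3 appears here only as a dependency of `python3-dev` inside `.build-deps` (whether the base image already ships it is not visible in this hunk), so `apk del .build-deps` may remove the interpreter that the pip-installed `lexicon` needs at runtime; listing `python3` under `.runtime-deps` would make the runtime requirement explicit.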
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+#
+# Example how to deploy a DNS challenge using lexicon
+
+set -e
+set -u
+set -o pipefail
+
+export PROVIDER=${PROVIDER:-"cloudflare"}
+
+function deploy_challenge {
+    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+
+    echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
+
+    lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
+
+    sleep 30
+
+    # This hook is called once for every domain that needs to be
+    # validated, including any alternative names you may have listed.
+    #
+    # Parameters:
+    # - DOMAIN
+    #   The domain name (CN or subject alternative name) being
+    #   validated.
+    # - TOKEN_FILENAME
+    #   The name of the file containing the token to be served for HTTP
+    #   validation. Should be served by your web server as
+    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
+    # - TOKEN_VALUE
+    #   The token value that needs to be served for validation. For DNS
+    #   validation, this is what you want to put in the _acme-challenge
+    #   TXT record. For HTTP validation it is the value that is expected
+    #   be found in the $TOKEN_FILENAME file.
+}
+
+function clean_challenge {
+    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+
+    echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
+
+    lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
+
+    # This hook is called after attempting to validate each domain,
+    # whether or not validation was successful. Here you can delete
+    # files or DNS records that are no longer needed.
+    #
+    # The parameters are the same as for deploy_challenge.
+}
+
+function invalid_challenge() {
+    local DOMAIN="${1}" RESPONSE="${2}"
+
+    echo "invalid_challenge called: ${DOMAIN}, ${RESPONSE}"
+
+    # This hook is called if the challenge response has failed, so domain
+    # owners can be aware and act accordingly.
+    #
+    # Parameters:
+    # - DOMAIN
+    #   The primary domain name, i.e. the certificate common
+    #   name (CN).
+    # - RESPONSE
+    #   The response that the verification server returned
+}
+
+function deploy_cert {
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+
+    echo "deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
+
+    # This hook is called once for each certificate that has been
+    # produced. Here you might, for instance, copy your new certificates
+    # to service-specific locations and reload the service.
+    #
+    # Parameters:
+    # - DOMAIN
+    #   The primary domain name, i.e. the certificate common
+    #   name (CN).
+    # - KEYFILE
+    #   The path of the file containing the private key.
+    # - CERTFILE
+    #   The path of the file containing the signed certificate.
+    # - FULLCHAINFILE
+    #   The path of the file containing the full certificate chain.
+    # - CHAINFILE
+    #   The path of the file containing the intermediate certificate(s).
+}
+
+function unchanged_cert {
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+
+    echo "unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
+
+    # This hook is called once for each certificate that is still
+    # valid and therefore wasn't reissued.
+    #
+    # Parameters:
+    # - DOMAIN
+    #   The primary domain name, i.e. the certificate common
+    #   name (CN).
+    # - KEYFILE
+    #   The path of the file containing the private key.
+    # - CERTFILE
+    #   The path of the file containing the signed certificate.
+    # - FULLCHAINFILE
+    #   The path of the file containing the full certificate chain.
+    # - CHAINFILE
+    #   The path of the file containing the intermediate certificate(s).
+}
+
+exit_hook() {
+  # This hook is called at the end of a dehydrated command and can be used
+  # to do some final (cleanup or other) tasks.
+
+  :
+}
+
+startup_hook() {
+  # This hook is called before the dehydrated command to do some initial tasks
+  # (e.g. starting a webserver).
+
+  :
+}
+
+HANDLER=$1; shift;
+if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
+  $HANDLER "$@"
+fi
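Review bot: In `deploy_challenge` and `clean_challenge` the `lexicon` invocations expand `$PROVIDER` and `${DOMAIN}` unquoted, so a value containing whitespace or glob characters is split and expanded before lexicon sees it; quote them, `lexicon "${PROVIDER}" create "${DOMAIN}" TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"`, and the matching `delete` line. The dispatcher at the bottom has the same unquoted `$HANDLER`, and since `type -t` admits any function defined in the file, an explicit `case` over the hook names dehydrated calls would document which entry points the script intends to expose. The fixed `sleep 30` after the record is created is a propagation guess with no explanation; a comment such as `# give the TXT record time to propagate before dehydrated queries it` would record why the delay exists, and readers should know that the doc comment placed after it describes the hook's contract, not the sleep.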