feat: 添加certbot自动更新证书的配置 (#28)

* wip: 添加certbot

* wip: 尝试改成执行脚本

* wip: 使用Dockerfile给certbot的容器添加docker compose命令

* wip: 添加过期提醒邮箱

* wip: email参数不支持=分隔

* fix: 规范ini文件格式

* wip: 添加自动申请证书的demo和说明

* wip: 重启所有包含nginx的服务

* wip: 优化日志

---------

Co-authored-by: ipcjs.mac4 <[email protected]>
Co-authored-by: cli <cli@debian>
Co-authored-by: th-ci <[email protected]>

Author: 4 people

.env.default

@@ -36,6 +36,7 @@ SERVER_HOSTNAME='' # livedvr.tripsdd.com
 
 # 使用https时, 必填, 证书文件的绝对路径, 排除.crt/.key后缀, nginx实际读取的是 ${SSL_CERTIFICATE}.crt 和 ${SSL_CERTIFICATE}.key 两个文件
 # 如果暂时没有申请到证书, 可以使用内置的假证书: /home/docker/nginx/ssl/placeholder
+# 若使用crotbot自动申请证书, 证书的路径会在日志中打印, 一般为: /data/certbot/live/${SERVER_HOSTNAME}/certificate
 SSL_CERTIFICATE='' # /home/docker-compose/ssl/livedvr_tripsdd_com
 
 # bus和track部署在同一台服务器上时, 需要通过域名区分两者
@@ -51,6 +52,20 @@ WEB_PORT_HTTPS=443
 # jtt808和maintain分开部署时, 必须填写这个变量
 WEB_BASE_URL='' # https://livedvr.tripsdd.com
 
+# certbot的配置
+# 注意: 修改这些配置之后, 必须强制重建(docker compose up --force-recreate certbot), 才会生效
+#
+# DNS解析的提供商, 常用的提供商如下:
+# - dnspod: https://console.dnspod.cn/account/token/token
+# - cloudflare: https://go-acme.github.io/lego/dns/cloudflare/
+# - tencentcloud: https://console.cloud.tencent.com/cam/capi
+CERTBOT_DNS_PROVIDER='dnspod'
+CERTBOT_DNS_API_KEY='' # 必填
+# tencentcloud还需要额外设置这个变量
+CERTBOT_TENCENTCLOUD_SECRET_ID=''
+# 接收证书过期提醒的email
+CERTBOT_EMAIL='[email protected]'
+
 ## ================================ Services ================================
 
 ## 视频服务器

certbot/.env

@@ -0,0 +1 @@
+../.env.default

certbot/Dockerfile

@@ -0,0 +1,7 @@
+# 支持100+DNS提供商的Certbot插件
+# 详见: https://github.com/alexzorin/certbot-dns-multi
+FROM ghcr.io/alexzorin/certbot-dns-multi:4.27.0
+
+# 添加docker和docker compose命令
+COPY --from=docker:cli /usr/local/bin/docker /usr/local/bin/docker
+COPY --from=docker:cli /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose

certbot/compose.yml

@@ -0,0 +1,54 @@
+services:
+  certbot:
+    build: .
+    command:
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --email
+      - ${CERTBOT_EMAIL:[email protected]}
+      - --authenticator=dns-multi
+      - --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini
+      # 四个域名可以同时申请, 故不要求必填
+      - --domains=${SERVER_HOSTNAME}
+      - --domains=${TRACK_HOSTNAME}
+      - --domains=${BUS_HOSTNAME}
+      - --domains=${VIDEO_HOSTNAME}
+      - --deploy-hook
+      - "sh -c 'COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME} DATA=${DATA_DIR:-/data} /home/docker/certbot/deploy-hook.sh'"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${DATA_DIR:-/data}/certbot:/etc/letsencrypt
+    configs:
+      - source: certbot-deploy-hook.sh
+        target: /home/docker/certbot/deploy-hook.sh
+      - source: certbot-dns-multi.ini
+        target: /etc/letsencrypt/dns-multi.ini
+        mode: 0600
+  
+
+  ofelia:
+    image: mcuadros/ofelia
+    command: daemon --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      # 通过ofelia重启其他服务, 需要这样绕一道
+      # https://github.com/mcuadros/ofelia/issues/280#issuecomment-2561863012
+      ofelia.job-run.certbot-renew.schedule: "@daily"
+      ofelia.job-run.certbot-renew.command: "sh -c 'docker compose -p ${COMPOSE_PROJECT_NAME} restart certbot'"
+      ofelia.job-run.certbot-renew.image: "docker:cli"
+      ofelia.job-run.certbot-renew.volume: "/var/run/docker.sock:/var/run/docker.sock"
+
+configs:
+  certbot-deploy-hook.sh:
+    file: ./deploy-hook.sh
+  # certbot-dns-multi的配置文件
+  # https://github.com/alexzorin/certbot-dns-multi#usage
+  certbot-dns-multi.ini:
+    content: |
+      dns_multi_provider = ${CERTBOT_DNS_PROVIDER:-dnspod}
+      DNSPOD_API_KEY = "${CERTBOT_DNS_API_KEY:?required}"
+      CLOUDFLARE_DNS_API_TOKEN = "${CERTBOT_DNS_API_KEY:?required}"
+      TENCENTCLOUD_SECRET_KEY = "${CERTBOT_DNS_API_KEY:?required}"
+      TENCENTCLOUD_SECRET_ID = "${CERTBOT_TENCENTCLOUD_SECRET_ID}"

certbot/deploy-hook.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+cp -f "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/certificate.crt"
+cp -f "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/certificate.key"
+
+echo "======================"
+echo "请将证书变量设置为:"
+echo "SSL_CERTIFICATE='${DATA_DIR:-/data}/certbot/live/$(basename "$RENEWED_LINEAGE")/certificate'"
+echo
+
+echo "正在查找包含'nginx'的服务..."
+nginx_services=$(docker compose -p "${COMPOSE_PROJECT_NAME}" ps --services | grep nginx || true)
+
+if [ -n "$nginx_services" ]; then
+    echo "重启 $nginx_services 中..." | tr '\n' ' '
+    echo
+    echo "$nginx_services" | xargs docker compose -p "${COMPOSE_PROJECT_NAME}" restart
+    echo "重启完成"
+else
+    echo "未找到包含'nginx'的服务"
+fi
+echo "======================"

examples/bus-https/.env

@@ -1,22 +1,24 @@
-#---------服务器信息, 必须按实际服务器信息填写-----------------
-## 公网IP
+##---------服务器信息, 必须按实际服务器信息填写-----------------
+# 公网IP
 SERVER_IP_PUBLIC='81.71.36.80'
-## HOSTNAME 没有用域名IP替代
+# HOSTNAME 没有用域名IP替代
 SERVER_HOSTNAME='transcodegroup.cn'
-## SSL证书
-SSL_CERTIFICATE='/home/docker-compose/ssl/tg_com'
+# 自动申请的SSL证书
+SSL_CERTIFICATE="/data/certbot/live/${SERVER_HOSTNAME}/certificate"
+# dnspod的api key, 由id和token拼接而成: https://console.dnspod.cn/account/token/token
+CERTBOT_DNS_API_KEY='id,token'
 
-#---------自定义初始密码, 建议随机生成新的替换-------------
-## MYSQL, 必填
+##---------自定义初始密码, 建议随机生成新的替换-------------
+# MYSQL, 必填
 MYSQL_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## REDIS, 必填
+# REDIS, 必填
 REDIS_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## RABBIT_MQ, 必填
+# RABBIT_MQ, 必填
 RABBITMQ_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## Email，必填
+# Email，必填
 MAIL_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
 
-#----------自定义端口信息, 推荐开放9000~9100,443,80--------
+##----------自定义端口信息, 推荐开放9000~9100,443,80--------
 # 前端端口配置, HTTP默认80， HTTPS默认443
 WEB_PORT_HTTP=9070
 WEB_PORT_HTTPS=9080

examples/bus-https/compose.yaml

@@ -7,6 +7,7 @@ include:
   - ../docker/redis/compose.yml
   - ../docker/bus/compose.yml
   - ../docker/video-nginx/compose.yml
+  - ../docker/certbot/compose.yml
   - path:
     - ../docker/video/compose.yml
     - ../docker/video/compose.bus.yml