feat(compose.yaml, ssl-manager.sh): add persistent volume for Let's Encrypt data and improve certificate management

kzndotsh · kzndotsh · commit 68b4d0c927ba · 2025-09-09T16:08:45.000-04:00
Add a new volume `letsencrypt_data` to persist Let's Encrypt
certificates, ensuring they are not lost when containers are
recreated. Update `ssl-manager.sh` to prioritize copying certificates
from the certbot container, enhancing flexibility and reliability in
certificate management. This change allows for better handling of
certificates within Docker environments, ensuring they are accessible
and properly managed across container restarts.
diff --git a/compose.yaml b/compose.yaml
@@ -94,8 +94,9 @@ services:
       - path: .env.local
         required: false
 
-    # Volume mounts - direct access to UnrealIRCd TLS directory
+    # Volume mounts - persist certificates and access UnrealIRCd TLS directory
     volumes:
+      - letsencrypt_data:/etc/letsencrypt
       - ./unrealircd/conf/tls:/etc/letsencrypt/unrealircd:rw
       - ./cloudflare-credentials.ini:/etc/letsencrypt/cloudflare-credentials.ini:ro
 
@@ -230,4 +231,6 @@ volumes:
     driver: local
   thelounge_data:
     driver: local
+  letsencrypt_data:
+    driver: local
   
diff --git a/scripts/ssl-manager.sh b/scripts/ssl-manager.sh
@@ -123,20 +123,36 @@ copy_certificates() {
         return 0
     fi
     
-    # Try to copy from Let's Encrypt directory (if running on host)
-    local letsencrypt_dir="/etc/letsencrypt/live/$DOMAIN"
-    if [[ -d "$letsencrypt_dir" ]]; then
-        cp "$letsencrypt_dir/fullchain.pem" "$TLS_DIR/server.cert.pem"
-        cp "$letsencrypt_dir/privkey.pem" "$TLS_DIR/server.key.pem"
+    # Try to copy from Docker container first
+    log_info "Looking for certificates in certbot container..."
+    if docker compose run --rm certbot test -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" 2>/dev/null; then
+        log_info "Found certificates in certbot container, copying..."
+        
+        # Copy certificate from container
+        docker compose run --rm certbot cat "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" > "$TLS_DIR/server.cert.pem"
+        docker compose run --rm certbot cat "/etc/letsencrypt/live/$DOMAIN/privkey.pem" > "$TLS_DIR/server.key.pem"
         
         # Set proper permissions
         chmod 644 "$TLS_DIR/server.cert.pem"
         chmod 600 "$TLS_DIR/server.key.pem"
         
-        log_success "Certificates copied from Let's Encrypt directory to $TLS_DIR"
+        log_success "Certificates copied from certbot container to $TLS_DIR"
     else
-        log_warn "No certificates found to copy from Let's Encrypt directory"
-        log_info "Run 'make ssl-setup' to issue new certificates"
+        # Try to copy from Let's Encrypt directory (if running on host)
+        local letsencrypt_dir="/etc/letsencrypt/live/$DOMAIN"
+        if [[ -d "$letsencrypt_dir" ]]; then
+            cp "$letsencrypt_dir/fullchain.pem" "$TLS_DIR/server.cert.pem"
+            cp "$letsencrypt_dir/privkey.pem" "$TLS_DIR/server.key.pem"
+            
+            # Set proper permissions
+            chmod 644 "$TLS_DIR/server.cert.pem"
+            chmod 600 "$TLS_DIR/server.key.pem"
+            
+            log_success "Certificates copied from Let's Encrypt directory to $TLS_DIR"
+        else
+            log_warn "No certificates found to copy"
+            log_info "Certificates may have been issued but not accessible for copying"
+        fi
     fi
 }
 
