deflax/television
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Replace certbot with acme.sh container

Browse source
This commit is contained in:
deflax 2025-01-28 18:13:50 +00:00
parent 9427a9b157
commit b3125d02b3
5 changed files with 37 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -3,9 +3,28 @@ Multi channel stream setup with Flask REST API for scheduling channels.
### Install ### Install
1. `cp variables.env.dist variables.env` and set the required variables 1. `cp variables.env.dist variables.env` and set the required variables
2. run `./init.sh` to prepare data directories and generate self signed certs to bootstrap the load balancer
3. run the docker-compose stack using `docker-compose up -d --build --remove-orphans` 2. Start the acme-sh service:
4. run `./renew-certificates.sh` periodically to generate/update the certificates `docker-compose up -d acme-sh`
3. Register acme account:
`source variables.env; docker exec acme.sh --register-account -m $EMAIL`
4. Set the `ACCOUNT_THUMBPRINT` variable
5. Run the stack using `docker-compose up -d --build --remove-orphans`
6. Issue a certificate:
`source variables.env; docker exec acme.sh --issue -d $BASE_URL -d $SCHEDULER_API_HOSTNAME -d $CORE_API_HOSTNAME --stateless`
7. Install the certificate:
`source variables.env; docker exec acme.sh --install-cert -d $BASE_URL --reloadcmd "cat \$CERT_KEY_PATH \$CERT_FULLCHAIN_PATH > /certificates/$BASE_URL.pem"
8. Reastart haproxy container:
`docker kill -s USR2 haproxy`
9. Set crontab:
`0 0 1 * * docker exec acme.sh --cron && docker kill -s USR2 haproxy`
### Usage ### Usage
1. Access the admin panel at `https://stream.example.com/ui` 1. Access the admin panel at `https://stream.example.com/ui`

12
config/haproxy/haproxy.cfg
View file

@ -36,17 +36,11 @@ defaults
#stats refresh 5s #stats refresh 5s
# PUBLIC # PUBLIC
frontend http frontend web
bind :80 bind :80
option http-server-close bind :443 ssl crt /certificates strict-sni
redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
default_backend certbot
backend certbot http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
server c1 certbot:80
frontend https
bind :443 ssl crt /certificates alpn http/1.1
http-request set-header X-Forwarded-Protocol https http-request set-header X-Forwarded-Protocol https
http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Proto https

23
docker-compose.yml
View file

@ -7,6 +7,7 @@ networks:
services: services:
haproxy: haproxy:
image: haproxy:lts image: haproxy:lts
container_name: haproxy
env_file: env_file:
- "variables.env" - "variables.env"
ports: ports:
@ -16,7 +17,6 @@ services:
- "./data/certificates:/certificates" - "./data/certificates:/certificates"
- "./config/haproxy:/usr/local/etc/haproxy" - "./config/haproxy:/usr/local/etc/haproxy"
depends_on: depends_on:
- "certbot"
- "restreamer" - "restreamer"
- "api" - "api"
restart: unless-stopped restart: unless-stopped
@ -25,20 +25,17 @@ services:
labels: labels:
- meta.role=haproxy - meta.role=haproxy
certbot: acme-sh:
image: "certbot/certbot" image: neilpang/acme.sh
hostname: certbot container_name: acme.sh
volumes: volumes:
- "./data/acme:/acme.sh"
- "./data/certificates:/certificates" - "./data/certificates:/certificates"
- "./data/certbot/etc:/etc/letsencrypt" network_mode: host
- "./data/certbot/var:/var/lib/letsencrypt" command: daemon
- "./logs/certbot:/var/log/letsencrypt" stdin_open: true
restart: unless-stopped tty: true
networks: restart: "no"
- net
labels:
- meta.role=certbot
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'"
restreamer: restreamer:
image: datarhei/restreamer:2.11.0 image: datarhei/restreamer:2.11.0

17
init.sh
View file

@ -2,11 +2,8 @@
echo "creating data dir structure" echo "creating data dir structure"
# certbot # acme.sh
mkdir -v -p data/certbot/etc mkdir -v -p data/acme
mkdir -v -p data/certbot/var
mkdir -v -p logs/certbot
mkdir -v -p data/certificates mkdir -v -p data/certificates
# restreamer # restreamer
@ -24,13 +21,3 @@ touch logs/icecast/access.log
touch logs/icecast/error.log touch logs/icecast/error.log
chown 1000:1000 logs/icecast/access.log chown 1000:1000 logs/icecast/access.log
chown 1000:1000 logs/icecast/error.log chown 1000:1000 logs/icecast/error.log
echo "generating self signed certificates for haproxy bootstrap"
cd data/certificates
openssl genrsa -out default.key 2048
openssl req -new -key default.key -out default.csr
openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
cat default.key default.crt >> default.pem
rm default.key
rm default.csr
rm default.crt

17
renew-certificates.sh
View file

@ -1,17 +0,0 @@
#!/bin/bash
parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P )
cd $parent_path
source variables.env
CB=`docker ps | grep certbot | cut -d ' ' -f 1`
#echo $BASE_URL
#echo $EMAIL
docker exec $CB certbot certonly --non-interactive --standalone --http-01-address 0.0.0.0 --email $EMAIL --agree-tos --keep --preferred-challenges http --cert-name $BASE_URL \
-d $BASE_URL -d api.$BASE_URL -d stream.$BASE_URL
cat "./data/certbot/etc/live/$BASE_URL/privkey.pem" "./data/certbot/etc/live/$BASE_URL/fullchain.pem" > "./data/certificates/$BASE_URL.pem"
docker kill -s USR2 television_haproxy_1