Commit 3b07ab2e authored by zauberstuhl's avatar zauberstuhl

Add rancher v1.6 image with acme support

parent 7c491dc4
FROM rancher/server:stable
RUN apt-get update && apt-get -y install \
nginx augeas-lenses binutils cpp cpp-4.8 \
gcc gcc-4.8 libasan0 libatomic1 libaugeas0 \
libc-dev-bin libc6-dev libcloog-isl4 \
libexpat1-dev libffi-dev libgcc-4.8-dev \
libgmp10 libgomp1 libisl10 libitm1 libmpc3 \
libmpfr4 libpython-dev libpython-stdlib \
libpython2.7 libpython2.7-dev libpython2.7-minimal \
libpython2.7-stdlib libquadmath0 libssl-dev \
libtsan0 linux-libc-dev python python-dev \
python-minimal python-pkg-resources \
python-setuptools python-virtualenv \
python2.7 python2.7-dev python2.7-minimal zlib1g-dev
RUN curl -o /usr/bin/certbot-auto -L https://dl.eff.org/certbot-auto
RUN chmod +x /usr/bin/certbot-auto
ADD *.template /etc/nginx/conf.d/
ADD entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
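Review bot: The certbot-auto fetched on the second RUN line is never integrity-checked before it is made executable and later run as root by the entrypoint, and `curl -o` without `-f` writes an HTTP error body into /usr/bin/certbot-auto on a failed request instead of failing the build. Verifying in the same layer closes both gaps, e.g. `RUN curl -fsSL -o /usr/bin/certbot-auto https://dl.eff.org/certbot-auto && echo "<EXPECTED_SHA256 placeholder>  /usr/bin/certbot-auto" | sha256sum -c - && chmod +x /usr/bin/certbot-auto` (EFF also publishes a detached signature for the script that could be checked instead). The two ADD lines copy plain local files, so COPY is the conventional instruction. The apt layer installs without `--no-install-recommends` and never removes /var/lib/apt/lists/*, which leaves the image larger than it needs to be. `FROM rancher/server:stable` is a floating tag, so rebuilds are not reproducible; a version tag or digest would pin it.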
#!/bin/bash
if [[ "$DOMAIN" == "" ]]; then
echo "You have to specify a valid domain name!"
sleep 10
exit 1
fi
defaultconf="/etc/nginx/conf.d/default.conf"
if [[ "$ACME_MAIL" != "" ]]; then
sed "s#<server>#${DOMAIN}#g" \
/etc/nginx/conf.d/nginx-ssl.conf.template > $defaultconf
# start cron
/usr/sbin/cron
echo "0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot-auto renew" | crontab -
# create a selfsigned cert for first run
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/nginx-selfsigned.key \
-out /etc/ssl/certs/nginx-selfsigned.crt \
-subj "/C=DE/ST=Denial/CN=www.example.com"
/usr/bin/certbot-auto --nginx --no-bootstrap \
-m $ACME_MAIL --agree-tos --non-interactive \
--no-eff-email --domains $DOMAIN
else
sed "s#<server>#${DOMAIN}#" \
/etc/nginx/conf.d/nginx.conf.template > $defaultconf
fi
# start nginx
service nginx start
# start rancher
/usr/bin/entry /usr/bin/s6-svscan /service
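Review bot: `$DOMAIN` and `$ACME_MAIL` are substituted unquoted into the certbot-auto command on the `-m`/`--domains` lines and spliced into the sed expressions with `#` as delimiter, so a value containing whitespace, a `#` or sed metacharacters breaks the command or rewrites default.conf in unintended ways; quote them (`-m "$ACME_MAIL"` … `--domains "$DOMAIN"`) and reject values that are not a plausible hostname or address, since the only check today is against the empty string. The script has no `set -e`, so a failed certbot-auto run is not reported and nginx simply starts on the self-signed certificate; if that fallback is intentional, a comment plus an explicit log line on failure (`… || echo "certbot-auto failed, serving self-signed cert" >&2`) would make it visible in the container logs. The ssl branch uses `s#…#g` while the plain branch omits the `g` flag, which is harmless for the current templates but an inconsistency worth aligning.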
upstream rancher {
server localhost:8080;
}
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
listen 443 ssl;
server_name <server>;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://rancher;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# This allows the ability for the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and will automatically close.
proxy_read_timeout 900s;
}
}
server {
listen 80;
server_name <server>;
return 301 https://$server_name$request_uri;
}
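Review bot: The 443 server block sets a certificate but no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers`, so TLS version and cipher selection fall back to the nginx build defaults of the base image, which on an older distribution can still include TLSv1.0/1.1; adding `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` makes the floor explicit. certbot's nginx installer may include its own ssl options file when it rewrites this block, but the template should not depend on that. Since port 80 already redirects to https, an `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 block would keep browsers from re-entering the plain-HTTP path. A short comment above `ssl_certificate` noting that the self-signed pair is a first-boot placeholder replaced by certbot-auto in entrypoint.sh would also help the next reader.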
upstream rancher {
server localhost:8080;
}
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
listen 80;
server_name <server>;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://rancher;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# This allows the ability for the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and will automatically close.
proxy_read_timeout 900s;
}
}
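Review bot: This template repeats the `upstream`, `map` and the whole `location /` block of nginx-ssl.conf.template verbatim, including the 15-minute-timeout comment, so the two will drift the first time a proxy header is tuned in one and not the other; moving the shared `location /` body into a file that both templates `include` would remove the duplication. Unlike the ssl template, this one serves the Rancher UI and API over plain HTTP on port 80 and nothing in the file says so; a header comment such as `# Used only when ACME_MAIL is unset: plain-HTTP proxy to Rancher on 8080, no TLS termination here` would make that deployment assumption explicit.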