docker-compose/authentik
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

change to use wildcard certificates

Browse source
This commit is contained in:
Philip Henning 2025-01-28 18:49:38 +01:00
parent 0272c062d3
commit 452c255314
4 changed files with 24 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

6
data/nginx/default.conf.template
View file

@ -51,8 +51,8 @@ server {
http2 on; http2 on;
server_name ${NGINX_SERVERNAME}; server_name ${NGINX_SERVERNAME};
ssl_certificate /etc/nginx/ssl/certs/sso.base23.de.crt; ssl_certificate /etc/nginx/ssl/certs/_.base23.de.crt;
ssl_certificate_key /etc/nginx/ssl/certs/sso.base23.de.key; ssl_certificate_key /etc/nginx/ssl/certs/_.base23.de.key;
ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT}; ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
ssl_session_cache ${NGINX_SSL_SESSION_CACHE}; ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
@ -71,7 +71,7 @@ server {
ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY}; ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/certs/sso.base23.de.issuer.crt; ssl_trusted_certificate /etc/nginx/ssl/certs/_.base23.de.issuer.crt;
# replace with the IP address of your resolver # replace with the IP address of your resolver
resolver ${NGINX_RESOLVER}; resolver ${NGINX_RESOLVER};

7
scripts/cert_renew.sh
View file

@ -6,7 +6,8 @@ cd "$(dirname "$(realpath "$0")")/../"
lego \ lego \
--path ./data/.lego \ --path ./data/.lego \
--email="acme@base23.de" \ --email="acme@base23.de" \
--domains="sso.base23.de" \ --domains="*.base23.de" \
--http.webroot="./data/nginx/acme" \ --dns hetzner \
--http renew \ --dns \
renew \
--renew-hook="./scripts/cert_renew_hook.sh" --renew-hook="./scripts/cert_renew_hook.sh"

2
scripts/cert_renew_hook.sh
View file

@ -3,6 +3,6 @@ set -euf -o pipefail
cd "$(dirname "$(realpath "$0")")/../" cd "$(dirname "$(realpath "$0")")/../"
install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{sso.base23.de.crt,sso.base23.de.issuer.crt,sso.base23.de.key} "./data/nginx/certs" install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
docker compose restart nginx docker compose restart nginx

23
scripts/init.sh
View file

@ -42,6 +42,13 @@ if [[ ! -f ./.env ]]; then
echo "" >> ./.env echo "" >> ./.env
fi fi
# Check if lego.env exists and exit if it is
if [[ ! -f ./lego.env ]]; then
echo "# Lego - Let's Encrypt certificate tool" >> ./lego.env
prompt_password HETZNER_API_KEY; echo "HETZNER_API_KEY=${RETURNED_PASSWORD}" >> ./lego.env; unset RETURNED_PASSWORD
echo "" >> ./.env
fi
# Check if ssh key already exists, otherwise generate one # Check if ssh key already exists, otherwise generate one
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ [[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/
[[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519 [[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519
@ -59,24 +66,26 @@ if [[ ! -d ./data/.lego ]]; then
--path ./data/.lego \ --path ./data/.lego \
--accept-tos \ --accept-tos \
--email="acme@base23.de" \ --email="acme@base23.de" \
--domains="sso.base23.de" \ --domains="*.base23.de" \
--http run \ --dns hetzner \
&& install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{sso.base23.de.crt,sso.base23.de.issuer.crt,sso.base23.de.key} "./data/nginx/certs" run \
&& install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
fi fi
# Setup directory for acme cheallenges # Setup directory for acme cheallenges
[[ ! -d ./data/nginx/acme ]] && mkdir -p ./data/nginx/acme [[ ! -d ./data/nginx/acme ]] && mkdir -p ./data/nginx/acme
# Setup cronjob to automatically renew certificates # Setup cronjob to automatically renew certificates
[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat <<EOF > /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload [[ ! -f /etc/systemd/system/lego-renew-wildcard-base23-de.service ]] && cat <<EOF > /etc/systemd/system/lego-renew-wildcard-base23-de.service && systemctl daemon-reload
[Unit] [Unit]
Description=SSL Certificate renewal for sso.base23.de with LEGO Description=SSL Certificate renewal for *.base23.de with LEGO
Documentation=https://go-acme.github.io/lego/ Documentation=https://go-acme.github.io/lego/
Wants=network-online.target Wants=network-online.target
After=network-online.target After=network-online.target
[Service] [Service]
Type=oneshot Type=oneshot
EnvironmentFile=${AUTHENTIK_DOCKER_COMPOSE_PATH}/lego.env
ExecStart=${AUTHENTIK_DOCKER_COMPOSE_PATH}/scripts/cert_renew.sh ExecStart=${AUTHENTIK_DOCKER_COMPOSE_PATH}/scripts/cert_renew.sh
WorkingDirectory=${AUTHENTIK_DOCKER_COMPOSE_PATH}/ WorkingDirectory=${AUTHENTIK_DOCKER_COMPOSE_PATH}/
User=root User=root
@ -87,9 +96,9 @@ RemainAfterExit=no
WantedBy=multi-user.target WantedBy=multi-user.target
EOF EOF
[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat <<EOF > /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer [[ ! -f /etc/systemd/system/lego-renew-wildcard-base23-de.timer ]] && cat <<EOF > /etc/systemd/system/lego-renew-wildcard-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-wildcard-base23-de.timer
[Unit] [Unit]
Description=SSL Certificate renewal for sso.base23.de with LEGO Timer Description=SSL Certificate renewal for *.base23.de with LEGO Timer
[Timer] [Timer]
OnCalendar=*-*-* 01:32:00 OnCalendar=*-*-* 01:32:00