From 831964b7075138f7e1ce1df7cdba3f08e45535a2 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 3 May 2022 09:49:47 +0000 Subject: [PATCH] certbot: renew works
---
 nginx/certbot-renew | 17 ++++++ nginx/data/certbot/conf/challenge.conf | 3 ++ .../data/nginx/templates/cloud.conf.template | 54 +++++++++++++++++++ nginx/data/nginx/templates/docs.conf.template | 1 + .../data/nginx/templates/login.conf.template | 1 + .../data/nginx/templates/social.conf.template | 1 + 6 files changed, 77 insertions(+) create mode 100755 nginx/certbot-renew create mode 100644 nginx/data/certbot/conf/challenge.conf create mode 100644 nginx/data/nginx/templates/cloud.conf.template
diff --git a/nginx/certbot-renew b/nginx/certbot-renew new file mode 100755
index 0000000..b8d0b04
--- /dev/null
+++ b/nginx/certbot-renew
@@ -0,0 +1,17 @@
+#!/bin/bash
+source ../env.production
+source ./env.production
+
+domain_args="-d $KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME"
+rsa_key_size=2048
+
+set -x
+
+docker-compose run --rm certbot \
+ certonly --webroot -w /var/www/certbot \
+ $staging_arg \
+ $email_arg \
+ $domain_args \
+ --rsa-key-size $rsa_key_size \
+ --agree-tos \
+ --force-renewal
diff --git a/nginx/data/certbot/conf/challenge.conf b/nginx/data/certbot/conf/challenge.conf new file mode 100644
index 0000000..9343507
--- /dev/null
+++ b/nginx/data/certbot/conf/challenge.conf
@@ -0,0 +1,3 @@
+location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+}
diff --git a/nginx/data/nginx/templates/cloud.conf.template b/nginx/data/nginx/templates/cloud.conf.template new file mode 100644
index 0000000..646aa0e
--- /dev/null
+++ b/nginx/data/nginx/templates/cloud.conf.template
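Review bot: `--force-renewal` at the end of the docker-compose invocation makes every run of this script request a brand-new certificate regardless of expiry, so running it unattended will quickly hit Let's Encrypt's duplicate-certificate rate limit and block issuance for all four hostnames. Dropping that flag, or using `certbot renew` which only acts inside the renewal window, gives the behaviour the script's name implies. `$staging_arg` and `$email_arg` are referenced but never assigned in this file; unless the sourced env.production files define them they silently expand to nothing, which a `set -u` at the top would surface. Nothing reloads nginx after a successful renewal, so the freshly written fullchain.pem is not served until the proxy is restarted; a trailing `docker-compose exec nginx nginx -s reload` would close that gap.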
@@ -0,0 +1,54 @@
+server {
+ listen 80;
+ server_name ${NEXTCLOUD_HOSTNAME};
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ server_name ${NEXTCLOUD_HOSTNAME};
+ client_max_body_size 128m;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ #include /etc/nginx/mime.types;
+ #default_type application/octet-stream;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ proxy_read_timeout 1800s;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location / {
+ proxy_pass http://host.docker.internal:9000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/challenge.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+}
+
+
diff --git a/nginx/data/nginx/templates/docs.conf.template b/nginx/data/nginx/templates/docs.conf.template
index cf7c025..c04c458 100644
--- a/nginx/data/nginx/templates/docs.conf.template
+++ b/nginx/data/nginx/templates/docs.conf.template
@@ -53,6 +53,7 @@ server {
 ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/challenge.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }
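Review bot: `include /etc/letsencrypt/challenge.conf;` is placed only in the `listen 443 ssl` server, while the port-80 server for ${NEXTCLOUD_HOSTNAME} above it sends every path, `/.well-known/acme-challenge/` included, through `return 301 https://$host$request_uri;`. HTTP-01 validation arrives on port 80, so renewal here only works because the validator follows that redirect, which makes every renewal depend on the HTTPS listener being up with whatever certificate it currently has. Adding the same `include /etc/letsencrypt/challenge.conf;` inside the `listen 80;` server block, ahead of its `location /`, serves the token directly and removes that dependency; the docs/login/social templates likely have the same shape, but their port-80 blocks are not in this patch. Separately, nothing in the 443 block emits a `Strict-Transport-Security` header, which Nextcloud behind a reverse proxy expects the proxy to set.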
diff --git a/nginx/data/nginx/templates/login.conf.template b/nginx/data/nginx/templates/login.conf.template
index 15b7f43..8a0272b 100644
--- a/nginx/data/nginx/templates/login.conf.template
+++ b/nginx/data/nginx/templates/login.conf.template
@@ -22,6 +22,7 @@ server {
 ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/challenge.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }
diff --git a/nginx/data/nginx/templates/social.conf.template b/nginx/data/nginx/templates/social.conf.template
index a2957ec..dc16471 100644
--- a/nginx/data/nginx/templates/social.conf.template
+++ b/nginx/data/nginx/templates/social.conf.template
@@ -21,6 +21,7 @@ server {
 ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/challenge.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }