certbot: renew works

nginx/certbot-renew

@@ -0,0 +1,17 @@
+#!/bin/bash
+source ../env.production
+source ./env.production
+
+domain_args="-d $KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME"
+rsa_key_size=2048
+
+set -x
+
+docker-compose run --rm certbot \
+  certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal

nginx/data/certbot/conf/challenge.conf

@@ -0,0 +1,3 @@
+location /.well-known/acme-challenge/ {
+    root /var/www/certbot;
+}

nginx/data/nginx/templates/cloud.conf.template

@@ -0,0 +1,54 @@
+server {
+	listen 80;
+	server_name ${NEXTCLOUD_HOSTNAME};
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	server_name ${NEXTCLOUD_HOSTNAME};
+	client_max_body_size 128m;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	#include /etc/nginx/mime.types;
+	#default_type application/octet-stream;
+
+	gzip on;
+	gzip_disable "msie6";
+
+	proxy_read_timeout 1800s;
+
+	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+	chunked_transfer_encoding on;
+
+	location /.well-known/carddav {
+		return 301 $scheme://$host/remote.php/dav;
+	}
+
+	location /.well-known/caldav {
+		return 301 $scheme://$host/remote.php/dav;
+	}
+
+	location / {
+		proxy_pass http://host.docker.internal:9000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	include /etc/letsencrypt/challenge.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+}
+
+

nginx/data/nginx/templates/docs.conf.template

@@ -53,6 +53,7 @@ server {
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/letsencrypt/options-ssl-nginx.conf;
+	include /etc/letsencrypt/challenge.conf;
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }
 

nginx/data/nginx/templates/login.conf.template

@@ -22,6 +22,7 @@ server {
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/letsencrypt/options-ssl-nginx.conf;
+	include /etc/letsencrypt/challenge.conf;
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }
 

nginx/data/nginx/templates/social.conf.template

@@ -21,6 +21,7 @@ server {
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/letsencrypt/options-ssl-nginx.conf;
+	include /etc/letsencrypt/challenge.conf;
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }