Merge pull request #52 from MattKobayashi/certbot-cloudflare

Add certbot-cloudflare
MattKobayashi · Jun 27, 2023 · b1583ee · b1583ee
2 parents 592ac3f + cc42177
commit b1583ee
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 0 deletions.
diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml
@@ -137,6 +137,66 @@ jobs:
           push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
           tags: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:latest
 
+  build-certbot-cloudflare:
+
+    runs-on: self-hosted
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      # Login to Docker Hub to avoid pull rate limit
+      # https://github.com/docker/login-action
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Add support for more platforms with QEMU (optional)
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      # Set up Docker Buildx
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Gives two env variables
+      # One with lowercase repo owner's name
+      # Another with the name of the image
+      - name: Set image name
+        run: |
+          echo "REPO_NAME=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV} &&
+          echo "IMAGE_NAME=${GITHUB_JOB#*-}" >> ${GITHUB_ENV}
+
+      # Checkout repository
+      # https://github.com/actions/checkout
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: |
+          github.event_name == 'push' ||
+          github.event_name == 'schedule'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: ./${{ env.IMAGE_NAME }}
+          push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:latest
+
   build-iperf2:
 
     runs-on: self-hosted

diff --git a/certbot-cloudflare/Dockerfile b/certbot-cloudflare/Dockerfile
@@ -0,0 +1,27 @@
+FROM certbot/dns-cloudflare:latest
+
+ARG TARGETPLATFORM
+ENV SUPERCRONIC_SHA1SUM_amd64=642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49 \
+    SUPERCRONIC_SHA1SUM_arm=4f625d77d2f9a790ea4ad679d0d2c318a14ec3be \
+    SUPERCRONIC_SHA1SUM_arm64=0b658d66bd54cf10aeccd9bdbd95fc7d9ba84a61 \
+    SUPERCRONIC_SHA1SUM_i386=1b5ebdd122b05cd2ff38b585022f1d909b0146ff \
+    SUPERCRONIC_VERSION=v0.2.25
+
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCH=amd64; elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then ARCH=arm; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCH=arm64; elif [ "$TARGETPLATFORM" = "linux/i386" ]; then ARCH=i386; else exit 1; fi \
+    && export SUPERCRONIC="supercronic-linux-${ARCH}" \
+    && export SUPERCRONIC_URL="https://github.com/aptible/supercronic/releases/download/${SUPERCRONIC_VERSION}/${SUPERCRONIC}" \
+    && wget "$SUPERCRONIC_URL" \
+    && eval SUPERCRONIC_SHA1SUM='$SUPERCRONIC_SHA1SUM_'$ARCH \
+    && echo "${SUPERCRONIC_SHA1SUM}  ${SUPERCRONIC}" | sha1sum -c - \
+    && chmod +x "${SUPERCRONIC}" \
+    && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+    && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic \
+    && mkdir /crontab/ \
+    && mkdir /opt/certs/
+
+COPY certbot-cron /crontab/
+COPY --chmod=0744 entrypoint.sh .
+
+ENTRYPOINT ["entrypoint.sh"]
+
+LABEL org.opencontainers.image.authors="MattKobayashi <[email protected]>"
diff --git a/certbot-cloudflare/certbot-cron b/certbot-cloudflare/certbot-cron
@@ -0,0 +1 @@
+*/5 * * * * certbot certonly --config cli.ini
diff --git a/certbot-cloudflare/docker-compose.yml b/certbot-cloudflare/docker-compose.yml
@@ -0,0 +1,14 @@
+---
+services:
+  certbot-cloudflare:
+    image: 'ghcr.io/mattkobayashi/certbot-cloudflare:latest'
+    restart: unless-stopped
+    environment:
+      - 'EMAIL='
+      - 'DOMAIN='
+    secrets:
+      - CERTBOT_CF_DNS_API_TOKEN
+
+secrets:
+  CERTBOT_CF_DNS_API_TOKEN:
+    file: ${PWD}/secrets/CERTBOT_CF_DNS_API_TOKEN  # Set this to the path on the host to your CERTBOT_CF_DNS_API_TOKEN secret file
diff --git a/certbot-cloudflare/entrypoint.sh b/certbot-cloudflare/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+cat > cli.ini << EOF
+dns-cloudflare = True
+agree-tos = True
+no-eff-email = True
+keep-until-expiring = True
+dns-cloudflare-propagation-seconds = 30
+dns-cloudflare-credentials = /run/secrets/CERTBOT_CF_DNS_API_TOKEN
+deploy-hook = cp -RL /etc/letsencrypt/live/$DOMAIN/ /opt/certs/ && chmod -R o+r /opt/certs/
+domain = $DOMAIN
+email = $EMAIL
+EOF
+
+exec supercronic /crontab/certbot-cron