letsencrypt: Copy certs to host-specific directory
This should make using host-specific certificates easier, since otherwise containers would have access to all certificates and private keys.
This commit is contained in:
parent
2649741f3c
commit
f0fd067dca
@ -2,8 +2,7 @@
|
|||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
# Copy certificates to dedicated directories.
|
# Copy certificates to dedicated directory.
|
||||||
for dir in "/var/lib/letsencrypt-certificates" "/var/lib/letsencrypt-certificate-$CERT_DOMAIN"; do
|
install --owner letsencrypt --group letsencrypt --mode 0755 -d "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN"
|
||||||
install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "$dir"
|
install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.pem"
|
||||||
install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "$dir"
|
install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.key"
|
||||||
done
|
|
||||||
|
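Review bot: The destination path `/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN` is spelled out three times in the new hook; assigning it once as `dest="/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN"` and using `"$dest"`, `"$dest/cert.pem"` and `"$dest/cert.key"` in the three `install` calls keeps the directory and the two file paths from drifting apart. The per-domain directory is created 0755, so anything that can reach the parent volume can enumerate every domain and read `cert.pem`, and only the 0640 on `cert.key` separates the private key from other users inside a container; if consumers run as the letsencrypt user or group, `--mode 0750` on the directory would be the tighter choice (the consumer units are outside this hunk, so treat that as a question rather than a finding). `cert.pem` and `cert.key` are also replaced one after the other, so a consumer that reads between the two installs can pick up a mismatched pair on renewal; a short comment such as `# cert.pem and cert.key are replaced sequentially, not atomically.` would at least make that visible. The script's first line is outside the hunk.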
@ -2,7 +2,8 @@
|
|||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
# Correct permissions where needed.
|
# Create directories and correct permissions where needed.
|
||||||
|
install --owner letsencrypt --group letsencrypt --mode 0755 -d /var/lib/letsencrypt-certificates
|
||||||
chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
|
chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
|
||||||
|
|
||||||
# Run ACME verification with parameters given.
|
# Run ACME verification with parameters given.
|
||||||
|
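Review bot: The new `install -d /var/lib/letsencrypt-certificates` only creates the top-level directory, and the recursive `chown` on the following line covers `/var/lib/letsencrypt`, not `/var/lib/letsencrypt-certificates`; on a volume that already ran the previous hook, the certificate and key files that were copied flat into `/var/lib/letsencrypt-certificates` remain there with their old names and modes. Stale private keys sitting outside the per-domain subdirectories undercut the isolation this commit is meant to add, so either remove the flat copies once during setup or add a comment such as `# Certificates now live in per-domain subdirectories; flat copies from older versions are not removed here.` so operators know to clean them up. Whether `install -d` resets mode and ownership on a directory that already exists depends on the coreutils build in the image, so I would not rely on it to repair permissions on existing volumes. The script's first line is outside the hunk.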
@ -12,7 +12,6 @@ ExecStart=/bin/podman run --replace --rm --name letsencrypt-register-%i \
|
|||||||
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
|
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
|
||||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||||
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
|
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
|
||||||
--volume "letsencrypt-certificate-%i:/var/lib/letsencrypt-certificate-%i:z" \
|
|
||||||
localhost/letsencrypt:latest \
|
localhost/letsencrypt:latest \
|
||||||
--accept-tos --pem --path /var/lib/letsencrypt --domains "%i" \
|
--accept-tos --pem --path /var/lib/letsencrypt --domains "%i" \
|
||||||
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run \
|
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run \
|
||||||
|
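Review bot: Dropping the `--volume "letsencrypt-certificate-%i:/var/lib/letsencrypt-certificate-%i:z"` mount leaves the named volume `letsencrypt-certificate-%i` behind on hosts that ran the previous version, still holding the copy of the private key the old hook wrote into it, and nothing in this commit removes it; the same applies to the renew unit in the following hunk. Podman keeps a named volume until it is removed explicitly (`podman volume rm`), so the orphaned volumes should be deleted as part of the upgrade or at least called out in the commit message. The register container keeps the shared `letsencrypt-certificates` volume with `:z`, which is where the updated hook now writes, so this unit itself is fine; the caveat is that any consumer mounting the same volume sees every domain's subdirectory, which is worth a line in the unit's comments. The `ExecStart=` command begins in the hunk header and its continuation lines run past the hunk.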
@ -11,7 +11,6 @@ ExecStart=/bin/podman run --replace --rm --name letsencrypt-renew-%i \
|
|||||||
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
|
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
|
||||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||||
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
|
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
|
||||||
--volume "letsencrypt-certificate-%i:/var/lib/letsencrypt-certificate-%i:z" \
|
|
||||||
localhost/letsencrypt:latest \
|
localhost/letsencrypt:latest \
|
||||||
--pem --path /var/lib/letsencrypt --domains "%i" \
|
--pem --path /var/lib/letsencrypt --domains "%i" \
|
||||||
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew \
|
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew \
|
||||||
|