diff --git a/.env.default b/.env.default
index 0b3651d..9978964 100644
--- a/.env.default
+++ b/.env.default
@@ -36,6 +36,7 @@ SERVER_HOSTNAME='' # livedvr.tripsdd.com
 # 使用https时, 必填, 证书文件的绝对路径, 排除.crt/.key后缀, nginx实际读取的是 ${SSL_CERTIFICATE}.crt 和 ${SSL_CERTIFICATE}.key 两个文件
 # 如果暂时没有申请到证书, 可以使用内置的假证书: /home/docker/nginx/ssl/placeholder
+# 若使用crotbot自动申请证书, 证书的路径会在日志中打印, 一般为: /data/certbot/live/${SERVER_HOSTNAME}/certificate
 SSL_CERTIFICATE='' # /home/docker-compose/ssl/livedvr_tripsdd_com
 # bus和track部署在同一台服务器上时, 需要通过域名区分两者
@@ -51,6 +52,20 @@ WEB_PORT_HTTPS=443
 # jtt808和maintain分开部署时, 必须填写这个变量
 WEB_BASE_URL='' # https://livedvr.tripsdd.com
+# certbot的配置
+# 注意: 修改这些配置之后, 必须强制重建(docker compose up --force-recreate certbot), 才会生效
+#
+# DNS解析的提供商, 常用的提供商如下:
+# - dnspod: https://console.dnspod.cn/account/token/token
+# - cloudflare: https://go-acme.github.io/lego/dns/cloudflare/
+# - tencentcloud: https://console.cloud.tencent.com/cam/capi
+CERTBOT_DNS_PROVIDER='dnspod'
+CERTBOT_DNS_API_KEY='' # 必填
+# tencentcloud还需要额外设置这个变量
+CERTBOT_TENCENTCLOUD_SECRET_ID=''
+# 接收证书过期提醒的email
+CERTBOT_EMAIL='transcodegroupdeveloper@gmail.com'
+
 ## ================================ Services ================================
 ## 视频服务器
diff --git a/certbot/.env b/certbot/.env
new file mode 120000
index 0000000..0ef0888
--- /dev/null
+++ b/certbot/.env
@@ -0,0 +1 @@
+../.env.default
\ No newline at end of file
diff --git a/certbot/Dockerfile b/certbot/Dockerfile
new file mode 100644
index 0000000..28b0710
--- /dev/null
+++ b/certbot/Dockerfile
@@ -0,0 +1,7 @@
+# 支持100+DNS提供商的Certbot插件
+# 详见: https://github.com/alexzorin/certbot-dns-multi
+FROM ghcr.io/alexzorin/certbot-dns-multi:4.27.0
+
+# 添加docker和docker compose命令
+COPY --from=docker:cli /usr/local/bin/docker /usr/local/bin/docker
+COPY --from=docker:cli /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose
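Review bot: The added comment in the first .env.default hunk misspells the tool as `crotbot`; the service, the variables and the directory are all named certbot, so the line should read `# 若使用certbot自动申请证书, 证书的路径会在日志中打印, 一般为: /data/certbot/live/${SERVER_HOSTNAME}/certificate`. The `/data` prefix it shows is only the `${DATA_DIR:-/data}` default that certbot/compose.yml mounts the certificates under, so the comment would be more accurate saying the prefix follows DATA_DIR rather than presenting /data as fixed.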
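Review bot: `CERTBOT_DNS_API_KEY` is a DNS-provider API credential, and certbot/compose.yml writes the same value into the DNSPOD, Cloudflare and Tencent Cloud credential keys of dns-multi.ini, so the new comment block should tell operators to issue a key limited to DNS-record edits on the certificate's zone rather than an account-wide token, e.g. `# use a key limited to editing DNS records of this zone, not an account-wide token`. The `CERTBOT_EMAIL` default is a maintainer's mailbox, so expiry warnings for an operator's deployment go to the project developer unless the operator notices and changes it; leaving it empty and marking it 必填 like the API key would make each deployment supply its own address. The same mailbox is repeated as the fallback of the `--email` argument in certbot/compose.yml, so both places would need the change.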
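Review bot: The two `COPY --from=docker:cli` lines pull the docker CLI and the compose plugin from a floating tag, so the binaries baked into the image change silently between builds even though the base image is pinned to 4.27.0; pin them the same way, e.g. `COPY --from=docker:<PINNED_VERSION>-cli /usr/local/bin/docker /usr/local/bin/docker` (placeholder for the tag or digest you verify) and likewise for the cli-plugins line. A comment stating that the CLI exists only so the deploy hook can restart nginx over the mounted socket would also tell readers why an ACME client image ships a docker binary.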
diff --git a/certbot/compose.yml b/certbot/compose.yml
new file mode 100644
index 0000000..592f822
--- /dev/null
+++ b/certbot/compose.yml
@@ -0,0 +1,54 @@
+services:
+ certbot:
+ build: .
+ command:
+ - certonly
+ - --non-interactive
+ - --agree-tos
+ - --email
+ - ${CERTBOT_EMAIL:-transcodegroupdeveloper@gmail.com}
+ - --authenticator=dns-multi
+ - --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini
+ # 四个域名可以同时申请, 故不要求必填
+ - --domains=${SERVER_HOSTNAME}
+ - --domains=${TRACK_HOSTNAME}
+ - --domains=${BUS_HOSTNAME}
+ - --domains=${VIDEO_HOSTNAME}
+ - --deploy-hook
+ - "sh -c 'COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME} DATA=${DATA_DIR:-/data} /home/docker/certbot/deploy-hook.sh'"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ${DATA_DIR:-/data}/certbot:/etc/letsencrypt
+ configs:
+ - source: certbot-deploy-hook.sh
+ target: /home/docker/certbot/deploy-hook.sh
+ - source: certbot-dns-multi.ini
+ target: /etc/letsencrypt/dns-multi.ini
+ mode: 0600
+
+
+ ofelia:
+ image: mcuadros/ofelia
+ command: daemon --docker
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ labels:
+ # 通过ofelia重启其他服务, 需要这样绕一道
+ # https://github.com/mcuadros/ofelia/issues/280#issuecomment-2561863012
+ ofelia.job-run.certbot-renew.schedule: "@daily"
+ ofelia.job-run.certbot-renew.command: "sh -c 'docker compose -p ${COMPOSE_PROJECT_NAME} restart certbot'"
+ ofelia.job-run.certbot-renew.image: "docker:cli"
+ ofelia.job-run.certbot-renew.volume: "/var/run/docker.sock:/var/run/docker.sock"
+
+configs:
+ certbot-deploy-hook.sh:
+ file: ./deploy-hook.sh
+ # certbot-dns-multi的配置文件
+ # https://github.com/alexzorin/certbot-dns-multi#usage
+ certbot-dns-multi.ini:
+ content: |
+ dns_multi_provider = ${CERTBOT_DNS_PROVIDER:-dnspod}
+ DNSPOD_API_KEY = "${CERTBOT_DNS_API_KEY:?required}"
+ CLOUDFLARE_DNS_API_TOKEN = "${CERTBOT_DNS_API_KEY:?required}"
+ TENCENTCLOUD_SECRET_KEY = "${CERTBOT_DNS_API_KEY:?required}"
+ TENCENTCLOUD_SECRET_ID = "${CERTBOT_TENCENTCLOUD_SECRET_ID}"
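Review bot: The `certbot` service mounts `/var/run/docker.sock` read-write and the image now carries a docker CLI, so a process that also holds the DNS API credential and talks to the network has full control of the host daemon (root-equivalent) although it only needs to restart nginx after a renewal. Since `ofelia` is already in this file with a socket, the restart could be driven from a scheduled ofelia job, or through a socket proxy limited to the restart endpoint, instead of handing certbot the raw socket; the `:ro` on ofelia's own mount does not restrict API calls made over the socket either. `image: mcuadros/ofelia` and the `docker:cli` job image are untagged while the certbot base is pinned, so these should carry a tag or digest as well. The four `--domains=${...}` entries are passed even when a hostname variable is empty; I have not verified that certbot accepts an empty `--domains=`, so that case is worth testing given the comment says the variables are optional.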
diff --git a/certbot/deploy-hook.sh b/certbot/deploy-hook.sh
new file mode 100755
index 0000000..e6962d7
--- /dev/null
+++ b/certbot/deploy-hook.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+cp -f "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/certificate.crt"
+cp -f "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/certificate.key"
+
+echo "======================"
+echo "请将证书变量设置为:"
+echo "SSL_CERTIFICATE='${DATA_DIR:-/data}/certbot/live/$(basename "$RENEWED_LINEAGE")/certificate'"
+echo
+
+echo "正在查找包含'nginx'的服务..."
+nginx_services=$(docker compose -p "${COMPOSE_PROJECT_NAME}" ps --services | grep nginx || true)
+
+if [ -n "$nginx_services" ]; then
+ echo "重启 $nginx_services 中..." | tr '\n' ' '
+ echo
+ echo "$nginx_services" | xargs docker compose -p "${COMPOSE_PROJECT_NAME}" restart
+ echo "重启完成"
+else
+ echo "未找到包含'nginx'的服务"
+fi
+echo "======================"
diff --git a/examples/bus-https/.env b/examples/bus-https/.env
index 8f3a8f1..f459115 100644
--- a/examples/bus-https/.env
+++ b/examples/bus-https/.env
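Review bot: The printed hint reads `${DATA_DIR:-/data}`, but the `--deploy-hook` command in certbot/compose.yml exports the value as `DATA=${DATA_DIR:-/data}` and no `environment:` entry puts DATA_DIR into the container, so a deployment with a non-default DATA_DIR is told the wrong SSL_CERTIFICATE path; either read `${DATA:-/data}` here or change the hook command to `DATA_DIR=${DATA_DIR:-/data}`. The private-key copy relies on `cp -f` carrying over privkey.pem's mode; an explicit `chmod 600 "$RENEWED_LINEAGE/certificate.key"` after the copy makes the permission independent of umask and source mode. A `: "${RENEWED_LINEAGE:?}"` guard before the copies would turn a missing certbot variable into a clear message instead of an attempt to copy `/fullchain.pem`.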
@@ -1,22 +1,24 @@
-#---------服务器信息, 必须按实际服务器信息填写-----------------
-## 公网IP
+##---------服务器信息, 必须按实际服务器信息填写-----------------
+# 公网IP
 SERVER_IP_PUBLIC='81.71.36.80'
-## HOSTNAME 没有用域名IP替代
+# HOSTNAME 没有用域名IP替代
 SERVER_HOSTNAME='transcodegroup.cn'
-## SSL证书
-SSL_CERTIFICATE='/home/docker-compose/ssl/tg_com'
+# 自动申请的SSL证书
+SSL_CERTIFICATE="/data/certbot/live/${SERVER_HOSTNAME}/certificate"
+# dnspod的api key, 由id和token拼接而成: https://console.dnspod.cn/account/token/token
+CERTBOT_DNS_API_KEY='id,token'
-#---------自定义初始密码, 建议随机生成新的替换-------------
-## MYSQL, 必填
+##---------自定义初始密码, 建议随机生成新的替换-------------
+# MYSQL, 必填
 MYSQL_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## REDIS, 必填
+# REDIS, 必填
 REDIS_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## RABBIT_MQ, 必填
+# RABBIT_MQ, 必填
 RABBITMQ_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-## Email,必填
+# Email,必填
 MAIL_PASSWORD='ZfJwfEJvL8wbPr4LvCyx'
-#----------自定义端口信息, 推荐开放9000~9100,443,80--------
+##----------自定义端口信息, 推荐开放9000~9100,443,80--------
 # 前端端口配置, HTTP默认80, HTTPS默认443
 WEB_PORT_HTTP=9070
 WEB_PORT_HTTPS=9080
diff --git a/examples/bus-https/compose.yaml b/examples/bus-https/compose.yaml
index 82d02b3..cfcdcf8 100644
--- a/examples/bus-https/compose.yaml
+++ b/examples/bus-https/compose.yaml
@@ -7,6 +7,7 @@ include:
 - ../docker/redis/compose.yml
 - ../docker/bus/compose.yml
 - ../docker/video-nginx/compose.yml
+ - ../docker/certbot/compose.yml
 - path:
 - ../docker/video/compose.yml
 - ../docker/video/compose.bus.yml
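Review bot: The new `SSL_CERTIFICATE` value hardcodes the `/data` prefix while certbot/compose.yml mounts the certificates under `${DATA_DIR:-/data}/certbot`, so the two diverge if a DATA_DIR override is ever added to this example; a comment such as `# 路径前缀须与DATA_DIR一致` (or writing the prefix as `${DATA_DIR:-/data}`) would keep them aligned. The value also relies on Compose expanding `${SERVER_HOSTNAME}` inside a double-quoted .env value; if this file is read by anything other than docker compose, confirm that consumer expands it the same way. `CERTBOT_DNS_API_KEY` now has a slot in a git-tracked example, so the placeholder `id,token` should stay obviously fake and the comment could remind operators to keep real keys in an untracked copy.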