Certbot initial commits (#1)

- Add certbot container for manage TLS certificates
- Adds a docker volume shared with the nginx container for
retrieving TLS certificates
- Add README, CHANGELOG
- Add build scripts and setup Travis-CI builds

Author: hrpatel

.gitignore

@@ -0,0 +1,2 @@
+### JetBrains template
+.idea/

.travis.yml

@@ -0,0 +1,39 @@
+
+stages:
+  - Tests
+  - SDLC Tasks
+  - Build and Publish
+
+jobs:
+  include:
+  - stage: Tests
+    name: Shellcheck
+    env:
+      - SHELLCHECK_OPTS="-e SC1008 -e SC2154"
+    language: bash
+    script:
+      - shellcheck $(find . -type f -name '*.sh')
+  - name: Dockerfile linter
+    language: minimal
+    script:
+      - docker run --rm -v $PWD:/root/ projectatomic/dockerfile-lint dockerfile_lint -f ./Dockerfile
+  - stage: "SDLC Tasks"
+    name: Tag & iteration update
+    sudo: required
+    language: bash
+    script:
+      - bash bin/travis-ci/check_tag.sh
+  - stage: Build and Publish
+    name: Docker image
+    env:
+      - secure: "syHwTME2FzcgZnn8VZgi2WGSctRlhYmt+6F3KVwhOUfgwRLqJZuohXSWm7/siS6BAqtk6poXIjpn7uAJXk+h7gEefQPaqe4GwwXJAn+zNq7K1Q1DCOhHlTjWdEn0dd1lH1rc8PnrS48U+TkP5yjQ24Y/20MnJy2omQ2awxBphZbBK1X5L8DIeYeMXi39/qhY+yUdmkS7kmC0eYMGK0ijVhDCQGt+MBkTPtdq2XwtGy0L5wHGeGz+epXRSLU8JIN1w29dTbEIR+SfrRfOB3fJo8rNoIecMt68+Jb5Xg33AehYL4t65Cx2z9+KtGvWeLIQEGlsG9gntJjMHqTUjcZnrO7b5ynSUKn5loaHJc4oM8IA2cpwidDHGVD1hNqo9Bg4k6zHn98t+VqS8Cztxp2acHyubR+32jESxVbU+eR3A0eGSWTa8o+HLU1cEDw43x3qwG4E++msGAarnhKSYuKys6l2UKBYy9OP3j1rT9B+Oxm+dPQooUY1ueBhDwq7ijSt/n4qjwP7ZExCdggvT1PDeCwtwedMqJ5MskWLKwqpT3Hny7twBXBgZv+jKSb7ZxID4imbmr3lO0O+cuqve6N1Exc2labZEu90pawqem+a6OaspXriNu1YBD9GyXlUmpGBh5YgzCDBnwjlSTJ7p6xiXTF6AEd7nnnhWPwkp2SxPdI="
+      - secure: "aAjuXpAhD67jVis8/gHoe4mwXESRCKCOrsmgqDpIJzj+0WIs1Z9bEq84dcCmkAz+Fz6eA6kiJIHrHsHzASOysVtAIpJ0ApKkUtyDP41GjF7nS4d9SuMKzamEfgoFTQDBwF2i+L9wwdQ0UNVQ53bZomU1cbwhcDWXoKcpSvW3fWL0q8rKN4f0oLi73FYMQ3+Dq9NM5r7DH7CUtjxwVZuvxWnP5JC+Rqm8Du+ObVSxbLvkzSebnCPXh0BZxEIJYh3da3rcckJQfDIyTgXKytEjnbEf4vmlnKsNIIR3NuzgWFLToPKeckI/BNY930QxX3epZs2Pa6EgTzBdDZBuGmAPdnXRTD9i5y+6Ffpv7duRpTngRAujUmAzdwU/B2utmW1BnJpvbbepBcFjyHDOGHgeL1Q0JmpH573oRkkOip85nkIWv03qWVqOZSky5DtfQuPp6SEd5/WlvhC7Etcz49YZb6Wjl+cOYV+WYorjBwe1jSPOQO4oJ5Qlnbw8NQ3lNk93t71z7/YWtyaoHp/NHMPdf+ZsOZn+YS2Iu2dXfoTZNTgpJpFaAu3mkTV09XsygM5uDJ83kqAwMNoToHU1iyGD/SRzfpojyMeSXOyHaIqiHdSrqaKopyD1o81oiIdji4pKTw9sGFOmnFRvWHd7+/8kYFnK/IwN6CbmLdBcCMVhegg="
+      - secure: "okThdoKinSf0fpKZLb2Xw31nW5PdMZyF2l0FAP6TrjtcSc2PQ56BhcwWY8yjvFNfR8o2uVTwfKYhitXDDOngqBiJclRMV6zJfBzNKig/a3ouXQHbMybjxiAcH3kBYBzZEpkf7nf/R2xH0TfiMQS34b17VU0yYkOHjDe9NIWLZ8qDHPOMa3p0vuw23WpIaU6HaoD2Pzn/YqD79HlDwo4x+9FA4ffF0iYzRhRAlMK05WNXX0ZMoEvTMKwyGkVgu0U7kI+Tzj4z0O3ZIEc0tmthBuhOdjxc9FPjIN09tRhh15HeV55gn/uoZN79AOgBUG1ZLRahMEEXSGMtiWbBE8RRH8u46mP/bR6SLfqZ5whsDzQ4d8a1uNB7GRxaTHLZW+6Ij3YyNP6xtHQJiGk6U9iYTf4yUI4C2SkcDH+Zq+ipNuyJI4JduH5H1mQaK28I5Mu/s/BBVp6PJ7B/V3YKbv4Rv/DwiC8tGAfR+EQ/DGOvu69xiIKLc3IC4wI9TtLRQWrm7KZnPI1KlfFtYE7O/GotxoAbf/8kQ1HXfx1q0mP3o4ithtsz8XQX3h63jhD4hsBmNfiwEJCxO6Qwtq7ihxJOOh2rM9YGv8Ib3JQ6r+SLyfCO6Uhz0/buE/Xg+Xo1J8hMHmfy3T/d+MU7g+oOO2Oj9dxTSDiH7aLWwOlG653ltIM="
+    language: minimal
+    sudo: required
+    services:
+      - docker
+    script:
+      - bash bin/travis-ci/docker_upgrade.sh
+      - bash bin/travis-ci/docker_build.sh
+      - if [[ ${TRAVIS_BRANCH} = "master" ]]; then bash bin/travis-ci/docker_publish.sh; fi

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [v0.1.1] - 2018-10-02
+### Added
+- Project `CHANGELOG.md`, `README.md`, and `LICENSE`
+- Initial commit of Docker, CI build, and configuration
+- Move `certbot` directory from `moodle-docker` to this repo

Dockerfile

@@ -0,0 +1,12 @@
+FROM certbot/certbot:v0.27.1
+
+LABEL name="certbot"
+LABEL version="latest"
+
+RUN apk --no-cache add openssl curl
+
+COPY ./bin/ /usr/local/bin/
+RUN chmod +x /usr/local/bin/run_certbot.sh \
+    && chmod +x /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

README.md

@@ -1 +1,65 @@
-# certbot-docker
+# certbot-docker
+
+A container that runs `certbot` to help manage certificates. 
+
+Docker volumes are used to share certificates and other files (e.g. challenges) across containers. This means multiple web server containers can take advantage of a single `certbot` container.  
+
+### Sample usage
+In your `docker-compose.yaml` file:
+
+```bash
+  nginx-web-server:
+    environment:
+      ...
+      CERT_DIR: "${CERT_DIR}"
+      CERT_DOMAIN: "${CERT_DOMAIN}"
+      CHALLENGE_DIR: "${CHALLENGE_DIR}"
+    volumes:
+      ...
+      # Directory for serving certbot challenge files
+      - type: volume
+        source: certbot-challenges
+        target: ${CHALLENGE_DIR}
+      # Directory for serving certificates
+      - type: volume
+        source: certbot-certs
+        target: ${CERT_DIR}
+
+  certbot:
+    depends_on:
+      - nginx-web-server
+    environment:
+      ADMIN_EMAIL: "${ADMIN_EMAIL}"
+      CERT_DOMAIN: "${CERT_DOMAIN}"
+    volumes:
+      - type: volume
+        source: certbot-challenges
+        target: /challenges
+      - type: volume
+        source: certbot-certs
+        target: /certs
+
+volumes:
+  certbot-challenges:
+  certbot-certs:
+```
+
+Web server configuration. E.g. for `nginx.conf`:
+
+```bash
+server {
+    listen ${HTTP_PORT};
+
+    server_name _;
+
+    location /.well-known/acme-challenge {
+        root ${CHALLENGE_DIR};
+        default_type "text/plain";
+        try_files $uri =404;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+```

bin/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo "Starting 'certbot' entrypoint..."
+
+cert_url="http://${CERT_DOMAIN}"
+until curl --output /dev/null --silent --head --fail --connect-timeout 30 "${cert_url}"; do
+    echo "Cannot resolve '${cert_url}', sleeping and trying again..."
+    sleep 60
+done
+
+echo "Successful response from '${cert_url}', attempting to obtain certificate..."
+/usr/local/bin/run_certbot.sh -e "${ADMIN_EMAIL}" -d "${CERT_DOMAIN}" -r /challenges

bin/run_certbot.sh

@@ -0,0 +1,148 @@
+#!/bin/sh
+# shellcheck disable=SC2039,SC2113
+
+set -e
+
+print_usage() {
+cat << EOF
+usage: ${0} options
+
+This script wraps certbot to obtain and renew certificates.
+
+OPTIONS:
+    Parameters:
+    -d Domain for certificate.
+    -e Administrator email used when obtaining certificates.
+    -r Webroot location to place challenge auth files.
+
+Version: ${VERSION}
+EOF
+}
+
+function check_for_cert {
+    if [ -z "${1}" ] ; then
+        echo "Missing parameter 1: Domain name"
+        return 1
+    fi
+    local cert_domain="${1}"
+
+    local cert_dir="/etc/letsencrypt/live/${cert_domain}"
+
+    echo "Check if certificate directory exists"
+    [ -d "${cert_dir}" ] && return 0 || return 1
+}
+
+function copy_certificates {
+    if [ -z "${1}" ] ; then
+        echo "Missing parameter 1: Domain name"
+        return 1
+    fi
+    local cert_domain="${1}"
+
+    echo "Copy certificate files to /certs/ docker volume"
+    cp -v /etc/letsencrypt/live/"${cert_domain}"/cert.pem /certs/"${cert_domain}".pem
+    cp -v /etc/letsencrypt/live/"${cert_domain}"/privkey.pem /certs/"${cert_domain}".key.pem
+    cp -v /etc/letsencrypt/live/"${cert_domain}"/chain.pem /certs/"${cert_domain}".chain.pem
+    cp -v /etc/letsencrypt/live/"${cert_domain}"/fullchain.pem /certs/"${cert_domain}".fullchain.pem
+}
+
+function obtain_certificate {
+    # Obtain certificate for provided domain
+    if [ -z "${1}" ] ; then
+        echo "Missing parameter 1: Admin email"
+        return 1
+    fi
+    local admin_email="${1}"
+
+    if [ -z "${2}" ] ; then
+        echo "Missing parameter 2: Certificate domain name"
+        return 1
+    fi
+    local cert_domain="${2}"
+
+    if [ -z "${3}" ] ; then
+        echo "Missing parameter 3: Webroot location"
+        return 1
+    fi
+    local cert_webroot="${3}"
+
+    echo "Obtaining certificate for ${cert_domain}"
+    certbot certonly \
+        --agree-tos \
+        --domain "${cert_domain}" \
+        --email "${admin_email}" \
+        --keep-until-expiring \
+        --max-log-backups 100 \
+        --non-interactive \
+        --renew-by-default \
+        --webroot -w "${cert_webroot}"
+}
+
+function renew_certificate {
+    if [ -z "${1}" ] ; then
+        echo "Missing parameter 1: Webroot location"
+        return 1
+    fi
+    local cert_webroot="${1}"
+
+    echo "Renewing certificates registered on system."
+    certbot renew \
+        --non-interactive \
+        --webroot -w "${cert_webroot}"
+}
+
+function process_certificates {
+    if [ -z "${1}" ] ; then
+        echo "Missing required parameter 1: Admin email"
+        return 1
+    fi
+    local admin_email="${1}"
+
+    if [ -z "${2}" ] ; then
+        echo "Missing required parameter 2: Certificate domain name"
+        return 1
+    fi
+    local cert_domain="${2}"
+
+    if [ -z "${3}" ] ; then
+        echo "Missing required parameter 3: Webroot location"
+        return 1
+    fi
+    local cert_webroot="${3}"
+
+    if check_for_cert "${cert_domain}"; then
+        renew_certificate "${cert_webroot}"
+    else
+        obtain_certificate "${admin_email}" "${cert_domain}" "${cert_webroot}"
+    fi
+
+    copy_certificates "${cert_domain}"
+}
+
+admin_email="${admin_email:-}"
+certificate_domain="${certificate_domain:-}"
+certificate_webroot="${certificate_webroot:-}"
+while getopts ":d:e:r:A:SD" opt; do
+    case ${opt} in
+        'd') certificate_domain="${OPTARG}" ;;
+        'e') admin_email="${OPTARG}" ;;
+        'r') certificate_webroot="${OPTARG}" ;;
+        '?')
+            echo "Invalid option: -${OPTARG}"
+            print_usage
+            exit 0
+        ;;
+        ':')
+            echo "Missing option argument for -${OPTARG}"
+            print_usage
+            exit 0
+        ;;
+        '*')    # Anything else
+            echo "Unknown error while processing options"
+            print_usage
+            exit 1
+        ;;
+    esac
+done
+
+process_certificates "${admin_email}" "${certificate_domain}" "${certificate_webroot}"

bin/travis-ci/check_tag.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 SD Elements Inc.
+#
+#  All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains
+# the property of SD Elements Incorporated and its suppliers,
+# if any.  The intellectual and technical concepts contained
+# herein are proprietary to SD Elements Incorporated
+# and its suppliers and may be covered by U.S., Canadian and other Patents,
+# patents in process, and are protected by trade secret or copyright law.
+# Dissemination of this information or reproduction of this material
+# is strictly forbidden unless prior written permission is obtained
+# from SD Elements Inc..
+# Version
+
+set -eo pipefail
+
+# echo "Installing shtdlib"
+shtdlib_local_path="/usr/local/bin/shtdlib.sh"
+sudo curl -s -L -o "${shtdlib_local_path}" https://github.com/sdelements/shtdlib/raw/master/shtdlib.sh
+sudo chmod 775 "${shtdlib_local_path}"
+# shellcheck disable=SC1091,SC1090
+source "${shtdlib_local_path}"
+color_echo green "shtdlib.sh installed successfully"
+
+# Get the latest tag from GitHub
+latest_tag="$(git fetch -t && git tag -l | sort --version-sort | tail -n1)"
+color_echo green "Latest Git tag: '${latest_tag}'"
+
+# Get the latest tag from the CHANGELOG
+changelog_ver="$(grep -oP '\[v\d\.\d\.\d\]' CHANGELOG.md | tr -d '[]' | sort -nr | head -n1)"
+color_echo green "CHANGELOG version: '${changelog_ver}'"
+
+# Validate version strings
+version_pattern='^v\d\.\d\.\d$'
+echo "${latest_tag}" | grep -qP ${version_pattern} || ( color_echo red "Invalid tag from repo: '${latest_tag}'" && exit 1 )
+echo "${changelog_ver}" | grep -qP ${version_pattern} || ( color_echo red "Invalid tag from CHANGELOG: '${changelog_ver}'" && exit 1 )
+
+# Ensure tags in CHANGELOG and iteration are greater than highest repo tag
+if [ "${latest_tag}" = "${changelog_ver}" ] \
+   || ! compare_versions "${latest_tag}" "${changelog_ver}"; then
+    color_echo red "Error: Version in CHANGELOG.md not updated"
+    exit 1
+else
+    color_echo green "Version bumps PASS!"
+fi

bin/travis-ci/docker_build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 SD Elements Inc.
+#
+#  All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains
+# the property of SD Elements Incorporated and its suppliers,
+# if any.  The intellectual and technical concepts contained
+# herein are proprietary to SD Elements Incorporated
+# and its suppliers and may be covered by U.S., Canadian and other Patents,
+# patents in process, and are protected by trade secret or copyright law.
+# Dissemination of this information or reproduction of this material
+# is strictly forbidden unless prior written permission is obtained
+# from SD Elements Inc..
+# Version
+
+set -eo pipefail
+
+# Build image
+docker build --no-cache --tag "${DOCKER_REGISTRY_URL}/postfix" .
+docker images

bin/travis-ci/docker_publish.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 SD Elements Inc.
+#
+#  All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains
+# the property of SD Elements Incorporated and its suppliers,
+# if any.  The intellectual and technical concepts contained
+# herein are proprietary to SD Elements Incorporated
+# and its suppliers and may be covered by U.S., Canadian and other Patents,
+# patents in process, and are protected by trade secret or copyright law.
+# Dissemination of this information or reproduction of this material
+# is strictly forbidden unless prior written permission is obtained
+# from SD Elements Inc..
+# Version
+
+set -eo pipefail
+
+# Log into our Docker registry
+echo "${DOCKER_REGISTRY_PASSWORD}" | docker login -u "${DOCKER_REGISTRY_USER}" --password-stdin "${DOCKER_REGISTRY_URL}"
+
+# Push image
+docker push "${DOCKER_REGISTRY_URL}/postfix:latest"