Letsencrypt.

php/Dockerfile.Flavours

@@ -32,14 +32,12 @@ RUN apt-get -qq update && \
     apt-get -yqq install --no-install-recommends \
         nginx \
         php$PHP_VERSION-fpm \
+        certbot \
+        python-certbot-nginx \
         && \
     apt-get remove -yqq \
         lsb-core \
         cups-common \
-        software-properties-common \
-        python-apt-common \
-        python3-software-properties \
-        python3.5 python3.5-minimal libpython3.5-minimal \
         && \
     apt-get autoremove -yqq && \
     apt-get clean && \
@@ -82,12 +80,14 @@ RUN apt-get -qq update && \
     # Create runit service directories
     mkdir -p /etc/service/nginx \
              /etc/service/php-fpm \
+             /etc/service/letsencrypt \
              /etc/service/logs-nginx-access \
              /etc/service/logs-nginx-error \
              /etc/service/logs-phpfpm-error && \
     # Copy our new service runits into location
     mv /conf/nginx.runit /etc/service/nginx/run && \
     mv /conf/php-fpm.runit /etc/service/php-fpm/run && \
+    mv /conf/letsencrypt.runit /etc/service/letsencrypt/run && \
     mv /conf/logs-nginx-access.runit /etc/service/logs-nginx-access/run && \
     mv /conf/logs-nginx-error.runit /etc/service/logs-nginx-error/run && \
     mv /conf/logs-phpfpm-error.runit /etc/service/logs-phpfpm-error/run && \
@@ -113,6 +113,9 @@ RUN apt-get -qq update && \
 EXPOSE 80/tcp
 EXPOSE 443/tcp
 
+# Make a volume for letsencrypt certs
+VOLUME /etc/letsencrypt
+
 # Create a healthcheck that makes sure our httpd is up
 HEALTHCHECK --interval=30s --timeout=3s \
     CMD curl -f http://localhost/ || exit 1

php/php+nginx/letsencrypt.runit

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+if [ -z "$LETSENCRYPT_DOMAINS" ]; then
+  echo "LetsEncrypt not enabled"
+  while true; do
+    sleep infinity
+  done
+fi
+
+if [ -z "$LETSENCRYPT_EMAIL" ]; then
+  echo "LetsEncrypt not enabled - You must set LETSENCRYPT_EMAIL"
+  while true; do
+    sleep infinity
+  done
+fi
+
+if [ "${LETSENCRYPT_MODE,,}" = "production" ]; then
+    echo "LetsEncrypt is running against the PRODUCTION servers."
+    LETSENCRYPT_MODE=
+else
+    echo "LetsEncrypt is running against the STAGING servers."
+    LETSENCRYPT_MODE=--test-cert
+fi
+
+echo "Certbot is running for ${LETSENCRYPT_EMAIL} / ${LETSENCRYPT_DOMAINS}..."
+certbot \
+  certonly \
+    --nginx \
+    $LETSENCRYPT_TEST_MODE \
+    -n \
+    -m $LETSENCRYPT_EMAIL \
+    --agree-tos \
+    -d $LETSENCRYPT_DOMAINS
+echo "Certbot complete!"
+sed -i     "s|ssl_certificate .*|ssl_certificate     /etc/letsencrypt/live/${LETSENCRYPT_DOMAINS}/fullchain.pem;|g" /etc/nginx/sites-enabled/default-ssl
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key /etc/letsencrypt/live/${LETSENCRYPT_DOMAINS}/privkey.pem;|g" /etc/nginx/sites-enabled/default-ssl
+echo "Reloading Nginx"
+cat /etc/nginx/sites-enabled/default-ssl
+nginx -s reload
+# Sleep for 24 hours and try again tomorrow with a renewal, just in case.
+sleep 86400