Support custom SSL certificates for the dashboard

docker/Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.14
 
-RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
+RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext sed \
     nginx curl supervisor certbot-nginx && \
     rm -rf /var/cache/apk/* && mkdir -p /run/nginx
 

docker/README.md

@@ -19,5 +19,7 @@ docker run -d --rm -p 80:80 -p 443:443 \
 > For SSL generation, you need to run this image in a server with proper public IP and a domain name pointing to it.
 ## Environment variables
 * ```NGINX_SSL_PORT``` Changes the port that Nginx listens to. Defaults to ```443```
+* ```NGINX_SSL_CERT``` Provide a pre-generated SSL certificate. Optional
+* ```NGINX_SSL_KEY``` Provide a pre-generated SSL certificate key. Optional
 * ```LETSENCRYPT_DOMAIN``` Enables Certbot`s client execution for the specified domain. Defaults to ```none```
 * ```LETSENCRYPT_EMAIL``` Email used in Certbot`s client execution to register the certificate request. Defaults to ```example@local```

docker/default.conf

@@ -1,10 +1,10 @@
 server {
-	listen 80 default_server;
-	listen [::]:80 default_server;
+   listen 80 default_server;
+   listen [::]:80 default_server;
 
-    root /usr/share/nginx/html;
+   root /usr/share/nginx/html;
 
-    location / {
+   location / {
       try_files $uri $uri.html $uri/ =404;
       add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
       expires off;

docker/init_cert.sh

@@ -1,22 +1,46 @@
 #!/bin/bash
 set -ex
-LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-"none"}
+
+LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-}
 LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-"example@local"}
+NGINX_SSL_CERT=${NGINX_SSL_CERT:-}
+NGINX_SSL_KEY=${NGINX_SSL_KEY:-}
 NGINX_SSL_PORT=${NGINX_SSL_PORT:-443}
+NGINX_CONF="/etc/nginx/http.d/default.conf"
 
-# If no domain is provided, skip certbot execution and configuration
-if [ "${LETSENCRYPT_DOMAIN}-x" == "none-x" ]; then
-    exit 0
-fi
+remove_ssl_config() {
+    sed -i -E "/ssl_certificate /,/^$/d" "${NGINX_CONF}"
+    sed -i -E "/ssl_certificate_key /,/^$/d" "${NGINX_CONF}"
+}
 
 # Request a certificate
 # this also updates the nginx config file with new SSL entries
-certbot -n --nginx --agree-tos --email ${LETSENCRYPT_EMAIL} -d ${LETSENCRYPT_DOMAIN} --https-port ${NGINX_SSL_PORT}
-# Add cron job file
-cat <<EOF >/etc/crontabs/root
+if [[ -n "${LETSENCRYPT_DOMAIN}" ]]; then
+    echo "Generating SSL certificate using certbot for ${LETSENCRYPT_DOMAIN} with automatic renewal."
+    certbot -n --nginx --agree-tos --email "${LETSENCRYPT_EMAIL}" -d "${LETSENCRYPT_DOMAIN}" --https-port "${NGINX_SSL_PORT}"
+    # Add cron job file
+    cat <<EOF >/etc/crontabs/root
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-0 */12 * * * certbot -q renew --nginx --https-port ${NGINX_SSL_PORT}
+0 */12 * * * certbot -q renew --nginx --https-port "${NGINX_SSL_PORT}"
 EOF
-# start cron daemon
-supervisorctl start cron
+    # start cron daemon
+    supervisorctl start cron
+# Update the nginx config file with the provided SSL entries
+elif [[ -n "${NGINX_SSL_CERT}" && -n "${NGINX_SSL_KEY}" ]]; then
+    echo "Configuring the provided SSL certificate at ${NGINX_SSL_CERT}"
+    remove_ssl_config
+    sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} ssl http2;|" "${NGINX_CONF}"
+    sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} ssl http2;\n\n   ssl_certificate ${NGINX_SSL_CERT};\n   ssl_certificate_key ${NGINX_SSL_KEY};|" "${NGINX_CONF}"
+# If the nginx port is provided but no other settings are, update the port
+elif [[ "${NGINX_SSL_PORT}" != 443 ]]; then
+    echo "Setting nginx listen port."
+    remove_ssl_config
+    sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+    sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+else
+    echo "No certificates or Letsencrypt domain was provided. Exiting."
+    exit 0
+fi
+
+/usr/sbin/nginx -s reload