Add nginx reloading if ssl updatet

Atleta-network · Sep 3, 2024 · acaa69d · acaa69d
1 parent 18d837c
commit acaa69d
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 3 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -2,7 +2,7 @@ name: Deploy
 
 on:
   push:
-    branches: [ "atleta" ]
+    branches: [ "devops/55-nginx-reloading" ]
 
 jobs:
   build:
@@ -13,13 +13,19 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v3
 
-      - name: Create Image Tarball
+      - name: Create Image Tarball for explorer-frontend
         run: |
           docker build --build-arg GIT_COMMIT_SHA=$(git rev-parse --short HEAD) --build-arg GIT_TAG=$(git describe --tags --abbrev=0) -t explorer-frontend .
           docker save -o explorer-frontend.tar explorer-frontend
           mkdir -p artifacts
           mv explorer-frontend.tar artifacts/
           
+      - name: Create Image Tarball for nginx
+        run: |
+          docker build --build-arg GIT_COMMIT_SHA=$(git rev-parse --short HEAD) --build-arg GIT_TAG=$(git describe --tags --abbrev=0) -t nginx-explorer nginx-docker/
+          docker save -o nginx-explorer.tar nginx-explorer
+          mv nginx-explorer.tar artifacts/
+
       - name: Set up SSH
         run: |
           mkdir -p ~/.ssh/
@@ -44,6 +50,7 @@ jobs:
           script: |
             cd /blockscout
             docker load -i explorer-frontend.tar
+            docker load -i nginx-explorer.tar
             docker compose down
             docker compose pull
             docker compose up -d --build --remove-orphans
diff --git a/deploy/services/certbot.yml b/deploy/services/certbot.yml
@@ -3,6 +3,7 @@ version: '3.9'
 services:
   certbot:
     image: certbot/certbot
+    restart: unless-stopped
     volumes:
       - /etc/letsencrypt:/etc/letsencrypt
       - ./certbot/www:/var/www/certbot

diff --git a/deploy/services/nginx.yml b/deploy/services/nginx.yml
@@ -2,8 +2,10 @@ version: '3.9'
 
 services:
   proxy:
-    image: nginx
+    image: nginx-explorer
+    pull_policy: never
     container_name: proxy
+    restart: unless-stopped
     extra_hosts:
       - 'host.docker.internal:host-gateway'
     volumes:
@@ -17,3 +19,5 @@ services:
       - 443:443
       - 8080:8080
       - 8081:8081
+    command: /bin/sh -c "/check_ssl.sh & nginx -g 'daemon off;'"
+
diff --git a/nginx-docker/Dockerfile b/nginx-docker/Dockerfile
@@ -0,0 +1,12 @@
+FROM nginx:stable-alpine
+
+COPY docker-entrypoint.sh /
+COPY check_ssl.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx-docker/check_ssl.sh b/nginx-docker/check_ssl.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CERT_DIR="/etc/letsencrypt/live/blockscout.atleta.network"
+FULLCHAIN_PEM="$CERT_DIR/fullchain.pem"
+PRIVKEY_PEM="$CERT_DIR/privkey.pem"
+MD5SUM_FILE="/tmp/md5sum"
+
+while true; do
+  sleep 3600
+  if [ "$(md5sum "$FULLCHAIN_PEM" "$PRIVKEY_PEM" | md5sum)" != "$(cat "$MD5SUM_FILE" || echo '')" ]; then
+    nginx -s reload
+    md5sum "$FULLCHAIN_PEM" "$PRIVKEY_PEM" | md5sum > "$MD5SUM_FILE"
+  fi
+done
diff --git a/nginx-docker/docker-entrypoint.sh b/nginx-docker/docker-entrypoint.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+# Source: https://github.com/nginxinc/docker-nginx/blob/master/stable/alpine-slim/docker-entrypoint.sh
+
+set -e
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+if  [ "$1" = "/bin/sh" ] || [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.envsh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Sourcing $f";
+                        . "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *.sh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) entrypoint_log "$0: Ignoring $f";;
+            esac
+        done
+
+        entrypoint_log "$0: Configuration complete; ready for start up"
+    else
+        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+exec "$@"