static-website-assistant

Best for static sites, but easily extensible.

Download

Container image:

• git.m724.eu/m724/static-website-assistant

Configuration

The following mounts are required:

• /etc/ssl/certs/<domain>: For certificates, fullchain.pem and privkey.pem. Also includes the control domain cert. Can be read-only if you don't use the control server to manage certificates.
• /var/www/html/<domain>: Website files, index.html goes here, mount this read-only.

Required environment variables:

• DOMAINS: One or more domains to handle, separated with ,s or spaces.
• CONTROL_TOKEN: Token to access the control server.

You're also encouraged to provide your own:

• /etc/ssl/dhparam.pem (read-only), generated with:

  openssl dhparam -out dhparam.pem 4096
  

• /etc/ssl/snakeoil.key (read-only) & /etc/ssl/snakeoil.pem (read-only), generated with:

  openssl req -new -x509 -days 398 -noenc -out snakeoil.pem -keyout snakeoil.key -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"
  

• SERVER_ID: Label this server (not used currently)
• CONTROL_DOMAIN: Domain to access the control server. Default: control.localhost
• ACME_CHALLENGE_HOST: The target URL to proxy .well-known/acme-challenge. Default: http://acme-challenge.localhost/.well-known/acme-challenge

Control server

Authentication via Bearer token.

Endpoints:

• /: Health check
• /reload: Reloads nginx
• /certificate/<domain>: Uploads a certificate (POST, upload like a form with field names certificate and private_key)

Response format:

{
   "status": "ok|client_error|server_error",
   "message": "Optional, human-readable feedback message"
}

If you get an empty response, the status code will tell you what's going on.

Nginx configs

Override by mounting to /templates/ (read-only please):

• Control: control.conf.template (default)
• Website: website.conf.template (default)
• Specific website: website-$DOMAIN.conf.template (generated from above)