docs, various fixes and certbot-cloudflare example

examples/certbot-cloudflare/certbot-new.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# you need to run it before starting bunkerized-nginx to get the first certificate
+
+# edit according to your values
+DOMAINS="kakou-corp.fr,*.kakou-corp.fr"
+EMAIL="contact@kakou-corp.fr"
+SERVICE="mywww"
+
+# ask for the certificate
+# don't forget to first edit the cloudflare.ini file
+docker run --rm \
+       -v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
+       -v "${PWD}/letsencrypt:/etc/letsencrypt" \
+       certbot/dns-cloudflare \
+       certonly \
+       --dns-cloudflare \
+       --dns-cloudflare-credentials /tmp/cloudflare.ini \
+       --dns-cloudflare-propagation-seconds 60 \
+       -d "$DOMAINS" \
+       --email "$EMAIL" \
+       --agree-tos \
+       --no-eff-email
+if [ $? -ne 0 ] ; then
+	echo "error while getting certificate for $DOMAINS"
+	exit 1
+fi
+
+# fix permissions
+chgrp -R 101 "${PWD}/letsencrypt"
+chmod -R 750 "${PWD}/letsencrypt"
+
+echo "Certificate for $DOMAINS created !"

examples/certbot-cloudflare/certbot-renew.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# you should add it to your crontab like :
+# 0 0 * * * cd /your/folder && ./certbot-renew.sh
+
+# edit with your service name
+SERVICE="mywww"
+
+# ask for the renew
+# don't forget to first edit the cloudflare.ini file
+docker run --rm \
+       -v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
+       -v "${PWD}/letsencrypt:/etc/letsencrypt" \
+       certbot/dns-cloudflare \
+       renew
+if [ $? -ne 0 ] ; then
+	echo "error while getting certificate for $DOMAINS"
+	exit 1
+fi
+
+# fix permissions
+chgrp -R 101 "${PWD}/letsencrypt"
+chmod -R 750 "${PWD}/letsencrypt"
+
+# reload bunkerized-nginx
+docker-compose kill -s SIGHUP mywww
+
+echo "Certificate(s) renewed (if needed) !"

examples/certbot-cloudflare/cloudflare.ini

@@ -0,0 +1,5 @@
+# Cloudflare API token used by Certbot
+# More info :
+# https://certbot-dns-cloudflare.readthedocs.io/en/stable/index.html#credentials
+# https://developers.cloudflare.com/api/tokens/create
+dns_cloudflare_api_token = YOUR-API-TOKEN-HERE

examples/certbot-cloudflare/docker-compose.yml

@@ -0,0 +1,36 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    volumes:
+      - ./web-files:/www:ro
+      - ./letsencrypt:/letsencrypt:ro
+    environment:
+      - SERVER_NAME=www.website.com # replace with your domain(s)
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/letsencrypt/live/website.com/fullchain.pem # replace with your path
+      - CUSTOM_HTTPS_KEY=/letsencrypt/live/website.com/privkey.pem # replace with your path
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - PROXY_REAL_IP=yes
+      # networks from https://www.cloudflare.com/ips-v4/
+      # you should check if the networks listed are up to date
+      - PROXY_REAL_IP_FROM=173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 172.64.0.0/13 131.0.72.0/22 104.16.0.0/13 104.24.0.0/14
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - REMOTE_PHP=myphp
+      - REMOTE_PHP_PATH=/app
+
+  myphp:
+    image: php:fpm
+    restart: always
+    volumes:
+      - ./web-files:/app

examples/certbot-cloudflare/web-files/index.php

@@ -0,0 +1,5 @@
+<?php
+
+echo "Hello World behind Cloudflare !";
+
+?>