
- request and mount certs
- handle caddy challenge
- docker fixes
- pull nm-certs.sh

Tobias Cudnik 2 years ago
parent
commit
c772ea03ba
4 changed files with 85 additions and 43 deletions
  1. 2 0
      compose/docker-compose.yml
  2. 22 25
      docker/Caddyfile
  3. 36 7
      scripts/nm-certs.sh
  4. 25 11
      scripts/nm-quick.sh

+ 2 - 0
compose/docker-compose.yml

@@ -48,6 +48,8 @@ services:
     restart: unless-stopped
     volumes:
       - /root/Caddyfile:/etc/caddy/Caddyfile
+      - /root/fullchain.pem:/root/fullchain.pem
+      - /root/privkey.pem:/root/privkey.pem
       - caddy_data:/data
       - caddy_conf:/config
     ports:
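Review bot: The two new bind mounts expose the host's TLS private key to the caddy container read-write, although nothing inside the container needs to modify these files; mount them read-only so a compromised or misconfigured container cannot replace the key or chain on the host: `- /root/fullchain.pem:/root/fullchain.pem:ro` and `- /root/privkey.pem:/root/privkey.pem:ro`. A short comment above the two lines saying where the files come from would also help the next reader, e.g. `# issued by scripts/nm-certs.sh; the certs are static, Caddy does not renew them`. The enclosing `caddy` service definition starts outside the hunk.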

+ 22 - 25
docker/Caddyfile

@@ -1,42 +1,39 @@
-{
-        # ZeroSSL account
-        # acme_ca https://acme.zerossl.com/v2/DV90
-        email YOUR_EMAIL
-}
-
 # Dashboard
 https://dashboard.NETMAKER_BASE_DOMAIN {
-        # Apply basic security headers
-        header {
-                # Enable cross origin access to *.NETMAKER_BASE_DOMAIN
-                Access-Control-Allow-Origin *.NETMAKER_BASE_DOMAIN
-                # Enable HTTP Strict Transport Security (HSTS)
-                Strict-Transport-Security "max-age=31536000;"
-                # Enable cross-site filter (XSS) and tell browser to block detected attacks
-                X-XSS-Protection "1; mode=block"
-                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
-                X-Frame-Options "SAMEORIGIN"
-                # Prevent search engines from indexing
-                X-Robots-Tag "none"
-                # Remove the server name
-                -Server
-        }
+	tls /root/fullchain.pem /root/privkey.pem
+	# Apply basic security headers
+	header {
+		# Enable cross origin access to *.NETMAKER_BASE_DOMAIN
+		Access-Control-Allow-Origin *.NETMAKER_BASE_DOMAIN
+		# Enable HTTP Strict Transport Security (HSTS)
+		Strict-Transport-Security "max-age=31536000;"
+		# Enable cross-site filter (XSS) and tell browser to block detected attacks
+		X-XSS-Protection "1; mode=block"
+		# Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
+		X-Frame-Options "SAMEORIGIN"
+		# Prevent search engines from indexing
+		X-Robots-Tag "none"
+		# Remove the server name
+		-Server
+	}
 
-        reverse_proxy http://netmaker-ui
+	reverse_proxy http://netmaker-ui
 }
 
 # API
 https://api.NETMAKER_BASE_DOMAIN {
-        reverse_proxy http://netmaker:8081
+	tls /root/fullchain.pem /root/privkey.pem
+	reverse_proxy http://netmaker:8081
 }
 
 # STUN
 https://stun.NETMAKER_BASE_DOMAIN {
+	tls /root/fullchain.pem /root/privkey.pem
 	reverse_proxy netmaker:3478
 }
 
-
 # MQ
 wss://broker.NETMAKER_BASE_DOMAIN {
-        reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
+	tls /root/fullchain.pem /root/privkey.pem
+	reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
 }
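Review bot: Dropping the global `email` block and pointing every site at `tls /root/fullchain.pem /root/privkey.pem` turns off Caddy's automatic issuance and renewal for these hosts, but the file does not say so or where the static files come from; a reader would reasonably assume Caddy still manages ACME. I would add at the top: `# Certificates are issued out-of-band by scripts/nm-certs.sh (zerossl-bot certonly) and bind-mounted from /root; Caddy does not renew them, so the script must be re-run and caddy restarted before they expire.` As a point of style, the identical `tls` line now appears four times — a snippet `(certs) { tls /root/fullchain.pem /root/privkey.pem }` with `import certs` in each site keeps the paths in one place when they change. Note also that the security `header` block still applies only to the dashboard site, so the api/stun/broker hosts get no HSTS; that predates this commit but becomes more visible now that each site carries its own `tls` line.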

+ 36 - 7
scripts/nm-certs.sh

@@ -1,18 +1,47 @@
 #!/bin/bash
 
 CONFIG_FILE=netmaker.env
-
 source $CONFIG_FILE
+CERT_DIR=/etc/letsencrypt/live/stun.$DOMAIN/
+
+echo "Setting up SSL certificates..."
 
 # TODO check $DOMAIN, $EMAIL
 # TODO support EE domains
 
-wget -O https://github.com/zerossl/zerossl-bot/raw/master/zerossl-bot.sh
-chmod +x zerossl-bot.sh
+wget -qO /root/zerossl-bot.sh "https://github.com/zerossl/zerossl-bot/raw/master/zerossl-bot.sh"
+chmod +x /root/zerossl-bot.sh
 
+RESTART_CADDY=false
+if [ -n "$(docker ps | grep caddy)" ]; then
+	echo "Caddy is running, stopping for now..."
+	RESTART_CADDY=true
+	docker-compose -f /root/docker-compose.yml stop caddy
+fi
+
+# request certs
 ./zerossl-bot.sh certonly --standalone \
 	-m "$EMAIL" \
-	-d "stun.nm.$DOMAIN" \
-	-d "broker.nm.$DOMAIN" \
-	-d "dashboard.nm.$DOMAIN" \
-	-d "api.nm.$DOMAIN"
+	-d "stun.$DOMAIN" \
+	-d "broker.$DOMAIN" \
+	-d "dashboard.$DOMAIN" \
+	-d "api.$DOMAIN"
+
+# TODO fallback to letsencrypt
+
+# check if successful
+if [ ! -f "$CERT_DIR"/fullchain.pem ]; then
+	echo "SSL certificates failed"
+	exit 1
+fi
+
+# copy for mounting
+cp "$CERT_DIR"/fullchain.pem /root
+cp "$CERT_DIR"/privkey.pem /root
+
+echo "SSL certificates ready"
+
+if [ "$RESTART_CADDY" = true ]; then
+	echo "Starting Caddy..."
+	docker-compose -f /root/docker-compose.yml start caddy
+fi
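Review bot: The bot is downloaded to `/root/zerossl-bot.sh` but executed as `./zerossl-bot.sh`, so the certificate request only works when the script happens to be run from /root; invoke it by the absolute path. The script also runs an unpinned file fetched from a `master` branch as root with no checksum, and has no `set -e`, so a failed `wget -q` (silent) or a failed `certonly` still flows into the `cp` lines; with `set -euo pipefail` an unset `$DOMAIN`/`$EMAIL` from netmaker.env would fail loudly as well, which the existing TODO asks for. Two further points: the `exit 1` on the failure path leaves caddy stopped because the restart only runs on success (a `trap … EXIT` that restarts it when `RESTART_CADDY` is true would cover both paths), and `cp` creates /root/privkey.pem with the default umask even though the file is bind-mounted into a container, so tighten it to 0600. The `/etc/letsencrypt/live/stun.$DOMAIN/` location presumably relies on zerossl-bot wrapping certbot with its default layout — worth a comment, as it is not visible here.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: CONFIG_FILE / CERT_DIR setup …

# NOTE(review): this fetches and runs an unpinned script from the master branch as root
# with no integrity check; pin a tag/commit and verify a digest before trusting it.
ZEROSSL_BOT=/root/zerossl-bot.sh
wget -qO "$ZEROSSL_BOT" "https://github.com/zerossl/zerossl-bot/raw/master/zerossl-bot.sh"
chmod +x "$ZEROSSL_BOT"

# … unchanged: stop caddy if it is running …

# request certs (absolute path: the download above did not go to the cwd)
"$ZEROSSL_BOT" certonly --standalone \
	-m "$EMAIL" \
	-d "stun.$DOMAIN" \
	-d "broker.$DOMAIN" \
	-d "dashboard.$DOMAIN" \
	-d "api.$DOMAIN"

# … unchanged: success check …

# copy for mounting; the key is bind-mounted into the caddy container, so keep it owner-only
cp "$CERT_DIR"/fullchain.pem /root/fullchain.pem
cp "$CERT_DIR"/privkey.pem /root/privkey.pem
chmod 600 /root/privkey.pem
```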

+ 25 - 11
scripts/nm-quick.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 
 CONFIG_FILE=netmaker.env
+# location of nm-quick.sh (usually `/root`)
+SCRIPT_DIR=$(dirname "$(realpath "$0")")
 LATEST=$(curl -s https://api.github.com/repos/gravitl/netmaker/releases/latest | grep "tag_name" | cut -d : -f 2,3 | tr -d [:space:],\")
 
 print_logo() { (
@@ -398,7 +400,8 @@ set_install_vars() {
 	fi
 
 	NETMAKER_BASE_DOMAIN=nm.$(echo $IP_ADDR | tr . -).nip.io
-	COREDNS_IP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
+	# TODO dead code?
+	# COREDNS_IP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
 	SERVER_PUBLIC_IP=$IP_ADDR
 	MASTER_KEY=$(
 		tr -dc A-Za-z0-9 </dev/urandom | head -c 30
@@ -437,9 +440,9 @@ set_install_vars() {
 	# update the config
 	touch $CONFIG_FILE
 	if grep -q "^DOMAIN=" $CONFIG_FILE; then
-			sed -i "s/DOMAIN=.*/DOMAIN=$NETMAKER_BASE_DOMAIN/" $CONFIG_FILE
+		sed -i "s/DOMAIN=.*/DOMAIN=$NETMAKER_BASE_DOMAIN/" $CONFIG_FILE
 	else
-			echo "DOMAIN=$NETMAKER_BASE_DOMAIN" >> $CONFIG_FILE
+		echo "DOMAIN=$NETMAKER_BASE_DOMAIN" >>$CONFIG_FILE
 	fi
 
 	wait_seconds 2
@@ -487,7 +490,7 @@ set_install_vars() {
 
 	# read the config file
 	if [ -f $CONFIG_FILE ]; then
-			source $CONFIG_FILE
+		source $CONFIG_FILE
 	fi
 
 	unset GET_EMAIL
@@ -499,6 +502,7 @@ set_install_vars() {
 		read -p "Email Address for Domain Registration (click 'enter' to use $EMAIL_SUGGESTED): " GET_EMAIL
 	fi
 	if [ -z "$GET_EMAIL" ]; then
+		# TODO detect when inheriting from the config
 		echo "using rand email"
 		EMAIL="$EMAIL_SUGGESTED"
 	else
@@ -508,9 +512,9 @@ set_install_vars() {
 	# update the config
 	touch $CONFIG_FILE
 	if grep -q "^EMAIL=" $CONFIG_FILE; then
-			sed -i "s/EMAIL=.*/EMAIL=$EMAIL/" $CONFIG_FILE
+		sed -i "s/EMAIL=.*/EMAIL=$EMAIL/" $CONFIG_FILE
 	else
-			echo "EMAIL=$EMAIL" >> $CONFIG_FILE
+		echo "EMAIL=$EMAIL" >>$CONFIG_FILE
 	fi
 
 	wait_seconds 1
@@ -595,14 +599,18 @@ install_netmaker() {
 
 	COMPOSE_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/compose/docker-compose.yml"
 	CADDY_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/Caddyfile"
+	CERTS_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/scripts/nm-certs.sh"
 	if [ "$INSTALL_TYPE" = "ee" ]; then
 		COMPOSE_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/compose/docker-compose.ee.yml"
 		CADDY_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/Caddyfile-EE"
+		CERTS_URL="https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/scripts/nm-certs.sh"
 	fi
 	if [ ! "$BUILD_TYPE" = "local" ]; then
-		# TODO debug only
-		# wget -O /root/docker-compose.yml $COMPOSE_URL && wget -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/mosquitto.conf && wget -O /root/Caddyfile $CADDY_URL
-		wget -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/wait.sh
+		wget -qO /root/docker-compose.yml $COMPOSE_URL
+		wget -qO /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/mosquitto.conf
+		wget -qO /root/Caddyfile $CADDY_URL
+		wget -qO /root/nm-quick.sh $CERTS_URL
+		wget -qO /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/$BUILD_TAG/docker/wait.sh
 	fi
 
 	chmod +x /root/wait.sh
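Review bot: `wget -qO /root/nm-quick.sh $CERTS_URL` saves the certificate script under the wrong name: it overwrites the installer itself (the new SCRIPT_DIR comment says nm-quick.sh normally lives in /root, and bash reads a running script incrementally, so clobbering it mid-run is unsafe), while /root/nm-certs.sh is never written. It should be `wget -qO /root/nm-certs.sh "$CERTS_URL"` followed by `chmod +x /root/nm-certs.sh` next to the existing `chmod +x /root/wait.sh`. The ordering also looks wrong: step 6 at the bottom of the file runs `"$SCRIPT_DIR"/nm-certs.sh` before install_netmaker (step 7) downloads it, so a fresh install has no script to call; the fetch needs to move ahead of the call. The `ee` branch assigns the same CERTS_URL as the default, which is harmless but suggests the EE case was meant to differ — a `# TODO(ee): EE cert script` comment would make that intent explicit. install_netmaker starts and ends outside the hunk.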
@@ -636,7 +644,12 @@ install_netmaker() {
 
 	echo "Starting containers..."
 
-	docker-compose -f /root/docker-compose.yml up -d
+	# increase the timeouts
+	export DOCKER_CLIENT_TIMEOUT=120
+	export COMPOSE_HTTP_TIMEOUT=120
+
+	# start docker and rebuild containers / networks
+	docker-compose -f /root/docker-compose.yml up -d --force-recreate
 
 	wait_seconds 2
 
@@ -722,7 +735,8 @@ set -e
 # 6. get user input for variables
 set_install_vars
 
-./nm-certs.sh
+# Fetch / update certs using certbot
+"$SCRIPT_DIR"/nm-certs.sh
 
 # 7. get and set config files, startup docker-compose
 install_netmaker