
let caddy do certificate management (#2611)

* let caddy do certificate management

* rm certs dir
Matthew R Kasun 1 year ago
parent
commit
35673d6aba
5 changed files with 0 additions and 132 deletions
  1. 0 1
      compose/docker-compose.yml
  2. 0 5
      docker/Caddyfile
  3. 0 8
      docker/Caddyfile-pro
  4. 0 113
      scripts/nm-certs.sh
  5. 0 5
      scripts/nm-quick.sh

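--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@@ -53,7 +53,6 @@ services:
       - "host.docker.internal:host-gateway"
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile
-      - ./certs:/root/certs
       - caddy_data:/data
       - caddy_conf:/config
     ports: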
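--- a/docker/Caddyfile
+++ b/docker/Caddyfile
@@ -1,6 +1,5 @@
 # Dashboard
 https://dashboard.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	# Apply basic security headers
 	header {
 		# Enable cross origin access to *.{$NM_DOMAIN}
@@ -22,24 +21,20 @@ https://dashboard.{$NM_DOMAIN} {
 
 # API
 https://api.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://netmaker:8081
 }
 
 # TURN
 https://turn.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy host.docker.internal:3479
 }
 
 # TURN API
 https://turnapi.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://host.docker.internal:8089
 }
 
 # MQ
 wss://broker.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
 }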
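--- a/docker/Caddyfile-pro
+++ b/docker/Caddyfile-pro
@@ -1,6 +1,5 @@
 # Dashboard
 https://dashboard.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	# Apply basic security headers
 	header {
 		# Enable cross origin access to *.{$NM_DOMAIN}
@@ -22,42 +21,35 @@ https://dashboard.{$NM_DOMAIN} {
 
 # Netmaker Exporter
 https://netmaker-exporter.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://netmaker-exporter:8085
 }
 
 # Prometheus
 https://prometheus.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://prometheus:9090
 }
 
 # Grafana
 https://grafana.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://grafana:3000
 }
 
 # API
 https://api.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://netmaker:8081
 }
 
 # TURN
 https://turn.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy host.docker.internal:3479
 }
 
 # TURN API
 https://turnapi.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy http://host.docker.internal:8089
 }
 
 # MQ
 wss://broker.{$NM_DOMAIN} {
-	tls /root/certs/fullchain.pem /root/certs/privkey.pem
 	reverse_proxy ws://mq:8883
 }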
+ 0 - 113
scripts/nm-certs.sh

@@ -1,113 +0,0 @@
-#!/bin/bash
-
-CONFIG_FILE=netmaker.env
-SCRIPT_DIR=$(dirname "$(realpath "$0")")
-
-# get and check the config
-if [ ! -f "$SCRIPT_DIR/$CONFIG_FILE" ]; then
-	echo "Config file missing"
-	exit 1
-fi
-source "$SCRIPT_DIR/$CONFIG_FILE"
-if [ -z "$NM_DOMAIN" ] || [ -z "$NM_EMAIL" ]; then
-	echo "Config not valid"
-	exit 1
-fi
-
-# TODO make sure this doesnt break, parse `certbot certificates` if yes
-CERT_DIR="$SCRIPT_DIR/letsencrypt/live/api.$NM_DOMAIN"
-
-echo "Setting up SSL certificates..."
-
-# preserve the env state
-RESTART_CADDY=false
-if [ -n "$(docker ps | grep caddy)" ]; then
-	echo "Caddy is running, stopping for now..."
-	RESTART_CADDY=true
-	docker-compose -f /root/docker-compose.yml stop caddy
-fi
-
-if [ "$INSTALL_TYPE" = "ce" ]; then
-	CERTBOT_PARAMS=$(cat <<EOF
-	certonly --standalone \
-		--non-interactive --agree-tos \
-		-m $NM_EMAIL \
-		-d api.$NM_DOMAIN \
-		-d broker.$NM_DOMAIN \
-		-d dashboard.$NM_DOMAIN \
-		-d turn.$NM_DOMAIN \
-		-d turnapi.$NM_DOMAIN
-EOF
-)
-elif [ "$INSTALL_TYPE" = "pro" ]; then
-	CERTBOT_PARAMS=$(cat <<EOF
-	certonly --standalone \
-		--non-interactive --expand --agree-tos \
-		-m $NM_EMAIL \
-		-d api.$NM_DOMAIN \
-		-d broker.$NM_DOMAIN \
-		-d dashboard.$NM_DOMAIN \
-		-d turn.$NM_DOMAIN \
-		-d turnapi.$NM_DOMAIN \
-		-d netmaker-exporter.$NM_DOMAIN \
-		-d grafana.$NM_DOMAIN \
-		-d prometheus.$NM_DOMAIN
-EOF
-)
-fi
-
-# generate an entrypoint for zerossl-certbot
-cat <<EOF >"$SCRIPT_DIR/certbot-entry.sh"
-#!/bin/sh
-# deps
-apk update
-apk add bash curl
-# zerossl
-wget -qO zerossl-bot.sh "https://github.com/zerossl/zerossl-bot/raw/master/zerossl-bot.sh"
-chmod +x zerossl-bot.sh
-# request the certs
-./zerossl-bot.sh "$CERTBOT_PARAMS"
-EOF
-
-chmod +x "$SCRIPT_DIR/certbot-entry.sh"
-
-# request certs
-sudo docker run -it --rm --name certbot \
-	-p 80:80 -p 443:443 \
-	-v "$SCRIPT_DIR/certbot-entry.sh:/opt/certbot/certbot-entry.sh" \
-	-v "$SCRIPT_DIR/letsencrypt:/etc/letsencrypt" \
-	--entrypoint "/opt/certbot/certbot-entry.sh" \
-	certbot/certbot
-
-# clean up
-rm "$SCRIPT_DIR/certbot-entry.sh"
-
-# check if successful
-if [ ! -f "$CERT_DIR"/fullchain.pem ]; then
-	# fallback to letsencrypt-certbot
-	sudo docker run -it --rm --name certbot \
-		-p 80:80 -p 443:443 \
-		-v "$SCRIPT_DIR/letsencrypt:/etc/letsencrypt" \
-		certbot/certbot $CERTBOT_PARAMS
-	if [ ! -f "$CERT_DIR"/fullchain.pem ]; then
-		echo "Missing file: $CERT_DIR/fullchain.pem"
-		echo "SSL certificates failed"
-		exit 1
-	fi
-fi
-
-# copy for mounting
-mkdir -p certs
-cp -L "$CERT_DIR/fullchain.pem" "$SCRIPT_DIR/certs/fullchain.pem"
-cp -L "$CERT_DIR/privkey.pem" "$SCRIPT_DIR/certs/privkey.pem"
-
-echo "SSL certificates ready"
-
-# preserve the env state
-if [ "$RESTART_CADDY" = true ]; then
-	echo "Starting Caddy..."
-	docker-compose -f /root/docker-compose.yml start caddy
-fi
-
-# install crontab
-ln -sfn "$SCRIPT_DIR"/nm-certs.sh /etc/cron.monthly/nm-certs.sh

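--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -759,7 +759,6 @@ install_netmaker() {
 		wget -qO "$SCRIPT_DIR"/Caddyfile "$CADDY_URL"
 		wget -qO "$SCRIPT_DIR"/netmaker.default.env "$BASE_URL/scripts/netmaker.default.env"
 		wget -qO "$SCRIPT_DIR"/mosquitto.conf "$BASE_URL/docker/mosquitto.conf"
-		wget -qO "$SCRIPT_DIR"/nm-certs.sh "$BASE_URL/scripts/nm-certs.sh"
 		wget -qO "$SCRIPT_DIR"/wait.sh "$BASE_URL/docker/wait.sh"
 	fi
 
@@ -770,10 +769,6 @@ install_netmaker() {
 	ln -fs "$SCRIPT_DIR/netmaker.env" "$SCRIPT_DIR/.env"
 	save_config
 
-	# Fetch / update certs using certbot
-	chmod +x "$SCRIPT_DIR"/nm-certs.sh
-	"$SCRIPT_DIR"/nm-certs.sh
-
 	echo "Starting containers..."
 
 	# increase the timeouts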
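Review bot: Dropping the `nm-certs.sh` download and call from install_netmaker leaves hosts that ran the old installer with state the removed script created and nothing here cleans up: the monthly cron symlink `/etc/cron.monthly/nm-certs.sh` (last line of the deleted script) now points at a file that is no longer fetched, and the copied `certs/privkey.pem` under `$SCRIPT_DIR` stays on disk even though the compose file no longer mounts it. If this function is also the upgrade path for existing installs (not visible in the hunk), a small cleanup step after `save_config` would close both gaps, for example `rm -f /etc/cron.monthly/nm-certs.sh` and `rm -rf -- "${SCRIPT_DIR:?}/certs"`, so the stale private key is not left readable on the host indefinitely. The `${SCRIPT_DIR:?}` guard keeps the removal from expanding to `/certs` if the variable is ever unset. install_netmaker's body starts and ends outside the hunk.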