Add docker-compose certbot configurations with backward compatibility (#6702)

Co-authored-by: Your Name <you@example.com>

docker/certbot/README.md

@@ -0,0 +1,76 @@
+# Launching new servers with SSL certificates
+
+## Short description
+
+Docker-compose certbot configurations with Backward compatibility (without certbot container).  
+Use `docker-compose --profile certbot up` to use this features.
+
+## The simplest way for launching new servers with SSL certificates
+
+1. Get letsencrypt certs  
+   set `.env` values
+   ```properties
+   NGINX_SSL_CERT_FILENAME=fullchain.pem
+   NGINX_SSL_CERT_KEY_FILENAME=privkey.pem
+   NGINX_ENABLE_CERTBOT_CHALLENGE=true
+   CERTBOT_DOMAIN=your_domain.com
+   CERTBOT_EMAIL=example@your_domain.com
+   ```
+   excecute command:
+   ```shell
+   sudo docker network prune
+   sudo docker-compose --profile certbot up --force-recreate -d
+   ```
+   then after the containers launched:
+   ```shell
+   sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
+   ```
+2. Edit `.env` file and `sudo docker-compose --profile certbot up` again.  
+   set `.env` value additionally
+   ```properties
+   NGINX_HTTPS_ENABLED=true
+   ```
+   excecute command:
+   ```shell
+   sudo docker-compose --profile certbot up -d --no-deps --force-recreate nginx
+   ```
+   Then you can access your serve with HTTPS.  
+   [https://your_domain.com](https://your_domain.com)
+
+## SSL certificates renewal
+
+For SSL certificates renewal, execute commands below:
+
+```shell
+sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
+sudo docker-compose exec nginx nginx -s reload
+```
+
+## Options for certbot
+
+`CERTBOT_OPTIONS` key might be helpful for testing. i.e.,
+
+```properties
+CERTBOT_OPTIONS=--dry-run
+```
+
+To apply changes to `CERTBOT_OPTIONS`, regenerate the certbot container before updating the certificates.
+
+```shell
+sudo docker-compose --profile certbot up -d --no-deps --force-recreate certbot
+sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
+```
+
+Then, reload the nginx container if necessary.
+
+```shell
+sudo docker-compose exec nginx nginx -s reload
+```
+
+## For legacy servers
+
+To use cert files dir `nginx/ssl` as before, simply launch containers WITHOUT `--profile certbot` option.
+
+```shell
+sudo docker-compose up -d
+```

docker/certbot/docker-entrypoint.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+printf '%s\n' "Docker entrypoint script is running"
+
+printf '%s\n' "\nChecking specific environment variables:"
+printf '%s\n' "CERTBOT_EMAIL: ${CERTBOT_EMAIL:-Not set}"
+printf '%s\n' "CERTBOT_DOMAIN: ${CERTBOT_DOMAIN:-Not set}"
+printf '%s\n' "CERTBOT_OPTIONS: ${CERTBOT_OPTIONS:-Not set}"
+
+printf '%s\n' "\nChecking mounted directories:"
+for dir in "/etc/letsencrypt" "/var/www/html" "/var/log/letsencrypt"; do
+    if [ -d "$dir" ]; then
+        printf '%s\n' "$dir exists. Contents:"
+        ls -la "$dir"
+    else
+        printf '%s\n' "$dir does not exist."
+    fi
+done
+
+printf '%s\n' "\nGenerating update-cert.sh from template"
+sed -e "s|\${CERTBOT_EMAIL}|$CERTBOT_EMAIL|g" \
+    -e "s|\${CERTBOT_DOMAIN}|$CERTBOT_DOMAIN|g" \
+    -e "s|\${CERTBOT_OPTIONS}|$CERTBOT_OPTIONS|g" \
+    /update-cert.template.txt > /update-cert.sh
+
+chmod +x /update-cert.sh
+
+printf '%s\n' "\nExecuting command:" "$@"
+exec "$@"

docker/certbot/update-cert.template.txt

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+DOMAIN="${CERTBOT_DOMAIN}"
+EMAIL="${CERTBOT_EMAIL}"
+OPTIONS="${CERTBOT_OPTIONS}"
+CERT_NAME="${DOMAIN}" # 証明書名をドメイン名と同じにする
+
+# Check if the certificate already exists
+if [ -f "/etc/letsencrypt/renewal/${CERT_NAME}.conf" ]; then
+  echo "Certificate exists. Attempting to renew..."
+  certbot renew --noninteractive --cert-name ${CERT_NAME} --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email ${OPTIONS}
+else
+  echo "Certificate does not exist. Obtaining a new certificate..."
+  certbot certonly --noninteractive --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN} ${OPTIONS}
+fi
+echo "Certificate operation successful"
+# Note: Nginx reload should be handled outside this container
+echo "Please ensure to reload Nginx to apply any certificate changes."