web: add builtin Let's Encrypt support

web/Dockerfile

@@ -2,7 +2,8 @@ FROM jitsi/base
 
 RUN \
 	apt-dpkg-wrap apt-get update && \
-	apt-dpkg-wrap apt-get install -y nginx-extras jitsi-meet-web && \
+	apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web && \
+	apt-dpkg-wrap apt-get install -y -t stretch-backports certbot && \
 	apt-cleanup && \
 	rm -f /etc/nginx/conf.d/default.conf && \
 	rm -f /usr/share/jitsi-meet/interface_config.js

web/rootfs/defaults/letsencrypt-renew

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# stop nginx
+s6-svc -u /var/run/s6/services/nginx
+
+# renew cert
+certbot -n renew >> /config/le-renew.log
+
+# start nginx
+s6-svc -u /var/run/s6/services/nginx

web/rootfs/defaults/ssl.conf

@@ -7,8 +7,13 @@ ssl_session_tickets off;
 ssl_dhparam /config/nginx/dhparams.pem;
 
 # ssl certs
+{{ if .Env.ENABLE_LETSENCRYPT }}
+ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
+{{ else }}
 ssl_certificate /config/keys/cert.crt;
 ssl_certificate_key /config/keys/cert.key;
+{{ end }}
 
 # protocols
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

web/rootfs/etc/cont-init.d/10-config

@@ -8,12 +8,26 @@ mkdir -p \
     /var/tmp/nginx
 
 # generate keys (maybe)
-if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
-	echo "using keys found in /config/keys"
+if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+    if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+        certbot certonly \
+            --noninteractive \
+            --standalone \
+            --preferred-challenges http \
+            -d $LETSENCRYPT_DOMAIN \
+            --agree-tos \
+            --email $LETSENCRYPT_EMAIL
+        cp /defaults/letsencrypt-renew /etc/cron.monthly/
+    fi
 else
-	echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
-	SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
-	openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+    # use self-signed certs
+    if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+        echo "using keys found in /config/keys"
+    else
+        echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+        SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
+        openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+    fi
 fi
 
 # copy config files
@@ -22,7 +36,7 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
 fi
 
 if [[ ! -f /config/nginx/ssl.conf ]]; then
-    cp /defaults/ssl.conf /config/nginx/ssl.conf
+    tpl /defaults/ssl.conf > /config/nginx/ssl.conf
 fi
 
 if [ ! -f "/config/nginx/dhparams.pem" ]; then

web/rootfs/etc/services.d/cron/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec cron -f

web/rootfs/etc/services.d/nginx/run

@@ -1,3 +1,3 @@
 #!/usr/bin/with-contenv bash
-nginx -c /config/nginx/nginx.conf
 
+exec nginx -c /config/nginx/nginx.conf