web: add builtin Let's Encrypt support

web/rootfs/defaults/letsencrypt-renew

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# stop nginx
+s6-svc -u /var/run/s6/services/nginx
+
+# renew cert
+certbot -n renew >> /config/le-renew.log
+
+# start nginx
+s6-svc -u /var/run/s6/services/nginx

web/rootfs/defaults/ssl.conf

@@ -7,8 +7,13 @@ ssl_session_tickets off;
 ssl_dhparam /config/nginx/dhparams.pem;
 
 # ssl certs
+{{ if .Env.ENABLE_LETSENCRYPT }}
+ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
+{{ else }}
 ssl_certificate /config/keys/cert.crt;
 ssl_certificate_key /config/keys/cert.key;
+{{ end }}
 
 # protocols
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;