#!/bin/bash
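# Abort on any unhandled command failure and on use of an unset variable.
set -eu

# Directory holding the nginx template and the default apps config.
LURCH_DIR=${LURCH_DIR:-/etc/lurch}
# the nginx configuration template
TEMPLATE_PATH="$LURCH_DIR/nginx.conf.tmpl"
# the apps yaml config path if local
DEFAULT_APPS_CONFIG_PATH="$LURCH_DIR/apps.yaml"
# the user supplied apps yaml config path, defaults to local
APPS_CONFIG_PATH=${APPS_CONFIG_PATH:-${DEFAULT_APPS_CONFIG_PATH}}
# the path openresty will look for the nginx config
CONF_PATH="/usr/local/openresty/nginx/conf/nginx.conf"
# Inline apps config, optionally supplied through the environment.
APPS_CONFIG_YAML=${APPS_CONFIG_YAML:-}

# If config supplied as env then write the file locally.
# printf writes the value verbatim; echo would swallow content that happens
# to look like one of its own options (for example a value of just "-n").
# NOTE(review): the file always lands at the default path. If APPS_CONFIG_PATH
# is overridden as well, templating reads that other path - confirm intended.
if [ -n "$APPS_CONFIG_YAML" ]; then
  printf '%s\n' "$APPS_CONFIG_YAML" >"$DEFAULT_APPS_CONFIG_PATH"
fi

# File the script later reads the nginx master pid from.
pidfile=/usr/local/openresty/nginx/logs/nginx.pid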
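#######################################
# Make sure a self-signed certificate and key exist for a domain.
# Arguments: $1 - domain name; used as a directory name and as the CN
# Outputs:   progress message on stdout, rejection message on stderr
# Returns:   0 when the pair exists or was generated, 1 for a rejected
#            name, otherwise the status of the failing command
#######################################
ensure_self_signed() {
  local domain=$1
  local ssl_path country state city

  # The name is interpolated into a filesystem path and into the certificate
  # subject below. A '/' would add path components (including '..') and
  # extra subject fields, so such names are refused before anything is
  # created on disk.
  case "$domain" in
    '' | . | .. | */*)
      echo "refusing to generate a certificate for invalid domain '$domain'" >&2
      return 1
      ;;
  esac

  ssl_path="/usr/local/openresty/nginx/ssl/${domain}"

  # Test for the files rather than the directory: if an earlier run created
  # the directory but openssl then failed, the pair is regenerated instead
  # of being skipped forever.
  if [ ! -f "${ssl_path}/server.crt" ] || [ ! -f "${ssl_path}/server.key" ]; then
    echo "generating self signed cert for $domain"
    mkdir -p -- "$ssl_path"
    country=SE
    state=Kalmar
    city=Kalmar
    # This line generates a self signed SSL certificate and key without user intervention.
    # NOTE(review): -nodes leaves the private key unencrypted on disk; confirm
    # that the ssl directory is readable only by the accounts that need it.
    openssl req -x509 -newkey rsa:4096 -keyout "${ssl_path}/server.key" -out "${ssl_path}/server.crt" \
      -days 365 -nodes -subj "/C=$country/ST=$state/L=$city/O=Internet/OU=./CN=$domain/emailAddress=postmaster@$domain"
  fi
}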
# Send QUIT to the process recorded in $pidfile and wait for it to end.
# Does nothing when the pid file is missing, unreadable or empty.
# Globals: pidfile (read), pid (written)
kill_child() {
  # A failed read is mapped to an empty string so it is not an error here.
  pid="$(cat "$pidfile" 2>/dev/null || echo '')"
  if [ -z "${pid:-}" ]; then
    return 0
  fi
  echo "killing child pid $pid"
  kill -QUIT "$pid"
  wait "$pid"
}
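# On INT, TERM or QUIT: log the event and hand the shutdown to kill_child.
trap 'echo kill signal received; kill_child' INT TERM QUIT

## Chown storage of ssl certs
mkdir -p /etc/resty-auto-ssl/storage
# The tree is handed to the unprivileged "nobody" account on every start.
# -h makes chown act on a symlink itself rather than on whatever it points
# to, so a link left inside the storage directory cannot redirect the
# ownership change to a file outside it.
chown -Rh nobody /etc/resty-auto-ssl/storage

## Hopefully fix bug
# NOTE(review): relative path, so which file is removed depends on the
# working directory the container starts in - confirm.
rm -f auto-ssl-sockproc.pid

# Address of the first "nameserver" entry in resolv.conf, exported for later
# use (presumably by the nginx template - confirm). awk splits on any run of
# blanks, so tab-separated or multi-space entries are parsed as well. A
# missing or unreadable file yields an empty value instead of aborting
# under set -e.
SYSTEM_RESOLVER=$(awk 'tolower($1) == "nameserver" { print $2; exit }' /etc/resolv.conf 2>/dev/null) || SYSTEM_RESOLVER=''
export SYSTEM_RESOLVER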
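# template the nginx config, format it and test it, printing the config to stdout if there's an error
#
# Globals: CONF_PATH, TEMPLATE_PATH, APPS_CONFIG_PATH (read)
# Outputs: progress messages on stdout; the numbered config when the test fails
# Returns: 1 when templating fails (previous config restored), otherwise the
#          status of the last command run
make_config() {
  local domain domains

  echo "templating..."
  mv "$CONF_PATH" "${CONF_PATH}.old"
  # If rendering fails, put the previous config back so nginx is never left
  # without a config file, then report the failure to the caller.
  if ! /usr/local/bin/gomplate -d apps="$APPS_CONFIG_PATH" --file "$TEMPLATE_PATH" --out "$CONF_PATH"; then
    echo "templating failed, restoring previous config" >&2
    mv "${CONF_PATH}.old" "$CONF_PATH"
    return 1
  fi

  # all good, ensure self signed cert exists for base url
  # Domains are taken from the third field of the "# anchor::domain" marker
  # lines in the rendered config. They are read one per line and passed
  # quoted, so a name containing glob characters (such as a wildcard host)
  # is never expanded against the working directory.
  domains=$(grep "# anchor::domain" "$CONF_PATH" | awk '{print $3}' | sort -u)
  while IFS= read -r domain; do
    [ -n "$domain" ] || continue
    # stdin is detached so the callee cannot consume the remaining names.
    ensure_self_signed "$domain" </dev/null
  done <<<"$domains"

  # Format it
  echo "formatting..."
  nginxfmt -v "$CONF_PATH"

  # Test config
  echo "testing config..."
  if ! /usr/local/openresty/bin/openresty -c "$CONF_PATH" -t; then
    cat --number "$CONF_PATH"
    # restore prev config
    mv "${CONF_PATH}.old" "$CONF_PATH"
  fi
}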
# hack to wait for pid to appear
# Follows the file given as $1 from its current end and returns once head has
# read a single line from tail (or tail's output ends).
wait_file_changed() {
  local watched=$1
  tail -n 0 -f "$watched" | head -n 1 >/dev/null 2>&1
}
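#######################################
# Re-render the config and tell the running nginx master to reload it.
# Only one reload runs at a time; a call that cannot take the lock returns
# without doing anything.
# Globals: pidfile (read)
# Outputs: progress messages on stdout
# Returns: 0 when the lock is busy or no pid is recorded, otherwise the
#          status of waiting on the master process
#######################################
reload_and_wait() {
  # NOTE(review): fixed name in /tmp. Anything able to create this file first
  # blocks reloads; consider a directory only this script can write to.
  local lock=/tmp/lurchreload.lock
  local pid

  # lock
  # noclobber makes the redirection fail when the file already exists. It is
  # enabled in a subshell so the option does not stay switched on for the
  # rest of the script.
  if ! (
    set -C
    : >"$lock"
  ) 2>/dev/null; then
    return 0
  fi

  # have lock
  pid="$(cat "$pidfile" 2>/dev/null || echo '')"
  if [ -z "${pid:-}" ]; then
    # Release before leaving; otherwise a single call made while no pid is
    # recorded would block every later reload.
    rm -f -- "$lock"
    return 0
  fi

  make_config
  echo "sending HUP..."
  kill -HUP "$pid"
  # release
  rm -f -- "$lock"
  echo "waiting on $pid"
  wait "$pid"
}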
# Startup sequence: render the config, launch openresty as a background job
# of this shell, then block on it so the signal traps stay active.
make_config

echo "staring daemon..."
/usr/local/openresty/bin/openresty -c "$CONF_PATH" -g "daemon off;" &

# HUP re-renders the config and reloads nginx. The trap is installed only
# after the daemon has been launched.
trap 'reload_and_wait' HUP

echo 'waiting for pid to appear...'
wait_file_changed "$pidfile"
pid="$(cat "$pidfile")"
echo "master process pid found ($pid)"

echo "waiting on process"
# shellcheck disable=SC2086 - left unquoted on purpose: with an empty pid
# this stays a plain "wait" on all jobs, exactly as before.
wait $pid