- $DOMAIN is not mandatory anymore
- acme.sh is installed inside the container directly
- apply some docker best practices
- replace tabs by soft spaces
- shellcheck compliant
- generate cert only if not present or if cert is invalid
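A start-up check that extends the PR's "generate cert only if not present or invalid" condition with a renewal window, as an added example (not code from the PR or from acme.sh); `cert_needs_issue`, `make_selfsigned`, and the 30-day default are my own names and assumptions:

```shell
#!/bin/sh
# Added example, not code from the PR: decide whether the acme.sh cert must
# be (re)issued. The PR's condition uses `openssl x509 -checkend 0`, which
# only fails once the cert has already expired; this version also treats a
# cert that expires within RENEW_WINDOW_SECONDS as needing renewal.
RENEW_WINDOW_SECONDS="${RENEW_WINDOW_SECONDS:-2592000}"  # 30 days, assumed default

# cert_needs_issue <cert-path> [window-seconds]
# Exit status 0 (true) when the cert is missing, not parsable as X.509, or
# expires within the window; 1 (false) when it is still good for the window.
cert_needs_issue() {
  _cert="$1"
  _window="${2:-$RENEW_WINDOW_SECONDS}"
  [ -f "$_cert" ] || return 0                                   # missing
  openssl x509 -noout -in "$_cert" >/dev/null 2>&1 || return 0  # unparsable
  # -checkend N exits non-zero if the cert expires within the next N seconds
  if openssl x509 -noout -checkend "$_window" -in "$_cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Constructed sample input: a throwaway self-signed cert valid for <days>.
# make_selfsigned <out-path> <days>
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Demo mirroring the PR's start-up logic, with the issue step replaced by a
# message (assumed: DOMAIN and the acme.sh cert path are as in the PR).
if [ -n "$DOMAIN" ]; then
  cert="/root/.acme.sh/${DOMAIN}/${DOMAIN}.cer"
  if cert_needs_issue "$cert"; then
    echo "cert for ${DOMAIN} missing or expiring within ${RENEW_WINDOW_SECONDS}s: would run acme.sh --issue"
  else
    echo "cert for ${DOMAIN} still valid, skipping issue"
  fi
fi
```

Run with `DOMAIN=example.test sh cert_check.sh` to see the decision; replacing the `echo` with the PR's `acme.sh --issue` line gives the renewal-aware start-up script.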
Thank you @nierdz! Do you accept a small donation from the general fund?
Nope, I did it for myself and just wanted to share it for everyone.
I didn't see any major improvement using last version of mono but it's a good practice to stay up to date...
@nierdz about to give this a try as I had to hack
if [[ ! -f "/root/.acme.sh/${DOMAIN}/${DOMAIN}.cer" ]] || ! openssl x509 -checkend 0 -in "/root/.acme.sh/${DOMAIN}/${DOMAIN}.cer"; then | ||
# Generate SSL cert | ||
/root/.acme.sh/acme.sh --issue --standalone -d "${DOMAIN}" -d "www.${DOMAIN}" |
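Review bot: `openssl x509 -checkend 0` only fails once the certificate has already expired, so this condition issues a new cert only when the container starts with a missing or already-expired file; a cert that expires while the container is running keeps being served until the next restart. Consider checking against a renewal window (`-checkend` with a number of seconds, e.g. 30 days ahead) or scheduling `acme.sh --cron` inside the container so renewal happens before expiry.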
Why would anyone want a cert on `www` for a proxy server? I think the second `-d` flag should be removed.
rm -rf /var/lib/apt/lists/* && \ | ||
git clone https://github.com/Neilpang/acme.sh.git /root/acme.sh && \ | ||
cd /root/acme.sh && \ | ||
git checkout 2.7.9 && \ |
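Review bot: `git checkout 2.7.9` pins a tag, and tags are mutable references, so the build is not tied to a fixed artifact; pinning the full commit hash, or fetching a release tarball and verifying its checksum, gives a stronger supply-chain guarantee. The clone in this `RUN` chain also leaves `/root/acme.sh/.git` in the image, since no removal is visible here; `git clone --depth 1 --branch 2.7.9 ...` followed by `rm -rf /root/acme.sh/.git` after the install step would keep the layer small.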
Please externalize version to ENV on next update and, ideally, pull from release tarball as opposed to using Git. Here's how you can pull release tarball:
- Using `latest` version meta from NPM: https://git.habd.as/comfusion/after-dark/src/commit/de243545c422d4190e441ffe8293bbbf5dfb4d4e/bin/install#L34-L38
- Using `wget` from GitHub without installing `git`: https://git.habd.as/jhabdas/react-native-webpack-starter-kit/src/commit/6a19524e987052bb1bc171bdcaaa8664d43c946b/Dockerfile#L21-L26

A nice-to-have also is a multi-stage build where the binary is compiled in mono then dropped into a busybox container or similar for a microcontainer end-result. Ideally the final binary would be moved into a scratch container but cron is necessary to keep the cert up-to-date (though I doubt this will always be the case).
This should make the whole thing take up very small amounts of resources and more suitable for deployment on ARMv7 and other ARM-based architectures following a compile using mono.
`$DOMAIN` is not mandatory anymore; this means you can start this container even if you don't provide `$DOMAIN` as an environment variable. You'll only get a warning about it, then `server.exe` will be started. You can use docker-compose and maybe mount a volume with your own `certificate.pfx` instead. Let me know if something isn't clear or if you want me to modify something.