From cc4efa31e9d7929832ed5f9de03fb46edcf511a1 Mon Sep 17 00:00:00 2001
From: michelleDeko <83840564+michelleDeko@users.noreply.github.com>
Date: Fri, 21 Feb 2025 10:18:16 +0100
Subject: [PATCH] Added letsencrypt script for tenants
---
 init-letsencrypt-tenants.sh | 173 ++++++++++++++++++++++++++++++++++++
 init-letsencrypt.sh | 2 +-
 2 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 init-letsencrypt-tenants.sh
diff --git a/init-letsencrypt-tenants.sh b/init-letsencrypt-tenants.sh
new file mode 100644
index 0000000..6f9b84c
--- /dev/null
+++ b/init-letsencrypt-tenants.sh
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+## Script based on https://github.com/wmnnd/nginx-certbot
+## https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
+
+if ! [ -x "$(command -v docker-compose | head -n 1)" ] && ! [ -x "$(command -v docker compose | head -n 1)" ]; then
+ echo 'Error: docker-compose is not installed.' >&2
+ exit 1
+fi
+
+if [[ ! -f ./.env ]]; then
+ echo ".env file does not exist on your filesystem."
+ exit 1
+fi
+
+# Local .env
+if [ -f .env ]; then
+ # Load Environment Variables
+ export $(cat .env | grep -v '#' | sed 's/\r$//' | awk '/=/ {print $1}' )
+fi
+
+if [[ -z "$LETSENCRYPT_EMAIL" ]]; then
+ echo "Setting up an email for letsencrypt certificates is strongly recommended (inside .env file)."
+ exit 1
+fi
+
+usage() {
+ echo -e "Initializes letsencrypt certificates for Nginx proxy container and Tenants\n"
+ echo -e "Usage: $0 [-z|-r|-h]\n"
+ echo " -n|--non-interactive Enable non interactive mode"
+ echo " -r|--replace Replace existing certificates without asking"
+ echo " -h|--help Show usage information"
+ exit 1
+}
+
+interactive=1
+replaceExisting=0
+
+while [[ $# -gt 0 ]]
+do
+ case "$1" in
+ -n|--non-interactive) interactive=0;shift;;
+ -r|--replace) replaceExisting=1;shift;;
+ -h|--help) usage;;
+ -*) echo "Unknown option: \"$1\"\n";usage;;
+ *) echo "Script does not accept arguments\n";usage;;
+ esac
+done
+
+# Tenants array (add all tenants you want certificates for)
+# Example: tenants=("tenant1" "tenant2" "tenant3")
+tenants=("test" "test2" "test3")
+domains=("$SL_HOST.$DOMAIN_NAME")
+
+for tenant in "${tenants[@]}"; do
+ domains+=("$tenant.$SL_HOST.$DOMAIN_NAME")
+done
+
+echo "Domains: ${domains[@]}"
+
+rsa_key_size=4096
+data_path="./data/certbot"
+email="$LETSENCRYPT_EMAIL" # Adding a valid address is strongly recommended.
+staging=${LETSENCRYPT_STAGING:-0}
+
+if [ -d "$data_path" ] && [ "$replaceExisting" -eq 0 ]; then
+ if [ "$interactive" -eq 0 ]; then
+ echo "Certificates already exist."
+ exit
+ fi
+
+ read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+ if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+ exit
+ fi
+fi
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+ echo "### Downloading recommended TLS parameters ..."
+ mkdir -p "$data_path/conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+ echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+if [ -x "$(command -v docker-compose)" ]; then
+docker-compose run --rm --entrypoint "\
+ openssl req -x509 -nodes -newkey rsa:2048 -days 1\
+ -keyout '$path/privkey.pem' \
+ -out '$path/fullchain.pem' \
+ -subj '/CN=localhost'" certbot
+echo
+elif [ -x "$(command -v docker compose)" ]; then
+docker compose run --rm --entrypoint "\
+ openssl req -x509 -nodes -newkey rsa:2048 -days 1\
+ -keyout '$path/privkey.pem' \
+ -out '$path/fullchain.pem' \
+ -subj '/CN=localhost'" certbot
+echo
+fi
+
+echo "### Starting scalelite-proxy ..."
+if [ -x "$(command -v docker-compose)" ]; then
+docker-compose up --force-recreate -d scalelite-proxy
+echo
+elif [ -x "$(command -v docker compose)" ]; then
+docker compose up --force-recreate -d scalelite-proxy
+fi
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+if [ -x "$(command -v docker-compose)" ]; then
+docker-compose run --rm --entrypoint "\
+ rm -Rf /etc/letsencrypt/live/$domains && \
+ rm -Rf /etc/letsencrypt/archive/$domains && \
+ rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+elif [ -x "$(command -v docker compose)" ]; then
+docker compose run --rm --entrypoint "\
+ rm -Rf /etc/letsencrypt/live/$domains && \
+ rm -Rf /etc/letsencrypt/archive/$domains && \
+ rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+fi
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+domain_args=""
+for domain in "${domains[@]}"; do
+ domain_args="$domain_args -d $domain"
+done
+
+case "$email" in
+ "") email_arg="--register-unsafely-without-email" ;;
+ *) email_arg="--email $email" ;;
+esac
+
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+if [ -x "$(command -v docker-compose)" ]; then
+docker-compose run --rm --entrypoint "\
+ certbot certonly --webroot -w /var/www/certbot \
+ $staging_arg \
+ $([ "$interactive" -ne 1 ] && echo '--non-interactive') \
+ $email_arg \
+ $domain_args \
+ --rsa-key-size $rsa_key_size \
+ --agree-tos \
+ --debug-challenges \
+ --force-renewal" certbot
+echo
+elif [ -x "$(command -v docker compose)" ]; then
+docker compose run --rm --entrypoint "\
+ certbot certonly --webroot -w /var/www/certbot \
+ $staging_arg \
+ $([ "$interactive" -ne 1 ] && echo '--non-interactive') \
+ $email_arg \
+ $domain_args \
+ --rsa-key-size $rsa_key_size \
+ --agree-tos \
+ --debug-challenges \
+ --force-renewal" certbot
+echo
+fi
+
+echo "### Reloading scalelite-proxy..."
+if [ -x "$(command -v docker-compose)" ]; then
+docker-compose exec $([ "$interactive" -ne 1 ] && echo "-T") scalelite-proxy nginx -s reload
+elif [ -x "$(command -v docker compose)" ]; then
+docker compose exec $([ "$interactive" -ne 1 ] && echo "-T") scalelite-proxy nginx -s reload
+fi
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
index a8ed8d3..74c5e9f 100755
--- a/init-letsencrypt.sh
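Review bot: SL_HOST and DOMAIN_NAME are read from the .env loader but never validated, and the script does not use `set -u`, so with either unset `domains[0]` collapses to `.` (or `host.`) and the later `mkdir -p "$data_path/conf/live/$domains"`, `rm -Rf /etc/letsencrypt/live/$domains` and `certbot certonly` lines all operate on that malformed name; guard them the way LETSENCRYPT_EMAIL is guarded, `: "${SL_HOST:?SL_HOST must be set in .env}" "${DOMAIN_NAME:?DOMAIN_NAME must be set in .env}"`, directly after the export line. The tenant list is still the placeholder `tenants=("test" "test2" "test3")`, so an unedited run requests one certificate covering three subdomains that presumably do not resolve, and each failed validation counts against Let's Encrypt's rate limits; reading a space-separated list from .env, e.g. `read -r -a tenants <<<"${TENANTS:?TENANTS must be set in .env}"`, keeps deployment data out of the script. The loader `export $(cat .env | grep -v '#' | sed 's/\r$//' | awk '/=/ {print $1}' )` also discards any line that merely contains a `#` and truncates each value at its first space, so affected variables vanish silently instead of failing the run. Finally, the two `curl -s` downloads have no `-f`, so an HTTP error page would be written into `options-ssl-nginx.conf` / `ssl-dhparams.pem` and handed to nginx as TLS configuration; `curl -fsS <url> -o "$data_path/conf/options-ssl-nginx.conf" || exit 1` (and the same for the dhparams file) makes that failure visible.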
+++ b/init-letsencrypt.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Scrip based on https://github.com/wmnnd/nginx-certbot
+## Script based on https://github.com/wmnnd/nginx-certbot
 ## https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
 if ! [ -x "$(command -v docker-compose | head -n 1)" ] && ! [ -x "$(command -v docker compose | head -n 1)" ]; then