Merge pull request #45 from racbart/master

Run a custom deploy hook script defined in DEPLOY_HOOK environment variable

Dockerfile

@@ -26,6 +26,7 @@ ENV CERTS_DIRS_MODE 0750
 ENV CERTS_FILES_MODE 0640
 ENV CERTS_USER_OWNER root
 ENV CERTS_GROUP_OWNER root
+ENV DEPLOY_HOOK ""
 
 # Install dependencies, certbot, lexicon, prepare for first start and clean
 RUN apk --no-cache --update add rsyslog git libffi libxml2 libxslt libstdc++ openssl docker ethtool \

README.md

@@ -17,6 +17,7 @@
 	* [Certificates reconfiguration at runtime](#certificates-reconfiguration-at-runtime)
 	* [Restart containers when a certificate is renewed](#restart-containers-when-a-certificate-is-renewed)
 	* [Call a reload command on containers when a certificate is renewed](#call-a-reload-command-on-containers-when-a-certificate-is-renewed)
+	* [Run a custom deploy hook script](#run-a-custom-deploy-hook-script)
 * [Miscellaneous and testing](#miscellaneous-and-testing)
 	* [Using ACME v1 servers](#using-acme-v1-servers)
 	* [Activate staging ACME servers](#activating-staging-acme-servers)
@@ -296,6 +297,46 @@ If the certificate `web.example.com` is renewed, command `apachectl graceful` wi
 
 _(Limitations on invokable commands) The option `autocmd-container` is intended to call a simple executable file with few potential arguments. It is not made to call some advanced bash script, and would likely fail if you do so. In fact, the command is not executed in a shell on the target, and variables will be resolved against the lets-encrypt container environment. If you want to operate advanced scripting, put an executable script in the target container, and use its path in `autocmd-container` option._
 
+### Run a custom deploy hook script
+
+You can specify a script or a command to execute after a certificate is created or renewed, by specifying `DEPLOY_HOOK` environment variable. This is useful if you want to copy certificates someplace else or need to reorganize file structure.
+
+All standard environment variables will be available in your script, as well as two new variables set by certbot:
+* `RENEWED_LINEAGE` - directory with certificate files (e.g. `/etc/letsencrypt/live/domain`)
+* `RENEWED_DOMAINS` - list of domains for the certificate, separated by space 
+
+Example: copying all new or renewed certificates to a single directory with `domain.crt` and `domain.key` filenames, making it easily usable with nginx:
+
+Create deploy-hook.sh file and make it executable. 
+
+```bash
+#!/bin/sh
+mkdir -p "/etc/nginx/certs"
+cd "/etc/nginx/certs"
+for domain in ${RENEWED_DOMAINS}; do
+    cp "${RENEWED_LINEAGE}/fullchain.pem" "${domain}.crt"
+    cp "${RENEWED_LINEAGE}/privkey.pem" "${domain}.key"
+    chown $CERTS_USER_OWNER:$CERTS_GROUP_OWNER "${domain}.*"
+    chmod $CERTS_FILES_MODE "${domain}.*"
+done
+```   
+
+Execute:
+```bash
+docker run \
+	--name letsencrypt-dns \
+	--volume /etc/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
+	--volume /etc/letsencrypt/deploy-hook.sh:/usr/local/bin/create-nginx-certs \
+	--volume /var/docker-data/letsencrypt:/etc/letsencrypt \
+	--volume /var/docker-data/nginx:/etc/nginx/certs \
+	--env '[email protected]' \
+	--env 'LEXICON_PROVIDER=cloudflare' \
+	--env 'LEXICON_CLOUDFLARE_USERNAME=my_cloudflare_email' \
+	--env 'LEXICON_CLOUDFLARE_TOKEN=my_cloudflare_global_api_key' \
+	--env 'DEPLOY_HOOK=create-nginx-certs' \
+	adferrand/letsencrypt-dns
+```
+
 ## Miscellaneous and testing
 
 ### Using ACME v1 servers

files/deploy-hook.sh

@@ -14,3 +14,7 @@ fi
 find $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive} -type d -exec chmod "$CERTS_DIRS_MODE" {} +
 find $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive} -type f -exec chmod "$CERTS_FILES_MODE" {} +
 chown -R $CERTS_USER_OWNER:$CERTS_GROUP_OWNER $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive}
+
+if [ ! -z "$DEPLOY_HOOK" ]; then
+    sh -c "${DEPLOY_HOOK}"
+fi