Update src/site.ts, views/nginx.conf.mustache, src/acme.ts, index.ts, views/entrypoint.sh files

45ff0a53 · nanahira · 98968f34 · 45ff0a53 · 45ff0a53 · 45ff0a53
Commit 45ff0a53 authored Oct 04, 2025 by nanahira
Showing with 73 additions and 14 deletions

index.ts index.ts +41 -10

src/acme.ts src/acme.ts +2 -2

src/site.ts src/site.ts +6 -1

views/entrypoint.sh views/entrypoint.sh +14 -1

views/nginx.conf.mustache views/nginx.conf.mustache +10 -0

No files found.
--- a/index.ts
+++ b/index.ts
@@ -2,19 +2,50 @@ import * as fs from 'fs';
 import Mustache from 'mustache';
 import path from 'path';
 import { getData } from './src/site';
+import { execFile as _execFile } from 'child_process';
+import { promisify } from 'util';
+
+const execFile = promisify(_execFile);
+
+async function reloadNginx() {
+  console.error('[nginx] Reloading...');
+  try {
+    const { stdout, stderr } = await execFile('nginx', ['-s', 'reload']);
+    if (stdout?.trim()) console.error('[nginx][stdout]', stdout.trim());
+    if (stderr?.trim()) console.error('[nginx][stderr]', stderr.trim());
+    console.error('[nginx] Reloaded.');
+  } catch (err: any) {
+    console.error('[nginx] Reload failed:', err?.stderr || err?.message || err);
+    throw err;
+  }
+}

 async function main() {
-  console.log(
-    Mustache.render(
-      fs.readFileSync(
+  try {
+    if (process.argv[2] === 'renewCert') {
+      console.error('[acme] Signing start');
+      await getData(process.env as any, 61000);
+      console.error('[acme] Signing done');
+      await reloadNginx();
+    } else {
+      console.error('[render] Nginx config render start');
+      const parsed = await getData(process.env as any);
+      console.error('[render] parsed');
+      const tpl = fs.readFileSync(
        path.join(__dirname, '..', 'views', 'nginx.conf.mustache'),
        'utf8',
-      ),
-      await getData(process.env),
-      undefined,
-      { escape: (v) => v },
-    ),
-  );
-  process.exit(0);
+      );
+      const rendered = Mustache.render(tpl, parsed, undefined, {
+        escape: (v) => v,
+      });
+      console.log(rendered);
+      console.error('[render] Nginx config render done');
+    }
+    process.exit(0);
+  } catch (e) {
+    console.error('[main] Error:', e);
+    process.exit(1);
+  }
 }
+
 main();
--- a/src/acme.ts
+++ b/src/acme.ts
@@ -20,7 +20,7 @@ export async function addSignCert(domains: string[], payload: string) {
  return domainsToBeSigned[0];
 }

-export async function runSignCert() {
+export async function runSignCert(signCertPort = 80) {
  if (!domainsToBeSigned.length) {
    return;
  }
@@ -61,7 +61,7 @@ export async function runSignCert() {
      `${req.socket.remoteAddress}: Serving token for ${token}: ${content}`,
    );
    res.end(content);
-  }).listen(80);
+  }).listen(signCertPort);
  const certDir = `/etc/nginx/certs/${domainsToBeSigned[0]}`;
  const accountFile = path.join(certDir, 'account.pem');
  const fullchainFile = path.join(certDir, 'fullchain.pem');

--- a/src/site.ts
+++ b/src/site.ts
@@ -29,6 +29,7 @@ export interface SiteRenderData {
  locationExtraPre?: string;
  htpasswd?: string;
  cors?: boolean;
+  acme?: boolean;
 }

 export interface ProxyRenderData extends SiteRenderData {
@@ -90,6 +91,7 @@ export interface RenderData {
  nginxExtra?: string;
  httpExtraPre?: string;
  nginxExtraPre?: string;
+  acme?: boolean,
 }

 export interface Upstream {
@@ -226,18 +228,20 @@ async function getSiteData(
      ? `/etc/nginx/generated/htpasswd-${domain}`
      : undefined,
    cors: parser.getBoolean('CORS'),
+    acme: httpsCert?.startsWith('acme://'),
    ...specificRenderData,
  };
 }

 export async function getData(
  input: Record<string, string> = process.env,
+  signCertPort = 80,
 ): Promise<RenderData> {
  const parser = new Parser('', input);
  const sites = await Promise.all(
    getSiteNames().map((domain) => getSiteData(domain, input)),
  );
-  await runSignCert();
+  await runSignCert(signCertPort);
  return {
    purgeAllowed: parser.getArray('PURGE_ALLOWED'),
    externalRealIp: parser.getBoolean('EXTERNAL_REAL_IP'),
@@ -256,5 +260,6 @@ export async function getData(
    nginxExtra: parser.getString('NGINX_EXTRA'),
    httpExtraPre: parser.getString('HTTP_EXTRA_PRE'),
    nginxExtraPre: parser.getString('NGINX_EXTRA_PRE'),
+    acme: sites.some(s => s.acme),
  };
 }
--- a/views/entrypoint.sh
+++ b/views/entrypoint.sh
 #!/bin/sh
+set -e

 node dist > /etc/nginx/nginx.conf

-"$@"
\ No newline at end of file
+if grep -q 'acme_required' /etc/nginx/nginx.conf; then
+  echo "[entrypoint] ACME required detected, scheduling daily renewCert task" >&2
+  (
+    while true; do
+      sleep 86400  # 24h
+      echo "[entrypoint] Running daily cert renewal..." >&2
+      node dist renewCert || echo "[entrypoint] renewCert failed" >&2
+      echo "[entrypoint] Daily cert renewal finished." >&2
+    done
+  ) &
+fi
+
+exec "$@"
--- a/views/nginx.conf.mustache
+++ b/views/nginx.conf.mustache
@@ -230,6 +230,12 @@ http {
     {{.}}
    {{/serverExtra}}

+    {{#acme}}
+      location /.well-known/acme-challenge/ {
+        proxy_pass http://localhost:61000;
+      }
+    {{/acme}}
+
    location / {
      {{#locationExtraPre}}
        {{.}}
@@ -343,3 +349,7 @@ stream {
 {{#nginxExtra}}
  {{.}}
 {{/nginxExtra}}
+
+{{#acme}}
+# acme_required
+{{/acme}}