Skip to content
name: Push images to dockerhub and ghcr.io
on:
push:
branches:
- "img_uploader"
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 4 * * 6'
jobs:
instance_start:
name: instance_start
runs-on: ubuntu-latest
steps:
- name: "install awccli"
run: |
sudo apt-get update
pip3 install awscli --upgrade --user
pip3 install boto3 --upgrade --user
export PATH=$PATH:$HOME/.local/bin
- name: "configure awccli"
run: |
aws --version
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws configure set default.region ${{ secrets.AWS_REGION }}
- name: "check instance status"
run: |
wget https://raw.githubusercontent.com/grindsa/aws_ec2_mgr/main/aws_ec_mgr.py
chmod a+rx ./aws_ec_mgr.py
python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | grep -i "stopped"
- name: "start instance"
run: |
python3 ./aws_ec_mgr.py -a start -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }}
- name: "[ WAIT ] Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "check instance status"
run: |
python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | grep -i "running"
build_and_upload_images_to_hub:
name: Push images to dockerhub and github
runs-on: ubuntu-latest
needs: instance_start
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "Get current version"
uses: oprypin/find-latest-tag@v1
with:
repository: ${{ github.repository }} # The repository to scan.
releases-only: true # We know that all relevant tags have a GitHub release for them.
id: acme2certifier_ver # The step ID to refer to later.
- name: Checkout code
uses: actions/checkout@v4
- name: "Retrieve version from version.py"
run: |
echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV
echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
echo BUILD_NAME=${{ matrix.websrv }}-${{ matrix.dbhandler }} >> $GITHUB_ENV
- name: "Retrieve 2nd last release tag"
run: |
VERSION=$(echo ${{ env.TAG_NAME }} | awk -F. '{print $2}')
PRE_VERSION=$(($VERSION - 1))
echo $PRE_VERSION
for row in $(curl https://api.github.com/repos/grindsa/acme2certifier/tags | jq .[].name);
do
if [[ $row =~ $PRE_VERSION ]]; then
echo OLD_TAG_NAME=$(echo $row | sed s/\"//g) >> $GITHUB_ENV
echo $row
break
fi
done
- run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
- run: echo "APP tag is ${{ env.APP_NAME }}"
- run: echo "Latest tag is ${{ env.TAG_NAME }}"
- run: echo "Old tag is ${{ env.OLD_TAG_NAME }}"
- run: echo "BUILD_NAME is ${{ env.BUILD_NAME}}"
- name: Checkout code for 2nd last release
uses: actions/checkout@v4
with:
ref: ${{ env.OLD_TAG_NAME }}
- name: "show version from version.py"
run: |
cat acme_srv/version.py
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: all
- uses: docker/setup-buildx-action@v3
with:
version: latest
buildkitd-flags: --debug
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USER }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Build with 2nd latest release tag
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: grindsa/acme2certifier:${{ env.OLD_TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}
file: examples/Docker/${{ matrix.websrv }}/${{ matrix.dbhandler }}/Dockerfile
platforms: linux/arm64, linux/amd64
- name: Push image to GHCR
run: |
docker buildx imagetools create \
--tag ghcr.io/grindsa/acme2certifier:${{ env.OLD_TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} \
grindsa/acme2certifier:${{ env.OLD_TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}
exit 1
#- name: Delete image from registry
# run: |
# docker images
# docker rmi $(docker images grindsa/acme2certifier -q) --force
- name: Checkout code for latest release
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: all
- uses: docker/setup-buildx-action@v3
with:
version: latest
buildkitd-flags: --debug
- name: Build with latest tag
uses: docker/build-push-action@v5
if: ${{ env.BUILD_NAME == 'apache2-wsgi'}}
with:
push: true
tags: grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:latest
file: examples/Docker/${{ matrix.websrv }}/${{ matrix.dbhandler }}/Dockerfile
platforms: linux/arm64, linux/amd64
- name: Build without latest tag
uses: docker/build-push-action@v5
if: ${{ env.BUILD_NAME != 'apache2-wsgi'}}
with:
push: true
tags: grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}
file: examples/Docker/${{ matrix.websrv }}/${{ matrix.dbhandler }}/Dockerfile
platforms: linux/arm64, linux/amd64
- name: Push image with latest tag to GHCR
if: ${{ env.BUILD_NAME == 'apache2-wsgi'}}
run: |
docker buildx imagetools create \
--tag ghcr.io/grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} \
--tag ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} \
--tag ghcr.io/grindsa/acme2certifier:latest \
grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}
- name: Push image without latest tag to GHCR
if: ${{ env.BUILD_NAME != 'apache2-wsgi'}}
run: |
docker buildx imagetools create \
--tag ghcr.io/grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} \
--tag ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} \
grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}
amd64_pull_and_test:
name: amd64_pull_and_test
runs-on: ubuntu-latest
needs: build_and_upload_images_to_hub
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "Get current version"
uses: oprypin/find-latest-tag@v1
with:
repository: ${{ github.repository }} # The repository to scan.
releases-only: true # We know that all relevant tags have a GitHub release for them.
id: acme2certifier_ver # The step ID to refer to later.
- name: Checkout code
uses: actions/checkout@v4
- name: "Retrieve Version from version.py"
run: |
echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
- run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
- run: echo "Latest tag is ${{ env.TAG_NAME }}"
- name: "Prepare environment"
run: |
docker network create acme
sudo mkdir -p acme-sh
sudo mkdir -p certbot
sudo mkdir -p lego
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Pull images from dockerhub and setup container"
run: |
docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER
env:
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
TAG_NAME: ${{ env.TAG_NAME }}
- name: "[ WAIT ] Sleep for 5s"
uses: juliangruber/[email protected]
with:
time: 5s
- name: "Test if http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Prepare acme.sh container"
run: |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "Enroll via acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
ls -la *.pem
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "Revoke via acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
- name: "Register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Enroll certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
- name: "Revoke via certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
- name: "Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- name: "Revoke via lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke
- name: "Install syft"
run: |
sudo curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: "Retrieve SBOM repo"
run: |
git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom
env:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
- name: "Generate SBOMs for acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}"
run: |
mkdir -p /tmp/sbom/sbom/acme2certifier
syft grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} > /tmp/sbom/sbom/acme2certifier/acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}_sbom.txt
syft grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}_sbom.json
ls -la /tmp/sbom/sbom/acme2certifier
- name: "Upload Changes"
continue-on-error: true
run: |
cd /tmp/sbom
git config --global user.email "[email protected]"
git config --global user.name "SBOM Generator"
git add sbom/acme2certifier/
git commit -a -m "SBOM update"
git push
- name: "Delete images from local repository"
run: |
docker stop acme-srv
docker rmi $(docker images grindsa/acme2certifier -q) --no-prune --force
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
# sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
cd examples/Docker
docker logs acme-srv > ${{ github.workspace }}/artifact/acme-srv.log 2>&1
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme-srv.log data # acme-sh
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: amd64_pull_and_test-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
arm64_pull_and_test:
name: arm64_pull_and_test
runs-on: ubuntu-latest
needs: build_and_upload_images_to_hub
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "Get current version"
uses: oprypin/find-latest-tag@v1
with:
repository: ${{ github.repository }} # The repository to scan.
releases-only: true # We know that all relevant tags have a GitHub release for them.
id: acme2certifier_ver # The step ID to refer to later.
- name: Checkout code
uses: actions/checkout@v4
- name: "Retrieve Version from version.py"
run: |
echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
echo UUID=$(uuidgen) >> $GITHUB_ENV
- run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
- run: echo "UUID ${{ env.UUID }}"
- name: "Prepare ssh environment in ramdisk"
run: |
sudo mkdir -p /tmp/rd
sudo mount -t tmpfs -o size=5M none /tmp/rd
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
sudo chmod 600 /tmp/rd/ak.tmp
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
env:
SSH_KEY: ${{ secrets.AWS_SSH_KEY }}
KNOWN_HOSTS: ${{ secrets.AWS_SSH_KNOWN_HOSTS }}
- name: "Create working directory on remote host"
run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts mkdir -p /tmp/a2c/$UUID
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Prepare and data package"
run: |
sudo mkdir -p /tmp/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /tmp/data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /tmp/data/acme_srv.cfg
sudo cp .github/acme2certifier.pem /tmp/data/acme2certifier.pem
sudo cp .github/django_settings.py /tmp/data/settings.py
sudo cp .github/acme2certifier_cert.pem /tmp/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem /tmp/data/acme2certifier_key.pem
- name: "Copy data package to remote host"
run: sudo scp -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts -r /tmp/data $SSH_USER@$SSH_HOST:/tmp/a2c/$UUID/
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
UUID: ${{ env.UUID }}
- run: echo "Image name - grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER"
env:
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
TAG_NAME: ${{ env.TAG_NAME }}
- name: "Pull images from dockerhub and setup container"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker network create $UUID"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -d --rm -id --network $UUID --name=acme-srv-$UUID -v "/tmp/a2c/$UUID/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
TAG_NAME: ${{ env.TAG_NAME }}
UUID: ${{ env.UUID }}
- name: "Sleep for 5s"
uses: juliangruber/[email protected]
with:
time: 5s
- name: "Test http://acme-srv/directory internally"
run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --network $UUID curlimages/curl -f http://acme-srv-$UUID/directory"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Test if https://acme-srv/directory internally"
run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --network $UUID curlimages/curl --insecure -f https://acme-srv-$UUID/directory"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "acme.sh enroll"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/acme-sh"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run --rm -id -v /tmp/a2c/$UUID/acme-sh:/acme.sh --network $UUID --name=acme-sh-$UUID neilpang/acme.sh:latest daemon"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker exec -i acme-sh-$UUID acme.sh --server http://acme-srv-$UUID --accountemail '[email protected]' --issue -d acme-sh-$UUID --standalone --debug 3 --output-insecure --force"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "acme.sh revoke"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker exec -i acme-sh-$UUID acme.sh --server http://acme-srv-$UUID --revoke -d acme-sh-$UUID --standalone --debug 3 --output-insecure"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Certbot enroll"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/certbot"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv-$UUID --no-eff-email"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv-$UUID --standalone --preferred-challenges http -d certbot-$UUID --cert-name certbot-$UUID"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Certbot revoke"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv-$UUID -d certbot-$UUID --cert-name certbot-$UUID"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Lego enroll"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/lego"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i -v /tmp/a2c/$UUID/lego:/.lego/ --rm --name lego-$UUID --network $UUID goacme/lego -s http://acme-srv-$UUID/directory -a --email [email protected] -d lego-$UUID --http run"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Lego revoke"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i -v /tmp/a2c/$UUID/lego:/.lego/ --rm --name lego-$UUID --network $UUID goacme/lego -s http://acme-srv-$UUID -a --email "[email protected]" -d lego-$UUID revoke"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
UUID: ${{ env.UUID }}
- name: "Cleanup on remote host"
run: |
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker stop acme-sh-$UUID"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker stop acme-srv-$UUID"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker network rm $UUID"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker image rm grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER"
sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "sudo rm -rf /tmp/a2c/$UUID"
env:
SSH_USER: ${{ secrets.AWS_SSH_USER }}
SSH_HOST: ${{ secrets.AWS_SSH_HOST }}
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
UUID: ${{ env.UUID }}
instance_stop:
name: instance_stop
runs-on: ubuntu-latest
needs: arm64_pull_and_test
steps:
- name: "install awccli"
run: |
sudo apt-get update
pip3 install awscli --upgrade --user
pip3 install boto3 --upgrade --user
export PATH=$PATH:$HOME/.local/bin
- name: "configure awccli"
run: |
aws --version
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws configure set default.region ${{ secrets.AWS_REGION }}
- name: "stop instance"
run: |
wget https://raw.githubusercontent.com/grindsa/aws_ec2_mgr/main/aws_ec_mgr.py
chmod a+rx ./aws_ec_mgr.py
python3 ./aws_ec_mgr.py -a stop -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }}
python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }}