Added the pebble example and more or less finished the gateway example.

example/gateway/certbot/Fockerfile

@@ -0,0 +1,30 @@
+base: freebsd-latest
+
+steps:
+  - run:
+      - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install py37-certbot python3
+      - mkdir -p /certbot/data
+      - mkdir -p /certbot/webroot
+      - mkdir -p /certbot/scripts
+      - chown -R nobody:nobody /certbot
+      - chmod 0750 /certbot
+  - copy:
+      - [ files/certbot.py,
+          /certbot/scripts/certbot.py ]
+      - [ files/crontab_nobody,
+          /root/crontab_nobody ]
+      - [ ../files/cookiecutter.json,
+          /certbot/data/metadata.json ]
+  - run:
+      - crontab -u nobody /root/crontab_nobody
+      - rm -v /root/crontab_nobody
+      - mkdir -p /usr/local/etc/letsencrypt
+      - mkdir -p /var/log/letsencrypt
+      - mkdir -p /var/db/letsencrypt
+      - chown nobody:nobody /var/log/letsencrypt
+      - chown nobody:nobody /var/db/letsencrypt
+  - run:
+      - sysrc sshd_enable=NO
+      - sysrc sendmail_enable=NONE
+      - sysrc clear_tmp_enable=YES
+      - sysrc syslogd_flags="-ss"

example/gateway/certbot/files/certbot.py

@@ -0,0 +1,24 @@
+import json
+import subprocess
+
+
+def main():
+    with open('/certbot/data/metadata.json', 'r') as f:
+        data = json.load(f)
+    ips = data['ips'][0]
+    domains = data['domains'][0]
+    for ds in domains:
+        cmd = [ '/usr/local/bin/certbot', 'certonly', '--webroot',
+            '-w', '/certbot/webroot', '--server', 'https://127.0.11.1:14000/dir',
+            '--email', 's.adaszewski@gmail.com', '--no-verify-ssl', '-n',
+            '--agree-tos', '--expand' ]
+        for d in ds:
+            cmd.append('-d')
+            cmd.append(d)
+        ret = subprocess.run(cmd)
+        if ret.returncode != 0:
+            raise RuntimeError('Failed certbot certonly for:', ' '.join(ds))
+
+
+if __name__ == '__main__':
+    main()

example/gateway/certbot/files/crontab_nobody

@@ -0,0 +1 @@
+@weekly /usr/local/bin/certbot renew --webroot -w /certbot/webroot --server https://127.0.11.1:14000 --no-verify-ssl -n --agree-tos >/dev/null 2>&1

example/gateway/focker-compose.yml

@@ -3,8 +3,16 @@ prebuild:
 
 
 volumes:
-  certbot-data: {}
-  certbot-webroot: {}
+  certbot-data:
+    chown: 65534:65534
+    chmod: 0750
+    zfs:
+      quota: 1G
+  certbot-webroot:
+    chown: 65534:65534
+    chmod: 0750
+    zfs:
+      quota: 1G
 
 
 images:
@@ -17,14 +25,20 @@ jails:
   nginx-http:
     image: nginx-http
     mounts:
-      certbot-webroot: /srv/certbot-webroot
+      certbot-webroot: /certbot/webroot
 
   certbot:
     image: certbot
     depend: nginx-http
     mounts:
-      certbot-data: /
+      certbot-data: /usr/local/etc/letsencrypt
+      certbot-webroot: /certbot/webroot
+    exec.start: |
+      ( /usr/bin/su -m nobody -c "python3 /certbot/scripts/certbot.py" && \
+      /bin/sh /etc/rc ) &
 
   nginx-https:
     image: nginx-https
     depend: certbot
+    mounts:
+      certbot-data: /usr/local/etc/letsencrypt

example/gateway/nginx-http/Fockerfile

@@ -19,4 +19,4 @@ steps:
       - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove
       - rm -rvf /root/nginx_template
       - rm -rvf ./nginx_conf
-      - mkdir -p /srv/certbot-webroot
+      - mkdir -p /certbot/webroot

example/gateway/nginx-https/Fockerfile

@@ -19,4 +19,10 @@ steps:
       - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove
       - rm -rvf /root/nginx_template
       - rm -rvf ./nginx_conf
-      - mkdir /certbot-data
+      - mkdir -p /usr/local/etc/letsencrypt
+      - mkdir -p /certbot/webroot
+  - run:
+      - sysrc sshd_enable=NO
+      - sysrc sendmail_enable=NONE
+      - sysrc clear_tmp_enable=YES
+      - sysrc syslogd_flags="-ss"

example/gateway/nginx-https/files/nginx.conf

@@ -12,11 +12,14 @@ http {
     server {
       listen 443 ssl;
       server_name {{ ' '.join(cookiecutter.domains[i]) }};
-      ssl_certificate /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.crt;
-      ssl_certificate_key /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.key;
+      ssl_certificate /usr/local/etc/letsencrypt/live/{{ cookiecutter.domains[i][0] }}/fullchain.pem;
+      ssl_certificate_key /usr/local/etc/letsencrypt/live/{{ cookiecutter.domains[i][0] }}/privkey.pem;
 
       location / {
-        proxy_pass http://{{ cookiecutter.ips[i] }}/;
+        proxy_pass http://{{ cookiecutter.ips[i] }};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_request_buffering off;
       }
     }
   {% endfor %}

example/pebble/Fockerfile

@@ -0,0 +1,15 @@
+base: freebsd-latest
+
+steps:
+  - run:
+      - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install go git
+  - run:
+      - mkdir /go
+      - export GOPATH=/go
+      - go get -u github.com/letsencrypt/pebble/...
+      - cd $GOPATH/src/github.com/letsencrypt/pebble
+      - go install ./...
+  - run:
+      - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg remove go git
+      - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove
+

example/pebble/focker-compose.yml

@@ -0,0 +1,12 @@
+image:
+  pebble: .
+
+jails:
+  pebble:
+    image: pebble
+    ip4.addr: 127.0.11.1
+    exec.start: |
+      cd /go/src/github.com/letsencrypt/pebble && \
+      export PEBBLE_VA_ALWAYS_VALID=1 && \
+      nohup /go/bin/pebble -config test/config/pebble-config.json &
+