Move certbot to its own docker

certbot/Dockerfile

@@ -0,0 +1,9 @@
+FROM debian
+
+RUN apt update && apt install -y certbot cron
+
+ADD certbot.cron /etc/cron.d/certbot
+
+VOLUME ["/etc/letsencrypt"]
+
+CMD ["cron", "-f"]

certbot/certbot.cron

@@ -0,0 +1,11 @@
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc.  Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew

docker-compose.yml

@@ -8,6 +8,7 @@ volumes:
   vol_gitlab_logs:
   vol_gitlab_data:
   vol_letsencrypt:
+  vol_letsencrypt_html:
 
 services:
 
@@ -94,8 +95,7 @@ services:
 
   proxy:
     container_name: proxy
-    build: proxy
-    image: proxy
+    image: nginx
     ports:
       - 80:80
       - 443:443
@@ -108,4 +108,18 @@ services:
       - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./proxy/nginx-conf.d:/etc/nginx/conf.d:ro
       - vol_letsencrypt:/etc/letsencrypt
+      - vol_letsencrypt_html:/var/www/html
+    restart: always
+
+  # ---------------------------------------------------------------------------
+  # Certbot container running a cron job to renew certificates.
+  # ---------------------------------------------------------------------------
+
+  certbot:
+    container_name: certbot
+    build: certbot
+    image: certbot
+    volumes:
+      - vol_letsencrypt:/etc/letsencrypt
+      - vol_letsencrypt_html:/var/www/html
     restart: always

proxy/Dockerfile

@@ -1,6 +0,0 @@
-FROM nginx
-
-RUN apt update && apt install -y certbot
-RUN mkdir -p /var/www/html
-
-VOLUME ["/etc/letsencrypt"]