renewer certbot certs after launch/load env from file/listen on socket/disable http in AIO mode

Signed-off-by: Zoey <zoey@z0ey.de>

.github/workflows/shellcheck.yml

@@ -14,4 +14,4 @@ jobs:
         with:
           check_together: 'yes'
         env:
-          SHELLCHECK_OPTS: --shell sh -e SC2153
+          SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153

README.md

@@ -9,6 +9,7 @@ running at home or otherwise, including free TLS, without having to know too muc
 
 
 **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
+**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>
 **Note: NO armv7 support.** <br>
 **Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.** <br>
 **Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).** <br>

backend/templates/_listen.conf

@@ -1,3 +1,5 @@
+  listen unix:/run/nginx.sock;
+
   listen 80;
   listen [::]:80;
 

backend/templates/certbot-request.conf

@@ -1,6 +1,8 @@
 {% include "_header_comment.conf" %}
 
 server {
+  listen unix:/run/nginx.sock;
+
   listen 80;
   listen [::]:80;
 

backend/templates/default.conf

@@ -2,6 +2,8 @@
 # Default Site
 # ------------------------------------------------------------
 server {
+  listen unix:/run/nginx.sock default_server;
+
   listen 80 default_server;
   listen [::]:80 default_server;
   

rootfs/bin/cbr.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
+certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot renew --quiet --config "/data/tls/certbot/config.ini" --preferred-challenges "dns,http" --no-random-sleep-on-renew

rootfs/bin/launch.sh

@@ -38,5 +38,6 @@ fi
 
 if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
 if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
+cbr.sh &
 aio.sh &
 index.js

rootfs/bin/start.sh

@@ -15,6 +15,10 @@ if [ ! -d /data ]; then
 fi
 
 
+touch /data/.env
+. /data/.env
+
+
 if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then
     echo "TZ is unset or invalid."
     sleep inf
@@ -138,11 +142,16 @@ if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
 fi
 
 
+if [ "$NC_AIO" = "true" ]; then
+    export DISABLE_HTTP="true"
+fi
+
 if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
     export NPM_IPV4_BINDING="127.0.0.1"
     export NPM_IPV6_BINDING="[::1]"
 fi
 
+
 if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ]; then
     apk add --no-cache fcgi
 fi

rootfs/usr/local/nginx/conf/conf.d/include/default.conf

@@ -2,6 +2,8 @@
 # Default Site
 # ------------------------------------------------------------
 server {
+    listen unix:/run/nginx.sock default_server;
+
     listen 80 default_server;
     listen [::]:80 default_server;
 

rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf

@@ -1,4 +1,6 @@
 server {
+    listen unix:/run/nginx.sock;
+
     listen 80;
     listen [::]:80;