mirror of https://github.com/wg-easy/wg-easy
Browse Source
This plugin verifies the existence of Let's Encrypt IP certificate files at startup, logs renewal updates, and activates HTTPS in the Nitro server.pull/2552/head
committed by
GitHub
1 changed files with 57 additions and 0 deletions
@ -0,0 +1,57 @@ |
|||
/** |
|||
* tls.ts — Nitro server plugin for Let's Encrypt IP certificate support |
|||
* |
|||
* When LEGO_ENABLED=true and INSECURE!=true, this plugin: |
|||
* - Verifies certificate files exist at startup (placed by entrypoint.sh via lego) |
|||
* - Watches the cert file for renewal updates and logs them |
|||
* - Nitro's HTTPS is activated via the `https` key in nuxt.config.ts nitro block |
|||
*/ |
|||
import fs from 'node:fs'; |
|||
|
|||
const CERT_PATH = '/root/cert/ip/fullchain.pem'; |
|||
const KEY_PATH = '/root/cert/ip/privkey.pem'; |
|||
|
|||
export default defineNitroPlugin((nitroApp) => { |
|||
const legoEnabled = process.env.LEGO_ENABLED === 'true'; |
|||
const insecure = process.env.INSECURE === 'true'; |
|||
|
|||
if (!legoEnabled || insecure) { |
|||
console.log('[tls] Running in HTTP mode (LEGO_ENABLED != true or INSECURE=true)'); |
|||
return; |
|||
} |
|||
|
|||
// Verify certs exist — entrypoint.sh should have placed them before Node starts
|
|||
if (!fs.existsSync(CERT_PATH) || !fs.existsSync(KEY_PATH)) { |
|||
console.error( |
|||
'[tls] ERROR: Certificate files not found!\n' + |
|||
`Expected: ${CERT_PATH}\n` + |
|||
`${KEY_PATH}\n` + |
|||
' Make sure LEGO_IP and LEGO_EMAIL are set correctly.' |
|||
); |
|||
// Don't crash — Nitro will still start but without TLS if cert is missing
|
|||
return; |
|||
} |
|||
|
|||
// Read cert info for logging
|
|||
try { |
|||
const stat = fs.statSync(CERT_PATH); |
|||
console.log(`[tls] Certificate loaded: ${CERT_PATH} (modified: ${stat.mtime.toISOString()})`); |
|||
console.log(`[tls] HTTPS enabled for IP: ${process.env.LEGO_IP || process.env.HOST}`); |
|||
} catch { |
|||
// Non-fatal
|
|||
} |
|||
|
|||
// Watch for cert renewal (lego-renew.sh replaces symlink targets every ~5 days)
|
|||
fs.watchFile(CERT_PATH, { interval: 60_000, persistent: false }, (curr, prev) => { |
|||
if (curr.mtime !== prev.mtime) { |
|||
console.log( |
|||
`[tls] Certificate renewed at ${curr.mtime.toISOString()} — ` + |
|||
'new connections will use the updated cert automatically.' |
|||
); |
|||
} |
|||
}); |
|||
|
|||
nitroApp.hooks.hook('close', () => { |
|||
fs.unwatchFile(CERT_PATH); |
|||
}); |
|||
}); |
|||
Loading…
Reference in new issue