diff --git a/scripts/21-le-deploy-hook.sh b/scripts/21-le-deploy-hook.sh index c6b4809..0182b56 100644 --- a/scripts/21-le-deploy-hook.sh +++ b/scripts/21-le-deploy-hook.sh @@ -2,6 +2,7 @@ set -euo pipefail source ./lib.sh +# Persistente Installer-Variablen (werden vom Wrapper gelesen) install -d -m 0755 /etc/mailwolt cat >/etc/mailwolt/installer.env </usr/local/sbin/mw-deploy.sh <<'WRAP' #!/usr/bin/env bash set -euo pipefail -# Installer-Variablen laden (UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME, optional LE_EMAIL etc.) +# Installer-Variablen laden set +u [ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env set -u @@ -28,37 +29,46 @@ UI_HOST="${UI_HOST:-}" WEBMAIL_HOST="${WEBMAIL_HOST:-}" MAIL_HOSTNAME="${MAIL_HOSTNAME:-}" -link_if() { +# --- Kopieren statt Symlinks (damit Laravel lesen kann) --------------------- +copy_cert() { local le_base="$1" target_dir="$2" local cert="${le_base}/fullchain.pem" local key="${le_base}/privkey.pem" + [[ -s "$cert" && -s "$key" ]] || return 0 + + # Zielordner sicherstellen install -d -m 0755 "$target_dir" - ln -sf "$cert" "${target_dir}/fullchain.pem" - ln -sf "$key" "${target_dir}/privkey.pem" - chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true - chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true - echo "[+] Linked ${target_dir} -> ${le_base}" + + # Falls vorher Symlinks existieren → entfernen, sonst würde "install" das Ziel des Links überschreiben + [ -L "${target_dir}/fullchain.pem" ] && rm -f "${target_dir}/fullchain.pem" + [ -L "${target_dir}/privkey.pem" ] && rm -f "${target_dir}/privkey.pem" + + # KOPIEREN mit sauberen Rechten (Chain world-readable, Key nur root) + install -m 0644 "$cert" "${target_dir}/fullchain.pem" + install -m 0600 "$key" "${target_dir}/privkey.pem" + + echo "[+] Copied ${target_dir}/fullchain.pem und privkey.pem ← ${le_base}" } -# Nur für Domains arbeiten, die im aktuellen Lauf erneuert/ausgestellt wurden +# Nur für Domains arbeiten, die in diesem Lauf betroffen sind RDOMS=" ${RENEWED_DOMAINS:-} " # UI if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then - link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui" + copy_cert "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui" fi # Webmail if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then - link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail" + copy_cert "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail" fi # MX if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then - link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail" + copy_cert "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail" fi -# Optional: TLSA via Laravel, falls App schon vorhanden (sonst still überspringen) -if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then +# Optional: TLSA via Laravel (still tolerant, falls App noch nicht gebaut) +if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ] && [ -f /var/www/mailwolt/artisan ]; then (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true fi @@ -69,7 +79,7 @@ fi WRAP chmod +x /usr/local/sbin/mw-deploy.sh -# 2) Certbot-Deploy-Hooks einrichten (ruft nur den Wrapper auf) +# 2) Certbot-Deploy-Hook: ruft den Wrapper bei jeder erfolgreichen Ausstellung/Renew auf install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK' #!/usr/bin/env bash @@ -79,6 +89,87 @@ chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh log "[✓] MailWolt Deploy-Hook eingerichtet" +##!/usr/bin/env bash +#set -euo pipefail +#source ./lib.sh +# +#install -d -m 0755 /etc/mailwolt +#cat >/etc/mailwolt/installer.env </usr/local/sbin/mw-deploy.sh <<'WRAP' +##!/usr/bin/env bash +#set -euo pipefail +# +## Installer-Variablen laden (UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME, optional LE_EMAIL etc.) +#set +u +#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env +#set -u +# +#UI_HOST="${UI_HOST:-}" +#WEBMAIL_HOST="${WEBMAIL_HOST:-}" +#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}" +# +#link_if() { +# local le_base="$1" target_dir="$2" +# local cert="${le_base}/fullchain.pem" +# local key="${le_base}/privkey.pem" +# [[ -s "$cert" && -s "$key" ]] || return 0 +# install -d -m 0755 "$target_dir" +# ln -sf "$cert" "${target_dir}/fullchain.pem" +# ln -sf "$key" "${target_dir}/privkey.pem" +# chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true +# chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true +# echo "[+] Linked ${target_dir} -> ${le_base}" +#} +# +## Nur für Domains arbeiten, die im aktuellen Lauf erneuert/ausgestellt wurden +#RDOMS=" ${RENEWED_DOMAINS:-} " +# +## UI +#if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then +# link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui" +#fi +## Webmail +#if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then +# link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail" +#fi +## MX +#if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then +# link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail" +#fi +# +## Optional: TLSA via Laravel, falls App schon vorhanden (sonst still überspringen) +#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then +# (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true +#fi +# +## Nginx nur neu laden, wenn aktiv +#if systemctl is-active --quiet nginx; then +# systemctl reload nginx || true +#fi +#WRAP +#chmod +x /usr/local/sbin/mw-deploy.sh +# +## 2) Certbot-Deploy-Hooks einrichten (ruft nur den Wrapper auf) +#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy +#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK' +##!/usr/bin/env bash +#exec /usr/local/sbin/mw-deploy.sh +#HOOK +#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh +# +#log "[✓] MailWolt Deploy-Hook eingerichtet" + ##!/usr/bin/env bash #set -euo pipefail #source ./lib.sh