diff --git a/scripts/21-le-deploy-hook.sh b/scripts/21-le-deploy-hook.sh
index ee5091b..4417bc2 100644
--- a/scripts/21-le-deploy-hook.sh
+++ b/scripts/21-le-deploy-hook.sh
@@ -4,39 +4,50 @@ source ./lib.sh
 install -d /etc/letsencrypt/renewal-hooks/deploy
-# --- 50: Symlink-Hook (setzt stabile /etc/ssl/{ui,webmail,mail}) ---
-cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh </etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
 #!/usr/bin/env bash
 set -euo pipefail
+# Env aus dem Installer laden (falls vorhanden), aber unbound vermeiden
+set +u
+[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
+set -u
+
 UI_SSL_DIR="/etc/ssl/ui"
 WEBMAIL_SSL_DIR="/etc/ssl/webmail"
 MAIL_SSL_DIR="/etc/ssl/mail"
-UI_HOST="${UI_HOST}"
-WEBMAIL_HOST="${WEBMAIL_HOST}"
-MX_HOST="${MAIL_HOSTNAME}"
+# Falls Variablen nicht gesetzt sind → leere Defaults (vermeidet unbound)
+UI_HOST="${UI_HOST:-}"
+WEBMAIL_HOST="${WEBMAIL_HOST:-}"
+MX_HOST="${MAIL_HOSTNAME:-}"
+
+UI_LE="/etc/letsencrypt/live/${UI_HOST}"
+WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
+MX_LE="/etc/letsencrypt/live/${MX_HOST}"
 link_if() {
- local host="\$1" target_dir="\$2"
- [[ -z "\$host" ]] && return 0
- local le="/etc/letsencrypt/live/\${host}"
- local cert="\${le}/fullchain.pem"
- local key="\${le}/privkey.pem"
- [[ -f "\$cert" && -f "\$key" ]] || return 0
- install -d -m 0755 "\$target_dir"
- ln -sf "\$cert" "\${target_dir}/fullchain.pem"
- ln -sf "\$key" "\${target_dir}/privkey.pem"
- echo "[+] Linked \${target_dir} -> \${le}"
+ local le_base="$1" target_dir="$2"
+ local cert="${le_base}/fullchain.pem"
+ local key="${le_base}/privkey.pem"
+ if [ -f "$cert" ] && [ -f "$key" ]; then
+ install -d -m 0755 "$target_dir"
+ ln -sf "$cert" "${target_dir}/fullchain.pem"
+ ln -sf "$key" "${target_dir}/privkey.pem"
+ echo "[+] Linked ${target_dir} -> ${le_base}"
+ fi
 }
-link_if "${UI_HOST}" "\${UI_SSL_DIR}"
-link_if "${WEBMAIL_HOST}" "\${WEBMAIL_SSL_DIR}"
-link_if "${MX_HOST}" "\${MAIL_SSL_DIR}"
+# Nur linken, wenn Hostnamen vorhanden sind
+[ -n "$UI_HOST" ] && link_if "$UI_LE" "$UI_SSL_DIR"
+[ -n "$WEBMAIL_HOST" ] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
+[ -n "$MX_HOST" ] && link_if "$MX_LE" "$MAIL_SSL_DIR"
+# Dienste neu laden
 systemctl reload nginx || true
 systemctl reload postfix dovecot || true
 HOOK
+
 chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
 # --- 60: TLSA-Hook (bei jedem Renew für MX neu berechnen – falls Key doch rotiert) ---
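Review bot: The new `[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env` sources a file as root from a certbot deploy hook without checking who can write it, so anyone able to modify that file gets root code execution on every renewal; the file's ownership and mode are set outside this hunk and are not visible here, so the hook should verify them itself before executing its contents. I would only source the file when it is root-owned and not group/world-writable, and log to stderr when it is absent, because an absent file currently leaves all three hostnames empty and the link step silently does nothing while the reloads still run. The lines below replace the `set +u` / source / `set -u` block inside the `<<'HOOK'` heredoc; the rest of the hook is unchanged. The `find -user`/`-perm /022` form assumes GNU find, which is consistent with the systemd-based target seen in the hunk but worth confirming.

```shell
ENV_FILE=/etc/mailwolt/installer.env
# This hook runs as root and sourcing executes whatever the file contains:
# only trust it when root owns it and nobody else can write to it.
if [ -r "$ENV_FILE" ]; then
  if [ -n "$(find "$ENV_FILE" -maxdepth 0 -user root ! -perm /022 2>/dev/null)" ]; then
    set +u
    . "$ENV_FILE"
    set -u
  else
    echo "[!] refusing to source $ENV_FILE: must be root-owned and not group/world-writable" >&2
  fi
else
  echo "[!] $ENV_FILE not found; no hostnames known, symlinks will not be updated" >&2
fi
# … unchanged: UI_SSL_DIR / WEBMAIL_SSL_DIR / MAIL_SSL_DIR and the rest of the hook …
```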