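#!/usr/bin/env bash
# Installs the Let's Encrypt deploy hook for MailWolt:
#   1) /usr/local/sbin/mw-deploy.sh — links the live LE cert/key of each
#      configured host into /etc/ssl/{ui,webmail,mail} and reloads nginx
#   2) /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh — certbot
#      runs this (as root) after every successful renewal; it execs the wrapper
#
# Inputs (environment, expected to come from lib.sh / the installer):
#   UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME — hostnames whose LE lineages live
#   under /etc/letsencrypt/live/<host>. Any of them may be unset or empty.
#
# The hostnames are persisted to /etc/mailwolt/installer.env: certbot's
# renewal timer does not carry the installer's environment, so without that
# file the deploy hook would have nothing to link on renewals.
set -euo pipefail
source ./lib.sh

log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"

# 0) Persist the hostnames for later (unattended) deploy-hook runs.
#    Only written when at least one host is known, so re-running this step
#    without the variables set does not wipe a previous configuration. Other
#    KEY=value lines already in the file are kept; only these three keys are
#    replaced. %q quotes the values so the file stays safe to `source` even if
#    a value contains shell metacharacters. Mode 0600: the only known consumer
#    (the deploy hook) runs as root — loosen if a non-root reader is added.
install -d -m 0755 /etc/mailwolt
if [[ -n "${UI_HOST:-}${WEBMAIL_HOST:-}${MAIL_HOSTNAME:-}" ]]; then
  env_tmp="$(mktemp /etc/mailwolt/installer.env.XXXXXX)"
  if [[ -f /etc/mailwolt/installer.env ]]; then
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -Ev '^(UI_HOST|WEBMAIL_HOST|MAIL_HOSTNAME)=' /etc/mailwolt/installer.env >"$env_tmp" || true
  fi
  printf 'UI_HOST=%q\nWEBMAIL_HOST=%q\nMAIL_HOSTNAME=%q\n' \
    "${UI_HOST:-}" "${WEBMAIL_HOST:-}" "${MAIL_HOSTNAME:-}" >>"$env_tmp"
  chmod 0600 "$env_tmp"
  mv -f "$env_tmp" /etc/mailwolt/installer.env
fi

# 1) Wrapper script: link the LE lineage of each host into /etc/ssl/* and
#    reload nginx. Used by the installer and by the certbot deploy hook.
#    Quoted heredoc: nothing below is expanded at install time.
cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
#!/usr/bin/env bash
# mw-deploy.sh — link Let's Encrypt certificates into /etc/ssl/{ui,webmail,mail}
# and reload nginx. Runs as root (from the installer or as certbot deploy hook).
#
# Hostnames are taken from UI_HOST / WEBMAIL_HOST / MAIL_HOSTNAME in the
# environment; when none of them is set (certbot's renewal timer does not
# pass them), /etc/mailwolt/installer.env is sourced as the fallback.
set -euo pipefail

ENV_FILE=/etc/mailwolt/installer.env
if [[ -z "${UI_HOST:-}${WEBMAIL_HOST:-}${MAIL_HOSTNAME:-}" && -r "$ENV_FILE" ]]; then
  # shellcheck disable=SC1090 — written by the installer, KEY=value lines only
  source "$ENV_FILE"
fi

# valid_host NAME — accept only characters that can appear in a certbot
# lineage directory name, so a value can never escape /etc/letsencrypt/live/
# (e.g. via "../") or break the symlink targets.
valid_host() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]
}

# link_if LE_BASE TARGET_DIR — symlink fullchain.pem/privkey.pem from the
# lineage directory LE_BASE into TARGET_DIR. Does nothing when the lineage is
# not (yet) present, so the wrapper is safe to run before the first issuance.
link_if() {
  local le_base="$1" target_dir="$2"
  local cert="${le_base}/fullchain.pem"
  local key="${le_base}/privkey.pem"
  [[ -s "$cert" && -s "$key" ]] || return 0
  install -d -m 0755 "$target_dir"
  ln -sf "$cert" "${target_dir}/fullchain.pem"
  ln -sf "$key" "${target_dir}/privkey.pem"
  # chmod follows the symlinks, i.e. this adjusts the files certbot keeps in
  # its archive; the private key stays readable by root only.
  chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
  chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
  echo "[+] Linked ${target_dir} -> ${le_base}"
}

# link_host NAME TARGET_DIR — link_if for one configured hostname. Empty names
# are skipped silently, malformed ones are reported on stderr and skipped.
link_host() {
  local host="$1" target_dir="$2"
  [[ -n "$host" ]] || return 0
  if ! valid_host "$host"; then
    echo "[!] Ignoring malformed hostname: ${host}" >&2
    return 0
  fi
  link_if "/etc/letsencrypt/live/${host}" "$target_dir"
}

link_host "${UI_HOST:-}"       /etc/ssl/ui
link_host "${WEBMAIL_HOST:-}"  /etc/ssl/webmail
link_host "${MAIL_HOSTNAME:-}" /etc/ssl/mail

# Only reload when nginx is already running (the installer starts it later).
# A failed reload must not abort certbot, but it should not go unnoticed.
if systemctl is-active --quiet nginx; then
  systemctl reload nginx || echo "[!] nginx reload failed" >&2
fi
WRAP
# Explicit mode: the file is executed as root, so it must never end up
# group/world-writable (plain `chmod +x` would keep whatever the umask gave).
chmod 0755 /usr/local/sbin/mw-deploy.sh

# 2) certbot deploy hook directory + hook that delegates to the wrapper.
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
# certbot deploy hook — run after every successful renewal; delegates to the
# MailWolt wrapper, which reads the hostnames from /etc/mailwolt/installer.env.
exec /usr/local/sbin/mw-deploy.sh
HOOK
chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh

log "[✓] MailWolt Deploy-Hook eingerichtet"

# --- Apparently an earlier version of this script, kept commented out ---
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
## ────────────────────────────────────────────────────────────────────────────
## 21-le-deploy-hook.sh
## • legt /etc/mailwolt/installer.env an (falls fehlt)
## • erzeugt Deploy-Hooks:
## - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
## - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
## • KEIN Reload von Postfix/Dovecot (kommt später im 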
Installer) ## ──────────────────────────────────────────────────────────────────────────── # ## 0) Hostnamen persistent speichern (für spätere Deploys) #install -d -m 0755 /etc/mailwolt #if [[ ! -f /etc/mailwolt/installer.env ]]; then # cat >/etc/mailwolt/installer.env </etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh </dev/null || true # chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true # echo "[+] Linked \${target_dir} -> \${le_base}" #} # ## Verlinken (nur wenn Host konfiguriert) #[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR" #[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR" #[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR" # ## Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst) #if systemctl is-active --quiet nginx; then # systemctl reload nginx || true #fi #HOOK #chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh # ## ──────────────────────────────────────────────────────────────────────────── ## 3) 60-mailwolt-tlsa.sh ## → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL. ## → schreibt nur, wenn sich der Hash geändert hat (idempotent) ## ──────────────────────────────────────────────────────────────────────────── #cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK' ##!/usr/bin/env bash #set -euo pipefail # ## installer.env lesen #set +u #[ -r /etc/mailwolt/installer.env ] && . 
/etc/mailwolt/installer.env #set -u # #APP_ENV_VAL="${APP_ENV:-production}" #BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}" # #case "$APP_ENV_VAL" in # local|dev|development) exit 0 ;; #esac #[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0 # #MX_HOST="${MAIL_HOSTNAME:-}" #SERVICE="_25._tcp" #DNS_DIR="/etc/mailwolt/dns" #OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt" # ## Nur reagieren, wenn MX-Zertifikat betroffen war #case " ${RENEWED_DOMAINS:-} " in # *" ${MX_HOST} "*) ;; # *) exit 0 ;; #esac # #CERT="${RENEWED_LINEAGE}/fullchain.pem" #[ -s "$CERT" ] || exit 0 # ## Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent) #if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then # cd /var/www/mailwolt || exit 0 # php artisan dns:tlsa:refresh || true # exit 0 #fi # ## Fallback: nur Datei aktualisieren, wenn Hash sich ändert #HASH="$(openssl x509 -in "$CERT" -noout -pubkey \ # | openssl pkey -pubin -outform DER \ # | openssl dgst -sha256 | sed 's/^.*= //')" #NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}" # #mkdir -p "$DNS_DIR" # #if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then # if grep -q "$HASH" "$OUT_FILE"; then # echo "[TLSA] Unverändert – kein Update nötig." # exit 0 # fi #fi # #echo "$NEW_LINE" > "$OUT_FILE" #echo "[TLSA] Aktualisiert: $NEW_LINE" #HOOK #chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh # ## ──────────────────────────────────────────────────────────────────────────── #echo "[✓] Deploy-Hooks installiert."