#!/usr/bin/env bash
set -euo pipefail
# Resolved against the caller's current working directory, not this script's
# location (leading "./"); the helpers it provides are not visible here.
source ./lib.sh

# -----------------------------------------------------------------------------
# 21-le-deploy-hook.sh
# - Creates /etc/mailwolt/installer.env (if missing)
# - Installs Let's Encrypt deploy hooks under
#   /etc/letsencrypt/renewal-hooks/deploy/:
#   * 50-mailwolt-symlinks.sh → symlinks the LE certs into /etc/ssl/{ui,webmail,mail}
#   * 60-mailwolt-tlsa.sh → writes a TLSA (3 1 1) record for the MX after every renew
#
# Both hooks re-read /etc/mailwolt/installer.env at run time (as root, via
# `.`), so that file is effectively executable configuration.
# NOTE(review): the env file is written with `cat >`, i.e. its mode comes from
# the umask at install time — confirm it ends up root-owned and not
# group/world-writable, since anything written into it runs on every renewal.
# -----------------------------------------------------------------------------

# 1) Make sure the host names are persistently available to the hooks
if [[ ! -f /etc/mailwolt/installer.env ]]; then
  install -d -m 0755 /etc/mailwolt
  # NOTE(review): this copy of the script appears truncated: the heredoc body
  # of installer.env, its terminator, the closing `fi`, and the `cat >` that
  # opens the 50-mailwolt-symlinks.sh hook seem to have been lost between the
  # `<` and the hook path below. As written, the following heredoc (up to
  # `HOOK`) is the body of 50-mailwolt-symlinks.sh; the installer.env contents
  # cannot be recovered from here.
  cat >/etc/mailwolt/installer.env </etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# Env aus dem Installer laden (falls vorhanden), aber unbound vermeiden
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
# Falls Variablen nicht gesetzt sind → leere Defaults (vermeidet unbound)
UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MX_HOST="${MAIL_HOSTNAME:-}"
UI_LE="/etc/letsencrypt/live/${UI_HOST}"
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
MX_LE="/etc/letsencrypt/live/${MX_HOST}"
link_if() {
  local le_base="$1" target_dir="$2"
  local cert="${le_base}/fullchain.pem"
  local key="${le_base}/privkey.pem"
  if [[ -f "$cert" && -f "$key" ]]; then
    install -d -m 0755 "$target_dir"
    ln -sf "$cert" "${target_dir}/fullchain.pem"
    ln -sf "$key" "${target_dir}/privkey.pem"
    echo "[+] Linked ${target_dir} -> ${le_base}"
  fi
}
# Nur linken, wenn Hostnamen vorhanden sind
[[ -n "$UI_HOST" ]] && link_if "$UI_LE" "$UI_SSL_DIR"
[[ -n "$WEBMAIL_HOST" ]] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
[[ -n "$MX_HOST" ]] && link_if "$MX_LE" "$MAIL_SSL_DIR"
# sinnvolle Rechte (Key nur für root lesbar, Chain world-readable)
chmod 640 "${UI_SSL_DIR}/privkey.pem" 2>/dev/null || true
chmod 640 "${WEBMAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
chmod 640 "${MAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
chmod 644 "${UI_SSL_DIR}/fullchain.pem" 2>/dev/null || true
chmod 644 "${WEBMAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
chmod 644 "${MAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
# Nur Nginx neu laden – Postfix/Dovecot startet später im Installer
systemctl reload nginx || true
HOOK
# The hook above (quoted heredoc, so nothing is expanded at install time):
#  - reads UI_HOST / WEBMAIL_HOST / MAIL_HOSTNAME from installer.env,
#    defaulting each to "" so `set -u` does not trip;
#  - for every non-empty host, symlinks fullchain.pem and privkey.pem from
#    /etc/letsencrypt/live/<host>/ into the matching /etc/ssl/<role>/ dir,
#    only when both files exist;
#  - applies 640 to the keys and 644 to the chains. chmod follows symlinks,
#    so these modes land on the files under /etc/letsencrypt that the links
#    point to, not on the links themselves. 640 keeps the key root-only
#    unless group ownership is arranged elsewhere — whichever service
#    consumes it must be able to read it and traverse the LE directories.
#  - reloads only nginx; every failure in this tail is masked with `|| true`.
# NOTE(review): this hook runs on every renewal, not just at install. Only
# nginx is reloaded here — confirm that Postfix/Dovecot pick up a renewed
# certificate/key on their own, otherwise they keep serving the old files.
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh

# 4) Hook: generate the TLSA (3 1 1) record for the MX after every renew/issue
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# MAIL_HOSTNAME kommt von certbot via Environment nicht automatisch,
# daher direkt aus installer.env lesen, falls gesetzt.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
MX_HOST="${MAIL_HOSTNAME:-}"
[[ -n "$MX_HOST" ]] || exit 0
# Nur reagieren, wenn das MX-Zert in diesem Run drin war
case " ${RENEWED_DOMAINS:-} " in
  *" ${MX_HOST} "*) ;; # ok
  *) exit 0 ;;
esac
CERT="${RENEWED_LINEAGE}/fullchain.pem"
if [[ -s "$CERT" ]]; then
  HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //')"
  TLSA_LINE="_25._tcp.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
  install -d -m 0755 /etc/mailwolt/dns
  echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MX_HOST}.tlsa.txt"
  echo "[TLSA] ${TLSA_LINE}"
fi
HOOK
# The hook above:
#  - exits quietly unless MAIL_HOSTNAME is set and appears as a whole word in
#    certbot's space-separated RENEWED_DOMAINS (hence the padded " ... "
#    pattern in the `case`);
#  - hashes the DER-encoded SubjectPublicKeyInfo of the first certificate in
#    RENEWED_LINEAGE/fullchain.pem with SHA-256 — that is usage 3 (DANE-EE),
#    selector 1 (SPKI), matching type 1 (SHA-256);
#  - writes the resulting record to /etc/mailwolt/dns/<MX_HOST>.tlsa.txt and
#    echoes it. Nothing here publishes it to DNS.
# NOTE(review): RENEWED_LINEAGE is expanded without a default under `set -u`;
# it is only reached after RENEWED_DOMAINS matched, which presumably means
# certbot invoked the hook and set both — confirm if the hook is ever run by
# hand. Because 3 1 1 pins the current public key, a renewal that rotates the
# key leaves any previously published record stale until the new one is in
# DNS; the rollover procedure lives outside this script.
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh