mailwolt-installer/scripts/21-le-deploy-hook.sh


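#!/usr/bin/env bash
# 21-le-deploy-hook.sh — installs the Let's Encrypt deploy wrapper and the
# certbot renewal hook that calls it.
#
# Creates:
#   /etc/mailwolt/installer.env                                    (hostnames)
#   /usr/local/sbin/mw-deploy.sh                                   (wrapper)
#   /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh (certbot hook)
#
# Reads UI_HOST, WEBMAIL_HOST and MAIL_HOSTNAME from the environment (each
# optional). Requires ./lib.sh for `log`. Must run as root.
set -euo pipefail
source ./lib.sh
log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"

readonly ENV_FILE=/etc/mailwolt/installer.env
readonly WRAPPER=/usr/local/sbin/mw-deploy.sh
readonly HOOK_DIR=/etc/letsencrypt/renewal-hooks/deploy
readonly HOOK_FILE="${HOOK_DIR}/50-mailwolt-symlinks.sh"

# 0) Hostnamen persistent speichern.
# certbot runs deploy hooks without the installer's environment, so at renewal
# time the wrapper cannot rely on UI_HOST & Co. being exported; it re-reads
# them from this file. Written with %q so the file can be sourced back by bash
# without a hostname containing shell metacharacters being interpreted as code.
# Only created when missing so a re-run with a different environment does not
# clobber a deliberately edited file.
install -d -m 0755 /etc/mailwolt
if [[ ! -f "$ENV_FILE" ]]; then
  {
    printf 'UI_HOST=%q\n' "${UI_HOST:-}"
    printf 'WEBMAIL_HOST=%q\n' "${WEBMAIL_HOST:-}"
    printf 'MAIL_HOSTNAME=%q\n' "${MAIL_HOSTNAME:-}"
  } >"$ENV_FILE"
  chmod 0644 "$ENV_FILE"
  log "[+] ${ENV_FILE} erstellt."
fi

# 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded
cat >"$WRAPPER" <<'WRAP'
#!/usr/bin/env bash
# mw-deploy.sh — point /etc/ssl/{ui,webmail,mail} at the Let's Encrypt
# lineages and reload nginx. Run by the installer and by the certbot deploy
# hook after each renewal. Hostnames come from the environment, falling back
# to /etc/mailwolt/installer.env (written by the installer).
set -euo pipefail

env_file=/etc/mailwolt/installer.env

# Values exported by the caller take precedence over the persisted file.
ui_from_env="${UI_HOST:-}"
webmail_from_env="${WEBMAIL_HOST:-}"
mail_from_env="${MAIL_HOSTNAME:-}"
if [[ -r "$env_file" ]]; then
  # shellcheck disable=SC1090 — root-owned KEY=VALUE file written by the installer
  source "$env_file"
fi
UI_HOST="${ui_from_env:-${UI_HOST:-}}"
WEBMAIL_HOST="${webmail_from_env:-${WEBMAIL_HOST:-}}"
MAIL_HOSTNAME="${mail_from_env:-${MAIL_HOSTNAME:-}}"

#######################################
# Symlink fullchain.pem / privkey.pem of a lineage into a target directory.
# Arguments: $1 - lineage dir (/etc/letsencrypt/live/<host>)
#            $2 - target dir  (/etc/ssl/<role>)
# Outputs:   one "[+] Linked ..." line on stdout when something was linked
# Returns:   0 always; skips silently when the lineage has no usable files
#######################################
link_if() {
  local le_base="$1" target_dir="$2"
  local cert="${le_base}/fullchain.pem"
  local key="${le_base}/privkey.pem"
  # Nothing to link yet (e.g. first run before certbot has issued the cert).
  [[ -s "$cert" && -s "$key" ]] || return 0
  install -d -m 0755 "$target_dir"
  ln -sf "$cert" "${target_dir}/fullchain.pem"
  ln -sf "$key" "${target_dir}/privkey.pem"
  # chmod follows the symlink, so this touches the file behind the lineage;
  # kept best-effort on purpose.
  chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
  chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
  echo "[+] Linked ${target_dir} -> ${le_base}"
}

if [[ -n "$UI_HOST" ]]; then
  link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
fi
if [[ -n "$WEBMAIL_HOST" ]]; then
  link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
fi
if [[ -n "$MAIL_HOSTNAME" ]]; then
  link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
fi

# Only reload when nginx is already running (the installer starts it later).
# A failed reload is reported but does not fail the certbot renewal.
if systemctl is-active --quiet nginx; then
  systemctl reload nginx || echo "[!] nginx reload failed" >&2
fi
WRAP
chmod +x "$WRAPPER"

# 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals
install -d -m 0755 "$HOOK_DIR"
cat >"$HOOK_FILE" <<'HOOK'
#!/usr/bin/env bash
# certbot deploy hook: refresh MailWolt symlinks and reload nginx after a renewal.
exec /usr/local/sbin/mw-deploy.sh
HOOK
chmod +x "$HOOK_FILE"
log "[✓] MailWolt Deploy-Hook eingerichtet"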
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
## ────────────────────────────────────────────────────────────────────────────
## 21-le-deploy-hook.sh
## • legt /etc/mailwolt/installer.env an (falls fehlt)
## • erzeugt Deploy-Hooks:
## - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
## - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
## • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
## ────────────────────────────────────────────────────────────────────────────
#
## 0) Hostnamen persistent speichern (für spätere Deploys)
#install -d -m 0755 /etc/mailwolt
#if [[ ! -f /etc/mailwolt/installer.env ]]; then
# cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
#WEBMAIL_HOST=${WEBMAIL_HOST}
#MAIL_HOSTNAME=${MAIL_HOSTNAME}
#EOF
# echo "[+] /etc/mailwolt/installer.env erstellt."
#fi
#
## 1) Deploy-Hooks-Verzeichnis anlegen
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#
## ────────────────────────────────────────────────────────────────────────────
## 2) 50-mailwolt-symlinks.sh
## ────────────────────────────────────────────────────────────────────────────
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
##!/usr/bin/env bash
#set -euo pipefail
#
#UI_LE="/etc/letsencrypt/live/${UI_HOST}"
#WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
#MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
#
#UI_SSL_DIR="/etc/ssl/ui"
#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
#MAIL_SSL_DIR="/etc/ssl/mail"
#
## Zielverzeichnisse anlegen (einmalig)
#install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
#
#link_if() {
# local le_base="\$1" target_dir="\$2"
# local cert="\${le_base}/fullchain.pem"
# local key="\${le_base}/privkey.pem"
# [[ -s "\$cert" && -s "\$key" ]] || return 0
# ln -sf "\$cert" "\${target_dir}/fullchain.pem"
# ln -sf "\$key" "\${target_dir}/privkey.pem"
# chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
# chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true
# echo "[+] Linked \${target_dir} -> \${le_base}"
#}
#
## Verlinken (nur wenn Host konfiguriert)
#[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR"
#[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
#[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
#
## Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
#if systemctl is-active --quiet nginx; then
# systemctl reload nginx || true
#fi
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
## ────────────────────────────────────────────────────────────────────────────
## 3) 60-mailwolt-tlsa.sh
## → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
## → schreibt nur, wenn sich der Hash geändert hat (idempotent)
## ────────────────────────────────────────────────────────────────────────────
#cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
##!/usr/bin/env bash
#set -euo pipefail
#
## installer.env lesen
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#APP_ENV_VAL="${APP_ENV:-production}"
#BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
#
#case "$APP_ENV_VAL" in
# local|dev|development) exit 0 ;;
#esac
#[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
#
#MX_HOST="${MAIL_HOSTNAME:-}"
#SERVICE="_25._tcp"
#DNS_DIR="/etc/mailwolt/dns"
#OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
#
## Nur reagieren, wenn MX-Zertifikat betroffen war
#case " ${RENEWED_DOMAINS:-} " in
# *" ${MX_HOST} "*) ;;
# *) exit 0 ;;
#esac
#
#CERT="${RENEWED_LINEAGE}/fullchain.pem"
#[ -s "$CERT" ] || exit 0
#
## Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent)
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
# cd /var/www/mailwolt || exit 0
# php artisan dns:tlsa:refresh || true
# exit 0
#fi
#
## Fallback: nur Datei aktualisieren, wenn Hash sich ändert
#HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
# | openssl pkey -pubin -outform DER \
# | openssl dgst -sha256 | sed 's/^.*= //')"
#NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
#
#mkdir -p "$DNS_DIR"
#
#if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
# if grep -q "$HASH" "$OUT_FILE"; then
# echo "[TLSA] Unverändert – kein Update nötig."
# exit 0
# fi
#fi
#
#echo "$NEW_LINE" > "$OUT_FILE"
#echo "[TLSA] Aktualisiert: $NEW_LINE"
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
#
## ────────────────────────────────────────────────────────────────────────────
#echo "[✓] Deploy-Hooks installiert."