#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
# -----------------------------------------------------------------------------
# 21-le-deploy-hook.sh
# - Legt /etc/mailwolt/installer.env (falls fehlt) an
# - Erzeugt LE-Deploy-Hooks:
# * 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
# * 60-mailwolt-tlsa.sh → schreibt TLSA (3 1 1) für MX nach jedem Renew
# -----------------------------------------------------------------------------
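# 1) Persist the hostnames for the deploy hooks.
#    certbot runs deploy hooks with its own minimal environment, so the hooks
#    re-read the hostnames from this file on every renewal.  The hooks source it
#    with `.`, i.e. its contents are executed as shell code: every value is
#    therefore written shell-quoted (printf %q) so that an unusual hostname can
#    never turn into a command.  Created only once; an existing file is left
#    untouched (re-run the installer with the file removed to change hosts).
if [[ ! -f /etc/mailwolt/installer.env ]]; then
  # Fail with a readable message instead of a bare "unbound variable" when the
  # installer did not export one of the hostnames.  Empty values stay allowed:
  # the hooks skip a host whose name is empty.
  : "${UI_HOST?UI_HOST is not set}" \
    "${WEBMAIL_HOST?WEBMAIL_HOST is not set}" \
    "${MAIL_HOSTNAME?MAIL_HOSTNAME is not set}"
  install -d -m 0755 /etc/mailwolt
  {
    printf 'UI_HOST=%q\n' "${UI_HOST}"
    printf 'WEBMAIL_HOST=%q\n' "${WEBMAIL_HOST}"
    printf 'MAIL_HOSTNAME=%q\n' "${MAIL_HOSTNAME}"
  } >/etc/mailwolt/installer.env
  echo "[+] /etc/mailwolt/installer.env erstellt."
fi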
# 2) Directory certbot scans for deploy hooks (executed after every successful
#    issue/renew).  `install -d` creates missing parents and is a no-op when the
#    directory already exists.
DEPLOY_HOOK_DIR="/etc/letsencrypt/renewal-hooks/deploy"
install -d -m 0755 "${DEPLOY_HOOK_DIR}"
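# 3) Hook: link the LE certificates into /etc/ssl/* and reload the TLS consumers.
#    certbot runs deploy hooks as root after every successful issue/renew.  The
#    installer's variables are not part of that environment, so the hook
#    sources /etc/mailwolt/installer.env itself (see step 1).
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# Load the hostnames saved by the installer (if present) without tripping -u.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u

UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
LE_LIVE="/etc/letsencrypt/live"

# Empty defaults: a host that the installer did not configure is simply skipped.
UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MX_HOST="${MAIL_HOSTNAME:-}"

# link_if LINEAGE_DIR TARGET_DIR
#   Symlink fullchain.pem and privkey.pem from a certbot lineage directory into
#   TARGET_DIR and pin their modes.  Does nothing when either file is missing
#   (lineage not issued yet), so the hook stays safe for every renewal.
#   `ln -n`: if TARGET_DIR/<name> already is a symlink to a directory, replace
#   the link instead of silently creating the new link *inside* that directory.
#   chmod follows the symlink chain, so the modes land on the real files in
#   /etc/letsencrypt/archive: key root-only (0600, certbot's own default),
#   chain world-readable.
link_if() {
  local lineage="$1" target_dir="$2"
  local cert="${lineage}/fullchain.pem"
  local key="${lineage}/privkey.pem"
  if [[ -f "$cert" && -f "$key" ]]; then
    install -d -m 0755 "$target_dir"
    ln -sfn "$cert" "${target_dir}/fullchain.pem"
    ln -sfn "$key" "${target_dir}/privkey.pem"
    chmod 0600 "${target_dir}/privkey.pem"
    chmod 0644 "${target_dir}/fullchain.pem"
    echo "[+] Linked ${target_dir} -> ${lineage}"
  fi
}

[[ -n "$UI_HOST" ]] && link_if "${LE_LIVE}/${UI_HOST}" "$UI_SSL_DIR"
[[ -n "$WEBMAIL_HOST" ]] && link_if "${LE_LIVE}/${WEBMAIL_HOST}" "$WEBMAIL_SSL_DIR"
[[ -n "$MX_HOST" ]] && link_if "${LE_LIVE}/${MX_HOST}" "$MAIL_SSL_DIR"

# Reload every service that holds the certificate in memory, but only those
# that are actually running (`try-reload-or-restart` is a no-op for inactive
# units, so this is harmless during the initial install when Postfix/Dovecot
# are not set up yet).  Dovecot in particular loads its certificate at startup
# and would keep serving the old, eventually expired one after a renewal if
# only nginx were reloaded; Postfix picks the new file up as smtpd processes
# recycle, a reload just makes that immediate.  Failure to reload must not
# make the certbot run fail — the certificate is already deployed at this point.
systemctl try-reload-or-restart nginx postfix dovecot || true
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh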
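# 4) Hook: compute the DANE TLSA (3 1 1) record for the MX after every
#    issue/renew that included the MX certificate.
#    3 1 1 = DANE-EE, SubjectPublicKeyInfo, SHA-256: the hash is over the leaf
#    certificate's public key only, so it is independent of the CA chain.
#    NOTE(review): the record is only *written to a file*; nothing here
#    publishes it to DNS.  With certbot's default of a fresh private key on
#    every renewal the hash changes each time, and DANE-validating senders
#    defer mail until the new record is live.  Either keep the key across
#    renewals (`reuse_key = True` in the lineage's renewal config) or do a
#    proper rollover: publish the next key's hash alongside the current one
#    (two "3 1 1" records) for at least one TTL before the certificate is
#    switched, and remove the old record only afterwards.
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# certbot does not pass the installer's variables to hooks; read the MX name
# from installer.env (written by the installer) without tripping -u.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
MX_HOST="${MAIL_HOSTNAME:-}"
[[ -n "$MX_HOST" ]] || exit 0

# certbot sets RENEWED_LINEAGE/RENEWED_DOMAINS for deploy hooks; when the hook
# is run by hand they are absent — there is nothing to hash then.
[[ -n "${RENEWED_LINEAGE:-}" ]] || exit 0

# Only act when the MX name was part of this run (RENEWED_DOMAINS is a
# space-separated list; the padding spaces make the match whole-word).
case " ${RENEWED_DOMAINS:-} " in
  *" ${MX_HOST} "*) ;;
  *) exit 0 ;;
esac

CERT="${RENEWED_LINEAGE}/fullchain.pem"
if [[ -s "$CERT" ]]; then
  # `openssl x509` reads the first PEM block of fullchain.pem, i.e. the leaf.
  # dgst prints "<label>(stdin)= <hex>"; keep only the hex digest.
  HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256)"
  HASH="${HASH##*= }"
  # Never write a malformed record: a broken pipeline would otherwise produce
  # a TLSA line that takes the whole DANE setup down once published.
  if [[ ! "$HASH" =~ ^[0-9a-f]{64}$ ]]; then
    printf '[TLSA] could not derive SPKI hash from %s\n' "$CERT" >&2
    exit 1
  fi
  TLSA_LINE="_25._tcp.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
  install -d -m 0755 /etc/mailwolt/dns
  printf '%s\n' "${TLSA_LINE}" > "/etc/mailwolt/dns/${MX_HOST}.tlsa.txt"
  printf '[TLSA] %s\n' "${TLSA_LINE}"
fi
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh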