boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mailwolt-installer/scripts/21-le-deploy-hook.sh

254 lines
9.6 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
# 1) Wrapper, den Certbot bei Issue/Renew aufruft
cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
#!/usr/bin/env bash
set -euo pipefail
# Installer-Variablen laden (UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME, optional LE_EMAIL etc.)
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
link_if() {
local le_base="$1" target_dir="$2"
local cert="${le_base}/fullchain.pem"
local key="${le_base}/privkey.pem"
[[ -s "$cert" && -s "$key" ]] || return 0
install -d -m 0755 "$target_dir"
ln -sf "$cert" "${target_dir}/fullchain.pem"
ln -sf "$key" "${target_dir}/privkey.pem"
chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
echo "[+] Linked ${target_dir} -> ${le_base}"
}
# Nur für Domains arbeiten, die im aktuellen Lauf erneuert/ausgestellt wurden
RDOMS=" ${RENEWED_DOMAINS:-} "
# UI
if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then
link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
fi
# Webmail
if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then
link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
fi
# MX
if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then
link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
fi
# Optional: TLSA via Laravel, falls App schon vorhanden (sonst still überspringen)
if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
(cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
fi
# Nginx nur neu laden, wenn aktiv
if systemctl is-active --quiet nginx; then
systemctl reload nginx || true
fi
WRAP
chmod +x /usr/local/sbin/mw-deploy.sh
# 2) Certbot-Deploy-Hooks einrichten (ruft nur den Wrapper auf)
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
exec /usr/local/sbin/mw-deploy.sh
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
log "[✓] MailWolt Deploy-Hook eingerichtet"
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
#
## 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded
#cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
##!/usr/bin/env bash
#set -euo pipefail
#
#link_if() {
# local le_base="$1" target_dir="$2"
# local cert="${le_base}/fullchain.pem"
# local key="${le_base}/privkey.pem"
# [[ -s "$cert" && -s "$key" ]] || return 0
# install -d -m 0755 "$target_dir"
# ln -sf "$cert" "${target_dir}/fullchain.pem"
# ln -sf "$key" "${target_dir}/privkey.pem"
# chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
# chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
# echo "[+] Linked ${target_dir} -> ${le_base}"
#}
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#
#[[ -n "$UI_HOST" ]] && link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
#[[ -n "$WEBMAIL_HOST" ]] && link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
#[[ -n "$MAIL_HOSTNAME" ]] && link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
#
#if systemctl is-active --quiet nginx; then
# systemctl reload nginx || true
#fi
#WRAP
#
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
#log "[✓] MailWolt Deploy-Hook eingerichtet"
#
###!/usr/bin/env bash
##set -euo pipefail
##source ./lib.sh
##
### ────────────────────────────────────────────────────────────────────────────
### 21-le-deploy-hook.sh
### • legt /etc/mailwolt/installer.env an (falls fehlt)
### • erzeugt Deploy-Hooks:
### - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
### - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
### • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
### ────────────────────────────────────────────────────────────────────────────
##
### 0) Hostnamen persistent speichern (für spätere Deploys)
##install -d -m 0755 /etc/mailwolt
##if [[ ! -f /etc/mailwolt/installer.env ]]; then
## cat >/etc/mailwolt/installer.env <<EOF
##UI_HOST=${UI_HOST}
##WEBMAIL_HOST=${WEBMAIL_HOST}
##MAIL_HOSTNAME=${MAIL_HOSTNAME}
##EOF
## echo "[+] /etc/mailwolt/installer.env erstellt."
##fi
##
### 1) Deploy-Hooks-Verzeichnis anlegen
##install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
##
### ────────────────────────────────────────────────────────────────────────────
### 2) 50-mailwolt-symlinks.sh
### ────────────────────────────────────────────────────────────────────────────
##cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
###!/usr/bin/env bash
##set -euo pipefail
##
##UI_LE="/etc/letsencrypt/live/${UI_HOST}"
##WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
##MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
##
##UI_SSL_DIR="/etc/ssl/ui"
##WEBMAIL_SSL_DIR="/etc/ssl/webmail"
##MAIL_SSL_DIR="/etc/ssl/mail"
##
### Zielverzeichnisse anlegen (einmalig)
##install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
##
##link_if() {
## local le_base="\$1" target_dir="\$2"
## local cert="\${le_base}/fullchain.pem"
## local key="\${le_base}/privkey.pem"
## [[ -s "\$cert" && -s "\$key" ]] || return 0
## ln -sf "\$cert" "\${target_dir}/fullchain.pem"
## ln -sf "\$key" "\${target_dir}/privkey.pem"
## chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
## chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true
## echo "[+] Linked \${target_dir} -> \${le_base}"
##}
##
### Verlinken (nur wenn Host konfiguriert)
##[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR"
##[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
##[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
##
### Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
##if systemctl is-active --quiet nginx; then
## systemctl reload nginx || true
##fi
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
##
### ────────────────────────────────────────────────────────────────────────────
### 3) 60-mailwolt-tlsa.sh
### → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
### → schreibt nur, wenn sich der Hash geändert hat (idempotent)
### ────────────────────────────────────────────────────────────────────────────
##cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
###!/usr/bin/env bash
##set -euo pipefail
##
### installer.env lesen
##set +u
##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
##set -u
##
##APP_ENV_VAL="${APP_ENV:-production}"
##BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
##
##case "$APP_ENV_VAL" in
## local|dev|development) exit 0 ;;
##esac
##[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
##
##MX_HOST="${MAIL_HOSTNAME:-}"
##SERVICE="_25._tcp"
##DNS_DIR="/etc/mailwolt/dns"
##OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
##
### Nur reagieren, wenn MX-Zertifikat betroffen war
##case " ${RENEWED_DOMAINS:-} " in
## *" ${MX_HOST} "*) ;;
## *) exit 0 ;;
##esac
##
##CERT="${RENEWED_LINEAGE}/fullchain.pem"
##[ -s "$CERT" ] || exit 0
##
### Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent)
##if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
## cd /var/www/mailwolt || exit 0
## php artisan dns:tlsa:refresh || true
## exit 0
##fi
##
### Fallback: nur Datei aktualisieren, wenn Hash sich ändert
##HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
## | openssl pkey -pubin -outform DER \
## | openssl dgst -sha256 | sed 's/^.*= //')"
##NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
##
##mkdir -p "$DNS_DIR"
##
##if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
## if grep -q "$HASH" "$OUT_FILE"; then
## echo "[TLSA] Unverändert kein Update nötig."
## exit 0
## fi
##fi
##
##echo "$NEW_LINE" > "$OUT_FILE"
##echo "[TLSA] Aktualisiert: $NEW_LINE"
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
##
### ────────────────────────────────────────────────────────────────────────────
##echo "[✓] Deploy-Hooks installiert."
Reference in New Issue View Git Blame Copy Permalink