mailwolt-installer/scripts/21-le-deploy-hook.sh


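#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
# ────────────────────────────────────────────────────────────────────────────
# 21-le-deploy-hook.sh
# • creates /etc/mailwolt/installer.env (if it does not exist yet)
# • generates the Let's Encrypt deploy hooks:
#   - 50-mailwolt-symlinks.sh → links the LE certs into /etc/ssl/{ui,webmail,mail}
#   - 60-mailwolt-tlsa.sh     → refreshes the TLSA (3 1 1) record of the MX on every renew
# • NO reload of Postfix/Dovecot here (the installer does that later)
#
# Requires UI_HOST, WEBMAIL_HOST and MAIL_HOSTNAME in the environment
# (`set -u` aborts the script if any of them is unset).
# ────────────────────────────────────────────────────────────────────────────
# 0) Persist the host names for later deploys.
#    60-mailwolt-tlsa.sh sources this file as root on every renewal, so the file
#    is created with an explicit 0644 mode (root-owned, neither group- nor
#    world-writable) instead of inheriting whatever umask the installer runs with.
#    The values are written unquoted; they must be plain host names without
#    shell metacharacters — presumably validated earlier in the installer (TODO confirm in lib.sh).
install -d -m 0755 /etc/mailwolt
if [[ ! -f /etc/mailwolt/installer.env ]]; then
  # create the (empty) file with a fixed mode first; the heredoc below only truncates/fills it
  install -m 0644 /dev/null /etc/mailwolt/installer.env
  cat >/etc/mailwolt/installer.env <<EOF
UI_HOST=${UI_HOST}
WEBMAIL_HOST=${WEBMAIL_HOST}
MAIL_HOSTNAME=${MAIL_HOSTNAME}
EOF
  echo "[+] /etc/mailwolt/installer.env erstellt."
fi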
# 1) Create the deploy-hook directory (certbot runs the executables in it after each successful renewal).
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
# ────────────────────────────────────────────────────────────────────────────
# 2) 50-mailwolt-symlinks.sh
#    Links the LE lineage of each configured host into /etc/ssl/{ui,webmail,mail}
#    and reloads nginx only if it is already running.
#    The heredoc delimiter is deliberately UNquoted: ${UI_HOST}, ${WEBMAIL_HOST}
#    and ${MAIL_HOSTNAME} are baked into the hook at install time (later edits to
#    /etc/mailwolt/installer.env do not affect this hook), while every "\$" below
#    is escaped so that it is expanded when the hook runs, not now.
#    Note: chmod follows the symlinks, so the 644/600 modes are applied to the
#    files under /etc/letsencrypt that the links point to, not to the links.
#    link_if silently skips a lineage whose fullchain.pem/privkey.pem is missing or empty.
# ────────────────────────────────────────────────────────────────────────────
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
#!/usr/bin/env bash
set -euo pipefail
UI_LE="/etc/letsencrypt/live/${UI_HOST}"
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
# Zielverzeichnisse anlegen (einmalig)
install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
link_if() {
local le_base="\$1" target_dir="\$2"
local cert="\${le_base}/fullchain.pem"
local key="\${le_base}/privkey.pem"
[[ -s "\$cert" && -s "\$key" ]] || return 0
ln -sf "\$cert" "\${target_dir}/fullchain.pem"
ln -sf "\$key" "\${target_dir}/privkey.pem"
chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true
echo "[+] Linked \${target_dir} -> \${le_base}"
}
# Verlinken (nur wenn Host konfiguriert)
[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR"
[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
# Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
if systemctl is-active --quiet nginx; then
systemctl reload nginx || true
fi
HOOK
# the hook must be executable, otherwise certbot skips it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
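# ────────────────────────────────────────────────────────────────────────────
# 3) 60-mailwolt-tlsa.sh
# → uses Laravel if present; otherwise falls back to OpenSSL.
# → only writes when the hash changed (idempotent)
#
# The delimiter is quoted, so nothing below is expanded at install time; the
# hook reads its configuration from /etc/mailwolt/installer.env at run time.
# installer.env as created by this script only carries UI_HOST, WEBMAIL_HOST
# and MAIL_HOSTNAME, so the APP_ENV / BASE_DOMAIN guards in the hook fall back
# to their defaults ("production" / "example.com" → exit) unless those variables
# are added to the file or are present in certbot's environment
# — TODO confirm where BASE_DOMAIN is expected to come from.
#
# NOTE(review): certbot runs deploy hooks as root, and the Laravel branch executes
# `php artisan` from /var/www/mailwolt. If that tree is writable by the web-server
# user, a compromised web app would run code as root at the next renewal; consider
# running the artisan call as the application's own user (e.g. via runuser)
# — confirm which user owns /var/www/mailwolt.
# ────────────────────────────────────────────────────────────────────────────
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# Read installer.env (may be missing on a partially installed system).
# set -u is lifted while sourcing in case the file references unset variables.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
APP_ENV_VAL="${APP_ENV:-production}"
BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
# Never publish TLSA data for a development box or the placeholder domain.
case "$APP_ENV_VAL" in
  local|dev|development) exit 0 ;;
esac
[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
MX_HOST="${MAIL_HOSTNAME:-}"
# Without an MX host there is nothing to match against (and OUT_FILE would be
# "/etc/mailwolt/dns/.tlsa.txt"); leave quietly instead.
[ -n "$MX_HOST" ] || exit 0
SERVICE="_25._tcp"
DNS_DIR="/etc/mailwolt/dns"
OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
# Only react when the MX certificate was among the renewed ones.
# RENEWED_DOMAINS is the space-separated list certbot passes to deploy hooks;
# when it is unset (manual run) nothing matches and we exit 0.
case " ${RENEWED_DOMAINS:-} " in
  *" ${MX_HOST} "*) ;;
  *) exit 0 ;;
esac
# RENEWED_LINEAGE is set by certbot as well; guard it so a manual run exits 0
# instead of aborting on an unbound variable under set -u.
[ -n "${RENEWED_LINEAGE:-}" ] || exit 0
CERT="${RENEWED_LINEAGE}/fullchain.pem"
[ -s "$CERT" ] || exit 0
# Laravel present → internal command (keeps DB and file in sync, idempotent)
if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
  cd /var/www/mailwolt || exit 0
  php artisan dns:tlsa:refresh || true
  exit 0
fi
# Fallback: only rewrite the file when the hash changed.
# TLSA 3 1 1 = DANE-EE, SubjectPublicKeyInfo, SHA-256: the digest of the DER-encoded
# public key of the first certificate in fullchain.pem (the leaf). With pipefail a
# failure of any openssl stage aborts the hook with a non-zero status.
HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 | sed 's/^.*= //')"
NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
mkdir -p "$DNS_DIR"
if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
  # fixed-string match: the hash is hex, but -F keeps grep from treating it as a pattern
  if grep -qF -- "$HASH" "$OUT_FILE"; then
    echo "[TLSA] Unverändert kein Update nötig."
    exit 0
  fi
fi
printf '%s\n' "$NEW_LINE" > "$OUT_FILE"
echo "[TLSA] Aktualisiert: $NEW_LINE"
HOOK
# the hook must be executable, otherwise certbot skips it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
# ────────────────────────────────────────────────────────────────────────────
echo "[✓] Deploy-Hooks installiert."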