76 lines
2.3 KiB
Bash
76 lines
2.3 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
install -d /etc/letsencrypt/renewal-hooks/deploy
|
||
|
||
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
|
||
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
# Env aus dem Installer laden (falls vorhanden), aber unbound vermeiden
|
||
set +u
|
||
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
set -u
|
||
|
||
UI_SSL_DIR="/etc/ssl/ui"
|
||
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
|
||
MAIL_SSL_DIR="/etc/ssl/mail"
|
||
|
||
# Falls Variablen nicht gesetzt sind → leere Defaults (vermeidet unbound)
|
||
UI_HOST="${UI_HOST:-}"
|
||
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
|
||
MX_HOST="${MAIL_HOSTNAME:-}"
|
||
|
||
UI_LE="/etc/letsencrypt/live/${UI_HOST}"
|
||
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
|
||
MX_LE="/etc/letsencrypt/live/${MX_HOST}"
|
||
|
||
link_if() {
|
||
local le_base="$1" target_dir="$2"
|
||
local cert="${le_base}/fullchain.pem"
|
||
local key="${le_base}/privkey.pem"
|
||
if [ -f "$cert" ] && [ -f "$key" ]; then
|
||
install -d -m 0755 "$target_dir"
|
||
ln -sf "$cert" "${target_dir}/fullchain.pem"
|
||
ln -sf "$key" "${target_dir}/privkey.pem"
|
||
echo "[+] Linked ${target_dir} -> ${le_base}"
|
||
fi
|
||
}
|
||
|
||
# Nur linken, wenn Hostnamen vorhanden sind
|
||
[ -n "$UI_HOST" ] && link_if "$UI_LE" "$UI_SSL_DIR"
|
||
[ -n "$WEBMAIL_HOST" ] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
|
||
[ -n "$MX_HOST" ] && link_if "$MX_LE" "$MAIL_SSL_DIR"
|
||
|
||
# Dienste neu laden
|
||
systemctl reload nginx || true
|
||
systemctl reload postfix dovecot || true
|
||
HOOK
|
||
|
||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
|
||
|
||
# --- 60: TLSA-Hook (bei jedem Renew für MX neu berechnen – falls Key doch rotiert) ---
|
||
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<HOOK
|
||
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
MX_HOST="${MAIL_HOSTNAME}"
|
||
|
||
# Nur reagieren, wenn das MX-Zert erneuert wurde
|
||
case " \${RENEWED_DOMAINS:-} " in
|
||
*" \${MX_HOST} "*) ;;
|
||
*) exit 0 ;;
|
||
esac
|
||
|
||
CERT="\${RENEWED_LINEAGE}/fullchain.pem"
|
||
if [[ -s "\$CERT" ]]; then
|
||
HASH="\$(openssl x509 -in "\$CERT" -noout -pubkey \
|
||
| openssl pkey -pubin -outform DER \
|
||
| openssl dgst -sha256 | sed 's/^.*= //')"
|
||
TLSA_LINE="_25._tcp.\${MX_HOST}. IN TLSA 3 1 1 \${HASH}"
|
||
install -d -m 0755 /etc/mailwolt/dns
|
||
echo "\${TLSA_LINE}" > "/etc/mailwolt/dns/\${MX_HOST}.tlsa.txt"
|
||
echo "[TLSA] \${TLSA_LINE}"
|
||
fi
|
||
HOOK
|
||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh |