2020-10-21 16:16:32 +00:00
|
|
|
|
#! /bin/bash
|
2022-02-21 10:56:57 +00:00
|
|
|
|
|
2021-11-20 20:33:49 +00:00
|
|
|
|
# TODO: Adapt for compatibility with LDAP
|
|
|
|
|
|
# Only the cert renewal change detection may be relevant for LDAP?
|
2017-10-10 06:15:18 +00:00
|
|
|
|
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
# CHKSUM_FILE global is imported from this file:
|
2022-02-21 10:56:57 +00:00
|
|
|
|
# shellcheck source=./helpers/index.sh
|
|
|
|
|
|
source /usr/local/bin/helpers/index.sh
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
|
2022-04-02 17:39:15 +00:00
|
|
|
|
# This script requires some environment variables to be properly set. This
|
|
|
|
|
|
# includes POSTMASTER_ADDRESS (for alias (re-)generation), HOSTNAME and
|
|
|
|
|
|
# DOMAINNAME (in ssl.sh).
|
|
|
|
|
|
# shellcheck source=/dev/null
|
|
|
|
|
|
source /etc/dms-settings
|
|
|
|
|
|
|
|
|
|
|
|
_log_with_date 'debug' 'Starting changedetector'
|
|
|
|
|
|
|
|
|
|
|
|
# TODO in the future, when we do not use HOSTNAME but DMS_HOSTNAME everywhere,
|
|
|
|
|
|
# TODO we can delete this call as we needn't calculate the names twice
|
|
|
|
|
|
# ATTENTION: Do not remove!
|
|
|
|
|
|
# This script requies HOSTNAME and DOMAINNAME
|
|
|
|
|
|
# to be properly set.
|
|
|
|
|
|
_obtain_hostname_and_domainname
|
2020-06-30 20:43:22 +00:00
|
|
|
|
|
2022-04-02 17:39:15 +00:00
|
|
|
|
if ! cd /tmp/docker-mailserver &>/dev/null
|
|
|
|
|
|
then
|
2022-04-19 19:09:25 +00:00
|
|
|
|
_exit_with_error "Could not change into '/tmp/docker-mailserver/' directory" 0
|
2022-04-02 17:39:15 +00:00
|
|
|
|
fi
|
2017-10-10 06:15:18 +00:00
|
|
|
|
|
2021-01-16 09:16:05 +00:00
|
|
|
|
# check postfix-accounts.cf exist else break
|
2020-09-05 14:19:12 +00:00
|
|
|
|
if [[ ! -f postfix-accounts.cf ]]
|
|
|
|
|
|
then
|
2022-04-19 19:09:25 +00:00
|
|
|
|
_exit_with_error "'/tmp/docker-mailserver/postfix-accounts.cf' is missing" 0
|
2019-08-01 07:58:22 +00:00
|
|
|
|
fi
|
|
|
|
|
|
|
2021-01-16 09:16:05 +00:00
|
|
|
|
# verify checksum file exists; must be prepared by start-mailserver.sh
|
2020-09-06 10:27:40 +00:00
|
|
|
|
if [[ ! -f ${CHKSUM_FILE} ]]
|
2020-09-05 14:19:12 +00:00
|
|
|
|
then
|
2022-06-04 23:59:54 +00:00
|
|
|
|
_exit_with_error "'${CHKSUM_FILE}' is missing" 0
|
2019-08-01 07:58:22 +00:00
|
|
|
|
fi
|
2017-10-10 06:15:18 +00:00
|
|
|
|
|
2022-02-18 10:29:51 +00:00
|
|
|
|
REGEX_NEVER_MATCH="(?\!)"
|
|
|
|
|
|
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'trace' "Using postmaster address '${POSTMASTER_ADDRESS}'"
|
|
|
|
|
|
|
2021-11-03 20:28:40 +00:00
|
|
|
|
# Change detection delayed during startup to avoid conflicting writes
|
2019-08-01 17:39:25 +00:00
|
|
|
|
sleep 10
|
2018-11-01 19:17:07 +00:00
|
|
|
|
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'debug' "Chagedetector is ready"
|
2021-11-03 20:28:40 +00:00
|
|
|
|
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
function _check_for_changes
|
|
|
|
|
|
{
|
2020-09-05 14:19:12 +00:00
|
|
|
|
# get chksum and check it, no need to lock config yet
|
|
|
|
|
|
_monitored_files_checksums >"${CHKSUM_FILE}.new"
|
2021-08-28 23:16:34 +00:00
|
|
|
|
cmp --silent -- "${CHKSUM_FILE}" "${CHKSUM_FILE}.new"
|
2022-02-08 22:21:45 +00:00
|
|
|
|
|
2021-08-28 23:16:34 +00:00
|
|
|
|
# cmp return codes
|
|
|
|
|
|
# 0 – files are identical
|
|
|
|
|
|
# 1 – files differ
|
|
|
|
|
|
# 2 – inaccessible or missing argument
|
2021-12-19 10:56:22 +00:00
|
|
|
|
if [[ ${?} -eq 1 ]]
|
2020-09-05 14:19:12 +00:00
|
|
|
|
then
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'info' 'Change detected'
|
2022-02-21 10:56:57 +00:00
|
|
|
|
_create_lock # Shared config safety lock
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
local CHANGED
|
2021-08-28 23:16:34 +00:00
|
|
|
|
CHANGED=$(grep -Fxvf "${CHKSUM_FILE}" "${CHKSUM_FILE}.new" | sed 's/^[^ ]\+ //')
|
|
|
|
|
|
|
2022-02-08 22:21:45 +00:00
|
|
|
|
# TODO Perform updates below conditionally too
|
2021-08-28 23:16:34 +00:00
|
|
|
|
# Also note that changes are performed in place and are not atomic
|
|
|
|
|
|
# We should fix that and write to temporary files, stop, swap and start
|
|
|
|
|
|
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
# _setup_ssl is required for:
|
|
|
|
|
|
# manual - copy to internal DMS_TLS_PATH (/etc/dms/tls) that Postfix and Dovecot are configured to use.
|
|
|
|
|
|
# acme.json - presently uses /etc/letsencrypt/live/<FQDN> instead of DMS_TLS_PATH,
|
|
|
|
|
|
# path may change requiring Postfix/Dovecot config update.
|
2022-02-18 10:29:51 +00:00
|
|
|
|
if [[ ${SSL_TYPE} == 'manual' ]]
|
|
|
|
|
|
then
|
|
|
|
|
|
# only run the SSL setup again if certificates have really changed.
|
|
|
|
|
|
if [[ ${CHANGED} =~ ${SSL_CERT_PATH:-${REGEX_NEVER_MATCH}} ]] \
|
|
|
|
|
|
|| [[ ${CHANGED} =~ ${SSL_KEY_PATH:-${REGEX_NEVER_MATCH}} ]] \
|
|
|
|
|
|
|| [[ ${CHANGED} =~ ${SSL_ALT_CERT_PATH:-${REGEX_NEVER_MATCH}} ]] \
|
|
|
|
|
|
|| [[ ${CHANGED} =~ ${SSL_ALT_KEY_PATH:-${REGEX_NEVER_MATCH}} ]]
|
|
|
|
|
|
then
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'debug' 'Manual certificates have changed - extracting certificates'
|
2022-02-18 10:29:51 +00:00
|
|
|
|
_setup_ssl
|
|
|
|
|
|
fi
|
2021-12-18 22:25:15 +00:00
|
|
|
|
# `acme.json` is only relevant to Traefik, and is where it stores the certificates it manages.
|
|
|
|
|
|
# When a change is detected it's assumed to be a possible cert renewal that needs to be
|
|
|
|
|
|
# extracted for `docker-mailserver` services to adjust to.
|
2022-02-18 10:29:51 +00:00
|
|
|
|
elif [[ ${CHANGED} =~ /etc/letsencrypt/acme.json ]]
|
2021-12-18 22:25:15 +00:00
|
|
|
|
then
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'debug' "'/etc/letsencrypt/acme.json' has changed - extracting certificates"
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
_setup_ssl
|
2021-12-18 22:25:15 +00:00
|
|
|
|
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
# Prevent an unnecessary change detection from the newly extracted cert files by updating their hashes in advance:
|
|
|
|
|
|
local CERT_DOMAIN
|
2022-05-05 08:28:38 +00:00
|
|
|
|
CERT_DOMAIN=$(_find_letsencrypt_domain)
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
ACME_CERT_DIR="/etc/letsencrypt/live/${CERT_DOMAIN}"
|
|
|
|
|
|
|
|
|
|
|
|
sed -i "\|${ACME_CERT_DIR}|d" "${CHKSUM_FILE}.new"
|
|
|
|
|
|
sha512sum "${ACME_CERT_DIR}"/*.pem >> "${CHKSUM_FILE}.new"
|
2021-12-18 22:25:15 +00:00
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
# If monitored certificate files in /etc/letsencrypt/live have changed and no `acme.json` is in use,
|
|
|
|
|
|
# They presently have no special handling other than to trigger a change that will restart Postfix/Dovecot.
|
2021-08-28 23:16:34 +00:00
|
|
|
|
|
|
|
|
|
|
# regenerate postfix accounts
|
2021-11-20 20:33:49 +00:00
|
|
|
|
[[ ${SMTP_ONLY} -ne 1 ]] && _create_accounts
|
2021-08-28 23:16:34 +00:00
|
|
|
|
|
2021-11-20 20:33:49 +00:00
|
|
|
|
_rebuild_relayhost
|
2021-06-15 12:03:41 +00:00
|
|
|
|
|
2021-11-20 20:33:49 +00:00
|
|
|
|
# regenerate postix aliases
|
|
|
|
|
|
_create_aliases
|
2019-08-01 17:39:25 +00:00
|
|
|
|
|
2021-11-20 20:33:49 +00:00
|
|
|
|
# regenerate /etc/postfix/vhost
|
|
|
|
|
|
# NOTE: If later adding support for LDAP with change detection and this method is called,
|
|
|
|
|
|
# be sure to mimic `setup-stack.sh:_setup_ldap` which appends to `/tmp/vhost.tmp`.
|
|
|
|
|
|
_create_postfix_vhost
|
2020-10-01 23:19:41 +00:00
|
|
|
|
|
2021-08-28 23:16:34 +00:00
|
|
|
|
if find /var/mail -maxdepth 3 -a \( \! -user 5000 -o \! -group 5000 \) | read -r
|
|
|
|
|
|
then
|
|
|
|
|
|
chown -R 5000:5000 /var/mail
|
2021-08-16 07:21:29 +00:00
|
|
|
|
fi
|
2021-06-15 12:03:41 +00:00
|
|
|
|
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'debug' 'Restarting services due to detected changes'
|
2021-11-03 20:28:40 +00:00
|
|
|
|
|
2021-08-28 23:16:34 +00:00
|
|
|
|
supervisorctl restart postfix
|
|
|
|
|
|
|
|
|
|
|
|
# prevent restart of dovecot when smtp_only=1
|
|
|
|
|
|
[[ ${SMTP_ONLY} -ne 1 ]] && supervisorctl restart dovecot
|
2021-09-13 08:09:01 +00:00
|
|
|
|
|
2022-02-21 10:56:57 +00:00
|
|
|
|
_remove_lock
|
2022-04-02 17:39:15 +00:00
|
|
|
|
_log_with_date 'debug' 'Completed handling of detected change'
|
2020-09-05 14:19:12 +00:00
|
|
|
|
fi
|
2017-10-10 06:15:18 +00:00
|
|
|
|
|
2021-08-28 23:16:34 +00:00
|
|
|
|
# mark changes as applied
|
|
|
|
|
|
mv "${CHKSUM_FILE}.new" "${CHKSUM_FILE}"
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
}
|
2021-06-15 12:03:41 +00:00
|
|
|
|
|
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods
This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).
As these methods should now return a string value, the `return 1` after a panic is now dropped.
* chore: Update comments
The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.
* refactor: Defer most logic to helper/ssl.sh
The loop is no longer required, extraction is delegated to `_setup_ssl` now.
For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.
`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.
Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.
* fix: Correctly match wildcard results
Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`, which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.
Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.
Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.
* tests(letsencrypt): Enable remaining tests
These will now pass. Adjusted comments accordingly.
Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 10:52:50 +00:00
|
|
|
|
while true
|
|
|
|
|
|
do
|
|
|
|
|
|
_check_for_changes
|
2022-02-08 22:21:45 +00:00
|
|
|
|
sleep 2
|
2017-10-10 06:15:18 +00:00
|
|
|
|
done
|
2021-02-24 16:28:59 +00:00
|
|
|
|
|
|
|
|
|
|
exit 0
|