#!/bin/sh
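# issue_cert DOMAIN
#
# Obtain a certificate for DOMAIN with the webroot challenge.  The
# webserver has to serve /var/lib/letsencrypt for the challenge and
# needs read access to /etc/letsencrypt afterwards (see the permission
# fix below the case).  Exit status is certbot's.
issue_cert() {
  /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
    --webroot \
    --agree-tos \
    --webroot-path /var/lib/letsencrypt \
    -d "$1"
}

case "$1" in
  # Renew certificates, trust in certbot's algorithms
  renew) /usr/bin/certbot renew --quiet --agree-tos ;;

  # First run: certificates for the base domain and the API
  bootstrap)
    : "${SUTTY:?SUTTY (base domain) must be set}"

    for site in "${SUTTY}" "api.${SUTTY}"; do
      # Skip sites that already have a certificate.  This used to
      # "exit 0", which meant that once ${SUTTY} had a certificate a
      # missing api.${SUTTY} one was never obtained, and the permission
      # fix and node sync below were skipped entirely.
      test -d "/etc/letsencrypt/live/${site}" && continue

      # Get the certificate for the domain, the webserver will need
      # access to this directory
      issue_cert "${site}"
    done

    # "default" points at the base domain's certificate.  -n stops ln
    # from descending into an existing link, -f makes this idempotent;
    # the relative target resolves inside live/ just like before.
    if test -d "/etc/letsencrypt/live/${SUTTY}"; then
      ln -sfn "${SUTTY}" /etc/letsencrypt/live/default
    fi
    ;;

  # Generate certificates for every site the API knows about
  *)
    : "${SUTTY:?SUTTY (base domain) must be set}"
    # With SUTTY_ADDRESS empty the "non local" filter below would match
    # every line and certificates would be requested for any domain in
    # the list, so refuse to run without it.
    : "${SUTTY_ADDRESS:?SUTTY_ADDRESS (this host's public address) must be set}"
    : "${HTTP_BASIC_USER:?HTTP_BASIC_USER must be set}"
    : "${HTTP_BASIC_PASSWORD:?HTTP_BASIC_PASSWORD must be set}"

    # Response headers of the previous run; the ETag in them lets the
    # API answer 304 when the site list hasn't changed.
    # NOTE(review): a fixed name in the shared /tmp is followed through
    # a symlink if another user plants one there; move it to a private
    # state directory if this container's /tmp is shared.
    headers=/tmp/headers

    # Get the ETag from the previous headers.  wget -S indents header
    # lines with two spaces and the header is spelled "ETag", so match
    # it case-insensitively with any indent (the old "^ Etag: " pattern
    # never matched and the 304 shortcut was dead) and strip the
    # surrounding blanks and the CR.
    etag=
    if test -f "${headers}"; then
      etag="$(grep -i '^ *etag: ' "${headers}" | cut -d : -f 2- | tr -d ' \r')"
    fi

    # Get site list from the API and transform to a list.  Save headers
    # for next run.  Use ETag to avoid running when nothing changed: a
    # 304 has an empty body, so the loop below simply does nothing.  An
    # empty If-None-Match value is harmless and matches the old behaviour.
    # NOTE(review): --password= sits on wget's command line and is
    # readable by other processes on the host (ps, /proc/*/cmdline)
    # while it runs; a wgetrc with "user"/"password" selected through
    # WGETRC would keep the secret off argv.
    wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
      --header="If-None-Match: ${etag}" -qSO - \
      "https://api.${SUTTY}/v1/sites.json" \
      2>"${headers}" \
      | jq --raw-output '.[]' \
      | while read -r name; do
        # If the site name doesn't end with a dot it's a subdomain of
        # ${SUTTY}; a trailing dot marks a full domain name.
        case "${name}" in
          "") continue ;;
          *.) domain="${name%.}" ;;
          *)  domain="${name}.${SUTTY}" ;;
        esac

        # Generate a certificate for www also
        for d in "${domain}" "www.${domain}"; do
          # The name arrives over the network and ends up in a path and
          # on command lines: accept hostname characters only, and no
          # empty, leading, trailing or doubled labels.
          case "${d}" in
            ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) continue ;;
          esac

          # Skip already existing domains
          test -d "/etc/letsencrypt/live/${d}" && continue

          # Ignore domains that don't resolve to this host so failed
          # validations don't eat the rate limit.  -F -w matches the
          # address literally and as a whole word: as a plain pattern
          # the dots matched anything and 1.2.3.4 also accepted
          # 11.2.3.45.  Assumes SUTTY_ADDRESS is an address literal.
          nslookup "${d}" 8.8.8.8 | grep -Fqw -- "${SUTTY_ADDRESS}" || continue

          # Get the certificate for the domain, the webserver will need
          # access to this directory
          issue_cert "${d}"
        done
      done
    ;;
esac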
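# Fix permissions: users in group ssl get read access to the whole
# tree, private keys under archive/ included (certbot creates those
# 0600).  Modes are tightened before the group is widened so there is
# no window where a broader group can read the keys.
# -exec … {} + hands find's results over as arguments, so a path with
# whitespace can't be split the way the former find | xargs could.
find /etc/letsencrypt -type d -exec chmod 2750 {} +
find /etc/letsencrypt -type f -exec chmod 640 {} +
chgrp -R ssl /etc/letsencrypt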
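# Push certificates to nodes, we use SSH as a secure transport
# but this means we're synchronizing from container to host which is
# awkward.  A restricted rsync treats / as the remote location for the
# certificates.
#
# NOTE(review): the safety of this step rests entirely on the remote
# side.  --delete-after against ":/" would remove everything under the
# node's real / that isn't in /etc/letsencrypt if the key's forced
# command (the restricted rsync, e.g. rrsync pinned to the certificate
# directory) were ever missing, so keep that restriction in the node's
# authorized_keys and never run this with an unrestricted key.  Private
# keys travel too; the remote directory needs the same 0640/ssl layout.
#
# NODES is a whitespace-separated list, hence unquoted.  A failed sync
# to one node used to be masked by a later successful one; now each
# failure is reported and the script exits non-zero if any node failed.
failed=0
for NODE in ${NODES}; do
  rsync -avHAX --delete-after /etc/letsencrypt/ "${NODE}:/" || {
    echo "certificate sync to ${NODE} failed" >&2
    failed=1
  }
done
exit "${failed}"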