[DOKER][MAIL][BOOTSTRAP] Make bootstrap generate separate certificates for the web root and the mail server

This commit is contained in:
Hugo Sales 2021-03-24 11:48:45 +00:00
parent b824a0425e
commit b3623329e3
Signed by: someonewithpc
GPG Key ID: 7D0C7EAFC9D835A0
2 changed files with 55 additions and 49 deletions

16
bin/configure vendored
View File

@ -248,6 +248,12 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
3>&1 1>&2 2>&3)
validate_exit $?
if [ -z "${MAIL_SUBDOMAIN}" ]; then
MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
else
MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
fi
while true; do
MAIL_SENDER_USER=$(${WHIPTAIL} --title 'GNU social mail sender user' --clear --backtitle 'GNU social' \
--inputbox "\nEnter the user emails should be sent from" 0 0 \
@ -280,8 +286,9 @@ fi
mkdir -p "${INSTALL_DIR}/docker/bootstrap"
cat > "${INSTALL_DIR}/docker/bootstrap/bootstrap.env" <<EOF
#!/bin/sh
DOMAIN=${DOMAIN}
DOMAIN_ROOT=${DOMAIN_ROOT}
WEB_DOMAIN=${DOMAIN}
MAIL_DOMAIN=${MAIL_DOMAIN}
SIGNED=${LE_CERT}
EOF
[ -n "${EMAIL}" ] && echo EMAIL="${EMAIL}" >> "${INSTALL_DIR}/docker/bootstrap/bootstrap.env"
@ -340,13 +347,6 @@ EOF
# --------------- Write mail configuration, and setup ----------------------
mkdir -p "${INSTALL_DIR}/docker/mail"
if [ -z "${MAIL_SUBDOMAIN}" ]; then
MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
else
MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
fi
cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF
MAIL_DOMAIN=${MAIL_DOMAIN}
MAIL_USER=${MAIL_SENDER_USER}

View File

@ -1,56 +1,62 @@
#!/bin/sh
# This script is intended to run inside the bootstrap container. It
# should work outside, but that use case is not tested.
. bootstrap.env
sed -ri "s/%hostname%/${DOMAIN}/" /etc/nginx/conf.d/challenge.conf
nginx
rsa_key_size=4096
certbot_path="/var/www/certbot"
lets_path="/etc/letsencrypt"
# TODO Expose these in the configuration utility
RSA_KEY_SIZE=4096
PREFIX="/etc/letsencrypt"
SELF_SIGNED_CERTIFICATE_TTL=365
echo "Starting bootstrap"
if [ ! -e "${lets_path}/live/${DOMAIN}/options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ];then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "${lets_path}/live/${DOMAIN}"
obtain_certificates () {
DOMAIN="$1"
if [ ! -e "${PREFIX}/live/${DOMAIN}" ] || [ ! -e "${PREFIX}/live/ssl-dhparams.pem" ];then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "${PREFIX}/live/${DOMAIN}"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${PREFIX}/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"${PREFIX}/ssl-dhparams.pem"
if [ ${SIGNED} -eq 0 ]; then
echo "### Creating self signed certificate for ${DOMAIN} ..."
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
-keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
-out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
if [ ${SIGNED} -eq 0 ]; then
echo "### Creating self signed certificate for ${DOMAIN} ..."
openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" -days "${SELF_SIGNED_CERTIFICATE_TTL}" \
-keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
-out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
else
echo "### Creating dummy certificate for ${DOMAIN} ..."
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
-keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
-out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
nginx -s reload
rm -Rf "${PREFIX}/live/${DOMAIN}"
rm -Rf "${PREFIX}/archive/${DOMAIN}"
rm -Rf "${PREFIX}/renewal/${DOMAIN}.conf"
echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."
# Ask Let's Encrypt to create certificates, if challenge passes
certbot certonly --webroot -w "/var/www/certbot" \
--email "${EMAIL}" \
-d "${DOMAIN}" \
--non-interactive \
--rsa-key-size "${RSA_KEY_SIZE}" \
--agree-tos \
--force-renewal
fi
else
echo "### Creating dummy certificate for ${DOMAIN} ..."
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
-keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
-out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
nginx -s reload
rm -Rf "${lets_path}/live/${DOMAIN}"
rm -Rf "${lets_path}/archive/${DOMAIN}"
rm -Rf "${lets_path}/renewal/${DOMAIN}.conf"
echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."
# Format domain_args with the cartesian product of `domain_root` and `subdomains`
# if [ "${DOMAIN_ROOT}" = "${DOMAIN}" ]; then domain_arg="-d ${DOMAIN_ROOT}"; else domain_arg="-d ${DOMAIN_ROOT} -d ${DOMAIN}"; fi
# ${domain_arg} \
# Ask Let's Encrypt to create certificates, if challenge passed
certbot certonly --webroot -w "${certbot_path}" \
--email "${EMAIL}" \
-d "${DOMAIN}" \
--non-interactive \
--rsa-key-size "${rsa_key_size}" \
--agree-tos \
--force-renewal
echo "Certificate related files exists, exiting"
fi
else
echo "Certificate related files exists, exiting"
fi
}
obtain_certificates "${WEB_DOMAIN}"
obtain_certificates "${MAIL_DOMAIN}"