[DOKER][MAIL][BOOTSTRAP] Make bootstrap generate separate certificates for the web root and the mail server

bin/configure

@@ -248,6 +248,12 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
                                  3>&1 1>&2 2>&3)
     validate_exit $?
 
+    if [ -z "${MAIL_SUBDOMAIN}" ]; then
+        MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
+    else
+        MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
+    fi
+
     while true; do
         MAIL_SENDER_USER=$(${WHIPTAIL} --title 'GNU social mail sender user' --clear --backtitle 'GNU social' \
                                        --inputbox "\nEnter the user emails should be sent from" 0 0 \
@@ -280,8 +286,9 @@ fi
 mkdir -p "${INSTALL_DIR}/docker/bootstrap"
 cat > "${INSTALL_DIR}/docker/bootstrap/bootstrap.env" <<EOF
 #!/bin/sh
-DOMAIN=${DOMAIN}
 DOMAIN_ROOT=${DOMAIN_ROOT}
+WEB_DOMAIN=${DOMAIN}
+MAIL_DOMAIN=${MAIL_DOMAIN}
 SIGNED=${LE_CERT}
 EOF
 [ -n "${EMAIL}" ] && echo EMAIL="${EMAIL}" >> "${INSTALL_DIR}/docker/bootstrap/bootstrap.env"
@@ -340,13 +347,6 @@ EOF
 # --------------- Write mail configuration, and setup ----------------------
 mkdir -p "${INSTALL_DIR}/docker/mail"
 
-if [ -z "${MAIL_SUBDOMAIN}" ]; then
-    MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
-else
-    MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
-fi
-
-
 cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF
 MAIL_DOMAIN=${MAIL_DOMAIN}
 MAIL_USER=${MAIL_SENDER_USER}

docker/bootstrap/bootstrap.sh

@@ -1,56 +1,62 @@
 #!/bin/sh
 
+# This script is intended to run inside the bootstrap container. It
+# should work outside, but that use case is not tested.
+
 . bootstrap.env
 
 sed -ri "s/%hostname%/${DOMAIN}/" /etc/nginx/conf.d/challenge.conf
 
 nginx
 
-rsa_key_size=4096
+# TODO Expose these in the configuration utility
-certbot_path="/var/www/certbot"
+RSA_KEY_SIZE=4096
-lets_path="/etc/letsencrypt"
+PREFIX="/etc/letsencrypt"
+SELF_SIGNED_CERTIFICATE_TTL=365
 
 echo "Starting bootstrap"
 
-if [ ! -e "${lets_path}/live/${DOMAIN}/options-ssl-nginx.conf" ] ||  [ ! -e "$lets_path/live/ssl-dhparams.pem" ];then
+obtain_certificates () {
+    DOMAIN="$1"
+    if [ ! -e "${PREFIX}/live/${DOMAIN}" ] ||  [ ! -e "${PREFIX}/live/ssl-dhparams.pem" ];then
         echo "### Downloading recommended TLS parameters ..."
-    mkdir -p "${lets_path}/live/${DOMAIN}"
+        mkdir -p "${PREFIX}/live/${DOMAIN}"
 
-    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
+        curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${PREFIX}/options-ssl-nginx.conf"
-    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
+        curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"${PREFIX}/ssl-dhparams.pem"
 
         if [ ${SIGNED} -eq 0 ]; then
             echo "### Creating self signed certificate for ${DOMAIN} ..."
-        openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
+            openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" -days "${SELF_SIGNED_CERTIFICATE_TTL}" \
-                -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
+                    -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
-                -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
+                    -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
         else
             echo "### Creating dummy certificate for ${DOMAIN} ..."
             openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
-                -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
+                    -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
-                -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
+                    -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
 
             nginx -s reload
 
-        rm -Rf "${lets_path}/live/${DOMAIN}"
+            rm -Rf "${PREFIX}/live/${DOMAIN}"
-        rm -Rf "${lets_path}/archive/${DOMAIN}"
+            rm -Rf "${PREFIX}/archive/${DOMAIN}"
-        rm -Rf "${lets_path}/renewal/${DOMAIN}.conf"
+            rm -Rf "${PREFIX}/renewal/${DOMAIN}.conf"
 
             echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."
-        # Format domain_args with the cartesian product of `domain_root` and `subdomains`
 
-        # if [ "${DOMAIN_ROOT}" = "${DOMAIN}" ]; then domain_arg="-d ${DOMAIN_ROOT}"; else domain_arg="-d ${DOMAIN_ROOT} -d ${DOMAIN}"; fi
+            # Ask Let's Encrypt to create certificates, if challenge passes
-        # ${domain_arg} \
+            certbot certonly --webroot -w "/var/www/certbot" \
-
-        # Ask Let's Encrypt to create certificates, if challenge passed
-        certbot certonly --webroot -w "${certbot_path}" \
                     --email "${EMAIL}" \
                     -d "${DOMAIN}" \
                     --non-interactive \
-                --rsa-key-size "${rsa_key_size}" \
+                    --rsa-key-size "${RSA_KEY_SIZE}" \
                     --agree-tos \
                     --force-renewal
         fi
-else
+    else
         echo "Certificate related files exists, exiting"
-fi
+    fi
+}
+
+obtain_certificates "${WEB_DOMAIN}"
+obtain_certificates "${MAIL_DOMAIN}"