[DOKER][MAIL][BOOTSTRAP] Make bootstrap generate separate certificates for the web root and the mail server
This commit is contained in:
parent
b824a0425e
commit
b3623329e3
16
bin/configure
vendored
16
bin/configure
vendored
@ -248,6 +248,12 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
|
||||
3>&1 1>&2 2>&3)
|
||||
validate_exit $?
|
||||
|
||||
if [ -z "${MAIL_SUBDOMAIN}" ]; then
|
||||
MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
|
||||
else
|
||||
MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
|
||||
fi
|
||||
|
||||
while true; do
|
||||
MAIL_SENDER_USER=$(${WHIPTAIL} --title 'GNU social mail sender user' --clear --backtitle 'GNU social' \
|
||||
--inputbox "\nEnter the user emails should be sent from" 0 0 \
|
||||
@ -280,8 +286,9 @@ fi
|
||||
mkdir -p "${INSTALL_DIR}/docker/bootstrap"
|
||||
cat > "${INSTALL_DIR}/docker/bootstrap/bootstrap.env" <<EOF
|
||||
#!/bin/sh
|
||||
DOMAIN=${DOMAIN}
|
||||
DOMAIN_ROOT=${DOMAIN_ROOT}
|
||||
WEB_DOMAIN=${DOMAIN}
|
||||
MAIL_DOMAIN=${MAIL_DOMAIN}
|
||||
SIGNED=${LE_CERT}
|
||||
EOF
|
||||
[ -n "${EMAIL}" ] && echo EMAIL="${EMAIL}" >> "${INSTALL_DIR}/docker/bootstrap/bootstrap.env"
|
||||
@ -340,13 +347,6 @@ EOF
|
||||
# --------------- Write mail configuration, and setup ----------------------
|
||||
mkdir -p "${INSTALL_DIR}/docker/mail"
|
||||
|
||||
if [ -z "${MAIL_SUBDOMAIN}" ]; then
|
||||
MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
|
||||
else
|
||||
MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
|
||||
fi
|
||||
|
||||
|
||||
cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF
|
||||
MAIL_DOMAIN=${MAIL_DOMAIN}
|
||||
MAIL_USER=${MAIL_SENDER_USER}
|
||||
|
@ -1,56 +1,62 @@
|
||||
#!/bin/sh
|
||||
|
||||
# This script is intended to run inside the bootstrap container. It
|
||||
# should work outside, but that use case is not tested.
|
||||
|
||||
. bootstrap.env
|
||||
|
||||
sed -ri "s/%hostname%/${DOMAIN}/" /etc/nginx/conf.d/challenge.conf
|
||||
|
||||
nginx
|
||||
|
||||
rsa_key_size=4096
|
||||
certbot_path="/var/www/certbot"
|
||||
lets_path="/etc/letsencrypt"
|
||||
# TODO Expose these in the configuration utility
|
||||
RSA_KEY_SIZE=4096
|
||||
PREFIX="/etc/letsencrypt"
|
||||
SELF_SIGNED_CERTIFICATE_TTL=365
|
||||
|
||||
echo "Starting bootstrap"
|
||||
|
||||
if [ ! -e "${lets_path}/live/${DOMAIN}/options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ];then
|
||||
obtain_certificates () {
|
||||
DOMAIN="$1"
|
||||
if [ ! -e "${PREFIX}/live/${DOMAIN}" ] || [ ! -e "${PREFIX}/live/ssl-dhparams.pem" ];then
|
||||
echo "### Downloading recommended TLS parameters ..."
|
||||
mkdir -p "${lets_path}/live/${DOMAIN}"
|
||||
mkdir -p "${PREFIX}/live/${DOMAIN}"
|
||||
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${PREFIX}/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"${PREFIX}/ssl-dhparams.pem"
|
||||
|
||||
if [ ${SIGNED} -eq 0 ]; then
|
||||
echo "### Creating self signed certificate for ${DOMAIN} ..."
|
||||
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
|
||||
-keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
|
||||
-out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
|
||||
openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" -days "${SELF_SIGNED_CERTIFICATE_TTL}" \
|
||||
-keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
|
||||
-out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
|
||||
else
|
||||
echo "### Creating dummy certificate for ${DOMAIN} ..."
|
||||
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
|
||||
-keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
|
||||
-out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
|
||||
-keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
|
||||
-out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
|
||||
|
||||
nginx -s reload
|
||||
|
||||
rm -Rf "${lets_path}/live/${DOMAIN}"
|
||||
rm -Rf "${lets_path}/archive/${DOMAIN}"
|
||||
rm -Rf "${lets_path}/renewal/${DOMAIN}.conf"
|
||||
rm -Rf "${PREFIX}/live/${DOMAIN}"
|
||||
rm -Rf "${PREFIX}/archive/${DOMAIN}"
|
||||
rm -Rf "${PREFIX}/renewal/${DOMAIN}.conf"
|
||||
|
||||
echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."
|
||||
# Format domain_args with the cartesian product of `domain_root` and `subdomains`
|
||||
|
||||
# if [ "${DOMAIN_ROOT}" = "${DOMAIN}" ]; then domain_arg="-d ${DOMAIN_ROOT}"; else domain_arg="-d ${DOMAIN_ROOT} -d ${DOMAIN}"; fi
|
||||
# ${domain_arg} \
|
||||
|
||||
# Ask Let's Encrypt to create certificates, if challenge passed
|
||||
certbot certonly --webroot -w "${certbot_path}" \
|
||||
# Ask Let's Encrypt to create certificates, if challenge passes
|
||||
certbot certonly --webroot -w "/var/www/certbot" \
|
||||
--email "${EMAIL}" \
|
||||
-d "${DOMAIN}" \
|
||||
--non-interactive \
|
||||
--rsa-key-size "${rsa_key_size}" \
|
||||
--rsa-key-size "${RSA_KEY_SIZE}" \
|
||||
--agree-tos \
|
||||
--force-renewal
|
||||
fi
|
||||
else
|
||||
else
|
||||
echo "Certificate related files exists, exiting"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
obtain_certificates "${WEB_DOMAIN}"
|
||||
obtain_certificates "${MAIL_DOMAIN}"
|
||||
|
Loading…
Reference in New Issue
Block a user