From b3623329e358ddf4098235e4e0d0d31358d59f02 Mon Sep 17 00:00:00 2001
From: Hugo Sales
Date: Wed, 24 Mar 2021 11:48:45 +0000
Subject: [PATCH] [DOKER][MAIL][BOOTSTRAP] Make bootstrap generate separate certificates for the web root and the mail server
---
 bin/configure | 16 +++----
 docker/bootstrap/bootstrap.sh | 88 +++++++++++++++++++----------------
 2 files changed, 55 insertions(+), 49 deletions(-)
diff --git a/bin/configure b/bin/configure
index 2ebb2356d8..0316f34b44 100755
--- a/bin/configure
+++ b/bin/configure
@@ -248,6 +248,12 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
 3>&1 1>&2 2>&3)
 validate_exit $?
 
+ if [ -z "${MAIL_SUBDOMAIN}" ]; then
+ MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
+ else
+ MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
+ fi
+
 while true; do
 MAIL_SENDER_USER=$(${WHIPTAIL} --title 'GNU social mail sender user' --clear --backtitle 'GNU social' \
 --inputbox "\nEnter the user emails should be sent from" 0 0 \
@@ -280,8 +286,9 @@ fi
 mkdir -p "${INSTALL_DIR}/docker/bootstrap"
 cat > "${INSTALL_DIR}/docker/bootstrap/bootstrap.env" <> "${INSTALL_DIR}/docker/bootstrap/bootstrap.env" 
@@ -340,13 +347,6 @@ EOF
 # --------------- Write mail configuration, and setup ----------------------
 mkdir -p "${INSTALL_DIR}/docker/mail"
-if [ -z "${MAIL_SUBDOMAIN}" ]; then
- MAIL_DOMAIN="${MAIL_DOMAIN_ROOT}"
-else
- MAIL_DOMAIN="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
-fi
-
-
 cat > "${INSTALL_DIR}/docker/mail/mail.env" <"$lets_path/options-ssl-nginx.conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${PREFIX}/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"${PREFIX}/ssl-dhparams.pem"
- if [ ${SIGNED} -eq 0 ]; then
- echo "### Creating self signed certificate for ${DOMAIN} ..."
- openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
- -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
- -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
+ if [ ${SIGNED} -eq 0 ]; then
+ echo "### Creating self signed certificate for ${DOMAIN} ..."
+ openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" -days "${SELF_SIGNED_CERTIFICATE_TTL}" \
+ -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
+ -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}"
+ else
+ echo "### Creating dummy certificate for ${DOMAIN} ..."
+ openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
+ -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
+ -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
+
+ nginx -s reload
+
+ rm -Rf "${PREFIX}/live/${DOMAIN}"
+ rm -Rf "${PREFIX}/archive/${DOMAIN}"
+ rm -Rf "${PREFIX}/renewal/${DOMAIN}.conf"
+
+ echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..." 
+
+ # Ask Let's Encrypt to create certificates, if challenge passes
+ certbot certonly --webroot -w "/var/www/certbot" \
+ --email "${EMAIL}" \
+ -d "${DOMAIN}" \
+ --non-interactive \
+ --rsa-key-size "${RSA_KEY_SIZE}" \
+ --agree-tos \
+ --force-renewal
+ fi
 else
- echo "### Creating dummy certificate for ${DOMAIN} ..."
- openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
- -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \
- -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost'
-
- nginx -s reload
-
- rm -Rf "${lets_path}/live/${DOMAIN}"
- rm -Rf "${lets_path}/archive/${DOMAIN}"
- rm -Rf "${lets_path}/renewal/${DOMAIN}.conf"
-
- echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."
- # Format domain_args with the cartesian product of `domain_root` and `subdomains`
-
- # if [ "${DOMAIN_ROOT}" = "${DOMAIN}" ]; then domain_arg="-d ${DOMAIN_ROOT}"; else domain_arg="-d ${DOMAIN_ROOT} -d ${DOMAIN}"; fi
- # ${domain_arg} \
-
- # Ask Let's Encrypt to create certificates, if challenge passed
- certbot certonly --webroot -w "${certbot_path}" \
- --email "${EMAIL}" \
- -d "${DOMAIN}" \
- --non-interactive \
- --rsa-key-size "${rsa_key_size}" \
- --agree-tos \
- --force-renewal
+ echo "Certificate related files exists, exiting"
 fi
-else
- echo "Certificate related files exists, exiting"
-fi
+}
+
+obtain_certificates "${WEB_DOMAIN}"
+obtain_certificates "${MAIL_DOMAIN}"
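Review bot: `obtain_certificates "${MAIL_DOMAIN}"` on the last line runs unconditionally, yet bin/configure only derives MAIL_DOMAIN inside the `if echo "${DOCKER}" | grep -Fvq '"mail"'` branch, so on a deployment without mail DOMAIN presumably arrives empty and the dummy-certificate branch's `rm -Rf "${PREFIX}/live/${DOMAIN}"` and `rm -Rf "${PREFIX}/archive/${DOMAIN}"` expand to the entire live and archive directories under PREFIX before certbot is invoked with `-d ""`. Guard the call site with `if [ -n "${MAIL_DOMAIN}" ]; then obtain_certificates "${MAIL_DOMAIN}"; fi` and make the three deletions fail closed with the `:?` expansion, e.g. `rm -Rf "${PREFIX:?}/live/${DOMAIN:?}"`. The two `curl -s` fetches of options-ssl-nginx.conf and ssl-dhparams.pem also write whatever an HTTP error returns straight into the nginx configuration and track certbot's master branch; `curl -sSf` against a pinned tag, or a vendored copy of both files, would make that step deterministic. The head of obtain_certificates, including where PREFIX and DOMAIN are assigned, is not visible in this hunk, so whether they are declared `local` could not be checked.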