author | Maxim Devaev <[email protected]> | 2022-06-24 16:19:28 +0300 |
---|---|---|
committer | Maxim Devaev <[email protected]> | 2022-06-24 16:19:28 +0300 |
commit | 9202cf1d441ba25a13af5b577aa01323e0b919af (patch) | |
tree | 6b6c258e9082b32997aeab4a558f21ce8eb89f2a /scripts/kvmd-certbot | |
parent | 9f4c2412049e21ed6d1bd0237ba1d98ea338f7bb (diff) |
kvmd-certbot
Diffstat (limited to 'scripts/kvmd-certbot')
-rwxr-xr-x | scripts/kvmd-certbot | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/scripts/kvmd-certbot b/scripts/kvmd-certbot
new file mode 100755
index 00000000..937a6fb0
--- /dev/null
+++ b/scripts/kvmd-certbot
@@ -0,0 +1,105 @@ +#!/bin/bash +# ========================================================================== # +# # +# KVMD - The main PiKVM daemon. # +# # +# Copyright (C) 2018-2022 Maxim Devaev <[email protected]> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <https://www.gnu.org/licenses/>. # +# # +# ========================================================================== # + + +set -e +export LC_ALL=C + +if [ "$(whoami)" != root ]; then + echo "Only root can do that" + exit 1 +fi + +user=kvmd-certbot +web=/run/kvmd-certbot/webroot +pstbase=/var/lib/kvmd/pst/data/certbot +cur="$pstbase/runroot" +new="$pstbase/runroot.new" +tmp=/tmp/kvmd-certbot/runroot + +function cleanup() { + rm -rf "$tmp" +} + +function create_tmp() { + mkdir "$tmp" # Acts as a lock + chown "$user:" "$tmp" + trap cleanup EXIT +} + +if [ "$1" == "renew" ]; then + create_tmp + cp -a "$cur"/{config,work,logs} "$tmp" + sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"* + shift + sudo -u "$user" certbot renew "$@" \ + --config-dir="$tmp/config" \ + --work-dir="$tmp/work" \ + --logs-dir="$tmp/logs" \ + --deploy-hook="/usr/bin/touch '$tmp/updated'" + if [ -f "$tmp/updated" ]; then + sudo -u "$user" kvmd-pstrun -- bash -c " + set -ex + rm -rf '$new' + cp -a '$tmp' '$new' + rm '$new/updated' + chmod 640 '$new'/config/archive/*/privkey*.pem + sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'* + 
sync + kvmd-helper-swapfiles '$new' '$cur' + rm -rf '$new' + " + echo "Reloading KVMD-Nginx ..." + systemctl reload kvmd-nginx || true + fi + +else + create_tmp + if [ ! -d "$cur" ]; then + kvmd-pstrun -- bash -c " + set -ex + mkdir -p '$cur' + chown '$user:' '$cur' + " + fi + if [ "$1" == "certonly-webroot" ]; then + shift + sudo -u "$user" kvmd-pstrun -- certbot certonly "$@" \ + --config-dir="$cur/config" \ + --work-dir="$cur/work" \ + --logs-dir="$cur/logs" \ + --webroot \ + --webroot-path="$web" \ + --deploy-hook="/usr/bin/bash -c ' + set -ex + cd \"\$RENEWED_LINEAGE\" + chmod 640 privkey.pem + ln -s fullchain.pem server.crt + ln -s privkey.pem server.key + '" + else + sudo -u "$user" kvmd-pstrun -- certbot "$@" \ + --config-dir="$cur/config" \ + --work-dir="$cur/work" \ + --logs-dir="$cur/logs" + fi +fi |
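Review bot: The working directory and lock at `tmp=/tmp/kvmd-certbot/runroot` is a fixed, predictable path under world-writable /tmp that root then populates with `cp -a` and hands to `$user` via `chown`, so whichever local account creates `/tmp/kvmd-certbot` first controls the parent of what root creates there, and a pre-created `runroot` blocks every run because the bare `mkdir` is the lock. Unless a tmpfiles.d rule outside this commit pre-creates `/tmp/kvmd-certbot` root-owned, a location not shared with unprivileged users is safer, e.g. `tmp=/run/kvmd-certbot/runroot` beside the `$web` directory the script already uses. Separately, `trap cleanup EXIT` in `create_tmp` is armed only after `chown`, so a failing `chown` leaves a stale lock directory that makes every later run fail at `mkdir`; moving `trap cleanup EXIT` to directly after `mkdir "$tmp"` closes that gap. The comment `# Acts as a lock` would be clearer as `# mkdir is atomic: fails if another run is in progress`.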