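#!/bin/bash
# ========================================================================== #
#                                                                            #
#    KVMD - The main PiKVM daemon.                                           #
#                                                                            #
#    Copyright (C) 2018-2022  Maxim Devaev <mdevaev@gmail.com>               #
#                                                                            #
#    This program is free software: you can redistribute it and/or modify    #
#    it under the terms of the GNU General Public License as published by    #
#    the Free Software Foundation, either version 3 of the License, or       #
#    (at your option) any later version.                                     #
#                                                                            #
#    This program is distributed in the hope that it will be useful,         #
#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
#    GNU General Public License for more details.                            #
#                                                                            #
#    You should have received a copy of the GNU General Public License       #
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
#                                                                            #
# ========================================================================== #

# kvmd-certbot: root-only wrapper around certbot for PiKVM.
#
# certbot itself is always run unprivileged (sudo -u kvmd-certbot) and its
# state lives on the persistent storage (PST), which is only writable inside
# a `kvmd-pstrun` context.  Renewal is therefore done on a scratch copy under
# /tmp and the result is swapped back into PST atomically.
#
# Usage:
#   kvmd-certbot certonly <certbot args>   obtain a certificate (webroot plugin)
#   kvmd-certbot renew [certbot args]      renew on a scratch copy, swap into PST
#   kvmd-certbot install <nginx|vnc> <domain>
#                                          point /etc/kvmd/<svc>/ssl at a lineage
#   kvmd-certbot -- <certbot args>         run any certbot command under PST
#   kvmd-certbot -h|--help|help            certbot help

set -e
export LC_ALL=C

if [ "$(id -u)" != 0 ]; then
	echo "Only root can do that"
	exit 1
fi

user=kvmd-certbot
web=/run/kvmd-certbot/webroot
pstbase=/var/lib/kvmd/pst/data/certbot
cur="$pstbase/runroot"      # live certbot state on PST
new="$pstbase/runroot.new"  # staging copy on PST, swapped into $cur
tmp=/tmp/kvmd-certbot/runroot  # scratch copy used by `renew`; also the run lock

# Removes the scratch directory (and with it the lock and any key copies).
function cleanup() {
	rm -rf "$tmp"
}

# Creates the scratch directory.  The mkdir doubles as a lock: a second
# concurrent run fails here (set -e) before installing the cleanup trap, so
# it never removes a directory it does not own.
function create_tmp() {
	# $tmp lives under sticky /tmp and receives copies of private keys during
	# `renew`, while rm/cp/sed below run as root.  Refuse to proceed unless the
	# parent is a real directory owned by root or by the certbot service user
	# (presumably pre-created by tmpfiles; an unprivileged local user must not
	# be able to plant it and redirect our writes).
	local parent
	parent="$(dirname "$tmp")"
	if [ -L "$parent" ] || [ ! -d "$parent" ]; then
		echo "Refusing to use $parent: not a directory" >&2
		exit 1
	fi
	case "$(stat -c %U "$parent")" in
		root|"$user") ;;
		*)
			echo "Refusing to use $parent: unexpected owner" >&2
			exit 1
			;;
	esac
	mkdir "$tmp" # Acts as a lock
	chown "$user:" "$tmp"
	trap cleanup EXIT
}

# Creates $cur on PST (needs the writable pstrun context) if it is missing.
function ensure_runroot() {
	if [ ! -d "$cur" ]; then
		kvmd-pstrun -- bash -c "
			set -ex
			mkdir -p '$cur'
			chown '$user:' '$cur'
		"
	fi
}

# $1 - systemctl verb (reload/restart), $2 - unit.
# Best-effort: only acts on an active unit and never fails the script.
function restart_if_running() {
	if systemctl is-active --quiet "$2"; then
		echo "=> systemctl $1 $2"
		systemctl "$1" "$2" || true
	fi
}

function restart_if_running_nginx() {
	restart_if_running reload kvmd-nginx
}

function restart_if_running_vnc() {
	restart_if_running restart kvmd-vnc
}

function install_usage() {
	echo "Usage: kvmd-certbot install <nginx|vnc> <domain>" >&2
	exit 1
}

case "$1" in
	-h|--help|help)
		sudo -u "$user" certbot "$@" \
			--config-dir="$cur/config" \
			--work-dir="$cur/work" \
			--logs-dir="$cur/logs"
		;;

	certonly)
		create_tmp
		ensure_runroot
		# The deploy hook runs as $user inside certbot after issuance: it
		# tightens the key, and adds stable server.crt/server.key symlinks
		# inside the lineage for `install` to point at.
		# NOTE(review): this sets archive/live to 750 while `renew` below sets
		# 755 -- confirm which one the nginx/vnc service users actually need
		# to traverse these directories.
		sudo -u "$user" kvmd-pstrun -- certbot "$@" \
			--config-dir="$cur/config" \
			--work-dir="$cur/work" \
			--logs-dir="$cur/logs" \
			--webroot \
			--webroot-path="$web" \
			--deploy-hook="/usr/bin/bash -c '
				set -ex
				chmod 750 '$cur/config/'{archive,live}
				cd \"\$RENEWED_LINEAGE\"
				chmod 640 privkey.pem
				ln -s fullchain.pem server.crt
				ln -s privkey.pem server.key
			'"
		;;

	renew)
		shift
		create_tmp
		# Work on a scratch copy so certbot never needs the PST writable.
		# The renewal configs embed absolute paths, so rewrite them to $tmp
		# (and back again below).  This copy contains the private keys; it is
		# removed by the EXIT trap.
		cp -a "$cur"/{config,work,logs} "$tmp"
		sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"*
		sudo -u "$user" certbot renew "$@" \
			--config-dir="$tmp/config" \
			--work-dir="$tmp/work" \
			--logs-dir="$tmp/logs" \
			--deploy-hook="/usr/bin/touch '$tmp/updated'"
		# Only touch PST if certbot actually renewed something.
		if [ -f "$tmp/updated" ]; then
			sudo -u "$user" kvmd-pstrun -- bash -c "
				set -ex
				rm -rf '$new'
				cp -a '$tmp' '$new'
				rm '$new/updated'
				chmod 755 '$new/config/'{archive,live}
				chmod 640 '$new'/config/archive/*/privkey*.pem
				sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'*
				sync
				kvmd-helper-swapfiles '$new' '$cur'
				rm -rf '$new'
			"
			restart_if_running_nginx
			restart_if_running_vnc
		fi
		;;

	install)
		case "$2" in
			nginx|vnc)
				# The service is already validated by the case pattern; the
				# lineage (domain) name is what still needs checking, otherwise
				# we would install dangling symlinks and the service fails to start.
				if [ -z "$3" ]; then
					install_usage
				fi
				if [ ! -d "$cur/config/live/$3" ]; then
					echo "No certificate lineage '$3' in $cur/config/live" >&2
					exit 1
				fi
				set -x
				rm -f "/etc/kvmd/$2/ssl/server."{crt,key}
				ln -s "$cur/config/live/$3/server."{crt,key} "/etc/kvmd/$2/ssl/"
				"restart_if_running_$2"
				;;
			*)
				install_usage
				;;
		esac
		;;

	--)
		shift
		create_tmp
		ensure_runroot
		sudo -u "$user" kvmd-pstrun -- certbot "$@" \
			--config-dir="$cur/config" \
			--work-dir="$cur/work" \
			--logs-dir="$cur/logs"
		;;

	*)
		echo "This command is not implemented by kvmd-certbot."
		echo "To pass it into certbot under PST context use '--'."
		echo "For example: kvmd-certbot -- $*"
		exit 1
		;;
esac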