blob: 72adb8e2ee296e5fd51156a8a5b51c7407cacaee (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
#!/bin/bash
# ========================================================================== #
# #
# KVMD - The main PiKVM daemon. #
# #
# Copyright (C) 2018-2022 Maxim Devaev <[email protected]> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <https://www.gnu.org/licenses/>. #
# #
# ========================================================================== #
set -e
export LC_ALL=C
if [ "$(whoami)" != root ]; then
echo "Only root can do that"
exit 1
fi
user=kvmd-certbot
web=/run/kvmd-certbot/webroot
pstbase=/var/lib/kvmd/pst/data/certbot
cur="$pstbase/runroot"
new="$pstbase/runroot.new"
tmp=/tmp/kvmd-certbot/runroot
function cleanup() {
rm -rf "$tmp"
}
function create_tmp() {
mkdir "$tmp" # Acts as a lock
chown "$user:" "$tmp"
trap cleanup EXIT
}
if [ "$1" == "renew" ]; then
create_tmp
cp -a "$cur"/{config,work,logs} "$tmp"
sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"*
shift
sudo -u "$user" certbot renew "$@" \
--config-dir="$tmp/config" \
--work-dir="$tmp/work" \
--logs-dir="$tmp/logs" \
--deploy-hook="/usr/bin/touch '$tmp/updated'"
if [ -f "$tmp/updated" ]; then
sudo -u "$user" kvmd-pstrun -- bash -c "
set -ex
rm -rf '$new'
cp -a '$tmp' '$new'
rm '$new/updated'
chmod 750 '$new/config/'{archive,live}
chmod 640 '$new'/config/archive/*/privkey*.pem
sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'*
sync
kvmd-helper-swapfiles '$new' '$cur'
rm -rf '$new'
"
echo "Reloading KVMD-Nginx ..."
systemctl reload kvmd-nginx || true
fi
else
create_tmp
if [ ! -d "$cur" ]; then
kvmd-pstrun -- bash -c "
set -ex
mkdir -p '$cur'
chown '$user:' '$cur'
"
fi
if [ "$1" == "certonly-webroot" ]; then
shift
sudo -u "$user" kvmd-pstrun -- certbot certonly "$@" \
--config-dir="$cur/config" \
--work-dir="$cur/work" \
--logs-dir="$cur/logs" \
--webroot \
--webroot-path="$web" \
--deploy-hook="/usr/bin/bash -c '
set -ex
chmod 750 '$cur/config/'{archive,live}
cd \"\$RENEWED_LINEAGE\"
chmod 640 privkey.pem
ln -s fullchain.pem server.crt
ln -s privkey.pem server.key
'"
else
sudo -u "$user" kvmd-pstrun -- certbot "$@" \
--config-dir="$cur/config" \
--work-dir="$cur/work" \
--logs-dir="$cur/logs"
fi
fi
|
