Added SNI config generation for Dovecot

autotest/get_previous_versions

 #!/bin/bash
 
 # If we're not on master, then install the already public versions
-if [ "$( git describe --all)" != "remotes/origin/master" ]; then
+if [[ ! $( git describe --all ) == *master ]] ; then
 
   echo "--install-recommends sympl-core"
 
 else
 
   if [ "$1" == "" ]; then
-    echo "Error: need a distro name, such as 'stretch-testing'"
+    echo "Error: need a distro name, such as 'stretch-testing'" > /dev/stderr
     exit 1
   fi
 
@@ -21,21 +21,22 @@ else
 
     # Sleep for a bit if it's not the first time
     if [ -s .install-ver ]; then
-      echo -n '.'
       sleep 10
     fi
 
     # Pull the list of packages
+    # Using £ is untidy, but means you don't have to use GNU sed
     wget -q -O - "http://packages.mythic-beasts.com/mythic/dists/$1/main/source/Sources.gz" \
     | gunzip \
     | grep -A 2 '^Package: sympl' \
     | grep -v ^Binary \
     | sed -e 's|^Package: ||' -e 's|^Version: ||' \
     | tr '\n' ' ' \
-    | sed -e 's| -- |\n|g' \
+    | sed -e 's| -- |£|g' \
+    | tr '£' '\n' \
     > .packages
 
-    # Get the newest version of each package
+    # Get the newest version of each package, other than duplicates
     cat .packages .built \
     | sort -r \
     | uniq -u \
@@ -46,12 +47,19 @@ else
     rm .install-ver
     for package in $( find . -type f -name 'changelog' | sed -e 's|^\./||' -e 's|/.*||' | tr '\n' ' ' ); do
       grep "^sympl-${package} " .install >> .install-ver
-    done  
+    done
+
+    # Check for any versions to be installed which match the ones we built, force a retry if so
+    retry=false
+    cat .built | while read line; do
+      if [ $( grep -c "$line" .install-ver ) != 0 ]; then retry=true; fi
+    done
+    if [ $retry == true ]; then echo invalid > .install-ver ; fi
 
   done
 
-  cat .install-ver | tr ' ' '=' | tr '\n' ' '
+cat .install-ver | tr ' ' '=' | tr '\n' ' '
 
-  rm .install-ver .install .packages .built
+rm .install-ver .install .packages .built
 
 fi

core/debian/changelog

+sympl-core (9.0.190620.0) stable; urgency=medium
+
+  * Added cron for sympl-ssl, making sure it runs first
+
+ -- Paul Cammish <sympl@kelduum.net>  Thu, 20 Jun 2019 12:12:00 +0100
+
 sympl-core (9.0.190619.0) stable; urgency=medium
 
   * Removed backward compatibility for /etc/symbiosis

core/debian/links

-usr/bin/sympl-encrypt-password usr/bin/symbiosis-encrypt-password
-usr/bin/sympl-ip usr/bin/symbiosis-ip
-usr/bin/sympl-ssl usr/bin/symbiosis-ssl
-usr/bin/sympl-test usr/bin/symbiosis-test
-usr/sbin/sympl-configure-ips usr/sbin/symbiosis-configure-ips
-usr/sbin/sympl-generate-dhparams usr/sbin/symbiosis-generate-dhparams
-usr/sbin/sympl-password-test usr/sbin/symbiosis-password-test
-usr/sbin/sympl-configure-ips etc/network/if-up.d/sympl-configure-ips
-usr/sbin/sympl-configure-ips etc/cron.hourly/sympl-configure-ips
+usr/bin/sympl-encrypt-password    usr/bin/symbiosis-encrypt-password
+usr/bin/sympl-ip                  usr/bin/symbiosis-ip
+usr/bin/sympl-ssl                 usr/bin/symbiosis-ssl
+usr/bin/sympl-test                usr/bin/symbiosis-test
+usr/sbin/sympl-configure-ips      usr/sbin/symbiosis-configure-ips
+usr/sbin/sympl-generate-dhparams  usr/sbin/symbiosis-generate-dhparams
+usr/sbin/sympl-password-test      usr/sbin/symbiosis-password-test
+usr/sbin/sympl-configure-ips      etc/network/if-up.d/sympl-configure-ips
+usr/sbin/sympl-configure-ips      etc/cron.hourly/sympl-configure-ips
+usr/sbin/sympl-ssl                etc/cron.hourly/00-sympl-ssl

mail/debian/install

@@ -2,6 +2,6 @@ exim4/                     etc/
 dovecot/                   etc/
 sbin/                      usr/
 sympl/firewall         etc/sympl
-sympl/ssl-hooks.d      usr/share/sympl/ssl-hooks/
+sympl/ssl-hooks.d/*      usr/share/sympl/ssl-hooks.d/
 sympl/test.d           etc/sympl
 sympl/monit.d/*        usr/share/sympl/monit/checks/

mail/debian/links

 usr/share/sympl/ssl-hooks.d/sympl-mail   etc/sympl/ssl-hooks.d/sympl-mail
+usr/sbin/sympl-mail-dovecot-sni          etc/cron.hourly/sympl-mail-dovecot-sni

mail/sbin/sympl-mail-dovecot-sni

+#/bin/bash
+
+set -e
+ 
+for certificate in $( find -L /srv/*/config/ssl/current -name 'ssl.crt' -print ); do
+  certpath="$( echo $certificate | sed 's|/config/ssl/current/.*$|/config/ssl/current|' )"
+  # Ensure there is a matching key file, and the path doesnt include an underscore
+  if [ -f "${certpath}/ssl.key" ] && [ "$certpath" != "*_*" ] ; then
+    # Go through the certs, listing all the domains, and filter them, one cert per domain.
+    openssl x509 -noout -text -in "$certificate" \
+    | grep 'Subject: CN\|DNS:' \
+    | sed -e 's|, DNS:|\n|g' -e 's|DNS:|\n|g' -e 's|.*Subject: CN = ||' \
+    | grep ^[a-zA-Z0-9] \
+    | sort | uniq \
+    | while read domain; do echo "$certpath $certificate $domain"; done
+  fi
+done | sort -k 3,3 | uniq -f 2 > /dev/shm/sympl-mail-dovecot-sni.data
+
+# Write the config snippet to /dev/shm
+echo "# Auto generated SNI configuration by sympl-mail-dovecot-sni." > /dev/shm/sympl-mail-dovecot-sni.config
+cat /dev/shm/sympl-mail-dovecot-sni.data | while read certpath certificate domain; do
+  echo "# Enable SNI for $domain"
+  echo "local_name $domain {"
+  echo "  ssl_cert = <$certificate"
+  echo "  ssl_key  = <$certpath/ssl.key"
+  echo "}"
+  echo
+done >> /dev/shm/sympl-mail-dovecot-sni.config
+
+# Compare it with what's there already.
+if [ -f "/etc/dovecot/sympl.d/10-main/60-sni" ]; then
+  if diff /dev/shm/sympl-mail-dovecot-sni.config /etc/dovecot/sympl.d/10-main/60-sni > /dev/null ; then
+    # Config has not changed, exiting.
+    exit 0
+  fi
+fi
+
+# Move the new config into place, make it and start it up
+mv /dev/shm/sympl-mail-dovecot-sni.config /etc/dovecot/sympl.d/10-main/60-sni
+cd /etc/dovecot 
+sudo make test
+
+sudo make > /dev/null
+sudo /usr/sbin/service dovecot reload
+
+if [ -f /dev/shm/sympl-mail-dovecot-sni.data ]; then rm /dev/shm/sympl-mail-dovecot-sni.data; fi
+
+exit 0

mail/sympl/ssl-hooks.d/sympl-mail

-#!/bin/sh -eu
+#!/bin/bash -eu
 
 if ! [ "$1" = "live-update" ] ; then
   echo "I: $0: Ignoring unknown hook action $1"
@@ -6,6 +6,6 @@ if ! [ "$1" = "live-update" ] ; then
 fi
 
 #
-# Only dovecot needs reloading following a certificate change
+# Rebuild Dovecot SNI Certificates and reload on cert change.
 #
-exec /usr/bin/sudo /usr/sbin/service dovecot reload
+sudo /usr/sbin/sympl-mail-dovecot-sni