Commit 8d417a99 authored by Paul Cammish's avatar Paul Cammish

Added SNI config generation for Dovecot

parent 1e3dcb5c
#!/bin/bash
# If we're not on master, then install the already public versions
if [ "$( git describe --all)" != "remotes/origin/master" ]; then
if [[ ! $( git describe --all ) == *master ]] ; then
echo "--install-recommends sympl-core"
else
if [ "$1" == "" ]; then
echo "Error: need a distro name, such as 'stretch-testing'"
echo "Error: need a distro name, such as 'stretch-testing'" > /dev/stderr
exit 1
fi
......@@ -21,21 +21,22 @@ else
# Sleep for a bit if it's not the first time
if [ -s .install-ver ]; then
echo -n '.'
sleep 10
fi
# Pull the list of packages
# Using £ is untidy, but means you don't have to use GNU sed
wget -q -O - "http://packages.mythic-beasts.com/mythic/dists/$1/main/source/Sources.gz" \
| gunzip \
| grep -A 2 '^Package: sympl' \
| grep -v ^Binary \
| sed -e 's|^Package: ||' -e 's|^Version: ||' \
| tr '\n' ' ' \
| sed -e 's| -- |\n|g' \
| sed -e 's| -- |£|g' \
| tr '£' '\n' \
> .packages
# Get the newest version of each package
# Get the newest version of each package, other than duplicates
cat .packages .built \
| sort -r \
| uniq -u \
......@@ -46,12 +47,19 @@ else
rm .install-ver
for package in $( find . -type f -name 'changelog' | sed -e 's|^\./||' -e 's|/.*||' | tr '\n' ' ' ); do
grep "^sympl-${package} " .install >> .install-ver
done
done
# Check for any versions to be installed which match the ones we built, force a retry if so
retry=false
cat .built | while read line; do
if [ $( grep -c "$line" .install-ver ) != 0 ]; then retry=true; fi
done
if [ $retry == true ]; then echo invalid > .install-ver ; fi
done
cat .install-ver | tr ' ' '=' | tr '\n' ' '
cat .install-ver | tr ' ' '=' | tr '\n' ' '
rm .install-ver .install .packages .built
rm .install-ver .install .packages .built
fi
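Review bot: The retry check that appears to be newly added (the `retry=false` block after the `for package` loop) never takes effect, because `retry=true` is assigned inside the `cat .built | while read line` pipeline, which runs in a subshell, so the `if [ $retry == true ]` test afterwards always sees `false`. Redirecting the file into the loop keeps the assignment in the current shell: `while IFS= read -r line; do if grep -qF -- "$line" .install-ver; then retry=true; fi; done < .built`. The same line also passes each `.built` entry to `grep -c` as an unanchored regex, so the dots in version numbers match any character; `-F` (fixed string) avoids accidental matches between similar package versions. The enclosing `else` branch starts before this section's first hunk.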
sympl-core (9.0.190620.0) stable; urgency=medium
* Added cron for sympl-ssl, making sure it runs first
-- Paul Cammish <sympl@kelduum.net> Thu, 20 Jun 2019 12:12:00 +0100
sympl-core (9.0.190619.0) stable; urgency=medium
* Removed backward compatibility for /etc/symbiosis
......
usr/bin/sympl-encrypt-password usr/bin/symbiosis-encrypt-password
usr/bin/sympl-ip usr/bin/symbiosis-ip
usr/bin/sympl-ssl usr/bin/symbiosis-ssl
usr/bin/sympl-test usr/bin/symbiosis-test
usr/sbin/sympl-configure-ips usr/sbin/symbiosis-configure-ips
usr/sbin/sympl-generate-dhparams usr/sbin/symbiosis-generate-dhparams
usr/sbin/sympl-password-test usr/sbin/symbiosis-password-test
usr/sbin/sympl-configure-ips etc/network/if-up.d/sympl-configure-ips
usr/sbin/sympl-configure-ips etc/cron.hourly/sympl-configure-ips
usr/bin/sympl-encrypt-password usr/bin/symbiosis-encrypt-password
usr/bin/sympl-ip usr/bin/symbiosis-ip
usr/bin/sympl-ssl usr/bin/symbiosis-ssl
usr/bin/sympl-test usr/bin/symbiosis-test
usr/sbin/sympl-configure-ips usr/sbin/symbiosis-configure-ips
usr/sbin/sympl-generate-dhparams usr/sbin/symbiosis-generate-dhparams
usr/sbin/sympl-password-test usr/sbin/symbiosis-password-test
usr/sbin/sympl-configure-ips etc/network/if-up.d/sympl-configure-ips
usr/sbin/sympl-configure-ips etc/cron.hourly/sympl-configure-ips
usr/sbin/sympl-ssl etc/cron.hourly/00-sympl-ssl
......@@ -2,6 +2,6 @@ exim4/ etc/
dovecot/ etc/
sbin/ usr/
sympl/firewall etc/sympl
sympl/ssl-hooks.d usr/share/sympl/ssl-hooks/
sympl/ssl-hooks.d/* usr/share/sympl/ssl-hooks.d/
sympl/test.d etc/sympl
sympl/monit.d/* usr/share/sympl/monit/checks/
usr/share/sympl/ssl-hooks.d/sympl-mail etc/sympl/ssl-hooks.d/sympl-mail
usr/sbin/sympl-mail-dovecot-sni etc/cron.hourly/sympl-mail-dovecot-sni
#/bin/bash
set -e
for certificate in $( find -L /srv/*/config/ssl/current -name 'ssl.crt' -print ); do
certpath="$( echo $certificate | sed 's|/config/ssl/current/.*$|/config/ssl/current|' )"
# Ensure there is a matching key file, and the path doesnt include an underscore
if [ -f "${certpath}/ssl.key" ] && [ "$certpath" != "*_*" ] ; then
# Go through the certs, listing all the domains, and filter them, one cert per domain.
openssl x509 -noout -text -in "$certificate" \
| grep 'Subject: CN\|DNS:' \
| sed -e 's|, DNS:|\n|g' -e 's|DNS:|\n|g' -e 's|.*Subject: CN = ||' \
| grep ^[a-zA-Z0-9] \
| sort | uniq \
| while read domain; do echo "$certpath $certificate $domain"; done
fi
done | sort -k 3,3 | uniq -f 2 > /dev/shm/sympl-mail-dovecot-sni.data
# Write the config snippet to /dev/shm
echo "# Auto generated SNI configuration by sympl-mail-dovecot-sni." > /dev/shm/sympl-mail-dovecot-sni.config
cat /dev/shm/sympl-mail-dovecot-sni.data | while read certpath certificate domain; do
echo "# Enable SNI for $domain"
echo "local_name $domain {"
echo " ssl_cert = <$certificate"
echo " ssl_key = <$certpath/ssl.key"
echo "}"
echo
done >> /dev/shm/sympl-mail-dovecot-sni.config
# Compare it with what's there already.
if [ -f "/etc/dovecot/sympl.d/10-main/60-sni" ]; then
if diff /dev/shm/sympl-mail-dovecot-sni.config /etc/dovecot/sympl.d/10-main/60-sni > /dev/null ; then
# Config has not changed, exiting.
exit 0
fi
fi
# Move the new config into place, make it and start it up
mv /dev/shm/sympl-mail-dovecot-sni.config /etc/dovecot/sympl.d/10-main/60-sni
cd /etc/dovecot
sudo make test
sudo make > /dev/null
sudo /usr/sbin/service dovecot reload
if [ -f /dev/shm/sympl-mail-dovecot-sni.data ]; then rm /dev/shm/sympl-mail-dovecot-sni.data; fi
exit 0
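Review bot: The shebang on the first line of the new script is `#/bin/bash`, missing the `!`, so the kernel will not recognise the file as a script and execution depends on whatever launches it (run-parts from the cron.hourly link, or `sudo` from the ssl hook) falling back to an interpreter; it should read `#!/bin/bash`. The underscore guard `[ "$certpath" != "*_*" ]` compares against the literal string `*_*` rather than a pattern, so it only ever excludes a path that is exactly `*_*`; `[[ "$certpath" != *_* ]]` (or a `case`) matches the comment's intent. The intermediate `.data` and `.config` files are written under fixed, predictable names in the world-writable `/dev/shm` by a script that runs as root, which lets any local user pre-create them; `mktemp -d` plus a `trap` to remove the directory on exit would be safer and would also clean up `.data` on the early `exit 0` path, where it is currently left behind. The domain names read out of the certificates are only checked on their first character before being interpolated into the `local_name` line, so a subject alternative name containing spaces or braces would alter the generated Dovecot config; restricting them to a hostname character set before the `while read`, e.g. `grep -E '^[A-Za-z0-9.*-]+$'`, closes that. Finally, the new snippet is moved into `/etc/dovecot/sympl.d/10-main/60-sni` before `make test` runs, so a failing test under `set -e` leaves the untested snippet in place.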
#!/bin/sh -eu
#!/bin/bash -eu
if ! [ "$1" = "live-update" ] ; then
echo "I: $0: Ignoring unknown hook action $1"
......@@ -6,6 +6,6 @@ if ! [ "$1" = "live-update" ] ; then
fi
#
# Only dovecot needs reloading following a certificate change
# Rebuild Dovecot SNI Certificates and reload on cert change.
#
exec /usr/bin/sudo /usr/sbin/service dovecot reload
sudo /usr/sbin/sympl-mail-dovecot-sni
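Review bot: Replacing the unconditional `service dovecot reload` with a call to `sympl-mail-dovecot-sni` drops the reload in the common renewal case, because that script exits 0 without reloading when the generated snippet is unchanged, and the snippet only contains certificate paths, not contents; a renewed certificate at the same path therefore no longer reaches the running Dovecot from this hook. Keeping the reload in the hook after the SNI script, `sudo /usr/sbin/sympl-mail-dovecot-sni && exec /usr/bin/sudo /usr/sbin/service dovecot reload`, or having the SNI script reload whenever it is invoked from the hook, restores the previous behaviour. The `-eu` options in the new `#!/bin/bash -eu` shebang are also lost if the hook is ever run as `bash <file>`; a `set -eu` line is the robust form.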