mirror of
https://github.com/mofeng-git/One-KVM.git
synced 2025-12-12 01:00:29 +08:00
5863004441
Second pull request for this bug. Apparently, in bash `cp -a <dir>/*` ignores dotfiles, which are often how authfiles get named, notably as per the documentation for SSL cert management for certbot plugins in the PiKVM Wiki. Using `cp -a <dir>/.` instead should catch dotfiles and all files and subdirectories correctly.
158 lines
4.6 KiB
Bash
Executable File
158 lines
4.6 KiB
Bash
Executable File
#!/bin/bash
|
|
# ========================================================================== #
|
|
# #
|
|
# KVMD - The main PiKVM daemon. #
|
|
# #
|
|
# Copyright (C) 2018-2022 Maxim Devaev <mdevaev@gmail.com> #
|
|
# #
|
|
# This program is free software: you can redistribute it and/or modify #
|
|
# it under the terms of the GNU General Public License as published by #
|
|
# the Free Software Foundation, either version 3 of the License, or #
|
|
# (at your option) any later version. #
|
|
# #
|
|
# This program is distributed in the hope that it will be useful, #
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
|
|
# GNU General Public License for more details. #
|
|
# #
|
|
# You should have received a copy of the GNU General Public License #
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>. #
|
|
# #
|
|
# ========================================================================== #
|
|
|
|
|
|
set -e
|
|
export LC_ALL=C
|
|
|
|
if [ "$(whoami)" != root ]; then
|
|
echo "Only root can do that"
|
|
exit 1
|
|
fi
|
|
|
|
user=kvmd-certbot
|
|
web=/run/kvmd-certbot/webroot
|
|
cur=/var/lib/kvmd/pst/data/certbot/runroot
|
|
new=/var/lib/kvmd/pst/data/certbot/runroot.new
|
|
tmp=/tmp/kvmd-certbot/runroot
|
|
|
|
cur_opts=("--config-dir=$cur/config" "--work-dir=$cur/work" "--logs-dir=$cur/logs")
|
|
|
|
|
|
function cleanup() {
|
|
rm -rf "$tmp"
|
|
}
|
|
|
|
function create_tmp() {
|
|
mkdir "$tmp" # Acts as a lock
|
|
chown "$user:" "$tmp"
|
|
trap cleanup EXIT
|
|
}
|
|
|
|
function ensure_runroot() {
|
|
kvmd-pstrun -- bash -c "
|
|
set -ex
|
|
mkdir -p '$cur'
|
|
chown -R '$user:' '$cur/..'
|
|
"
|
|
}
|
|
|
|
function restart_if_running() {
|
|
if systemctl is-active --quiet "$2"; then
|
|
echo "=> systemctl $1 $2"
|
|
systemctl "$1" "$2" || true
|
|
fi
|
|
}
|
|
|
|
function restart_if_running_nginx() {
|
|
restart_if_running reload kvmd-nginx
|
|
}
|
|
|
|
function restart_if_running_cloud() {
|
|
restart_if_running reload kvmd-nginx
|
|
}
|
|
|
|
function restart_if_running_vnc() {
|
|
restart_if_running restart kvmd-vnc
|
|
}
|
|
|
|
case "$1" in
|
|
-h|--help|help)
|
|
create_tmp
|
|
sudo --preserve-env -u "$user" certbot "$@" "${cur_opts[@]}"
|
|
;;
|
|
|
|
--)
|
|
shift
|
|
create_tmp
|
|
ensure_runroot
|
|
sudo --preserve-env -u "$user" kvmd-pstrun -- certbot "$@" "${cur_opts[@]}"
|
|
;;
|
|
|
|
certonly|certonly_webroot)
|
|
webroot_opts=()
|
|
if [ "$1" == certonly_webroot ]; then
|
|
webroot_opts=(--webroot "--webroot-path=$web")
|
|
fi
|
|
shift
|
|
create_tmp
|
|
ensure_runroot
|
|
sudo --preserve-env -u "$user" kvmd-pstrun -- certbot certonly "$@" "${cur_opts[@]}" \
|
|
"${webroot_opts[@]}" \
|
|
--deploy-hook="/usr/bin/bash -c '
|
|
set -ex
|
|
chmod 755 '$cur/config/'{archive,live}
|
|
chmod 640 \"\$RENEWED_LINEAGE/privkey.pem\"
|
|
'"
|
|
;;
|
|
|
|
renew)
|
|
shift
|
|
create_tmp
|
|
cp -a "$cur"/. "$tmp"
|
|
chown -R "$user:" "$tmp"
|
|
sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"*
|
|
sudo --preserve-env -u "$user" certbot renew "$@" \
|
|
--config-dir="$tmp/config" \
|
|
--work-dir="$tmp/work" \
|
|
--logs-dir="$tmp/logs" \
|
|
--deploy-hook="/usr/bin/touch '$tmp/updated'" || true
|
|
if [ -f "$tmp/updated" ]; then
|
|
sudo --preserve-env -u "$user" kvmd-pstrun -- bash -c "
|
|
set -ex
|
|
rm -rf '$new'
|
|
cp -a '$tmp'/. '$new'
|
|
rm '$new/updated'
|
|
chmod 755 '$new/config/'{archive,live}
|
|
chmod 640 '$new'/config/archive/*/privkey*.pem
|
|
sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'*
|
|
rm -rf '$new/logs/'*.log.* '$new/config/'{csr,keys}
|
|
sync
|
|
kvmd-helper-swapfiles '$new' '$cur'
|
|
rm -rf '$new'
|
|
"
|
|
restart_if_running_nginx
|
|
restart_if_running_vnc
|
|
fi
|
|
;;
|
|
|
|
install_nginx|install_vnc|install_cloud)
|
|
target="${1/install_/}"
|
|
if [ -z "$2" ]; then
|
|
echo "Usage: kvmd-certbot $1 <domain>"
|
|
exit 1
|
|
fi
|
|
set -x
|
|
rm -f "/etc/kvmd/$target/ssl/server."{crt,key}
|
|
ln -s "$cur/config/live/$2/fullchain.pem" "/etc/kvmd/$target/ssl/server.crt"
|
|
ln -s "$cur/config/live/$2/privkey.pem" "/etc/kvmd/$target/ssl/server.key"
|
|
"restart_if_running_$target"
|
|
;;
|
|
|
|
*)
|
|
echo "This command is not implemented by kvmd-certbot."
|
|
echo "To pass it into certbot under PST context use '--'."
|
|
echo "For example: kvmd-certbot -- $*"
|
|
exit 1
|
|
;;
|
|
esac
|