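#!/bin/sh
# ACME client hook: install freshly issued certificates into the local mail
# (dovecot) and chat (ejabberd) services when this host serves the certificate's
# domain.  The action names and argument order match dehydrated's hook
# interface (confirm against the client in use):
#
#   hook ACTION [ARGS...]
#   deploy_cert / unchanged_cert args: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE [TIMESTAMP]
#
# Requires /etc/local-ORG/realm (the realm name) and the Redpill host lists
# under /etc/local-REDPILL/$REALM/.  Any failing command aborts the hook (set -e).
set -e

# Print the hostnames registered with Redpill for a service, one per line.
# Prints nothing (and succeeds) when the service is not installed on this host,
# so the caller's assignment does not trip set -e.
#   $1    service name: reads /etc/local-REDPILL/$REALM/<service>host and
#         <service>althosts (either file may be missing)
#   $2..  binaries whose presence means the service is installed here
# Globals: REALM (read)
servicehosts() {
  svc=$1; shift
  for binary in "$@"; do
    command -v "$binary" > /dev/null 2>&1 || return 0
  done
  # strip '#' comments and surrounding whitespace, then one hostname per line
  cat "/etc/local-REDPILL/$REALM/${svc}host" \
      "/etc/local-REDPILL/$REALM/${svc}althosts" \
      2> /dev/null \
  | perl -0777 -pe 's/\s*\#.*//gm;s/^\s+//;s/\s+$//;s/\s+/\n/g'
}

# Succeed when $1 is exactly one of the newline-separated hostnames in $2.
# Exact fixed-string line match: a hostname that is a prefix or superstring of
# another never matches by accident, and an empty list matches nothing.
serves_domain() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Deploy the certificate for a domain to the services this host runs for it.
# Arguments: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE ...
# Globals: MAILHOSTS, CHATHOSTS (read)
# NOTE(review): first match wins, so a host that is both the mail and the chat
# host for DOMAIN only updates dovecot -- confirm that is intended.
cert_fix() {
  DOMAIN="$1"; KEYFILE="$2"; FULLCHAINFILE="$4"
  if serves_domain "$DOMAIN" "$MAILHOSTS"; then
    set -x
    cat "$FULLCHAINFILE" > "/etc/dovecot/$DOMAIN.pem"
    # Key is written under group dovecot with umask 027 (0640 on creation).
    # umask only applies to newly created files; it does not tighten the mode
    # of an existing target.  KEYFILE/DOMAIN are embedded in the sg command
    # string, so they must not contain single quotes (they come from the ACME
    # client's own configuration, not from remote input).
    sg dovecot -c "umask 027; cat '$KEYFILE' > '/etc/dovecot/private/$DOMAIN.pem'"
    service dovecot force-reload
  elif serves_domain "$DOMAIN" "$CHATHOSTS"; then
    set -x
    # ejabberd reads key and chain from a single PEM; same umask/quoting caveats
    sg ejabberd -c "umask 027; cat '$KEYFILE' '$FULLCHAINFILE' > '/etc/ejabberd/$DOMAIN.pem'"
    #service ejabberd force-reload
  fi
}

# TODO: set the OCSP file's mtime to the response expiry and skip if 48h+ away
# Fetch an OCSP response for the certificate into ocsp.der next to it.
# Arguments: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE ...
# Returns 0 without doing anything when ocsptool (GnuTLS) is not installed.
cert_staple() {
  CERTFILE="$3"; CHAINFILE="$5"
  command -v ocsptool > /dev/null 2>&1 || return 0
  CERTDIR=$(dirname "$CERTFILE")
  set -x
  ocsptool --ask --load-issuer "$CHAINFILE" --load-cert "$CERTFILE" --outfile "$CERTDIR"/ocsp.der
}

if [ $# -eq 0 ]; then
  printf 'usage: %s ACTION [ARGS...]\n' "$0" >&2
  exit 1
fi
ACTION=$1; shift
REALM=$(cat /etc/local-ORG/realm)

# Host lists are resolved once; each is empty when the service is absent here.
MAILHOSTS=$(servicehosts mail postconf)
CHATHOSTS=$(servicehosts chat ejabberdctl)

case "$ACTION" in
  deploy_challenge) ;;
  clean_challenge) ;;
  deploy_cert)
    cert_fix "$@"
    #cert_staple "$@"
    ;;
  unchanged_cert)
    #cert_fix "$@"
    #cert_staple "$@"
    ;;
  *)
    printf '%s\n' "ERROR: unsupported action \"$ACTION\"" >&2
    exit 1
    ;;
esac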