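#!/bin/sh
# Certificate deploy hook: installs a freshly issued certificate for the
# local service (dovecot, ejabberd, mumble) that owns the domain, then
# reloads that service.
#
# Usage: <script> ACTION [hook arguments...]
#   The action names handled below (deploy_cert DOMAIN KEYFILE CERTFILE
#   FULLCHAINFILE CHAINFILE ...) look like a dehydrated-style hook
#   interface — confirm against the caller.
# Requires: /etc/local-ORG/realm (realm name, used as one path component)
#   and the per-service host lists under /etc/local-REDPILL/$REALM/.
set -e
# Without an ACTION the bare `shift` would fail first: a special-builtin
# error (shell exit in POSIX sh, -e exit in bash) before the dispatcher
# gets to treat an unknown/empty action as a no-op.
ACTION=${1:-}
[ "$#" -gt 0 ] && shift
# REALM is spliced into the host-list paths; a missing realm file leaves it
# empty (the cat error still shows on stderr), which is tolerated.
REALM=$(cat /etc/local-ORG/realm) || true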
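# resolve hostnames of service installed and registered with Redpill
#
# servicehosts SERVICE BINARY...
#   SERVICE - selects /etc/local-REDPILL/$REALM/${SERVICE}host and
#             ${SERVICE}althosts (host lists; '#' starts a comment)
#   BINARY  - executables that must be on PATH; if any is missing the
#             service is treated as not installed
# Globals: REALM (read); SERVICE is assigned, but callers run this inside
#          $(...) so it does not leak into the script
# Outputs: the listed hostnames joined by '|' on stdout; empty when no
#          list file exists (stderr of cat is dropped, pipeline status is
#          perl's, so that case is still a success)
# Returns: 0 on success, 1 if a BINARY is not installed
servicehosts() {
  SERVICE=$1; shift
  for binary in "$@"; do
    # command -v is POSIX; `which --` is not portable, and `exit` here
    # would terminate the whole script if called outside a subshell
    command -v "$binary" > /dev/null 2>&1 || return 1
  done
  # perl: strip '#' comments, trim, collapse whitespace runs into '|'
  cat "/etc/local-REDPILL/$REALM/${SERVICE}host" \
    "/etc/local-REDPILL/$REALM/${SERVICE}althosts" \
    2> /dev/null \
    | perl -0777 -pe 's/\s*\#.*//gm;s/^\s+//;s/\s+$//;s/\s+/|/g'
}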
# Per-service host lists as 'host|host' strings. Empty when the service's
# binary is absent (servicehosts fails, swallowed by || true under set -e)
# or when no list file exists.
MAILHOSTS="$(servicehosts mail postconf)" || true
CHATHOSTS="$(servicehosts chat ejabberdctl)" || true
MUMBLEHOSTS="$(servicehosts mumble murmurd)" || true
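# exact-match test of a domain against a '|'-separated host list
#
# _in_hostlist DOMAIN HOSTLIST
#   HOSTLIST is servicehosts() output: hostnames joined by '|'.
# Returns: 0 if DOMAIN equals one listed host, 1 otherwise. An empty
#          DOMAIN or empty HOSTLIST never matches, so a service with no
#          registered hosts cannot be handed a certificate.
#
# Why not `case "$DOMAIN" in "$HOSTLIST")`: a variable expanded in a case
# pattern is matched literally, so the '|' that servicehosts emits is a
# plain character there, not an alternation — with two or more hosts
# listed, nothing ever matched. Wrapping both sides in '|' and looking for
# "|DOMAIN|" as a substring gives an exact whole-entry match instead.
_in_hostlist() {
  [ -n "$1" ] && [ -n "$2" ] || return 1
  case "|$2|" in
    *"|$1|"*) return 0 ;;
  esac
  return 1
}

# install a freshly issued certificate for whichever service owns DOMAIN
#
# cert_fix DOMAIN KEYFILE CERTFILE FULLCHAINFILE [...]
#   (deploy_cert hook layout; only the first four arguments are used)
# Globals: MAILHOSTS, CHATHOSTS, MUMBLEHOSTS (read) - '|'-joined host lists
# Outputs: copies key/chain into the service's config dir, group-readable
#          only (umask 027 under the service group via sg), then reloads it
# Returns: status of the last command run; 0 when DOMAIN matches no service
#
# DOMAIN and the file names are interpolated into the sg -c command strings;
# this is acceptable only because _in_hostlist first requires DOMAIN to equal
# an entry of the operator-owned host list. Note that `set -x` stays on for
# the rest of the script once a branch runs.
cert_fix() {
  DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"
  if _in_hostlist "$DOMAIN" "$MAILHOSTS"; then
    set -x
    # chain is public; the key goes under private/ with group dovecot
    cat "$FULLCHAINFILE" > "/etc/dovecot/$DOMAIN.pem"
    sg dovecot -c "umask 027; cat '$KEYFILE' > '/etc/dovecot/private/$DOMAIN.pem'"
    service dovecot force-reload
  elif _in_hostlist "$DOMAIN" "$CHATHOSTS"; then
    set -x
    # ejabberd takes key and full chain in a single file
    sg ejabberd -c "umask 027; cat '$KEYFILE' '$FULLCHAINFILE' > '/etc/ejabberd/$DOMAIN.pem'"
    service ejabberd force-reload
  elif _in_hostlist "$DOMAIN" "$MUMBLEHOSTS"; then
    set -x
    # murmur gets the key and the leaf certificate (not the full chain)
    sg mumble-server -c "umask 027; cat '$KEYFILE' > '/etc/mumble-server-$DOMAIN.key'"
    sg mumble-server -c "umask 027; cat '$CERTFILE' > '/etc/mumble-server-$DOMAIN.pem'"
    service mumble-server force-reload
  fi
}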
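# TODO: Set file changedate to OCSP expiry, and skip if 48h+ away
# fetch an OCSP response for the deployed certificate, for stapling
#
# cert_staple DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE [...]
#   same positional layout as cert_fix; only CERTFILE ($3) and CHAINFILE
#   ($5) are used
# Outputs: writes the DER-encoded response to ocsp.der next to CERTFILE
# Returns: 1 without doing anything if ocsptool is not installed,
#          otherwise the status of ocsptool
cert_staple() {
  CERTFILE="$3"; CHAINFILE="$5"
  # command -v is POSIX; `which --` is not portable
  command -v ocsptool > /dev/null 2>&1 || return 1
  CERTDIR=$(dirname "$CERTFILE")
  set -x
  # --ask with no server presumably queries the responder named in the
  # certificate (gnutls ocsptool) — confirm
  ocsptool --ask --load-issuer "$CHAINFILE" --load-cert "$CERTFILE" --outfile "$CERTDIR/ocsp.der"
}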
# Hook dispatch: ACTION picks the handler, the remaining positional
# arguments are passed through. Actions not listed here are deliberately
# ignored (the caller invokes this script for other hook points too).
case "$ACTION" in
  deploy_cert)
    cert_fix "$@"
    #cert_staple "$@"
    ;;
  unchanged_cert)
    # nothing to do yet; re-applying is left disabled
    #cert_fix "$@"
    #cert_staple "$@"
    ;;
  deploy_challenge | clean_challenge)
    ;;
esac