From 3db8f51eb0f377faa2051e484fe76708ed032ef2 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 22 Nov 2022 20:55:25 +0000 Subject: [PATCH] Shellcheck and formatting --- root/app/le-renew.sh | 1 + .../renewal-hooks/deploy/10-default | 1 + .../letsencrypt/renewal-hooks/post/10-nginx | 8 +- .../letsencrypt/renewal-hooks/pre/10-nginx | 6 +- root/etc/cont-init.d/30-test-run | 1 + root/etc/cont-init.d/31-require-url | 1 + root/etc/cont-init.d/40-folders | 1 + root/etc/cont-init.d/41-samples | 1 + root/etc/cont-init.d/42-fail2ban | 1 + root/etc/cont-init.d/43-crontabs | 1 + root/etc/cont-init.d/45-nginx | 1 + root/etc/cont-init.d/50-certbot | 157 +++++++++--------- root/etc/cont-init.d/55-permissions | 1 + root/etc/cont-init.d/60-renew | 3 +- root/etc/cont-init.d/70-outdated | 1 + root/etc/services.d/fail2ban/run | 1 + 16 files changed, 102 insertions(+), 84 deletions(-) diff --git a/root/app/le-renew.sh b/root/app/le-renew.sh index dcdb595..7f2137a 100644 --- a/root/app/le-renew.sh +++ b/root/app/le-renew.sh @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash echo "<------------------------------------------------->" echo diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default b/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default index aada3c5..e87f85c 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default +++ b/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash cd /config/keys/letsencrypt || exit 1 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx b/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx index f23a4d9..e072301 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx +++ b/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx 
@@ -1,13 +1,15 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf -if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then - if ps aux | grep 's6-supervise nginx' | grep -v grep >/dev/null; then +if [ ! "${ORIGVALIDATION}" = "dns" ] && [ ! "${ORIGVALIDATION}" = "duckdns" ]; then + if pgrep -f "s6-supervise nginx" >/dev/null; then s6-svc -u /run/service/nginx fi else - if ps aux | grep [n]ginx: >/dev/null; then + if pgrep -f "nginx:" >/dev/null; then s6-svc -h /run/service/nginx fi fi diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx b/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx index 638121c..5767c6c 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx +++ b/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx @@ -1,9 +1,11 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf -if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then - if ps aux | grep [n]ginx: >/dev/null; then +if [ ! "${ORIGVALIDATION}" = "dns" ] && [ ! "${ORIGVALIDATION}" = "duckdns" ]; then + if pgrep -f "nginx:" >/dev/null; then s6-svc -d /run/service/nginx fi fi diff --git a/root/etc/cont-init.d/30-test-run b/root/etc/cont-init.d/30-test-run index d559814..f4b2243 100644 --- a/root/etc/cont-init.d/30-test-run +++ b/root/etc/cont-init.d/30-test-run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Echo init finish for test runs if [[ -n "${TEST_RUN}" ]]; then diff --git a/root/etc/cont-init.d/31-require-url b/root/etc/cont-init.d/31-require-url index 4761521..4e936fa 100644 --- a/root/etc/cont-init.d/31-require-url +++ b/root/etc/cont-init.d/31-require-url @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # check to make sure that the required variables are set if [[ -z "${URL}" ]]; then 
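Review bot: The new `pgrep -f "nginx:"` in the else branch (and `pgrep -f "s6-supervise nginx"` above it) matches the pattern anywhere in any process's full command line, so an unrelated process that merely carries that string in its arguments would make the hook signal the nginx service; anchoring the pattern, e.g. `if pgrep -f "^nginx: " >/dev/null; then`, keeps the check to nginx's own processes. The same unanchored `pgrep -f "nginx:"` is in the pre/10-nginx hunk. While these lines are being touched, `[ ! "${ORIGVALIDATION}" = "dns" ]` reads more directly as `[ "${ORIGVALIDATION}" != "dns" ]`.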
diff --git a/root/etc/cont-init.d/40-folders b/root/etc/cont-init.d/40-folders index a244cca..87cef4e 100644 --- a/root/etc/cont-init.d/40-folders +++ b/root/etc/cont-init.d/40-folders @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # make our folders and links mkdir -p \ diff --git a/root/etc/cont-init.d/41-samples b/root/etc/cont-init.d/41-samples index b80dd41..83054d6 100644 --- a/root/etc/cont-init.d/41-samples +++ b/root/etc/cont-init.d/41-samples @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # samples are removed on init by the nginx base diff --git a/root/etc/cont-init.d/42-fail2ban b/root/etc/cont-init.d/42-fail2ban index 36ed2de..abd14b4 100644 --- a/root/etc/cont-init.d/42-fail2ban +++ b/root/etc/cont-init.d/42-fail2ban @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy/update the fail2ban config defaults to/in /config cp -R /defaults/fail2ban/filter.d /config/fail2ban/ diff --git a/root/etc/cont-init.d/43-crontabs b/root/etc/cont-init.d/43-crontabs index 2cc0d27..30065b7 100644 --- a/root/etc/cont-init.d/43-crontabs +++ b/root/etc/cont-init.d/43-crontabs @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy crontabs if needed if [[ ! -f /config/crontabs/root ]]; then diff --git a/root/etc/cont-init.d/45-nginx b/root/etc/cont-init.d/45-nginx index 87778b7..e94c92a 100644 --- a/root/etc/cont-init.d/45-nginx +++ b/root/etc/cont-init.d/45-nginx @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy default config files if they don't exist if [[ ! -f /config/nginx/proxy.conf ]]; then diff --git a/root/etc/cont-init.d/50-certbot b/root/etc/cont-init.d/50-certbot index 41d7620..5323504 100644 --- a/root/etc/cont-init.d/50-certbot +++ b/root/etc/cont-init.d/50-certbot @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Display variables for troubleshooting echo -e "Variables set:\\n\ 
@@ -18,12 +19,12 @@ STAGING=${STAGING}\\n" # Sanitize variables SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER) for i in "${SANED_VARS[@]}"; do - export echo "$i"="${!i//\"/}" - export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" + export echo "${i}"="${!i//\"/}" + export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" done # check to make sure DNSPLUGIN is selected if dns validation is used -if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then +if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." sleep infinity fi 
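Review bot: `export echo "${i}"="${!i//\"/}"` in the sanitize loop still carries the stray `echo` word, so every iteration also marks a variable named `echo` for export; for a ShellCheck pass this should become `export "${i}"="${!i//\"/}"`. The second line can drop the subshell and `tr` pipeline in favour of bash's own case conversion, `export "${i}"="${!i,,}"`, which the `bash` shebang already permits. The loop lowercases every listed variable, including URL and EMAIL; a one-line comment above it stating that the later comparisons expect lowercased values would make that deliberate rather than accidental.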
@@ -50,30 +51,30 @@ if [ -f "/config/donoteditthisfile.conf" ]; then mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf fi if [ ! -f "/config/.donoteditthisfile.conf" ]; then - echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf + echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf echo "Created .donoteditthisfile.conf" fi # load original config settings -# shellcheck disable=SC1091 +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf # set default validation to http -if [ -z "$VALIDATION" ]; then +if [ -z "${VALIDATION}" ]; then VALIDATION="http" echo "VALIDATION parameter not set; setting it to http" fi # set duckdns validation to dns -if [ "$VALIDATION" = "duckdns" ]; then +if [ "${VALIDATION}" = "duckdns" ]; then VALIDATION="dns" DNSPLUGIN="duckdns" - if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then + if [ -n "${DUCKDNSTOKEN}" ] && ! 
grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini fi fi -if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then - if [ "$SUBDOMAINS" = "wildcard" ]; then +if [ "${VALIDATION}" = "dns" ] && [ "${DNSPLUGIN}" = "duckdns" ]; then + if [ "${SUBDOMAINS}" = "wildcard" ]; then echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" export ONLY_SUBDOMAINS=true else @@ -84,16 +85,16 @@ if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then fi # if zerossl is selected or staging is set to true, use the relevant server -if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then +if [ "${CERTPROVIDER}" = "zerossl" ] && [ "${STAGING}" = "true" ]; then echo "ZeroSSL does not support staging mode, ignoring STAGING variable" fi -if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" +if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then + echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}" ACMESERVER="https://acme.zerossl.com/v2/DV90" -elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then +elif [ "${CERTPROVIDER}" = "zerossl" ] && [ -z "${EMAIL}" ]; then echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" sleep infinity -elif [ "$STAGING" = "true" ]; then +elif [ "${STAGING}" = "true" ]; then echo "NOTICE: Staging is active" echo "Using Let's Encrypt as the cert provider" ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" 
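Review bot: In the duckdns branch the token is interpolated into both a grep regex (`grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$"`) and a sed expression that uses `|` as its delimiter, so a `|`, `&`, `\` or regex metacharacter in DUCKDNSTOKEN changes the meaning of the expression instead of being matched literally. The presence test can be made literal with `grep -qFx -- "dns_duckdns_token=${DUCKDNSTOKEN}" /config/dns-conf/duckdns.ini`; the rewrite is safer as a whole-line replacement that does not pass the value through sed's replacement syntax, or at least with the delimiter choice and its assumption about the token noted in a comment. The enclosing `if [ "${VALIDATION}" = "dns" ] && [ "${DNSPLUGIN}" = "duckdns" ]` block continues past the end of this hunk.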
@@ -103,46 +104,46 @@ else fi # figuring out url only vs url & subdomains vs subdomains only -if [ -n "$SUBDOMAINS" ]; then +if [ -n "${SUBDOMAINS}" ]; then echo "SUBDOMAINS entered, processing" - if [ "$SUBDOMAINS" = "wildcard" ]; then - if [ "$ONLY_SUBDOMAINS" = true ]; then + if [ "${SUBDOMAINS}" = "wildcard" ]; then + if [ "${ONLY_SUBDOMAINS}" = true ]; then export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of $URL will be requested" + echo "Wildcard cert for only the subdomains of ${URL} will be requested" else export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for $URL will be requested" + echo "Wildcard cert for ${URL} will be requested" fi else echo "SUBDOMAINS entered, processing" - for job in $(echo "$SUBDOMAINS" | tr "," " "); do - export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" + for job in $(echo "${SUBDOMAINS}" | tr "," " "); do + export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}" done - if [ "$ONLY_SUBDOMAINS" = true ]; then - URL_REAL="$SUBDOMAINS_REAL" + if [ "${ONLY_SUBDOMAINS}" = true ]; then + URL_REAL="${SUBDOMAINS_REAL}" echo "Only subdomains, no URL in cert" else URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" fi - echo "Sub-domains processed are: $SUBDOMAINS_REAL" + echo "Sub-domains processed are: ${SUBDOMAINS_REAL}" fi else echo "No subdomains defined" - URL_REAL="-d $URL" + URL_REAL="-d ${URL}" fi # add extra domains -if [ -n "$EXTRA_DOMAINS" ]; then +if [ -n "${EXTRA_DOMAINS}" ]; then echo "EXTRA_DOMAINS entered, processing" - for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do - export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" + for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do + export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}" done - echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" - URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" + echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}" + URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}" fi # figuring out whether 
to use e-mail and which -if [[ $EMAIL == *@* ]]; then +if [[ ${EMAIL} == *@* ]]; then echo "E-mail address entered: ${EMAIL}" EMAILPARAM="-m ${EMAIL} --no-eff-email" else 
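Review bot: `for job in $(echo "${SUBDOMAINS}" | tr "," " ")` and the matching EXTRA_DOMAINS loop still rely on unquoted word-splitting of a command substitution, which ShellCheck flags and which also glob-expands each field; splitting on the delimiter directly avoids both: `IFS=',' read -r -a jobs <<<"${SUBDOMAINS}"` followed by `for job in "${jobs[@]}"; do`. The wildcard branch stores `-d *.${URL}` in URL_REAL, so the `*` only stays literal as long as nothing expands that variable unquoted in a directory holding a matching name, and the later certbot call in this file does expand it unquoted. `echo "SUBDOMAINS entered, processing"` is printed both before the wildcard check and again in its else branch; one of the two can go.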
@@ -151,34 +152,34 @@ else fi # setting the validation method to use -if [ "$VALIDATION" = "dns" ]; then - if [ "$DNSPLUGIN" = "route53" ]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi +if [ "${VALIDATION}" = "dns" ]; then + if [ "${DNSPLUGIN}" = "route53" ]; then + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then - if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi + elif [[ "${DNSPLUGIN}" =~ ^(azure|gandi)$ ]]; then + if [ -n "${PROPAGATION}" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini" - elif [[ "$DNSPLUGIN" =~ ^(duckdns)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(google)$ ]]; then + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then - if [ 
-n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then - if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi + elif [[ "${DNSPLUGIN}" =~ ^(standalone)$ ]]; then + if [ -n "${PROPAGATION}" ]; then echo "standalone dns plugin does not support setting propagation time"; fi PREFCHAL="-a dns-${DNSPLUGIN}" - elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(directadmin)$ ]]; then + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" else - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" fi echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" -elif [ "$VALIDATION" = "tls-sni" ]; then +elif [ "${VALIDATION}" = "tls-sni" ]; then PREFCHAL="--standalone --preferred-challenges http" echo "*****tls-sni validation has been deprecated, attempting http validation instead" else 
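Review bot: The dns branch repeats `if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi` in five of the plugin arms, with only directadmin using a different flag prefix; hoisting that assignment above the chain and letting the directadmin arm override it would shrink the block so each arm states only its real difference (credentials path, `-a dns-` vs `--dns-` form, `--dns-duckdns-no-txt-restore`). A short comment above the chain saying that the plugin list here must stay in sync with the DNSPLUGIN regex earlier in the file would help whoever adds the next plugin. The chain's final `else` body lies outside this hunk.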
@@ -188,11 +189,11 @@ fi # setting the symlink for key location rm -rf /config/keys/letsencrypt -if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then - DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" - ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt +if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ]; then + DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}" + ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt else - ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt + ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt fi rm -rf /config/keys/cert.crt ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt 
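Review bot: `DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"` spawns three processes to take the first comma-separated field, which parameter expansion does in-process: `DOMAIN="${SUBDOMAINS%%,*}.${URL}"` (equivalent provided SUBDOMAINS carries no leading whitespace, which the sanitize loop does not strip). The same pipeline recurs for ORIGDOMAIN in the revocation hunk below. A comment on `rm -rf /config/keys/letsencrypt` noting that it removes the symlink itself, not the live directory it points to, would make the `ln -s` that follows easier to trust.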
@@ -200,61 +201,61 @@ rm -rf /config/keys/cert.key ln -s ./letsencrypt/privkey.pem /config/keys/cert.key # checking for changes in cert variables, revoking certs if necessary -if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then +if [ ! "${URL}" = "${ORIGURL}" ] || [ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ] || [ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ] || [ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ] || [ ! "${VALIDATION}" = "${ORIGVALIDATION}" ] || [ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ] || [ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ] || [ ! "${STAGING}" = "${ORIGSTAGING}" ] || [ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]; then echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" - if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then - ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" + if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! 
"${ORIGSUBDOMAINS}" = "wildcard" ]; then + ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" else - ORIGDOMAIN="$ORIGURL" + ORIGDOMAIN="${ORIGURL}" fi - if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") - REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then + if [ "${ORIGCERTPROVIDER}" = "zerossl" ] && [ -n "${ORIGEMAIL}" ]; then + REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}") + REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "${REV_ZEROSSL_EAB_KID}" ] || [ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]; then echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
sleep infinity fi REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" - elif [ "$ORIGSTAGING" = "true" ]; then + elif [ "${ORIGSTAGING}" = "true" ]; then REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" else REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi - if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi # saving new variables -echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf +echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf # alter extension for error message -if [ "$DNSPLUGIN" = "google" ]; then - FILENAME="$DNSPLUGIN.json" +if [ "${DNSPLUGIN}" = "google" ]; then + FILENAME="${DNSPLUGIN}.json" else - FILENAME="$DNSPLUGIN.ini" + FILENAME="${DNSPLUGIN}.ini" fi # Check if the cert is using the old LE root cert, revoke and regen if necessary if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" 
] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" - if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi # generating certs if necessary if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then - if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then + if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then echo "Retrieving EAB from ZeroSSL" - EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") - ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then + EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}") + ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "${ZEROSSL_EAB_KID}" ] || [ -z "${ZEROSSL_EAB_HMAC_KEY}" ]; then echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. 
Sleeping." sleep infinity fi @@ -262,9 +263,9 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then fi echo "Generating new certificate" # shellcheck disable=SC2086 - certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL + certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL} if [ ! -d /config/keys/letsencrypt ]; then - if [ "$VALIDATION" = "dns" ]; then + if [ "${VALIDATION}" = "dns" ]; then echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." else echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" diff --git a/root/etc/cont-init.d/55-permissions b/root/etc/cont-init.d/55-permissions index 6808b20..4c50bd8 100644 --- a/root/etc/cont-init.d/55-permissions +++ b/root/etc/cont-init.d/55-permissions @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # permissions chown -R abc:abc \ diff --git a/root/etc/cont-init.d/60-renew b/root/etc/cont-init.d/60-renew index 0bc3daa..b402a0b 100644 --- a/root/etc/cont-init.d/60-renew +++ b/root/etc/cont-init.d/60-renew 
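Review bot: In the "old LE root cert" block, `certbot revoke ... --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem` reads ORIGDOMAIN, which this script only assigns inside the preceding "parameters changed" block; when the parameters are unchanged the path becomes `live//fullchain.pem`, the `-f` guard fails, the revoke is skipped and the `rm -rf` of accounts/archive/live/renewal still runs, so the cert is deleted without being revoked. The cert this branch just inspected is reachable through the symlink set up earlier, so `if [[ -f /config/keys/letsencrypt/fullchain.pem ]]; then` with `--cert-path /config/keys/letsencrypt/fullchain.pem` would revoke the right file regardless of ORIGDOMAIN. Separately, `--server ${REV_ACMESERVER}` depends on unquoted word-splitting to carry `--eab-kid`/`--eab-hmac-key` and their values (no SC2086 directive here, unlike the certonly call), which also puts the EAB HMAC key on certbot's command line; a bash array of server arguments expanded as `"${REV_SERVER_ARGS[@]}"` would make the intent explicit. `--data "email=${ORIGEMAIL}"` sends the address unencoded; `--data-urlencode "email=${ORIGEMAIL}"` handles `+` and similar characters.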
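Review bot: `certbot certonly ... --agree-tos ${URL_REAL}` deliberately word-splits its variables (SC2086 is disabled on the line above), but unquoted expansion also performs pathname expansion, and in the wildcard case URL_REAL holds `-d *.${URL}`; if the working directory happens to contain a name matching that pattern, the file name replaces the wildcard domain in the request. Wrapping the call in `set -f` / `set +f` keeps the splitting and suppresses globbing, or the arguments can be collected in an array from the start. The `if [ ! -d /config/keys/letsencrypt ]` block that follows continues past the end of this hunk.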
@@ -1,7 +1,8 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Check if the cert is expired or expires within a day, if so, renew -if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then +if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)." else echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes." diff --git a/root/etc/cont-init.d/70-outdated b/root/etc/cont-init.d/70-outdated index 04e0335..42f3ad1 100644 --- a/root/etc/cont-init.d/70-outdated +++ b/root/etc/cont-init.d/70-outdated @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash if [[ -f /config/nginx/geoip2.conf ]]; then echo "/config/nginx/geoip2.conf exists. diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run index 6f7f3af..a06f3d0 100644 --- a/root/etc/services.d/fail2ban/run +++ b/root/etc/services.d/fail2ban/run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash exec \ fail2ban-client -x -f start