Shellcheck and formatting

Eric Nemchik 2022-11-22 20:55:25 +00:00
parent 588dde99ed
commit 3db8f51eb0
16 changed files with 102 additions and 84 deletions


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
echo "<------------------------------------------------->" echo "<------------------------------------------------->"
echo echo


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
cd /config/keys/letsencrypt || exit 1 cd /config/keys/letsencrypt || exit 1
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:


@ -1,13 +1,15 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# shellcheck source=/dev/null
. /config/.donoteditthisfile.conf . /config/.donoteditthisfile.conf
if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then if [ ! "${ORIGVALIDATION}" = "dns" ] && [ ! "${ORIGVALIDATION}" = "duckdns" ]; then
if ps aux | grep 's6-supervise nginx' | grep -v grep >/dev/null; then if pgrep -f "s6-supervise nginx" >/dev/null; then
s6-svc -u /run/service/nginx s6-svc -u /run/service/nginx
fi fi
else else
if ps aux | grep [n]ginx: >/dev/null; then if pgrep -f "nginx:" >/dev/null; then
s6-svc -h /run/service/nginx s6-svc -h /run/service/nginx
fi fi
fi fi
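Review bot: `pgrep -f "s6-supervise nginx"` and `pgrep -f "nginx:"` match the pattern as an unanchored regular expression against the full command line of every process, so any process whose arguments merely contain that text also passes the test and triggers the `s6-svc` call. Anchoring the pattern limits the match to the process title, e.g. `pgrep -f "^s6-supervise nginx" >/dev/null` and `pgrep -f "^nginx: " >/dev/null`, assuming the titles begin that way in this image. The same `pgrep -f "nginx:"` test is added in the following file section and would take the same change.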


@ -1,9 +1,11 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# shellcheck source=/dev/null
. /config/.donoteditthisfile.conf . /config/.donoteditthisfile.conf
if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then if [ ! "${ORIGVALIDATION}" = "dns" ] && [ ! "${ORIGVALIDATION}" = "duckdns" ]; then
if ps aux | grep [n]ginx: >/dev/null; then if pgrep -f "nginx:" >/dev/null; then
s6-svc -d /run/service/nginx s6-svc -d /run/service/nginx
fi fi
fi fi


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# Echo init finish for test runs # Echo init finish for test runs
if [[ -n "${TEST_RUN}" ]]; then if [[ -n "${TEST_RUN}" ]]; then


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# check to make sure that the required variables are set # check to make sure that the required variables are set
if [[ -z "${URL}" ]]; then if [[ -z "${URL}" ]]; then


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# make our folders and links # make our folders and links
mkdir -p \ mkdir -p \


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# samples are removed on init by the nginx base # samples are removed on init by the nginx base


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# copy/update the fail2ban config defaults to/in /config # copy/update the fail2ban config defaults to/in /config
cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/filter.d /config/fail2ban/


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# copy crontabs if needed # copy crontabs if needed
if [[ ! -f /config/crontabs/root ]]; then if [[ ! -f /config/crontabs/root ]]; then


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# copy default config files if they don't exist # copy default config files if they don't exist
if [[ ! -f /config/nginx/proxy.conf ]]; then if [[ ! -f /config/nginx/proxy.conf ]]; then


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# Display variables for troubleshooting # Display variables for troubleshooting
echo -e "Variables set:\\n\ echo -e "Variables set:\\n\
@ -18,12 +19,12 @@ STAGING=${STAGING}\\n"
# Sanitize variables # Sanitize variables
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER) SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
for i in "${SANED_VARS[@]}"; do for i in "${SANED_VARS[@]}"; do
export echo "$i"="${!i//\"/}" export echo "${i}"="${!i//\"/}"
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
done done
# check to make sure DNSPLUGIN is selected if dns validation is used # check to make sure DNSPLUGIN is selected if dns validation is used
if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
sleep infinity sleep infinity
fi fi
@ -50,30 +51,30 @@ if [ -f "/config/donoteditthisfile.conf" ]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi fi
if [ ! -f "/config/.donoteditthisfile.conf" ]; then if [ ! -f "/config/.donoteditthisfile.conf" ]; then
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf" echo "Created .donoteditthisfile.conf"
fi fi
# load original config settings # load original config settings
# shellcheck disable=SC1091 # shellcheck source=/dev/null
. /config/.donoteditthisfile.conf . /config/.donoteditthisfile.conf
# set default validation to http # set default validation to http
if [ -z "$VALIDATION" ]; then if [ -z "${VALIDATION}" ]; then
VALIDATION="http" VALIDATION="http"
echo "VALIDATION parameter not set; setting it to http" echo "VALIDATION parameter not set; setting it to http"
fi fi
# set duckdns validation to dns # set duckdns validation to dns
if [ "$VALIDATION" = "duckdns" ]; then if [ "${VALIDATION}" = "duckdns" ]; then
VALIDATION="dns" VALIDATION="dns"
DNSPLUGIN="duckdns" DNSPLUGIN="duckdns"
if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then if [ -n "${DUCKDNSTOKEN}" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
fi fi
fi fi
if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then if [ "${VALIDATION}" = "dns" ] && [ "${DNSPLUGIN}" = "duckdns" ]; then
if [ "$SUBDOMAINS" = "wildcard" ]; then if [ "${SUBDOMAINS}" = "wildcard" ]; then
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
export ONLY_SUBDOMAINS=true export ONLY_SUBDOMAINS=true
else else
@ -84,16 +85,16 @@ if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then
fi fi
# if zerossl is selected or staging is set to true, use the relevant server # if zerossl is selected or staging is set to true, use the relevant server
if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then if [ "${CERTPROVIDER}" = "zerossl" ] && [ "${STAGING}" = "true" ]; then
echo "ZeroSSL does not support staging mode, ignoring STAGING variable" echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi fi
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then
echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
ACMESERVER="https://acme.zerossl.com/v2/DV90" ACMESERVER="https://acme.zerossl.com/v2/DV90"
elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then elif [ "${CERTPROVIDER}" = "zerossl" ] && [ -z "${EMAIL}" ]; then
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
sleep infinity sleep infinity
elif [ "$STAGING" = "true" ]; then elif [ "${STAGING}" = "true" ]; then
echo "NOTICE: Staging is active" echo "NOTICE: Staging is active"
echo "Using Let's Encrypt as the cert provider" echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
@ -103,46 +104,46 @@ else
fi fi
# figuring out url only vs url & subdomains vs subdomains only # figuring out url only vs url & subdomains vs subdomains only
if [ -n "$SUBDOMAINS" ]; then if [ -n "${SUBDOMAINS}" ]; then
echo "SUBDOMAINS entered, processing" echo "SUBDOMAINS entered, processing"
if [ "$SUBDOMAINS" = "wildcard" ]; then if [ "${SUBDOMAINS}" = "wildcard" ]; then
if [ "$ONLY_SUBDOMAINS" = true ]; then if [ "${ONLY_SUBDOMAINS}" = true ]; then
export URL_REAL="-d *.${URL}" export URL_REAL="-d *.${URL}"
echo "Wildcard cert for only the subdomains of $URL will be requested" echo "Wildcard cert for only the subdomains of ${URL} will be requested"
else else
export URL_REAL="-d *.${URL} -d ${URL}" export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested" echo "Wildcard cert for ${URL} will be requested"
fi fi
else else
echo "SUBDOMAINS entered, processing" echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
done done
if [ "$ONLY_SUBDOMAINS" = true ]; then if [ "${ONLY_SUBDOMAINS}" = true ]; then
URL_REAL="$SUBDOMAINS_REAL" URL_REAL="${SUBDOMAINS_REAL}"
echo "Only subdomains, no URL in cert" echo "Only subdomains, no URL in cert"
else else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
fi fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL" echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
fi fi
else else
echo "No subdomains defined" echo "No subdomains defined"
URL_REAL="-d $URL" URL_REAL="-d ${URL}"
fi fi
# add extra domains # add extra domains
if [ -n "$EXTRA_DOMAINS" ]; then if [ -n "${EXTRA_DOMAINS}" ]; then
echo "EXTRA_DOMAINS entered, processing" echo "EXTRA_DOMAINS entered, processing"
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
done done
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
fi fi
# figuring out whether to use e-mail and which # figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then if [[ ${EMAIL} == *@* ]]; then
echo "E-mail address entered: ${EMAIL}" echo "E-mail address entered: ${EMAIL}"
EMAILPARAM="-m ${EMAIL} --no-eff-email" EMAILPARAM="-m ${EMAIL} --no-eff-email"
else else
@ -151,34 +152,34 @@ else
fi fi
# setting the validation method to use # setting the validation method to use
if [ "$VALIDATION" = "dns" ]; then if [ "${VALIDATION}" = "dns" ]; then
if [ "$DNSPLUGIN" = "route53" ]; then if [ "${DNSPLUGIN}" = "route53" ]; then
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(azure|gandi)$ ]]; then
if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi if [ -n "${PROPAGATION}" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini" PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
elif [[ "$DNSPLUGIN" =~ ^(duckdns)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}" PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(google)$ ]]; then
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(standalone)$ ]]; then
if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi if [ -n "${PROPAGATION}" ]; then echo "standalone dns plugin does not support setting propagation time"; fi
PREFCHAL="-a dns-${DNSPLUGIN}" PREFCHAL="-a dns-${DNSPLUGIN}"
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then elif [[ "${DNSPLUGIN}" =~ ^(directadmin)$ ]]; then
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
else else
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
fi fi
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [ "$VALIDATION" = "tls-sni" ]; then elif [ "${VALIDATION}" = "tls-sni" ]; then
PREFCHAL="--standalone --preferred-challenges http" PREFCHAL="--standalone --preferred-challenges http"
echo "*****tls-sni validation has been deprecated, attempting http validation instead" echo "*****tls-sni validation has been deprecated, attempting http validation instead"
else else
@ -188,11 +189,11 @@ fi
# setting the symlink for key location # setting the symlink for key location
rm -rf /config/keys/letsencrypt rm -rf /config/keys/letsencrypt
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ]; then
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
else else
ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
fi fi
rm -rf /config/keys/cert.crt rm -rf /config/keys/cert.crt
ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
@ -200,61 +201,61 @@ rm -rf /config/keys/cert.key
ln -s ./letsencrypt/privkey.pem /config/keys/cert.key ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
# checking for changes in cert variables, revoking certs if necessary # checking for changes in cert variables, revoking certs if necessary
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then if [ ! "${URL}" = "${ORIGURL}" ] || [ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ] || [ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ] || [ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ] || [ ! "${VALIDATION}" = "${ORIGVALIDATION}" ] || [ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ] || [ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ] || [ ! "${STAGING}" = "${ORIGSTAGING}" ] || [ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
else else
ORIGDOMAIN="$ORIGURL" ORIGDOMAIN="${ORIGURL}"
fi fi
if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then if [ "${ORIGCERTPROVIDER}" = "zerossl" ] && [ -n "${ORIGEMAIL}" ]; then
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then if [ -z "${REV_ZEROSSL_EAB_KID}" ] || [ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity sleep infinity
fi fi
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
elif [ "$ORIGSTAGING" = "true" ]; then elif [ "${ORIGSTAGING}" = "true" ]; then
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else else
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi fi
if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
# saving new variables # saving new variables
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
# alter extension for error message # alter extension for error message
if [ "$DNSPLUGIN" = "google" ]; then if [ "${DNSPLUGIN}" = "google" ]; then
FILENAME="$DNSPLUGIN.json" FILENAME="${DNSPLUGIN}.json"
else else
FILENAME="$DNSPLUGIN.ini" FILENAME="${DNSPLUGIN}.ini"
fi fi
# Check if the cert is using the old LE root cert, revoke and regen if necessary # Check if the cert is using the old LE root cert, revoke and regen if necessary
if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
# generating certs if necessary # generating certs if necessary
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then
echo "Retrieving EAB from ZeroSSL" echo "Retrieving EAB from ZeroSSL"
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then if [ -z "${ZEROSSL_EAB_KID}" ] || [ -z "${ZEROSSL_EAB_HMAC_KEY}" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity sleep infinity
fi fi
@ -262,9 +263,9 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
fi fi
echo "Generating new certificate" echo "Generating new certificate"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
if [ ! -d /config/keys/letsencrypt ]; then if [ ! -d /config/keys/letsencrypt ]; then
if [ "$VALIDATION" = "dns" ]; then if [ "${VALIDATION}" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
else else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
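Review bot: The state file written by `echo -e "ORIGURL=\"${URL}\" ..." >/config/.donoteditthisfile.conf` (both the first-run write and the "saving new variables" write) is later executed with `. /config/.donoteditthisfile.conf`, but the values are interpolated raw. Only `"` is stripped in the SANED_VARS loop, PROPAGATION is not in that list, and `echo -e` also interprets backslashes, so a value containing `$`, a backtick or a backslash is expanded or run when the file is sourced. Writing each assignment shell-quoted closes that gap, e.g. `for v in URL SUBDOMAINS ONLY_SUBDOMAINS EXTRA_DOMAINS VALIDATION DNSPLUGIN PROPAGATION STAGING CERTPROVIDER EMAIL; do printf 'ORIG%s=%q\n' "${v}" "${!v}"; done >/config/.donoteditthisfile.conf`. The last hunk ends inside the `if [ ! -d /config/keys/letsencrypt ]` block, which continues outside the view.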


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# permissions # permissions
chown -R abc:abc \ chown -R abc:abc \


@ -1,7 +1,8 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
# Check if the cert is expired or expires within a day, if so, renew # Check if the cert is expired or expires within a day, if so, renew
if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)." echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
else else
echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes." echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
if [[ -f /config/nginx/geoip2.conf ]]; then if [[ -f /config/nginx/geoip2.conf ]]; then
echo "/config/nginx/geoip2.conf exists. echo "/config/nginx/geoip2.conf exists.


@ -1,4 +1,5 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash
exec \ exec \
fail2ban-client -x -f start fail2ban-client -x -f start