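#!/bin/bash
# nginx container entrypoint.
#
# Steps, in order:
#   1. add the return route for secondaries that reach us through the VPN
#   2. write the Prometheus basic-auth htpasswd file
#   3. pick user-provided certificates from /etc/ssl/private/ or, if any are
#      missing, fall back to freshly generated self-signed ones in /autocert/
#   4. render the nginx config from the environment and start nginx
#   5. (user-provided certs only) reload nginx when certificate files change
#
# Required environment: DESECSTACK_DOMAIN, DESECSTACK_PROMETHEUS_PASSWORD.
# DESECSTACK_WWW_CERTS is only used in messages to the user.
# The script exits non-zero whenever nginx stops, so the orchestrator treats
# a stopped nginx as a failure (same contract as before).

# Correctly route responses when secondaries access through VPN
/sbin/ip route add 10.8.0.0/24 via 172.16.7.2

# Without the domain every name below is malformed; fail early instead.
[[ -z "${DESECSTACK_DOMAIN}" ]] && { echo "You must set DESECSTACK_DOMAIN to a non-empty value." >&2; exit 1; }

# Prometheus basic auth
[[ -z "${DESECSTACK_PROMETHEUS_PASSWORD}" ]] && { echo "You must set DESECSTACK_PROMETHEUS_PASSWORD to a non-empty value." >&2; exit 1; }
# The password reaches openssl via stdin, not argv, so it is not visible in
# `ps` or a `set -x` trace. The here-string is quoted so a password with
# whitespace or glob characters is hashed verbatim. An empty hash would be a
# broken credential, so a hashing failure aborts start-up.
hashed_password=$(openssl passwd -apr1 -stdin <<< "${DESECSTACK_PROMETHEUS_PASSWORD}") \
  || { echo "Error: hashing DESECSTACK_PROMETHEUS_PASSWORD failed." >&2; exit 1; }
printf 'prometheus:%s\n' "${hashed_password}" > /etc/nginx/htpasswd

# list of domains we're using
DOMAINS=(
  "checkipv4.dedyn.${DESECSTACK_DOMAIN}"
  "checkipv6.dedyn.${DESECSTACK_DOMAIN}"
  "checkip.dedyn.${DESECSTACK_DOMAIN}"
  "dedyn.${DESECSTACK_DOMAIN}"
  "desec.${DESECSTACK_DOMAIN}"
  "update6.dedyn.${DESECSTACK_DOMAIN}"
  "update.dedyn.${DESECSTACK_DOMAIN}"
  "www.dedyn.${DESECSTACK_DOMAIN}"
  "get.desec.${DESECSTACK_DOMAIN}"
  "www.desec.${DESECSTACK_DOMAIN}"
)

# list of files we expect at /etc/ssl/private/, one per line.
# Both lists are sorted with the same locale so comm(1) can compare them.
FILES_NEEDED=$(for domain in "${DOMAINS[@]}"; do printf '%s.cer\n%s.key\n' "$domain" "$domain"; done | LC_ALL=C sort)
# Directory contents via a glob instead of parsing ls; a missing or empty
# directory yields an empty list, i.e. every file is reported missing.
FILES_PRESENT=$(cd /etc/ssl/private 2>/dev/null && shopt -s nullglob && printf '%s\n' * | LC_ALL=C sort)
# Names only in the needed list. comm is used instead of diff because the
# diff output format (and thus the marker character) differs between
# implementations; comm -23 is unambiguous.
FILES_MISSING=$(LC_ALL=C comm -23 <(printf '%s\n' "$FILES_NEEDED") <(printf '%s\n' "$FILES_PRESENT"))

# link certs
if [[ -n "$FILES_MISSING" ]]; then
  # generate certificates
  mkdir -p /autocert/
  (
    cd /autocert/ || exit 1
    echo "Autogenerating certificates for www in " "$(pwd)"
    for domain in "${DOMAINS[@]}"; do
      echo "Autogenerating certificate for $domain ..."
      # One-day self-signed stand-in; it is only meant to let nginx start
      # until real certificates are provided, hence the short lifetime.
      openssl req \
        -newkey rsa:2048 \
        -nodes \
        -keyout "$domain.key" \
        -x509 \
        -days 1 \
        -out "$domain.cer" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=deSEC/OU=autocert/CN=$domain" \
        -addext "subjectAltName = DNS:$domain"
    done
    echo "Autogeneration completed. Your certificates in " "$(pwd)" ":"
    ls -1
  ) || { echo "Error: could not enter /autocert/ to generate certificates." >&2; exit 1; }
  # inform the user
  echo "############################################################"
  echo "WARNING some certificate or key files are missing, falling"
  echo " back to auto-generated self-signed certificates"
  echo "############################################################"
  echo "####### your files in $DESECSTACK_WWW_CERTS:"
  ls -1 /etc/ssl/private/
  echo "############################################################"
  echo "####### missing in $DESECSTACK_WWW_CERTS:"
  printf '%s\n' "$FILES_MISSING"
  echo "############################################################"
  # setup certificate path
  export CERT_PATH=/autocert/
else
  # inform the user
  echo "Found all certificates, using user-provided certificates."
  # remove any obsolete autogenerated certs
  rm -f /autocert/*
  # setup certificate path
  export CERT_PATH=/etc/ssl/private/
fi

# replace environment references in config files
/etc/nginx/envreplace.sh

# Start nginx in the foreground as a background child. exec replaces the
# subshell, so $! is the nginx master itself and a TERM sent to $nginx_pid
# reaches nginx rather than a wrapper shell that would leave nginx orphaned.
(
  echo "Starting nginx"
  exec nginx -g 'daemon off;'
) &
nginx_pid=$!
echo "nginx PID: ${nginx_pid}"

# When this script is the container's PID 1 it only receives TERM/INT if it
# traps them; forward them to nginx so a container stop shuts nginx down.
got_signal=0
trap 'got_signal=1; kill -TERM "$nginx_pid" 2>/dev/null' TERM INT

if [[ -z "$FILES_MISSING" ]]; then
  (
    echo "Setting up monitoring for certificate files in $CERT_PATH"
    # Each event is logged; nginx is only reloaded if the config (and thus the
    # new certificate/key pair) passes nginx -t.
    inotifywait -m -e create,modify,move,delete "$CERT_PATH" | while IFS= read -r line; do
      echo "File update detected: $line"
      if nginx -t; then
        echo "Reloading nginx with new configuration"
        nginx -s reload
      else
        echo "Error: invalid nginx configuration"
      fi
    done
    # Reached only when inotifywait stops; take nginx down with it.
    echo "inotifywait failed, killing nginx with PID ${nginx_pid}"
    kill -TERM "$nginx_pid"
  ) &
else
  echo "Warning: Not monitoring certificate rotation as not all certificates were provided"
fi

# Block until nginx exits. A trapped signal makes wait return early (status
# > 128) before nginx has exited; wait once more to collect its real status.
wait "$nginx_pid"
nginx_status=$?
if (( got_signal )); then
  wait "$nginx_pid"
  nginx_status=$?
fi
echo "nginx exited with status ${nginx_status}" >&2
# A stopped nginx is always a failure of this container.
exit 1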