add NPM scripts

This commit is contained in:
Mario Fetka 2024-01-07 12:01:42 +01:00
parent f9a2f5f43e
commit d275cfeac6
4 changed files with 92 additions and 1 deletions


@ -1,2 +1,4 @@
# snippets
# Script Collection
Welcome to the Geos One Snippets - a collection of useful Bash, Perl, and Python scripts for .


@ -0,0 +1,13 @@
# Nginx Proxy Manager Cert Deploy
These scripts expect that the install of the NPM is done with the Proxmox Helper Scripts from https://tteck.github.io/Proxmox/
The script bucket-ssl schould be copied to /etc/cron.daily/ and the exicution bit set
scp bucket-ssl root@aaa.bbb.ccc.ddd:/etc/cron.daily/
ssh root@aaa.bbb.ccc.ddd -f 'chmod +x /etc/cron.daily/bucket-ssl'
The script for the sites must be edited to your liking and also copied to the host where the script is needed.
scp site-ssl root@eee.fff.ggg.hhh:/etc/cron.daily/
ssh root@eee.fff.ggg.hhh -f 'chmod +x /etc/cron.daily/site-ssl'


@ -0,0 +1,28 @@
#!/usr/bin/env bash
# Then endpoint for the s3 compatible storage in most cases a minio install
ENDPOINT_URL="https://minio.example.com"
# Some services prefere a pfx cert store file the follwing password ist for that store.
PFX_PASSWORD=securepw
####################################################
set -e
RENEWED_DOMAINS=`ls /etc/letsencrypt/live/`
echo $RENEWED_DOMAINS
for domain in $RENEWED_DOMAINS; do
echo $domain
DOMAINNAME=`openssl x509 -noout -text -in /etc/letsencrypt/live/$domain/cert.pem | grep DNS: | sed 's/^.*,//' | sed 's/^.*DNS://'`
cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > /tmp/$DOMAINNAME.pem
openssl pkcs12 -export -out /tmp/$DOMAINNAME.pfx -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -password pass:$PFX_PASSWORD
# Just an example, you can use any non-sensitive storage medium you want
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/fullchain.pem" "s3://certs/$DOMAINNAME.fullchain"
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/chain.pem" "s3://certs/$DOMAINNAME.chain"
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/cert.pem" "s3://certs/$DOMAINNAME.crt"
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/privkey.pem" "s3://certs/$DOMAINNAME.key"
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pem" "s3://certs/$DOMAINNAME.pem"
aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pfx" "s3://certs/$DOMAINNAME.pfx"
rm -f /tmp/$DOMAINNAME.pem
rm -f /tmp/$DOMAINNAME.pfx
done
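Review bot: The private key ends up in world-readable `/tmp` under a predictable name (`/tmp/$DOMAINNAME.pem` and `/tmp/$DOMAINNAME.pfx` in the `cat` and `openssl pkcs12` lines) with the default umask, so any local user can read the concatenated key for as long as the script runs, and the same key material (`privkey.pem`, the `.pem`, the `.pfx`) is then uploaded to the bucket that the companion site-ssl script fetches with an unauthenticated `curl` — that contradicts the "any non-sensitive storage medium" comment and only holds if the bucket is private and access-controlled. The PFX password is also passed as `-password pass:$PFX_PASSWORD`, which exposes it on the command line to `ps` for every user on the host. I would create a mode-0700 temp directory with `umask 077` and `mktemp -d`, remove it from an `EXIT` trap, write the `.pem`/`.pfx` there, and hand the password to openssl via `-passout env:PFX_PASSWORD`; the `aws s3 cp` lines then read from `"$tmpdir/…"`. Independently, `RENEWED_DOMAINS` is built by parsing `ls` and `$DOMAINNAME`, `$ENDPOINT_URL` and the `/tmp` paths are unquoted, so a domain or endpoint containing spaces or glob characters splits into several words; quoting them and iterating `for d in /etc/letsencrypt/live/*/` would make the loop robust.
```shell
umask 077
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT
# … unchanged: RENEWED_DOMAINS loop header and DOMAINNAME derivation …
cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > "$tmpdir/$DOMAINNAME.pem"
PFX_PASSWORD="$PFX_PASSWORD" openssl pkcs12 -export -out "$tmpdir/$DOMAINNAME.pfx" -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -passout env:PFX_PASSWORD
# … unchanged: aws s3 cp uploads, now sourcing "$tmpdir/$DOMAINNAME.pem" and "$tmpdir/$DOMAINNAME.pfx"; the rm -f lines are replaced by the EXIT trap …
```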

48
nginx-proxy-manager/site-ssl Executable file

@ -0,0 +1,48 @@
#!/usr/bin/env bash
# Domain specifies the site for withc you download the certs
DOMAIN="site.example.com"
# Bucket is the source for the cert
BUCKET="https://minio.example.com/certs"
# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box
# for other services the download path must be changed acordingly.
# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service
SERVICE="nginx"
MAXWAIT=30
# Put this in crontab for every 12 hours
# Assuming Apache, and that your private key and certificate are located in
# - /etc/apache2/privkey.pem
# - /etc/apache2/fullchain.pem , respectively
#set -euf -o pipefail
sleep $((RANDOM % MAXWAIT))
# Create teh needed Directory in the Service Config Directory
mkdir -p /etc/$SERVICE/ssl
# Download the latest certificate to a temporarily location so we can check validity
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx
# Verify the certificate is valid for our existing key (should be)
MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5`
MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5`
if [ "$MOD_CRT" != "$MOD_KEY" ]; then
echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
#exit 1
fi
# Deploy the certificate and graceful reload
echo "New certificate: " `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer`
systemctl reload $SERVICE