From d275cfeac63a25fa74f7d43e04d26cf2ee4aa288 Mon Sep 17 00:00:00 2001
From: Mario Fetka <mario.fetka@gmail.com>
Date: Sun, 7 Jan 2024 12:01:42 +0100
Subject: [PATCH] add NPM scripts

---
 README.md                        |  4 ++-
 nginx-proxy-manager/README.md    | 13 +++++++++
 nginx-proxy-manager/certs-bucket | 28 +++++++++++++++++++
 nginx-proxy-manager/site-ssl     | 48 ++++++++++++++++++++++++++++++++
 4 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 nginx-proxy-manager/README.md
 create mode 100755 nginx-proxy-manager/certs-bucket
 create mode 100755 nginx-proxy-manager/site-ssl

diff --git a/README.md b/README.md
index 8dd3762..5ca9949 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
-# snippets
+# Script Collection
+
+Welcome to the Geos One Snippets - a collection of useful Bash, Perl, and Python scripts for .
 
diff --git a/nginx-proxy-manager/README.md b/nginx-proxy-manager/README.md
new file mode 100644
index 0000000..0573fb9
--- /dev/null
+++ b/nginx-proxy-manager/README.md
@@ -0,0 +1,13 @@
+# Nginx Proxy Manager Cert Deploy
+
+These scripts expect that the install of the NPM is done with the Proxmox Helper Scripts from https://tteck.github.io/Proxmox/
+
+The script bucket-ssl schould be copied to /etc/cron.daily/ and the exicution bit set
+
+scp bucket-ssl root@aaa.bbb.ccc.ddd:/etc/cron.daily/
+ssh root@aaa.bbb.ccc.ddd -f 'chmod +x /etc/cron.daily/bucket-ssl'
+
+The script for the sites must be edited to your liking and also copied to the host where the script is needed.
+
+scp site-ssl root@eee.fff.ggg.hhh:/etc/cron.daily/
+ssh root@eee.fff.ggg.hhh -f 'chmod +x /etc/cron.daily/site-ssl'
diff --git a/nginx-proxy-manager/certs-bucket b/nginx-proxy-manager/certs-bucket
new file mode 100755
index 0000000..cce2a23
--- /dev/null
+++ b/nginx-proxy-manager/certs-bucket
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Then endpoint for the s3 compatible storage in most cases a minio install
+ENDPOINT_URL="https://minio.example.com"
+
+# Some services prefere a pfx cert store file the follwing password ist for that store.
+PFX_PASSWORD=securepw
+
+####################################################
+set -e
+
+RENEWED_DOMAINS=`ls /etc/letsencrypt/live/`
+echo $RENEWED_DOMAINS
+for domain in $RENEWED_DOMAINS; do
+echo $domain
+  DOMAINNAME=`openssl x509 -noout -text -in /etc/letsencrypt/live/$domain/cert.pem | grep DNS: | sed 's/^.*,//' | sed 's/^.*DNS://'`
+  cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > /tmp/$DOMAINNAME.pem
+  openssl pkcs12 -export -out /tmp/$DOMAINNAME.pfx -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -password pass:$PFX_PASSWORD
+   # Just an example, you can use any non-sensitive storage medium you want
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/fullchain.pem" "s3://certs/$DOMAINNAME.fullchain"
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/chain.pem" "s3://certs/$DOMAINNAME.chain"
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/cert.pem" "s3://certs/$DOMAINNAME.crt"
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/privkey.pem" "s3://certs/$DOMAINNAME.key"
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pem" "s3://certs/$DOMAINNAME.pem"
+  aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pfx" "s3://certs/$DOMAINNAME.pfx"
+  rm -f /tmp/$DOMAINNAME.pem
+  rm -f /tmp/$DOMAINNAME.pfx
+done
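Review bot: The concatenated fullchain+privkey at `/tmp/$DOMAINNAME.pem` and the PKCS#12 at `/tmp/$DOMAINNAME.pfx` are written under a predictable name in a shared directory with the default umask, so another local account can read the private key during the upload window or pre-place a file/symlink at that path before `cat ... >` runs. Create a private scratch directory instead: `umask 077`, `WORKDIR=$(mktemp -d) || exit 1`, `trap 'rm -rf -- "$WORKDIR"' EXIT`, and replace the six `/tmp/$DOMAINNAME` references (the `cat`, `openssl pkcs12 -export -out`, two `s3 cp` sources and two `rm -f`) with `$WORKDIR/$DOMAINNAME`; the trap also makes the `rm -f` lines redundant and runs even when `set -e` aborts mid-loop. The comment "you can use any non-sensitive storage medium you want" above the `aws` block is misleading, since the same block uploads `privkey.pem`, the `.pem` bundle and the `.pfx`, which are all secret material; I would reword it to `# The bucket receives the private key: it must be access-controlled and served over TLS only`. Separately, `RENEWED_DOMAINS=\`ls /etc/letsencrypt/live/\`` and the unquoted `$DOMAINNAME` in the `cat`, `openssl` and `rm` arguments word-split on unusual names; `for domain in /etc/letsencrypt/live/*/` with quoted expansions avoids that, and `sed 's/^.*,//'` keeps only the last SAN so multi-name certs are uploaded under that single name, which is presumably intended but worth a comment.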
diff --git a/nginx-proxy-manager/site-ssl b/nginx-proxy-manager/site-ssl
new file mode 100755
index 0000000..9a0df3a
--- /dev/null
+++ b/nginx-proxy-manager/site-ssl
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Domain specifies the site for withc you download the certs
+DOMAIN="site.example.com"
+
+# Bucket is the source for the cert
+BUCKET="https://minio.example.com/certs"
+
+# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box
+# for other services the download path must be changed acordingly.
+# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service
+SERVICE="nginx"
+
+MAXWAIT=30
+
+# Put this in crontab for every 12 hours
+# Assuming Apache, and that your private key and certificate are located in
+# - /etc/apache2/privkey.pem
+# - /etc/apache2/fullchain.pem , respectively
+
+#set -euf -o pipefail
+
+sleep $((RANDOM % MAXWAIT))
+
+# Create teh needed Directory in the Service Config Directory
+mkdir -p /etc/$SERVICE/ssl
+
+# Download the latest certificate to a temporarily location so we can check validity
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx
+
+
+# Verify the certificate is valid for our existing key (should be)
+MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5`
+MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5`
+if [ "$MOD_CRT" != "$MOD_KEY" ]; then
+  echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
+  #exit 1
+fi
+
+# Deploy the certificate and graceful reload
+echo "New certificate: "  `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer`
+
+systemctl reload $SERVICE
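Review bot: The modulus check in the `if [ "$MOD_CRT" != "$MOD_KEY" ]` block only prints a message because `exit 1` is commented out, and the six `curl -s` calls above it have already written straight into `/etc/$SERVICE/ssl/`, so a failed or mismatched download still reaches `systemctl reload $SERVICE`; `curl` without `-f` even stores an HTTP error page as `$DOMAIN.key`. The comment "Download the latest certificate to a temporarily location so we can check validity" describes what the script should do but not what it does, and with `set -euf -o pipefail` commented out a failing `openssl` or `curl` is silently ignored as well. The private key and `.pfx` are also created with the default umask, i.e. typically world-readable. I would download into a `mktemp -d` directory, fail closed on any curl or modulus error, and only then install the verified files with explicit modes, keeping the trailing `echo`/`systemctl reload` lines unchanged.
```shell
set -euf -o pipefail
umask 077

# … unchanged: sleep $((RANDOM % MAXWAIT)) and mkdir -p /etc/$SERVICE/ssl …

# Download into a private scratch dir; the live paths are untouched until
# the key/cert pair has been verified.
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT
for ext in fullchain chain crt key pem pfx; do
  curl -sSf -o "$WORKDIR/$DOMAIN.$ext" "$BUCKET/$DOMAIN.$ext"
done

# Verify the certificate matches the key before deploying anything
MOD_CRT=$(openssl x509 -modulus -noout -in "$WORKDIR/$DOMAIN.crt" | openssl md5)
MOD_KEY=$(openssl rsa -modulus -noout -in "$WORKDIR/$DOMAIN.key" | openssl md5)
if [ "$MOD_CRT" != "$MOD_KEY" ]; then
  echo "Key didn't match: $MOD_CRT vs $MOD_KEY" >&2
  exit 1
fi

# Install the verified files; secret material stays owner-only
for ext in fullchain chain crt pem; do
  install -m 0644 -- "$WORKDIR/$DOMAIN.$ext" "/etc/$SERVICE/ssl/$DOMAIN.$ext"
done
install -m 0600 -- "$WORKDIR/$DOMAIN.key" "/etc/$SERVICE/ssl/$DOMAIN.key"
install -m 0600 -- "$WORKDIR/$DOMAIN.pfx" "/etc/$SERVICE/ssl/$DOMAIN.pfx"

# … unchanged: "New certificate:" echo and systemctl reload $SERVICE …
```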
\ No newline at end of file