add NPM scripts
This commit is contained in:
parent
f9a2f5f43e
commit
d275cfeac6
@ -1,2 +1,4 @@
|
|||||||
# snippets
|
# Script Collection
|
||||||
|
|
||||||
|
Welcome to the Geos One Snippets - a collection of useful Bash, Perl, and Python scripts for .
|
||||||
|
|
||||||
|
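--- a/nginx-proxy-manager/README.md
+++ b/nginx-proxy-manager/README.md
@@ -0,0 +1,13 @@
+# Nginx Proxy Manager Cert Deploy
+
+These scripts expect that the install of the NPM is done with the Proxmox Helper Scripts from https://tteck.github.io/Proxmox/
+
+The script bucket-ssl schould be copied to /etc/cron.daily/ and the exicution bit set
+
+scp bucket-ssl root@aaa.bbb.ccc.ddd:/etc/cron.daily/
+ssh root@aaa.bbb.ccc.ddd -f 'chmod +x /etc/cron.daily/bucket-ssl'
+
+The script for the sites must be edited to your liking and also copied to the host where the script is needed.
+
+scp site-ssl root@eee.fff.ggg.hhh:/etc/cron.daily/
+ssh root@eee.fff.ggg.hhh -f 'chmod +x /etc/cron.daily/site-ssl'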
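--- a/nginx-proxy-manager/certs-bucket
+++ b/nginx-proxy-manager/certs-bucket
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Then endpoint for the s3 compatible storage in most cases a minio install
+ENDPOINT_URL="https://minio.example.com"
+
+# Some services prefere a pfx cert store file the follwing password ist for that store.
+PFX_PASSWORD=securepw
+
+####################################################
+set -e
+
+RENEWED_DOMAINS=`ls /etc/letsencrypt/live/`
+echo $RENEWED_DOMAINS
+for domain in $RENEWED_DOMAINS; do
+echo $domain
+DOMAINNAME=`openssl x509 -noout -text -in /etc/letsencrypt/live/$domain/cert.pem | grep DNS: | sed 's/^.*,//' | sed 's/^.*DNS://'`
+cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > /tmp/$DOMAINNAME.pem
+openssl pkcs12 -export -out /tmp/$DOMAINNAME.pfx -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -password pass:$PFX_PASSWORD
+# Just an example, you can use any non-sensitive storage medium you want
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/fullchain.pem" "s3://certs/$DOMAINNAME.fullchain"
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/chain.pem" "s3://certs/$DOMAINNAME.chain"
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/cert.pem" "s3://certs/$DOMAINNAME.crt"
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/privkey.pem" "s3://certs/$DOMAINNAME.key"
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pem" "s3://certs/$DOMAINNAME.pem"
+aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pfx" "s3://certs/$DOMAINNAME.pfx"
+rm -f /tmp/$DOMAINNAME.pem
+rm -f /tmp/$DOMAINNAME.pfx
+done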
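Review bot: The private key is written with the default umask to a predictable, world-writable location (`cat … > /tmp/$DOMAINNAME.pem`, and the pfx next to it), and the PFX password is passed on the command line (`-password pass:$PFX_PASSWORD`), where it is visible to every local user via the process list; a `umask 077` plus a `mktemp -d` scratch directory with an EXIT trap, and `-passout env:PFX_PASSWORD` with the variable exported, close both gaps. The same loop also uploads `privkey.pem`, the combined `.pem` and the `.pfx` to `s3://certs/`, so that bucket must stay private and authenticated even though the comment above the `aws` calls describes the target as "non-sensitive storage"; the companion `site-ssl` fetches these objects with an unauthenticated `curl`, which only works if the bucket is readable, so the access policy deserves an explicit comment here. Also note the README in this commit installs the script under the name `bucket-ssl`, while the file added here is `certs-bucket`.
```bash
# … unchanged: ENDPOINT_URL / PFX_PASSWORD settings …
set -e
umask 077                        # scratch copies of the private key must not be world-readable
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT  # replaces the two trailing rm -f lines
export PFX_PASSWORD              # read by openssl via -passout env:, never placed on argv
# … unchanged: domain loop and DOMAINNAME extraction …
cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > "$tmpdir/$DOMAINNAME.pem"
openssl pkcs12 -export -out "$tmpdir/$DOMAINNAME.pfx" -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -passout env:PFX_PASSWORD
# … unchanged: aws s3 cp uploads, reading "$tmpdir/$DOMAINNAME.pem" and "$tmpdir/$DOMAINNAME.pfx" instead of /tmp/… …
```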
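--- a/nginx-proxy-manager/site-ssl
+++ b/nginx-proxy-manager/site-ssl
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Domain specifies the site for withc you download the certs
+DOMAIN="site.example.com"
+
+# Bucket is the source for the cert
+BUCKET="https://minio.example.com/certs"
+
+# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box
+# for other services the download path must be changed acordingly.
+# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service
+SERVICE="nginx"
+
+MAXWAIT=30
+
+# Put this in crontab for every 12 hours
+# Assuming Apache, and that your private key and certificate are located in
+# - /etc/apache2/privkey.pem
+# - /etc/apache2/fullchain.pem , respectively
+
+#set -euf -o pipefail
+
+sleep $((RANDOM % MAXWAIT))
+
+# Create teh needed Directory in the Service Config Directory
+mkdir -p /etc/$SERVICE/ssl
+
+# Download the latest certificate to a temporarily location so we can check validity
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem
+curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx
+
+
+# Verify the certificate is valid for our existing key (should be)
+MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5`
+MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5`
+if [ "$MOD_CRT" != "$MOD_KEY" ]; then
+echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
+#exit 1
+fi
+
+# Deploy the certificate and graceful reload
+echo "New certificate: " `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer`
+
+systemctl reload $SERVICE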