Update configurations for dehydrated deployment.

2025-09-16 18:12:27 +00:00 · 2025-09-16 18:12:27 +00:00 · 06de93d4bc
commit 06de93d4bc
parent 1ce05c50bd
7 changed files with 78 additions and 64 deletions
--- a/etc/dehydrated/.gitignore
+++ b/etc/dehydrated/.gitignore
@ -0,0 +1 @@
+/chains/
--- a/etc/dehydrated/hooks/default
+++ b/etc/dehydrated/hooks/default
@ -11,7 +11,7 @@ CERTSDIR="/etc/certificates"
 FACILITY="local3"
 TAG="dehydrated"
 # Where from/to to send emails.
-EMAIL_FROM="Systems' Administrator <nobody@slackware.uk>"
+EMAIL_FROM="\"Server: ${HOSTNAME%%.*}\" <noreply@slackware.uk>"
 EMAIL_TO=("Systems' Administrator <sysadmin@slackware.uk>")

 # Get the system ID.
@ -48,12 +48,12 @@ notify() {

 # Service configurations (used at startup/shutdown).
 services() {
-  local DAEMON ERR=0 LOG_PREFIX="Dehydrated configuration" PIDFILE RCFILE
+  local DAEMON ERR=0 LOG_PREFIX="Dehydrated configuration" PIDFILE RCFILE SANITY="$1"

  # Select the service configuration based on the distribution.
  # RCFILE_<service> is required for any service.
  # Either DAEMON_<service> or PIDFILE_<service>, or both is required for any service.
-  if [[ "$ID" == "slackware" ]]; then
+  if [[ "$SYSTEM_ID" == "slackware" ]]; then
    # HTTP daemon selection.
    if [[ -x "/etc/rc.d/rc.httpd" ]]; then
      RCFILE_HTTPD="/etc/rc.d/rc.httpd"
@ -76,7 +76,7 @@ services() {
      DAEMON_SMTPD="exim"
      PIDFILE_SMTPD="/run/exim.pid"
    fi
-  elif [[ "$ID" == "void" ]]; then
+  elif [[ "$SYSTEM_ID" == "void" ]]; then
    # HTTP daemon selection.
    # thttpd on Void doesn't have a directly callable rc script, so can't be supported.
    if [[ -x "/usr/sbin/apachectl" ]]; then
@ -84,7 +84,7 @@ services() {
      DAEMON_HTTPD="httpd"
      PIDFILE_HTTPD="/run/httpd/httpd.pid"
    fi    
-  elif [[ "$ID" == "alpine" ]]; then
+  elif [[ "$SYSTEM_ID" == "alpine" ]]; then
    # HTTP daemon selection.
    if [[ -x "/etc/init.d/apache2" ]]; then
      RCFILE_HTTPD="/etc/init.d/apache2"
@ -97,22 +97,24 @@ services() {
    fi
    # Samba daemon selection.
    if [[ -x "/etc/init.d/samba" ]]; then
-      SAMBA_RCFILE="/etc/init.d/samba"
-      SAMBA_SERVICENAME="samba"
-      SAMBA_PIDFILE="/run/samba.pid"
+# FIXME:
+#      RCFILE_SAMBA="/etc/init.d/samba"
+      DAEMON_SAMBA="samba"
+      PIDFILE_SAMBA="/run/samba.pid"
    fi
  fi

  # Sanity check settings.
-  [[ -z "$RCFILE_HTTPD" ]] && notify "warning" "No configuration settings for an HTTP daemon - no start/restart of HTTP daemon is possible -- check configuration"
-  for RCFILE in "${!RCFILE_@}"; do
-    DAEMON="DAEMON_${RCFILE#RCFILE_}"
-    PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
-    [[ -n "${!RCFILE}" ]] && [[ -z "${!DAEMON}" ]] && [[ -z "${!PIDFILE}" ]] && [[ ! -v "SERVICES_ERROR_REPORTED" ]] &&  notify "error" "'$RCFILE' is set, but neither '$DAEMON' nor '$PIDFILE' is set - at least one setting is required -- aborting" && ERR=1
-  done
+  ((SANITY == 1)) && {
+    [[ -z "$RCFILE_HTTPD" ]] && notify "warning" "No configuration settings for an HTTP daemon - no start/restart of HTTP daemon is possible -- check configuration"
+    for RCFILE in "${!RCFILE_@}"; do
+      DAEMON="DAEMON_${RCFILE#RCFILE_}"
+      PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
+      [[ -n "${!RCFILE}" ]] && [[ -z "${!DAEMON}" ]] && [[ -z "${!PIDFILE}" ]] && notify "error" "'$RCFILE' is set, but neither '$DAEMON' nor '$PIDFILE' is set - at least one setting is required -- aborting" && ERR=1
+    done
+  }

-  # Don't report configuration errors more than once.
-  ((ERR == 1)) && SERVICES_ERROR_REPORTED=1 && return 1
+  ((ERR == 1)) && return 1

  return 0
 }
@ -198,22 +200,24 @@ deploy_cert() {

    # The first time through this will create the files readable by root only, but better to err on the side of caution.
    # Subsequent runs will retain whatever permissions were set by the admin after the first run.
-    umask 066
-    # shellcheck disable=SC2015
-    cat "$CERTFILE" >"$CERTSDIR/${DOMAIN}_cert.pem" && cat "$KEYFILE" >"$CERTSDIR/${DOMAIN}_key.pem" && cat "$CHAINFILE" >"$CERTSDIR/${DOMAIN}_chain.pem" && cat "$FULLCHAINFILE" >"$CERTSDIR/${DOMAIN}_fullchain.pem" || {
-      notify "error" "Failed to copy certificates/key to '$CERTSDIR' during '$DOMAIN' certificate deployment"
+    cmp "$CERTFILE" "$CERTSDIR/${DOMAIN}_cert.pem" >/dev/null 2>&1 || {
+      umask 066
+      # shellcheck disable=SC2015
+      cat "$CERTFILE" >"$CERTSDIR/${DOMAIN}_cert.pem" && cat "$KEYFILE" >"$CERTSDIR/${DOMAIN}_key.pem" && cat "$CHAINFILE" >"$CERTSDIR/${DOMAIN}_chain.pem" && cat "$FULLCHAINFILE" >"$CERTSDIR/${DOMAIN}_fullchain.pem" || {
+        notify "error" "Failed to copy certificates/key to '$CERTSDIR' during '$DOMAIN' certificate deployment"
+        # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
+        return 0
+      }
+    }
+
+    # Set a marker (used in the exit_hook function) to signal that services should be reloaded at the end of deployments.
+    touch /run/dehydrated-reload-marker || {
+      notify "warning" "Failed to create reload marker during '$DOMAIN' certificate deployment - reloading services manually may be required -- check server"
      # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
      return 0
    }
  }

-  # Set a marker (used in the exit_hook function) to signal that services should be reloaded at the end of deployments.
-  touch /run/dehydrated-reload-marker || {
-    notify "warning" "Failed to create reload marker during '$DOMAIN' certificate deployment - reloading services manually may be required -- check server"
-    # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
-    return 0
-  }
-
  # Notify the sysadmin of the sucessful renewal.
  notify "information" "Sucessful renewal and deployment of certificate/key for '$DOMAIN'"

@ -314,12 +318,22 @@ startup_hook() {

  local LOG_PREFIX="Dehydrated startup"

-  # Read services configuration.
-  services || return 1
+  # Read services configuration (with sanity check)
+  services 1 || return 1
+
+  # Make sure the certificates directory exists.
+  [[ -n "$CERTSDIR" ]] && {
+    umask 022
+    # shellcheck disable=SC2174
+    mkdir -p -m 0755 "$CERTSDIR" 2>/dev/null || {
+      notify "error" "Failed to create certificate storage directory -- aborting"
+      return 1
+    }
+  }

  # If an HTTP daemon rc script is available and the service is not already running, start it.
  [[ -n "$RCFILE_HTTPD" ]] && {
-    if ! pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1; then
+    pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1 || {
      "$RCFILE_HTTPD" start >/dev/null 2>&1
      sleep 5
      if pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1; then
@ -329,9 +343,7 @@ startup_hook() {
        notify "error" "Failure of '$RCFILE_HTTPD' to start HTTP daemon -- aborting"
        return 1
      fi
-    else
-      notify "warning" "'$DAEMON_HTTPD' is already running - will not be shutdown at exit -- check server"
-    fi
+    }
  }

  # Add firewall rules to allow HTTP traffic so the nonce can be validated.
@ -353,24 +365,29 @@ exit_hook() {

  local DAEMON ERR=0 LOG_PREFIX="Dehydrated shutdown" PIDFILE RCFILE TIMEOUT=30

-  # Read services configuration.
-  services || return 1
+  # Read services configuration (without sanity check - this was already done at startup)
+  services 0 || return 1

  # Delete firewall rules that was added to allow HTTP traffic.
-  { iptables -D dehydrated -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && ip6tables -D dehydrated -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && iptables -D INPUT -j dehydrated && ip6tables -D INPUT -j dehydrated && iptables -X dehydrated && ip6tables -X dehydrated; } >/dev/null 2>&1 || notify "warning" "Failed to remove firewall rules that were added to allow HTTP traffic -- check server"
-
+  iptables -C INPUT -j dehydrated >/dev/null 2>&1 && iptables -D INPUT -j dehydrated >/dev/null 2>&1
+  ip6tables -C INPUT -j dehydrated >/dev/null 2>&1 && ip6tables -D INPUT -j dehydrated >/dev/null 2>&1
+  iptables -F dehydrated >/dev/null 2>&1
+  ip6tables -F dehydrated >/dev/null 2>&1
+  iptables -X dehydrated >/dev/null 2>&1
+  ip6tables -X dehydrated >/dev/null 2>&1
+  
  # If the reload marker was set, restart services.
  [[ -e /run/dehydrated-reload-marker ]] && {
    for RCFILE in "${!RCFILE_@}"; do
      DAEMON="DAEMON_${RCFILE#RCFILE_}"
      PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
      # If the HTTP daemon is going to be shut down, there's no need to restart it.
-      [[ "$RCFILE" == "RCFILE_HTTPD" ]] && [[ ! -e /run/dehydrated-http-daemon-stop-marker ]] && continue
+      [[ "$RCFILE" == "RCFILE_HTTPD" ]] && [[ -e /run/dehydrated-http-daemon-stop-marker ]] && continue
      # Restart the service.
      "${!RCFILE}" restart >/dev/null 2>&1 || notify "warning" "Failed to restart service '${!DAEMON}' -- check server"
      sleep "$TIMEOUT"
      pgrep -c ${PIDFILE:+-F "${!PIDFILE}"} "${!DAEMON}" >/dev/null 2>&1 || {
-        notice "warning" "Service '${!DAEMON}' exited unexpectedly - trying to start again"
+        notify "warning" "Service '${!DAEMON}' exited unexpectedly - trying to start again"
        "${!RCFILE}" start >/dev/null 2>&1 || notify "warning" "Failed to start service '${!DAEMON}' -- check server"
        sleep "$TIMEOUT"
        pgrep -c ${PIDFILE:+-F "${!PIDFILE}"} "${!DAEMON}" >/dev/null 2>&1 || {
@ -415,7 +432,5 @@ if declare -pF "$HANDLER" >/dev/null 2>&1; then
  "$HANDLER" "$@"
  exit "$?"
 else
-  LOG_PREFIX="Dehydrated configuration"
-  notify "error" "Hook script called with undefined function name '$HANDLER' -- check configuration"
-  exit 1
+  exit 0
 fi