From c5fd865a93e0eac1abaac84c6b1e0a870fa44a14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Deckert?=
Date: Fri, 24 Feb 2023 13:40:39 +0100
Subject: [PATCH] fix certificate update, add backup cleaner

---
 Makefile | 13 ++++++++++---
 appliance/02firstboot.start | 2 --
 appliance/cert-renew.sh | 8 +++++---
 confproxy/isl-backup-cleanup.service | 8 ++++++++
 confproxy/isl-backup-cleanup.sh | 12 ++++++++++++
 confproxy/isl-backup-cleanup.timer | 12 ++++++++++++
 6 files changed, 47 insertions(+), 8 deletions(-)
 create mode 100644 confproxy/isl-backup-cleanup.service
 create mode 100755 confproxy/isl-backup-cleanup.sh
 create mode 100644 confproxy/isl-backup-cleanup.timer

diff --git a/Makefile b/Makefile
index 494da66..f07d214 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,12 @@
 02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
 cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+isl-backup-cleanup.sh = $(CHROOT)/usr/local/bin/isl-backup-cleanup.sh
 install_confproxy = $(CHROOT)/opt/confproxy
 CONFPROXY_URL = https://www.islonline.com/system/installer_latest_linux64
-systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
-	cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer confproxy/isl-backup-cleanup.service confproxy/isl-backup-cleanup.timer
+	cp appliance/cert-renew.service appliance/cert-renew.timer confproxy/isl-backup-cleanup.service confproxy/isl-backup-cleanup.timer $(CHROOT)/etc/systemd/system/
 $(02firstboot): appliance/02firstboot.start
 	mkdir -p $(CHROOT)/usr/local/bin
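Review bot: The `systemd-units` recipe repeats its prerequisite list by hand, so two places must be edited every time a unit is added; `cp $^ $(CHROOT)/etc/systemd/system/` keeps the copy in step with the rule header. `systemd-units` is also not a file the recipe produces, so it belongs in `.PHONY` unless that is declared further down the file, outside this hunk. Nothing in this commit enables the new isl-backup-cleanup.timer (no `systemctl enable` and no wants symlink is created), so unless the appliance enables copied units elsewhere the cleanup job is installed but never scheduled.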
@@ -16,12 +17,18 @@ $(cert-renew.sh): appliance/cert-renew.sh
 	mkdir -p $(CHROOT)/etc/ssl
 	cp $< $@
+$(isl-backup-cleanup.sh): confproxy/isl-backup-cleanup.sh
+	mkdir -p $(CHROOT)/usr/local/bin
+	cp $< $@
+
 $(install_confproxy):
 	# user islcp with fixed uid 950
 	RUN useradd --system --comment="ISL ConfProxy User" --home-dir="/opt/confproxy" --shell="/bin/sh" --no-create-home --uid 950 --user-group islcp
 	# virtual-appliance starts the build environment with sh instead of systemd as pid1; skip start service
 	RUN sh -c 'wget $(CONFPROXY_URL) -O /tmp/confproxy-installer.bin && sed -e "s:\"systemd\":\"sh\":g" -e "s:status \"Starting ISL Conference Proxy (confproxy.service)\":exit 0:" -i /tmp/confproxy-installer.bin && sh /tmp/confproxy-installer.bin'
+	# sometimes ConfProxy also looks into the alternative installation directory /var/confproxy (bug)
+	ln -sf /opt/confproxy $(CHROOT)/var/confproxy
 preinstall:
-postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(install_confproxy)
+postinstall: systemd-units $(02firstboot) $(install_confproxy) $(cert-renew.sh) $(isl-backup-cleanup.sh)
diff --git a/appliance/02firstboot.start b/appliance/02firstboot.start
index 4a7ff79..b168e76 100755
--- a/appliance/02firstboot.start
+++ b/appliance/02firstboot.start
@@ -37,10 +37,8 @@ else
 	touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
 fi
-rm -rf /opt/confproxy/ssl
 rm -rf /etc/ssl/nginx
 mkdir -p /etc/ssl
-ln -sf "/$LABEL/opt/confproxy/ssl" "/opt/confproxy/ssl"
 ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
 /etc/ssl/cert-renew.sh
diff --git a/appliance/cert-renew.sh b/appliance/cert-renew.sh
index a7cb50d..1036f06 100755
--- a/appliance/cert-renew.sh
+++ b/appliance/cert-renew.sh
@@ -6,8 +6,8 @@ FQDN="$HOST.$TLD"
 LABEL="DATA"
 CERT_DIR=/$LABEL/CERTS
-CERT_EJABBERD=/$LABEL/etc/ssl/ejabberd
-CERT_CONFPROXY=/$LABEL/opt/confproxy/ssl
+CERT_NGINX=/$LABEL/etc/ssl/nginx
+CERT_CONFPROXY=/$LABEL/etc/ssl/confproxy
 GETREPO=""
 GETUSER=""
 GETPASS=""
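Review bot: The new `ln -sf /opt/confproxy $(CHROOT)/var/confproxy` in the `$(install_confproxy)` recipe creates a file that is not the rule's target, so on a rebuild where `$(CHROOT)/opt/confproxy` already exists the link is never (re)created, and without `-n` an existing `$(CHROOT)/var/confproxy` symlink to a directory would be dereferenced and the new link placed inside it. A dedicated rule such as `$(CHROOT)/var/confproxy: | $(install_confproxy)` with the recipe `ln -sfn /opt/confproxy $@`, added to `postinstall`, avoids both. Reordering the `postinstall` prerequisites does not impose an order under `make -j`; if `$(cert-renew.sh)` really must follow `$(install_confproxy)`, express that as a prerequisite of its rule instead.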
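Review bot: `CERT_EJABBERD` is renamed to `CERT_NGINX` here, but every use of the old name lies outside this hunk; any remaining `$CERT_EJABBERD` reference would now expand to an empty string, which is worth a grep before merging. The two new assignments are unquoted like their neighbours, which is safe only while `LABEL="DATA"` stays a fixed, space-free value.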
@@ -44,9 +44,11 @@ if [ $GIT_REVISION != $GIT_NEW_REVISION ]
 then
 	echo "Update ISL Conference Proxy certificate..."
 	mkdir -p $CERT_CONFPROXY
+	rm -rf /opt/confproxy/ssl
+	ln -sf $CERT_CONFPROXY /opt/confproxy/ssl
 	cp $CERT_DIR/$FQDN/$FQDN-cert.pem $CERT_CONFPROXY/cert.pem
 	cp $CERT_DIR/$FQDN/$FQDN-chain.pem $CERT_CONFPROXY/chain.pem
-	cp $CERT_DIR/$FQDN/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem
+	cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem
 	echo "Restart ISL Conference Proxy..."
 	systemctl is-active --quiet confproxy && systemctl restart confproxy
diff --git a/confproxy/isl-backup-cleanup.service b/confproxy/isl-backup-cleanup.service
new file mode 100644
index 0000000..7bdc241
--- /dev/null
+++ b/confproxy/isl-backup-cleanup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=remove old ISL confproxy backups
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/isl-backup-cleanup.sh
diff --git a/confproxy/isl-backup-cleanup.sh b/confproxy/isl-backup-cleanup.sh
new file mode 100755
index 0000000..4ab3852
--- /dev/null
+++ b/confproxy/isl-backup-cleanup.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# remove old backups
+
+# variables
+BACKUPDIR="/DATA/Backup"
+RETAIN=3
+
+# start
+set -e
+
+cd "$BACKUPDIR"
+ls -t *.tar.gz | tail -n +$((RETAIN+1)) | sed "s/Z-islcp-.*/Z-islcp-*/" | xargs -i'{}' sh -c 'rm -f {}'
diff --git a/confproxy/isl-backup-cleanup.timer b/confproxy/isl-backup-cleanup.timer
new file mode 100644
index 0000000..64a522c
--- /dev/null
+++ b/confproxy/isl-backup-cleanup.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=remove old ISL confproxy backups
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 03:21:00
+Unit=isl-backup-cleanup.service
+
+[Install]
+WantedBy=default.target
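Review bot: The private key is copied into `$CERT_CONFPROXY` with a plain `cp`, so `privkey.pem` ends up with whatever mode the source file and the current umask give it, inside a directory that `mkdir -p` typically creates world-readable; nothing in the hunk restricts the key to the account ConfProxy runs as (the Makefile creates `islcp`, uid 950, for it). Replacing the key line with `install -m 0600 -o islcp -g islcp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem` pins mode and owner in one step; confirm the owner against the account the service actually uses. The new `rm -rf` / `ln -sf` lines leave `$CERT_CONFPROXY` unquoted like their neighbours, and the enclosing `if` block continues past the hunk.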
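Review bot: The service runs the cleanup script as root with no confinement, although the script only needs to delete files under /DATA/Backup. Adding `ProtectSystem=strict` and `ReadWritePaths=/DATA/Backup` to the `[Service]` section bounds what a mistake in the `rm` pipeline can remove to that one directory. `RefuseManualStop=yes` on a oneshot also means a stuck run cannot be interrupted with `systemctl stop`; if that is intended, a comment saying why would help the next reader.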
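Review bot: The last line splices each name from `ls` into a `sh -c` command string through `xargs -i'{}'`, so a backup file name containing shell metacharacters is interpreted as shell syntax instead of being treated as a file name, and `-i` itself is deprecated in GNU xargs in favour of `-I`. Passing the name as an argument, `xargs -I'{}' sh -c 'rm -f -- $1' _ '{}'`, keeps the intended glob expansion of the `Z-islcp-*` pattern that `sed` produces while stopping the name from being parsed as code. The pipeline also counts `.tar.gz` files rather than backup runs, so if one run produces several archives `RETAIN=3` keeps fewer than three runs; if that is intended, `# RETAIN counts archive files, not backup runs` above the pipeline would make it explicit.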
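Review bot: `Persistent=false` means a Sunday 03:21 run missed because the appliance was powered off is skipped until the following week, so backups can pile up past `RETAIN` after downtime; `Persistent=true` runs the job at the next boot instead. `WantedBy=default.target` does work for a system timer, but `WantedBy=timers.target` is the conventional hook and starts it together with the other timers. If cert-renew.timer in this repository uses `default.target` too, keeping the two consistent is reasonable, but the `Persistent` choice deserves a comment either way.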