fix certificate update, add backup cleaner

This commit is contained in:
Jörg Deckert 2023-02-24 13:40:39 +01:00
parent c7ed48855a
commit c5fd865a93
6 changed files with 47 additions and 8 deletions

View File

@ -1,11 +1,12 @@
02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start 02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
isl-backup-cleanup.sh = $(CHROOT)/usr/local/bin/isl-backup-cleanup.sh
install_confproxy = $(CHROOT)/opt/confproxy install_confproxy = $(CHROOT)/opt/confproxy
CONFPROXY_URL = https://www.islonline.com/system/installer_latest_linux64 CONFPROXY_URL = https://www.islonline.com/system/installer_latest_linux64
systemd-units: appliance/cert-renew.service appliance/cert-renew.timer systemd-units: appliance/cert-renew.service appliance/cert-renew.timer confproxy/isl-backup-cleanup.service confproxy/isl-backup-cleanup.timer
cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/ cp appliance/cert-renew.service appliance/cert-renew.timer confproxy/isl-backup-cleanup.service confproxy/isl-backup-cleanup.timer $(CHROOT)/etc/systemd/system/
$(02firstboot): appliance/02firstboot.start $(02firstboot): appliance/02firstboot.start
mkdir -p $(CHROOT)/usr/local/bin mkdir -p $(CHROOT)/usr/local/bin
@ -16,12 +17,18 @@ $(cert-renew.sh): appliance/cert-renew.sh
mkdir -p $(CHROOT)/etc/ssl mkdir -p $(CHROOT)/etc/ssl
cp $< $@ cp $< $@
$(isl-backup-cleanup.sh): confproxy/isl-backup-cleanup.sh
mkdir -p $(CHROOT)/usr/local/bin
cp $< $@
$(install_confproxy): $(install_confproxy):
# user islcp with fixed uid 950 # user islcp with fixed uid 950
-RUN useradd --system --comment="ISL ConfProxy User" --home-dir="/opt/confproxy" --shell="/bin/sh" --no-create-home --uid 950 --user-group islcp -RUN useradd --system --comment="ISL ConfProxy User" --home-dir="/opt/confproxy" --shell="/bin/sh" --no-create-home --uid 950 --user-group islcp
# virtual-appliance starts the build environment with sh instead of systemd as pid1; skip start service # virtual-appliance starts the build environment with sh instead of systemd as pid1; skip start service
RUN sh -c 'wget $(CONFPROXY_URL) -O /tmp/confproxy-installer.bin && sed -e "s:\"systemd\":\"sh\":g" -e "s:status \"Starting ISL Conference Proxy (confproxy.service)\":exit 0:" -i /tmp/confproxy-installer.bin && sh /tmp/confproxy-installer.bin' RUN sh -c 'wget $(CONFPROXY_URL) -O /tmp/confproxy-installer.bin && sed -e "s:\"systemd\":\"sh\":g" -e "s:status \"Starting ISL Conference Proxy (confproxy.service)\":exit 0:" -i /tmp/confproxy-installer.bin && sh /tmp/confproxy-installer.bin'
# sometimes ConfProxy also looks into the alternative installation directory /var/confproxy (bug)
ln -sf /opt/confproxy $(CHROOT)/var/confproxy
preinstall: preinstall:
postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(install_confproxy) postinstall: systemd-units $(02firstboot) $(install_confproxy) $(cert-renew.sh) $(isl-backup-cleanup.sh)

View File

@ -37,10 +37,8 @@ else
touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
fi fi
rm -rf /opt/confproxy/ssl
rm -rf /etc/ssl/nginx rm -rf /etc/ssl/nginx
mkdir -p /etc/ssl mkdir -p /etc/ssl
ln -sf "/$LABEL/opt/confproxy/ssl" "/opt/confproxy/ssl"
ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx" ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
/etc/ssl/cert-renew.sh /etc/ssl/cert-renew.sh

View File

@ -6,8 +6,8 @@ FQDN="$HOST.$TLD"
LABEL="DATA" LABEL="DATA"
CERT_DIR=/$LABEL/CERTS CERT_DIR=/$LABEL/CERTS
CERT_EJABBERD=/$LABEL/etc/ssl/ejabberd CERT_NGINX=/$LABEL/etc/ssl/nginx
CERT_CONFPROXY=/$LABEL/opt/confproxy/ssl CERT_CONFPROXY=/$LABEL/etc/ssl/confproxy
GETREPO="" GETREPO=""
GETUSER="" GETUSER=""
GETPASS="" GETPASS=""
@ -44,9 +44,11 @@ if [ $GIT_REVISION != $GIT_NEW_REVISION ]
then then
echo "Update ISL Conference Proxy certificate..." echo "Update ISL Conference Proxy certificate..."
mkdir -p $CERT_CONFPROXY mkdir -p $CERT_CONFPROXY
rm -rf /opt/confproxy/ssl
ln -sf $CERT_CONFPROXY /opt/confproxy/ssl
cp $CERT_DIR/$FQDN/$FQDN-cert.pem $CERT_CONFPROXY/cert.pem cp $CERT_DIR/$FQDN/$FQDN-cert.pem $CERT_CONFPROXY/cert.pem
cp $CERT_DIR/$FQDN/$FQDN-chain.pem $CERT_CONFPROXY/chain.pem cp $CERT_DIR/$FQDN/$FQDN-chain.pem $CERT_CONFPROXY/chain.pem
cp $CERT_DIR/$FQDN/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem
echo "Restart ISL Conference Proxy..." echo "Restart ISL Conference Proxy..."
systemctl is-active --quiet confproxy && systemctl restart confproxy systemctl is-active --quiet confproxy && systemctl restart confproxy

View File

@ -0,0 +1,8 @@
[Unit]
Description=remove old ISL confproxy backups
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/usr/local/bin/isl-backup-cleanup.sh

12
confproxy/isl-backup-cleanup.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
# remove old backups
# variables
BACKUPDIR="/DATA/Backup"
RETAIN=3
# start
set -e
cd "$BACKUPDIR"
ls -t *.tar.gz | tail -n +$((RETAIN+1)) | sed "s/Z-islcp-.*/Z-islcp-*/" | xargs -i'{}' sh -c 'rm -f {}'

View File

@ -0,0 +1,12 @@
[Unit]
Description=remove old ISL confproxy backups
RefuseManualStart=no
RefuseManualStop=no
[Timer]
Persistent=false
OnCalendar=Sun *-*-* 03:21:00
Unit=isl-backup-cleanup.service
[Install]
WantedBy=default.target