From de761f653b51b7792009568aceab72fedf55fb89 Mon Sep 17 00:00:00 2001
From: Athanasius
Date: Fri, 2 Jul 2021 17:34:29 +0000
Subject: [PATCH] contrib: Add LetsEncrypt example deploy script files
---
contrib/letsencrypt/certbot-common | 35 ++++++++++
contrib/letsencrypt/deploy-changed-certs | 89 ++++++++++++++++++++++++
2 files changed, 124 insertions(+)
create mode 100644 contrib/letsencrypt/certbot-common
create mode 100755 contrib/letsencrypt/deploy-changed-certs
diff --git a/contrib/letsencrypt/certbot-common b/contrib/letsencrypt/certbot-common
new file mode 100644
index 0000000..23f8e47
--- /dev/null
+++ b/contrib/letsencrypt/certbot-common
@@ -0,0 +1,35 @@
+###########################################################################
+# Copy a certificate's files into place, with appropriate ownership and
+# mode.
+#
+# $1 - Name of certificate (i.e. letsencrypt directory names).
+# $2 - Source Directory
+# $3 - Destination filename for fullchain.pem
+# $4 - Destination filename for privkey.pem
+# $5 - File ownership to set (user:group)
+# $6 - File mode to set (as passed to 'chmod')
+###########################################################################
+copy_cert() {
+ CERT_NAME="$1"
+ SRC_DIR="$2"
+ DST_FILE_FULLCHAIN="$3"
+ DST_FILE_PRIVKEY="$4"
+ CERT_NEW_OWNER="$5"
+ CERT_NEW_PERMS="$6"
+
+ echo "${CERT_NAME}: Copying new files into place..."
+
+ # Preserve only the mode as it should be 0600, and thus we won't
+ # temporarily open up the files for *all* users to read,
+ # BUT don't preserve the timestamp as we want it to be 'now' so
+ # that a `find ... -newer ` check works later.
+ cp -v --preserve=mode ${SRC_DIR}/fullchain.pem ${DST_FILE_FULLCHAIN}
+ cp -v --preserve=mode ${SRC_DIR}/privkey.pem ${DST_FILE_PRIVKEY}
+ chown -v ${CERT_NEW_OWNER} ${DST_FILE_FULLCHAIN} ${DST_FILE_PRIVKEY}
+ chmod -v ${CERT_NEW_PERMS} ${DST_FILE_FULLCHAIN} ${DST_FILE_PRIVKEY}
+
+ echo "${CERT_NAME}: Copying new files into place DONE"
+}
+###########################################################################
+
+# vim: :set filetype=sh tabstop=2 shiftwidth=2 expandtab wrapmargin=0 textwidth=0
diff --git a/contrib/letsencrypt/deploy-changed-certs b/contrib/letsencrypt/deploy-changed-certs
new file mode 100755
index 0000000..0986a54
--- /dev/null
+++ b/contrib/letsencrypt/deploy-changed-certs
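Review bot: copy_cert prints "DONE" and returns 0 even when a copy fails, because none of the cp/chown/chmod lines is checked and the function's exit status is that of the final echo; if the privkey.pem copy fails after fullchain.pem has already been replaced, a mismatched cert/key pair is left in place while the hook reports success. Append `|| return 1` to each of the four commands (or check the pair together), and quote the expansions with a `--` separator so a path containing spaces or a leading dash is passed as one argument: `cp -v --preserve=mode -- "${SRC_DIR}/fullchain.pem" "${DST_FILE_FULLCHAIN}" || return 1`. The six assignments at the top should be `local`; as written they overwrite the caller's globals of the same name, which is harmless today only because deploy-changed-certs passes those same variables in. Since each destination is rewritten in place, a process that opens the file while cp is writing can read a truncated key; copying to a temporary file in the destination directory and `mv`-ing it over the old one would make each replacement atomic.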
@@ -0,0 +1,89 @@
+#!/bin/bash
+# Add " -x" above to debug
+#
+# certbot deploy hook
+#
+# This should be triggered by being present in:
+#
+# /etc/letsencrypt/renewal-hooks/deploy/
+#
+# It can be linked into the 'post' directory for testing with:
+#
+# certbot renew --dry-run
+#
+# which you might want to do because deploy hooks aren't run for that
+# command.
+#
+# You can also just straight up run this script, including to get into place
+# any certificate files it's configured for, but have never been deployed.
+
+# Paranoia re-enforcement of no group/other perms on created files
+chmod -R og-rwx /etc/letsencrypt/archive
+
+echo "$0 - Running in: $(pwd)"
+# Import common code and settings.
+. /etc/scripts/certbot-common
+
+# As of 2021-07-02 and certbot 0.31.0 (current in Debian buster)
+# there is **zero** information passed in (CL args or environment) to
+# this hook. So we just need to check each potentially renewed
+# certificate.
+
+###########################################################################
+# MAIN_HOST_NAME
+###########################################################################
+CERT_NAME="MAIN_HOST_NAME"
+# We're only interested if it's newer than when the files were last copied
+SRC_DIR="/etc/letsencrypt/live/${CERT_NAME}"
+DST_FILE_FULLCHAIN="/etc/exim4/exim.crt"
+DST_FILE_PRIVKEY="/etc/exim4/exim.key"
+CERT_NEW_OWNER="root:Debian-exim"
+CERT_NEW_PERMS="440"
+
+#############################################################
+# Needs to be in place for exim to use
+#############################################################
+# 'find' doesn't set exit status depending on if it found anything, that's
+# for actual errors, so we test against the output.
+if [ "$(find ${SRC_DIR} -newer ${DST_FILE_FULLCHAIN} -o -newer ${DST_FILE_PRIVKEY} )" != "" ];
+then
+ echo "${CERT_NAME}: (Re)new(ed) certificate..."
+
+ copy_cert "${CERT_NAME}" "${SRC_DIR}" "${DST_FILE_FULLCHAIN}" "${DST_FILE_PRIVKEY}" "${CERT_NEW_OWNER}" "${CERT_NEW_PERMS}"
+
+ echo "${CERT_NAME}: DONE"
+fi
+#############################################################
+
+###########################################################################
+
+###########################################################################
+# eddn.edcd.io and related names
+###########################################################################
+CERT_NEW_OWNER="eddn:eddn"
+CERT_NEW_PERMS="400"
+
+for eddn in eddn.edcd.io test.eddn.edcd.io staging.eddn.edcd.io ;
+do
+ CERT_NAME="${eddn}"
+ SRC_DIR="/etc/letsencrypt/live/${CERT_NAME}"
+ DST_FILE_FULLCHAIN="/home/eddn/etc/${CERT_NAME}-fullchain.pem"
+ DST_FILE_PRIVKEY="/home/eddn/etc/${CERT_NAME}-privkey.pem"
+
+ if [ -d "${SRC_DIR}" ];
+ then
+ if [ ! -f "${DST_FILE_FULLCHAIN}" \
+ -o ! -f "${DST_FILE_PRIVKEY}" \
+ -o "$(find ${SRC_DIR} -newer ${DST_FILE_FULLCHAIN} -o -newer ${DST_FILE_PRIVKEY} )" != "" ];
+ then
+ echo "${CERT_NAME}: (Re)New(ed) certificate..."
+
+ copy_cert "${CERT_NAME}" "${SRC_DIR}" "${DST_FILE_FULLCHAIN}" "${DST_FILE_PRIVKEY}" "${CERT_NEW_OWNER}" "${CERT_NEW_PERMS}"
+
+ echo "${CERT_NAME}: DONE"
+ fi
+ fi
+done
+###########################################################################
+
+# vim: tabstop=2 shiftwidth=2 expandtab wrapmargin=0 textwidth=0
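Review bot: The MAIN_HOST_NAME block never deploys on a first run: when /etc/exim4/exim.crt or exim.key does not exist yet, `find ... -newer` fails on the missing reference file and prints nothing, so the `!= ""` test is false and copy_cert is skipped, contradicting the header comment that says the script can put never-deployed certificates in place. The eddn loop below already guards this with `! -f` tests; the exim `if` should use the same three-way condition, and both read more safely without the deprecated `-o` inside `[ ]` and with quoted paths: `if [[ ! -f "${DST_FILE_FULLCHAIN}" || ! -f "${DST_FILE_PRIVKEY}" || -n "$(find "${SRC_DIR}" -newer "${DST_FILE_FULLCHAIN}" -o -newer "${DST_FILE_PRIVKEY}")" ]]`. The sourcing line should also fail hard, `. /etc/scripts/certbot-common || exit 1`, because with no `set -e` a missing file leaves copy_cert undefined and the hook prints "DONE" right after the "command not found" error; a comment there stating that the file is the installed copy of contrib/letsencrypt/certbot-common would spare the next reader the guess.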