147 lines
5.2 KiB
Bash
Executable File
147 lines
5.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# update-caddy-certs.sh
|
|
# Gehört ins Caddy-Verzeichnis (neben dem Caddyfile).
|
|
#
|
|
# Liest alle Domains aus dem DMS und generiert die Wildcard-Cert-Blöcke
|
|
# für Caddy in die Datei "mail_certs" (per "import mail_certs" im Caddyfile).
|
|
#
|
|
# Bei neuen Domains: Script erneut laufen lassen + caddy reload.
|
|
#
|
|
# Usage:
|
|
# ./update-caddy-certs.sh
|
|
# DRY_RUN=true ./update-caddy-certs.sh
|
|
# DMS_CONTAINER=mailserver CADDY_CONTAINER=caddy ./update-caddy-certs.sh
|
|
|
|
set -e
|
|
|
|
DMS_CONTAINER=${DMS_CONTAINER:-"mailserver"}
|
|
CADDY_CONTAINER=${CADDY_CONTAINER:-"caddy"}
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
OUTPUT_FILE="$SCRIPT_DIR/mail_certs"
|
|
DRY_RUN=${DRY_RUN:-"false"}
|
|
|
|
# Node-Hostname des Mailservers (für Default-Cert Block)
|
|
# Wird immer mit eingetragen, auch wenn keine DMS-Accounts existieren.
|
|
NODE_HOSTNAME=${NODE_HOSTNAME:-"node1.email-srvr.com"}
|
|
|
|
echo "============================================================"
|
|
echo " 📜 Caddy Wildcard-Cert Konfig Generator"
|
|
echo " DMS Container: $DMS_CONTAINER"
|
|
echo " Caddy Container: $CADDY_CONTAINER"
|
|
echo " Output: $OUTPUT_FILE"
|
|
echo " Node Hostname: $NODE_HOSTNAME"
|
|
[ "$DRY_RUN" = "true" ] && echo " ⚠️ DRY RUN - Keine Dateien werden geschrieben"
|
|
echo "============================================================"
|
|
|
|
# --- Domains aus DMS lesen ---
|
|
echo ""
|
|
echo "📋 Lese Domains aus DMS..."
|
|
DOMAINS=$(docker exec "$DMS_CONTAINER" setup email list 2>/dev/null \
|
|
| grep -oP '(?<=@)[^\s]+' \
|
|
| sort -u)
|
|
|
|
if [ -z "$DOMAINS" ]; then
|
|
echo "⚠️ Keine DMS-Accounts gefunden. Nur Node-Hostname wird eingetragen."
|
|
fi
|
|
|
|
if [ -n "$DOMAINS" ]; then
|
|
echo " Gefundene Domains:"
|
|
for d in $DOMAINS; do echo " - $d"; done
|
|
fi
|
|
|
|
# --- Konfig generieren ---
|
|
echo ""
|
|
echo "📝 Generiere Caddy-Konfiguration..."
|
|
|
|
OUTPUT=""
|
|
OUTPUT="${OUTPUT}# mail_certs - Automatisch generiert von update-caddy-certs.sh\n"
|
|
OUTPUT="${OUTPUT}# Wildcard-Zertifikate für DMS-Domains + Node-Hostname.\n"
|
|
OUTPUT="${OUTPUT}# Einbinden im Caddyfile: import mail_certs\n"
|
|
OUTPUT="${OUTPUT}# Generiert: $(date)\n"
|
|
OUTPUT="${OUTPUT}\n"
|
|
|
|
# Node-Hostname immer als erstes (Default-Cert des DMS)
|
|
echo " → Node-Hostname Block: $NODE_HOSTNAME"
|
|
OUTPUT="${OUTPUT}# Node-Hostname (Default-Cert für DMS Fallback)\n"
|
|
OUTPUT="${OUTPUT}${NODE_HOSTNAME} {\n"
|
|
OUTPUT="${OUTPUT} tls {\n"
|
|
OUTPUT="${OUTPUT} dns cloudflare {env.CLOUDFLARE_API_TOKEN}\n"
|
|
OUTPUT="${OUTPUT} }\n"
|
|
OUTPUT="${OUTPUT} respond \"OK\" 200\n"
|
|
OUTPUT="${OUTPUT}}\n\n"
|
|
|
|
# Wildcard-Blocks + webmail Block pro Kundendomain
|
|
for domain in $DOMAINS; do
|
|
echo " → Wildcard Block: *.${domain}"
|
|
echo " → Webmail Block: webmail.${domain}"
|
|
|
|
# Wildcard-Cert Block (für Cert-Generierung + Fallback)
|
|
OUTPUT="${OUTPUT}# Wildcard-Cert für $domain\n"
|
|
OUTPUT="${OUTPUT}*.${domain}, ${domain} {\n"
|
|
OUTPUT="${OUTPUT} tls {\n"
|
|
OUTPUT="${OUTPUT} dns cloudflare {env.CLOUDFLARE_API_TOKEN}\n"
|
|
OUTPUT="${OUTPUT} }\n"
|
|
OUTPUT="${OUTPUT} respond \"OK\" 200\n"
|
|
OUTPUT="${OUTPUT}}\n\n"
|
|
|
|
# Webmail Block (Roundcube) - muss VOR dem Wildcard-Block matchen
|
|
# Caddy wertet Blöcke in Reihenfolge aus, spezifischere Hosts gewinnen
|
|
OUTPUT="${OUTPUT}# Roundcube Webmail für $domain\n"
|
|
OUTPUT="${OUTPUT}webmail.${domain} {\n"
|
|
OUTPUT="${OUTPUT} reverse_proxy roundcube:80\n"
|
|
OUTPUT="${OUTPUT} encode gzip\n"
|
|
OUTPUT="${OUTPUT} log {\n"
|
|
OUTPUT="${OUTPUT} output stderr\n"
|
|
OUTPUT="${OUTPUT} format console\n"
|
|
OUTPUT="${OUTPUT} }\n"
|
|
OUTPUT="${OUTPUT}}\n\n"
|
|
done
|
|
|
|
# --- Ausgabe ---
|
|
if [ "$DRY_RUN" = "true" ]; then
|
|
echo ""
|
|
echo "--- VORSCHAU ---"
|
|
printf '%b' "$OUTPUT"
|
|
echo "--- ENDE ---"
|
|
else
|
|
printf '%b' "$OUTPUT" > "$OUTPUT_FILE"
|
|
echo " ✅ Geschrieben: $OUTPUT_FILE"
|
|
fi
|
|
|
|
# --- Import im Caddyfile prüfen ---
|
|
CADDYFILE="$SCRIPT_DIR/Caddyfile"
|
|
if [ -f "$CADDYFILE" ]; then
|
|
if grep -q "import mail_certs" "$CADDYFILE"; then
|
|
echo " ✅ 'import mail_certs' bereits im Caddyfile vorhanden."
|
|
else
|
|
echo ""
|
|
echo "⚠️ AKTION: 'import mail_certs' fehlt noch im Caddyfile!"
|
|
echo " Bitte nach dem globalen {} Block eintragen:"
|
|
echo ""
|
|
echo " { ← globaler Block"
|
|
echo " email {env.CLOUDFLARE_EMAIL}"
|
|
echo " ..."
|
|
echo " }"
|
|
echo " import mail_certs ← hier einfügen"
|
|
echo " import email_autodiscover"
|
|
echo " ..."
|
|
fi
|
|
fi
|
|
|
|
echo ""
|
|
echo "============================================================"
|
|
echo "🔄 Nächste Schritte:"
|
|
echo ""
|
|
echo "1. Caddy Konfiguration validieren:"
|
|
echo " docker exec $CADDY_CONTAINER caddy validate --config /etc/caddy/Caddyfile"
|
|
echo ""
|
|
echo "2. Caddy neu laden (kein Downtime):"
|
|
echo " docker exec $CADDY_CONTAINER caddy reload --config /etc/caddy/Caddyfile"
|
|
echo ""
|
|
echo "3. Cert-Generierung verfolgen (~30s pro Domain):"
|
|
echo " docker logs -f $CADDY_CONTAINER 2>&1 | grep -i 'certificate\|acme\|tls\|error'"
|
|
echo ""
|
|
echo "4. Cert-Pfade kontrollieren:"
|
|
echo " ls /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/"
|
|
echo " acme-v02.api.letsencrypt.org-directory/"
|
|
echo "============================================================" |