diff --git a/root/etc/crontabs/abc b/root/etc/crontabs/abc index e69de29..a9909e3 100644 --- a/root/etc/crontabs/abc +++ b/root/etc/crontabs/abc @@ -0,0 +1,2 @@ +# min hour day month weekday command +8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1 diff --git a/root/etc/crontabs/root b/root/etc/crontabs/root deleted file mode 100644 index c24fea0..0000000 --- a/root/etc/crontabs/root +++ /dev/null @@ -1,9 +0,0 @@ -# do daily/weekly/monthly maintenance -# min hour day month weekday command -*/15 * * * * run-parts /etc/periodic/15min -0 * * * * run-parts /etc/periodic/hourly -0 2 * * * run-parts /etc/periodic/daily -0 3 * * 6 run-parts /etc/periodic/weekly -0 5 1 * * run-parts /etc/periodic/monthly -# renew letsencrypt certs -8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1 diff --git a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run index 806cf43..c233e2c 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run @@ -31,6 +31,12 @@ if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | gre sleep infinity fi +# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc +lsiown -R abc:abc \ + /etc/letsencrypt \ + /var/lib/letsencrypt \ + /var/log/letsencrypt + # set_ini_value logic: # - if the name is not found in the file, append the name=value to the end of the file # - if the name is found in the file, replace the value @@ -46,6 +52,7 @@ function set_ini_value() { # ensure config files exist and has at least one value set (set_ini_value does not work on empty files) touch /config/etc/letsencrypt/cli.ini +lsiown abc:abc /config/etc/letsencrypt/cli.ini grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini # copy dns default configs @@ -192,9 +199,9 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] || REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") fi if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true + s6-setuidgid abc certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true else - certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true + s6-setuidgid abc certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi @@ -207,9 +214,9 @@ if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "l echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true + s6-setuidgid abc certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true else - certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true + s6-setuidgid abc certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi @@ -342,7 +349,7 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini fi echo "Generating new certificate" - certbot certonly --non-interactive --renew-by-default + s6-setuidgid abc certbot certonly --non-interactive --renew-by-default if [[ ! -d /config/keys/letsencrypt ]]; then if [[ "${VALIDATION}" = "dns" ]]; then echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file." diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run deleted file mode 100755 index c0bb241..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run +++ /dev/null @@ -1,38 +0,0 @@ -#!/usr/bin/with-contenv bash -# shellcheck shell=bash - -# make folders -mkdir -p \ - /config/crontabs - -## root -# if crontabs do not exist in config -if [[ ! -f /config/crontabs/root ]]; then - # copy crontab from system - if crontab -l -u root; then - crontab -l -u root >/config/crontabs/root - fi - - # if crontabs still do not exist in config (were not copied from system) - # copy crontab from included defaults (using -n, do not overwrite an existing file) - cp -n /etc/crontabs/root /config/crontabs/ 2> >(grep -v 'cp: not replacing') -fi -# set permissions and import user crontabs -lsiown root:root /config/crontabs/root -crontab -u root /config/crontabs/root - -## abc -# if crontabs do not exist in config -if [[ ! -f /config/crontabs/abc ]]; then - # copy crontab from system - if crontab -l -u abc; then - crontab -l -u abc >/config/crontabs/abc - fi - - # if crontabs still do not exist in config (were not copied from system) - # copy crontab from included defaults (using -n, do not overwrite an existing file) - cp -n /etc/crontabs/abc /config/crontabs/ 2> >(grep -v 'cp: not replacing') -fi -# set permissions and import user crontabs -lsiown abc:abc /config/crontabs/abc -crontab -u abc /config/crontabs/abc diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type deleted file mode 100644 index bdd22a1..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type +++ /dev/null @@ -1 +0,0 @@ -oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up deleted file mode 100644 index 006d814..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up +++ /dev/null @@ -1 +0,0 @@ -/etc/s6-overlay/s6-rc.d/init-crontabs-config/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-folders-config/run b/root/etc/s6-overlay/s6-rc.d/init-folders-config/run index 87cef4e..c18da5b 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-folders-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-folders-config/run @@ -3,7 +3,7 @@ # make our folders and links mkdir -p \ - /config/{fail2ban,crontabs,dns-conf} \ + /config/{fail2ban,dns-conf} \ /config/etc/letsencrypt/renewal-hooks \ /config/log/{fail2ban,letsencrypt,nginx} \ /config/nginx/proxy-confs \ diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config deleted file mode 100644 index e69de29..0000000 diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-fail2ban-config similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config rename to root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-fail2ban-config diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config deleted file mode 100644 index e69de29..0000000