v1.4.3

2022-03-23 09:15:16 +01:00
parent 9c8e7db788
commit e82685fc21
10 changed files with 130 additions and 88 deletions
--- a/example.cert
+++ b/example.cert
@@ -15,3 +15,6 @@ KEY_FILE=/etc/pki/tls/private/example.com.pem
 KEY_OWNER=root
 KEY_GROUP=root
 KEY_MODE=0600
+
+SERVICE=someservice
+ACTION=reload
--- a/15
+++ b/15
@@ -30,9 +30,20 @@ case $1 in
      fi
      if [[ -z $MD_RENEWED_HOST_DIR ]]; then
        echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$DOMAIN
+        rm -f $MD_RENEWED_DIR/installed/$DOMAIN
      else
-        mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR
-        echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR/$DOMAIN
+        for f in $MD_RENEWED_DIR/renewed/*/; do
+          if [[ ! -d "$f" ]]; then
+            continue
+          fi
+          echo $(date) $(hostname) > ${f}${DOMAIN}
+        done
+        for f in $MD_RENEWED_DIR/installed/*/; do
+          if [[ ! -d "$f" ]]; then
+            continue
+          fi
+              rm -f ${f}${DOMAIN}
+        done
      fi
      ;;
    installed)
--- a/5
+++ b/5
@@ -23,12 +23,12 @@ fi

 if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then
  mkdir -p $MD_RENEWED_INSTALLING_TARGET
-  chown apache.apache $MD_RENEWED_INSTALLING_TARGET
+  chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLING_TARGET
 fi

 if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then
  mkdir -p $MD_RENEWED_INSTALLED_TARGET
-  chown apache.apache $MD_RENEWED_INSTALLED_TARGET
+  chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLED_TARGET
 fi

 echo "md-renewed.service Looking for our domains: ${MYDOMAINS[*]}"
@@ -51,7 +51,6 @@ done

 if [[ $HTTPD_RELOAD == y ]]; then
  echo "md-renewed.service Restarting apache."
-  sleep $[ ( $RANDOM % 60 )  + 1 ]s
  /usr/bin/systemctl reload httpd
 fi

--- a/94
+++ b/94
@@ -40,34 +40,65 @@ function run_copy
  local DOMAIN="$1"
  local CONFIG="$2"

-  CERT_OWNER=""
-  CERT_GROUP=""
-  CERT_MODE=""
+  CERT_OWNER="root"
+  CERT_GROUP="root"
+  CERT_MODE="0700"
  CERT_FILE=""
-  KEY_OWNER=""
-  KEY_GROUP=""
-  KEY_MODE=""
+  KEY_OWNER="root"
+  KEY_GROUP="root"
+  KEY_MODE="0700"
  KEY_FILE=""
+  SERVICE=""
+  ACRION="restart"

  . $CONFIG

  [[ -z $CERT_FILE ]] && exit 0;

-  if [[ -z $KEY_FILE ]]; then
-    KEY_FILE="$CERT_FILE"
+  TEMP_CERT_FILE=$(mktemp)
+
+  if [[ ! -z $KEY_FILE ]]; then
+    TEMP_KEY_FILE=$(mktemp)
  fi

-  cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE
+  OLD_UMASK=$(umask)
+  umask 0077
+  DO_ACTION=n

+  if [[ ! -z $KEY_FILE && $KEY_FILE != $CERT_FILE ]]; then
+    cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $TEMP_CERT_FILE
+    cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $TEMP_KEY_FILE
+
+    if [[ $(md5sum $TEMP_CERT_FILE) != $(md5sum $CERT_FILE) ]]; then
+      cp -f $TEMP_CERT_FILE $CERT_FILE
      set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
-
-  if [[ $CERT_FILE != $KEY_FILE ]]; then
-    cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE
-  else
-    cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE
+      DO_ACTION=y
    fi
+    rm -f $TEMP_CERT_FILE

+    if [[ $(md5sum $TEMP_KEY_FILE) != $(md5sum $KEY_FILE) ]]; then
+      cp -f $TEMP_KEY_FILE $KEY_FILE
      set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
+      DO_ACTION=y
+    fi
+    rm -f $TEMP_KEY_FILE
+  else
+    cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $TEMP_CERT_FILE
+    cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $TEMP_CERT_FILE
+
+    if [[ $(md5sum $TEMP_CERT_FILE) != $(md5sum $CERT_FILE) ]]; then
+      cp -f $TEMP_CERT_FILE $CERT_FILE
+      set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
+      DO_ACTION=y
+    fi
+    rm -f $TEMP_CERT_FILE
+  fi
+  umask $OLD_UMASK
+
+  if [[ $DO_ACTION == y && ! -z $SERVICE ]]; then
+    ACTION=${ACTION:-restart}
+    /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
+  fi
 }

 function run_service
@@ -81,9 +112,7 @@ function run_service

  [[ -z $SERVICE ]] && exit 0;

-  if [[ -z $ACTION ]]; then
-    ACTION="restart"
-  fi
+  ACTION=${ACTION:-restart}

  /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
 }
@@ -102,8 +131,6 @@ function domain_renew
  done
 }

-HTTP_RELOAD=n
-
 if [ -z $MD_RENEWED_HOST_DIR ]; then
  MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing
  MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed
@@ -114,12 +141,12 @@ fi

 if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then
  mkdir -p $MD_RENEWED_INSTALLING_TARGET
-  chown apache.apache $MD_RENEWED_INSTALLING_TARGET
+  chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLING_TARGET
 fi

 if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then
  mkdir -p $MD_RENEWED_INSTALLED_TARGET
-  chown apache.apache $MD_RENEWED_INSTALLED_TARGET
+  chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLED_TARGET
 fi

 echo "md-renewed-install.service Looking for our domains: ${MYDOMAINS[*]}"
@@ -132,23 +159,15 @@ for f in ${MD_RENEWED_INSTALLING_TARGET}/*; do
  rm -f $f
  echo "md-renewed-install.service Checking domain $DOMAIN"

-  if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
  echo "md-renewed-install.service Installing domain $DOMAIN"
  touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN

  if [[ -d /etc/md-renewed/$DOMAIN ]]; then
    domain_renew "$DOMAIN"
  fi
-
-    for i in ${MYDOMAINS[@]}; do
-      if [[ $DOMAIN == $i ]]; then
-        echo "md-renewed-install.service $DOMAIN is our."
-        HTTPD_RELOAD=y
-      fi
-    done
-  fi
 done

+if [[ $1 == "force" ]]; then
  echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}"
  for f in ${MOD_MD_DIR}/domains/*; do
    if [[ ! -d $f ]]; then
@@ -156,28 +175,17 @@ for f in ${MOD_MD_DIR}/domains/*; do
    fi

    DOMAIN=$(basename $f)
+
    echo "md-renewed-install.service Checking already installed domain $DOMAIN"

    if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
      touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN
+    fi

    if [[ -d /etc/md-renewed/$DOMAIN ]]; then
      domain_renew "$DOMAIN"
    fi
-
-    for i in ${MYDOMAINS[@]}; do
-      if [[ $DOMAIN == $i ]]; then
-        echo "md-renewed-install.service Already installed $DOMAIN is our."
-        HTTPD_RELOAD=y
-      fi
  done
 fi
-done
-
-if [[ $HTTPD_RELOAD == y ]]; then
-  echo "md-renewed-install.service Restarting apache."
-  sleep $[ ( $RANDOM % 60 )  + 1 ]s
-  /usr/bin/systemctl reload httpd
-fi

 exit 0
--- a/md-renewed-install.path
+++ b/md-renewed-install.path
@@ -1,13 +0,0 @@
-[Path]
-PathExistsGlob=/var/lib/httpd/md-renewed/installing/*
-Unit=md-renewed-install.service
-MakeDirectory=true
-DirectoryMode=0777
-
-[Unit]
-BindsTo=httpd.service
-After=httpd.service
-
-[Install]
-WantedBy=multi-user.target
-
--- a/md-renewed-install.service
+++ b/md-renewed-install.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=The Apache HTTP Server reloader
 After=network.target
+Wants=md-renewed-install.timer

 [Service]
 Type=oneshot
--- a/md-renewed-install.timer
+++ b/md-renewed-install.timer
@@ -0,0 +1,11 @@
+[Unit]
+BindsTo=httpd.service
+After=httpd.service
+
+[Timer]
+Unit=md-renewed-install.service
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
+
--- a/md-renewed.conf
+++ b/md-renewed.conf
@@ -1,5 +1,7 @@
 MOD_MD_DIR=/var/lib/httpd/md
 MD_RENEWED_DIR=/var/lib/httpd/md-renewed
 MD_RENEWED_HOST_DIR=
+MD_USER=apache
+MD_GROUP=apache


--- a/md-renewed.spec
+++ b/md-renewed.spec
@@ -1,5 +1,5 @@
 Name:           md-renewed
-Version:        1.3.4
+Version:        1.4.3
 Release:        1%{?dist}
 Summary:        Restart service on Apache module mod_md certificate renewal
 License:        MIT
@@ -9,14 +9,18 @@ BuildArch:      noarch

 Source0:        md-renewed
 Source1:        md-message
+
 Source2:        md-renewed.path
 Source3:        md-renewed.service
+Source4:        md-renewed.timer
+
 Source5:        md-renewed-install
-Source6:        md-renewed-install.path
+Source6:        md-renewed-install.timer
 Source7:        md-renewed-install.service

 Source10:       md-renewed-httpd.conf
 Source11:       md-renewed.conf
+
 Source20:       example.service
 Source21:       example.cert
 Source22:       example.sh
@@ -41,6 +45,7 @@ Restart service on Apache module mod_md certificate renewal
 %{__install} -d -m 0755 %{buildroot}%{_unitdir}
 %{__install} -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
 %{__install} -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
+%{__install} -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/
 %{__install} -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/
 %{__install} -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/

@@ -66,15 +71,18 @@ Restart service on Apache module mod_md certificate renewal

 %post
 %systemd_post md-renewed.path
-%systemd_post md-renewed-install.path
+%systemd_post md-renewed.timer
+%systemd_post md-renewed-install.timer

 %preun
 %systemd_preun md-renewed.path
-%systemd_preun md-renewed-install.path
+%systemd_preun md-renewed.timer
+%systemd_preun md-renewed-install.timer

 %postun
 %systemd_postun md-renewed.path
-%systemd_postun md-renewed-install.path
+%systemd_postun md-renewed.timer
+%systemd_postun md-renewed-install.timer

 %clean
 %{__rm} -rf %{buildroot}
@@ -93,7 +101,8 @@ Restart service on Apache module mod_md certificate renewal
 %{_unitdir}/md-renewed.service
 %{_unitdir}/md-renewed-install.service
 %{_unitdir}/md-renewed.path
-%{_unitdir}/md-renewed-install.path
+%{_unitdir}/md-renewed.timer
+%{_unitdir}/md-renewed-install.timer

 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored
--- a/md-renewed.timer
+++ b/md-renewed.timer
@@ -0,0 +1,11 @@
+[Unit]
+BindsTo=httpd.service
+After=httpd.service
+
+[Timer]
+Unit=md-renewed.service
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
+