Dmitry Yu Okunev лет назад: 5
Сommit
9bbd7be671

+ 16 - 0
generate-certificate-auth-hook.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. /root/bin/generate-certificate-common.sh
+
+echo "${VERIFICATION_DOMAIN}:"
+
+/root/bin/generate-certificate-cleanup-hook.sh
+
+addRecord "$VERIFICATION_DOMAIN" "$CERTBOT_VALIDATION"
+RC="$?"
+if [ "$RC" != '0' ]; then
+	exit $RC
+fi
+
+echo "waiting 10 seconds for the TXT-record of $VERIFICATION_DOMAIN to propagate"
+sleep 10
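Review bot: The exit status of `/root/bin/generate-certificate-cleanup-hook.sh` is discarded, so when removing stale `_acme-challenge` records fails the hook still adds a new record next to the old ones and certbot may validate against a stale value; check it the way `addRecord` is checked, `/root/bin/generate-certificate-cleanup-hook.sh || exit $?`. The fixed `sleep 10` is a guess at propagation time; a bounded retry loop that queries the zone's authoritative nameserver for the TXT value before returning would be more reliable, though that is more than a one-line change. Note also that this hook sources `/root/bin/generate-certificate-common.sh` while the cleanup hook it runs sources `/opt/certbot-telemedhelp-authenticator-hook/_common.sh`; if that file does not define `VERIFICATION_DOMAIN`, the cleanup hook calls `getRecords` on an empty name, which is worth confirming.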

+ 14 - 0
generate-certificate-cleanup-hook.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+. /opt/certbot-telemedhelp-authenticator-hook/_common.sh
+
+CURRENT_RECORDS=( $(getRecords "$VERIFICATION_DOMAIN") )
+
+for CURRENT_RECORD in ${CURRENT_RECORDS[@]}; do
+	CLOUDFLARE_DOMAIN="$(getDomain "$VERIFICATION_DOMAIN")"
+	removeRecord "${CLOUDFLARE_ZONE[$CLOUDFLARE_DOMAIN]}" "$CURRENT_RECORD"
+	RC="$?"
+	if [ "$RC" != '0' ]; then
+		exit $RC
+	fi
+done
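Review bot: `${CLOUDFLARE_ZONE[$CLOUDFLARE_DOMAIN]}` expands to an empty string when the domain is not in the map, and that empty zone id is then passed to `removeRecord` once per record; fail early instead, and compute the loop-invariant domain once: `CLOUDFLARE_DOMAIN="$(getDomain "$VERIFICATION_DOMAIN")"` and `ZONE_ID="${CLOUDFLARE_ZONE[$CLOUDFLARE_DOMAIN]:?no Cloudflare zone id for $CLOUDFLARE_DOMAIN}"` above the `for`, then `removeRecord "$ZONE_ID" "$CURRENT_RECORD"` in the body. The loop should also iterate over `"${CURRENT_RECORDS[@]}"` quoted. Whether `VERIFICATION_DOMAIN` is defined by the sourced `_common.sh` cannot be told from this hunk; the auth hook obtains it from a different file.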

+ 3 - 0
generate-certificate-common.sh

@@ -0,0 +1,3 @@
+
+
+VERIFICATION_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
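Review bot: `VERIFICATION_DOMAIN` is derived from `CERTBOT_DOMAIN` without checking that it is set, so when a hook is run outside certbot the value becomes `_acme-challenge.` and the cleanup hook would look up and remove records under that name; add `: "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN must be set (certbot exports it to hooks)}"` before the assignment. A one-line header comment stating that this file is sourced by the auth and cleanup hooks would also help, since it has no shebang and is not meant to run on its own.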

+ 7 - 0
generate-certificate.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+
+#certbot certonly --cert-name instances --agree-tos --email admin@ut.mephi.ru --preferred-challenges=dns --expand --manual-public-ip-logging-ok -n --renew-by-default --manual --manual-auth-hook /root/bin/generate-certificate-auth-hook.sh --manual-cleanup-hook /root/bin/generate-certificate-cleanup-hook.sh $@
+certbot certonly --cert-name sites --agree-tos --email admin@ut.mephi.ru --preferred-challenges http --expand --manual-public-ip-logging-ok -n --renew-by-default --authenticator certbot-haproxy:haproxy-authenticator --installer certbot-haproxy:haproxy-installer $@
+
+cat /etc/letsencrypt/live/sites/{fullchain,privkey}.pem > /etc/letsencrypt/live/sites/haproxy.pem
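Review bot: `cat ... > /etc/letsencrypt/live/sites/haproxy.pem` writes the private key into a file whose mode comes from the current umask, so the combined file can end up readable by other local users even though `privkey.pem` itself is not; set `umask 077` before the `cat` (or write it with `install -m 600`). `$@` on the certbot line should be `"$@"` so arguments are passed through unsplit. certbot's exit status is also ignored, so a failed issuance still reaches the `cat`; `|| exit $?` after the certbot command would stop the script there.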

+ 136 - 0
reload-instance-list.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+
+ZONE="private.os.mephi.ru"
+ZONE_PUBLIC="public.os.mephi.ru"
+MY_IP=85.143.112.100
+
+DOMAIN_ID=$(mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "SELECT id FROM domains WHERE name='$ZONE'")
+cd ~/reload-instance-list-workdir
+CURRENT_INSTANCES=($(~/go/bin/openstack-instance-list | sort))
+
+OLD_HASH="$(cat /run/reload-instance-list.sh.hash)"
+CURRENT_HASH="$(echo "$CURRENT_INSTANCES" | md5sum | awk '{print $1}')"
+
+if [ "$CURRENT_HASH" = "$OLD_HASH" ]; then
+	exit
+fi
+echo "$CURRENT_HASH" > /run/reload-instance-list.sh.hash
+timeout 600 lockfile-create /run/reload-instance-list.sh.lock
+trap 'lockfile-remove /run/reload-instance-list.sh.lock' SIGINT SIGTERM SIGHUP SIGQUIT SIGALRM SIGILL SIGABRT SIGPIPE EXIT
+
+oldIFS="$IFS"
+
+# updating the domain zone
+
+declare -A OLD_IDS_IP
+declare -A OLD_IDS_ID
+
+for LINE in $(pdnsutil list-zone "$ZONE" 2>/dev/null | sed -e "s/\\.$ZONE//g" | tr "\t" "@"); do
+	IFS="@"; WORDS=($LINE); IFS="$oldIFS"
+	ID="${WORDS[0]}"
+	IP="${WORDS[4]}"
+	if [ "$IP" = '' ]; then
+		continue
+	fi
+	if [ "$ID" = "$ZONE" ]; then
+		continue
+	fi
+	OLD_IDS_IP[$ID]="$IP"
+	OLD_IDS_ID[$ID]="$ID"
+done
+
+for LINE in ${CURRENT_INSTANCES[@]}; do
+	IFS=","; WORDS=($LINE); IFS="$oldIFS"
+	ID="${WORDS[0]}"
+	IP="${WORDS[1]}"
+	if [ "${OLD_IDS_IP[$ID]}" = '' ]; then
+		pdnsutil add-record "$ZONE" "$ID" A "$IP"
+		continue
+	fi
+	if [ "${OLD_IDS_IP[$ID]}" != "$IP" ]; then
+		mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "DELETE FROM records WHERE domain_id='$DOMAIN_ID' AND name='$ID.$ZONE'"
+		pdnsutil add-record "$ZONE" "$ID" A "$IP"
+	fi
+	OLD_IDS_IP[$ID]=""
+	OLD_IDS_ID[$ID]=""
+done
+
+for OLD_ID in ${OLD_IDS_ID[@]}; do
+	if [ "$OLD_ID" = '' ]; then
+		continue
+	fi
+	mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "DELETE FROM records WHERE domain_id='$DOMAIN_ID' AND name='$OLD_ID.$ZONE'"
+done
+
+# generating the certificate
+
+GENCERT_ARGS=()
+
+for LINE in ${CURRENT_INSTANCES[@]}; do
+	IFS=","; WORDS=($LINE); IFS="$oldIFS"
+	ID="${WORDS[0]}"
+	GENCERT_ARGS+=" -d ${ID}.${ZONE_PUBLIC} "
+done
+
+for LINE in $(cat /etc/webaliases); do
+	IFS=":"; WORDS=($LINE); IFS="$oldIFS"
+	HOST="${WORDS[0]}"
+	GENCERT_ARGS+=" -d ${HOST} "
+done
+
+/root/bin/generate-certificate.sh ${GENCERT_ARGS[@]}
+
+# generating haproxy config
+
+	cat > /etc/haproxy/gen-conf.d/050-frontends.conf <<EOF
+
+# Automatically generated frontend configuration:
+
+EOF
+	cat > /etc/haproxy/gen-conf.d/060-backends.conf <<EOF
+
+# Automatically generated backends configuration:
+
+EOF
+
+for LINE in ${CURRENT_INSTANCES[@]}; do
+	IFS=","; WORDS=($LINE); IFS="$oldIFS"
+	ID="${WORDS[0]}"
+	IP="${WORDS[1]}"
+
+	cat >> /etc/haproxy/gen-conf.d/050-frontends.conf <<EOF
+	acl host_${ID} hdr(host) -i ${ID}.${ZONE}
+	acl host_${ID} hdr(host) -i ${ID}.${ZONE_PUBLIC}
+	use_backend backend_${ID} if host_${ID}
+EOF
+	cat >> /etc/haproxy/gen-conf.d/060-backends.conf <<EOF
+backend backend_${ID}
+	mode http
+	server primary ${IP}:80
+EOF
+	#option httpchk GET / "HTTP/1.0\r\nX-Forwarded-Proto: https"
+	#option redispatch
+	#http-send-name-header Host
+	#http-check expect rstatus ((2|3)[0-9][0-9]|40[13])
+	#server primary 192.168.3.132:80 check inter 25s
+	#server backup0 192.168.0.132:80 check backup inter 25s
+	#server backup1 192.168.1.132:80 check backup inter 25s
+done
+
+for LINE in $(cat /etc/webaliases); do
+	IFS=":"; WORDS=($LINE); IFS="$oldIFS"
+	HOST="${WORDS[0]}"
+	ID="${WORDS[1]}"
+	IP="$(host "$HOST" | awk '{if($2=="has" && $3=="address"){print $4}}')"
+
+	if [ "$IP" != "$MY_IP" ]; then
+		continue
+	fi
+
+	cat >> /etc/haproxy/gen-conf.d/050-frontends.conf <<EOF
+	acl host_${ID} hdr(host) -i ${HOST}
+EOF
+done
+
+cat /etc/haproxy/gen-conf.d/* > /etc/haproxy/haproxy.cfg
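Review bot: The change detection at `CURRENT_HASH=...` hashes only the first instance, because `"$CURRENT_INSTANCES"` expands to element 0 of the array; a changed IP on any other instance, or an instance added or removed anywhere but the front of the sorted list, leaves the hash unchanged and the script exits at the `if` without touching DNS, the certificate or the haproxy config. Use `CURRENT_HASH="$(printf '%s\n' "${CURRENT_INSTANCES[@]}" | md5sum | awk '{print $1}')"`. The new hash is also written to `/run/reload-instance-list.sh.hash` before the lock is taken and before any work runs, so a failure in pdnsutil, certbot or the mysql DELETEs is not retried on the next run; move that write after the final `cat` into `haproxy.cfg`. Separately, `$ID` from the instance list is spliced unquoted into the mysql DELETE statements and into haproxy ACL and backend names; whether instance names can be chosen by untrusted tenants cannot be told from here, but a check such as `[[ "$ID" =~ ^[A-Za-z0-9-]+$ ]] || continue` at the top of each loop body would keep a hostile name out of both the SQL and the generated config.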