dmz_certbot

lib/registrar/ovh-domain.sh

@@ -5,7 +5,8 @@
 function set_base {
 
     BASE_URL="https://eu.api.ovh.com/1.0"
-    source ./.ovh-credential
+    BASEDIR=$(dirname "$0")
+    source "$BASEDIR"/.ovh-credential
 }
 
 function build_url_list_records {

scripts/miaou

@@ -177,12 +177,63 @@ function build_routes() {
     builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
 }
 
+function build_dmz_certbot {
+    PREFIX="miaou:dmz:certbot"
+
+    # FIXME: to remove
+    # if [[ "$target" != dev ]]; then
+    if [[ "$target" == dev ]]; then
+
+        #TODO: check public ip available
+        my_ip=$(dig +short myip.opendns.com @resolver1.opendns.com)
+        if hostname -I | grep -q ${my_ip}; then
+            echo "My PUBLIC IP address is: <$my_ip>"
+        else
+            echoerr "This machine can not respond to its PUBLIC IP address: <$my_ip>" #FIXME: && exit 100
+        fi
+
+        default_registrar=$(yqm '.registrar.default')
+        [[ $default_registrar != 'OVH' ]] && echoerr "Sorry, no OVH registrar detected, please provide other registrar protocol" && exit 101
+
+        readarray -t services < <(yqmt '.expanded.services[] | [ .domain, .fqdn ]')
+        for service in "${services[@]}"; do
+            read -r -a item <<<"$service"
+
+            domain=${item[0]}
+            fqdn=${item[1]}
+            subDomain=${fqdn%.$domain}
+
+            echo "TODO: fqdn=$fqdn, domain=$domain"
+            local server_ip
+            server_ip=$(dig +short A $fqdn)
+            if [[ $server_ip == "$my_ip" ]]; then
+                echo "CNAME <$fqdn> approved successfuly!"
+            else
+                if [[ -n $server_ip ]]; then
+                    local server_name
+                    server_name=$(dig +short CNAME "$fqdn")
+                    echowarn "CNAME <$fqdn> points to another server: <$server_name>"
+                else
+                    echo TODO:REGISTRAR needed
+                    "$MIAOU_BASEDIR"/lib/registrar/ovh-domain.sh "$domain" "$subDomain"
+                fi
+            fi
+
+        done
+    else
+        echo "bypass certbot certificate generation due to target=<$target>"
+    fi
+}
+
 function build_dmz_reverseproxy() {
-    PREFIX="miaou:build:dmz"
-    echo -n "building configuration for nginx ... "
+    PREFIX="miaou:dmz:nginx"
+
+    echo -n "building default configuration for nginx ... "
     mkdir -p "$MIAOU_CONFIGDIR/nginx"
     tera -t "$MIAOU_BASEDIR/templates/nginx/_default.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nginx/_default" &>/dev/null
+    PREFIX="" echo OK
 
+    echo -n "building hosts configuration for nginx ... "
     tera -t "$MIAOU_BASEDIR/templates/nginx/hosts.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nginx/hosts" &>/dev/null
     PREFIX="" echo OK
 
@@ -190,17 +241,14 @@ function build_dmz_reverseproxy() {
     for f in "$MIAOU_CONFIGDIR"/nginx/*; do
         lxc file push --uid=0 --gid=0 "$f" "$DMZ_CONTAINER/etc/nginx/sites-available/" &>/dev/null
     done
-    PREFIX="" echo OK
-
     cat <<EOF | PREFIX="miaou:build:dmz" lxc_exec "$DMZ_CONTAINER"
         cd /etc/nginx/sites-enabled/
         for i in ../sites-available/*; do
-            # echo dmz: enabling... \$i
             ln -sf \$i
         done
-        nginx -tq
-        systemctl restart nginx
+        nginx -tq && systemctl restart nginx
 EOF
+    PREFIX="" echo OK
     echo "nginx reloaded successfully!"
 }
 
@@ -489,15 +537,16 @@ DMZ_IP=$(get_dmz_ip)
 readonly DMZ_IP DMZ_CONTAINER
 
 if check_expand_conf; then
-    archive_allconf
+    # archive_allconf
     expand_conf
-    check_resolv_conf
-    build_nftables
-    prepare_containers
-    build_services
-    build_dmz_reverseproxy
-    build_routes
-    build_monit
+    # check_resolv_conf
+    # build_nftables
+    # prepare_containers
+    # build_services
+    build_dmz_certbot
+    # build_dmz_reverseproxy
+    # build_routes
+    # build_monit
 else
     monit_show
 fi