Move commander service from host to docker container (#37 #38)

Arjan H
2022-04-17 19:36:46 +02:00
parent 99d8bbe6be
commit 091e532308
14 changed files with 216 additions and 139 deletions


@@ -6,8 +6,8 @@ try:
except ImportError: # pragma: no cover
from urllib2 import urlopen, Request # Python 2
DEFAULT_CA = "https://LABCA_FQDN" # DEPRECATED! USE DEFAULT_DIRECTORY_URL INSTEAD
DEFAULT_DIRECTORY_URL = "https://LABCA_FQDN/directory"
DEFAULT_CA = "http://boulder:4001" # DEPRECATED! USE DEFAULT_DIRECTORY_URL INSTEAD
DEFAULT_DIRECTORY_URL = "http://boulder:4001/directory"
LOGGER = logging.getLogger(__name__)
LOGGER.addHandler(logging.StreamHandler())
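Review bot: `DEFAULT_DIRECTORY_URL` now points at plain `http://boulder:4001/directory`, so the client no longer gets TLS authentication of the ACME server; ACME requests are JWS-signed, but the directory, nonces and challenge responses are fetched in cleartext and could be tampered with by anything sharing the compose network. That is probably acceptable for an in-host `bluenet` network, but it is a trust assumption worth stating next to the constant, e.g. `# plain HTTP on purpose: only reachable inside the docker network; never point this at an external CA`. The deprecated `DEFAULT_CA` is still kept with the same URL; if nothing reads it any more it could be dropped in a follow-up.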

14
backup

@@ -10,23 +10,23 @@ fi
BASE=${HOSTNAME}_${CRON}${NOW}
TMPDIR=/tmp/$BASE
mkdir -p $TMPDIR
mkdir -p /home/labca/backup
mkdir -p /backup
cd /home/labca/boulder
cd /boulder
docker-compose exec -T bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_integration.sql
cp -p /home/labca/nginx_data/ssl/*key* /home/labca/nginx_data/ssl/*cert.pem /home/labca/nginx_data/ssl/*.csr $TMPDIR/
cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/
cp -rp /home/labca/admin/data $TMPDIR/
cp -rp /admin/data $TMPDIR/
cd /tmp
tar czf /home/labca/backup/$BASE.tgz $BASE
tar czf /backup/$BASE.tgz $BASE
rm -rf $TMPDIR
# housekeeping
find /home/labca/backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \;
find /backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \;
if [ "$1" != "cron" ]; then
echo /home/labca/backup/$BASE.tgz
echo /backup/$BASE.tgz
fi
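Review bot: The tarball written by `tar czf /backup/$BASE.tgz $BASE` bundles the private keys copied from `/etc/nginx/ssl/*key*` (account key and server key) together with the SA database dump, but nothing restricts its permissions, so it is created under whatever umask the cron/commander process happens to have. Put `umask 077` at the top of the script (or `chmod 600 /backup/$BASE.tgz` right after the tar) so the archive is not readable by other users of the mounted `/backup` volume. `$TMPDIR`, `$BASE` and the target paths are also unquoted throughout; `HOSTNAME` is normally safe, but quoting costs nothing. The head of the script where `CRON`/`NOW` are set is outside this hunk.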


@@ -2,7 +2,7 @@
set -euo pipefail
LOGFILE=/home/labca/logs/commander.log
LOGFILE=/logs/commander.log
err_report() {
echo "ERROR! On line $1 in commander script"
@@ -38,7 +38,7 @@ function wait_server() {
read txt
case $txt in
"trust-store")
cp /home/labca/nginx_data/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt
cp /etc/nginx/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt
cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt
update-ca-certificates &>>$LOGFILE
echo "Waiting for initial startup of the docker containers..." &>>$LOGFILE
@@ -47,7 +47,7 @@ case $txt in
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"docker-restart")
cd /home/labca/boulder
cd /boulder
docker-compose stop &>>$LOGFILE
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_LABCA &>>$LOGFILE
@@ -58,41 +58,41 @@ case $txt in
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"acme-request")
cd /home/labca/nginx_data/ssl
cd /etc/nginx/ssl
[ -e account.key ] || openssl genrsa 4096 > account.key
[ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem
san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:)
openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr
url=$(grep 'DEFAULT_DIRECTORY_URL =' /home/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
url=$(grep 'DEFAULT_DIRECTORY_URL =' /acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
wait_server $url
sleep 10
/home/labca/labca/renew
ln -sf /home/labca/labca/cron_d /etc/cron.d/labca
ln -sf /home/labca/labca/logrotate_d /etc/logrotate.d/labca
/labca/renew
ln -sf /labca/cron_d /etc/cron.d/labca
ln -sf /labca/logrotate_d /etc/logrotate.d/labca
;;
"acme-change")
read fqdn
cd /home/labca/nginx_data/ssl
cd /etc/nginx/ssl
openssl genrsa 4096 > labca_key.pem
openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr
url=$(grep 'DEFAULT_DIRECTORY_URL =' /home/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
url=$(grep 'DEFAULT_DIRECTORY_URL =' /acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
wait_server $url
sleep 10
/home/labca/labca/renew
/labca/renew
;;
"nginx-remove-redirect")
perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /home/labca/nginx_data/conf.d/labca.conf
perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf
;;
"nginx-reload")
cd /home/labca/boulder
cd /boulder
docker-compose exec -T nginx nginx -s reload &>>$LOGFILE
;;
"nginx-restart")
cd /home/labca/boulder
cd /boulder
docker-compose restart nginx &>>$LOGFILE
;;
"log-cert")
[ -f /home/labca/nginx_data/ssl/acme_tiny.log ] && tail -200 /home/labca/nginx_data/ssl/acme_tiny.log || /bin/true
[ -f /etc/nginx/ssl/acme_tiny.log ] && tail -200 /etc/nginx/ssl/acme_tiny.log || /bin/true
exit 0
;;
"log-commander")
@@ -100,30 +100,30 @@ case $txt in
exit 0
;;
"log-boulder")
cd /home/labca/boulder
cd /boulder
docker-compose logs -f --no-color --tail=50 boulder
;;
"log-boulder-notail")
cd /home/labca/boulder
cd /boulder
docker-compose logs --no-color --tail=50 boulder
;;
"log-audit")
cd /home/labca/boulder
cd /boulder
docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -50
docker-compose logs -f --no-color --tail=0 boulder | grep "\[AUDIT\]"
;;
"log-activity")
cd /home/labca/boulder
cd /boulder
echo "GMT"
docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -15
exit 0
;;
"log-labca")
cd /home/labca/boulder
cd /boulder
docker-compose logs -f --no-color --tail=50 labca
;;
"log-labca-notail")
cd /home/labca/boulder
cd /boulder
docker-compose logs --no-color --tail=50 labca
;;
"log-labca-err")
@@ -131,16 +131,15 @@ case $txt in
exit 0
;;
"log-web")
cd /home/labca/boulder
cd /boulder
docker-compose logs -f --no-color --tail=50 nginx
;;
"log-components")
timezone=$(cat /etc/timezone)
nginx=$(ps -eo lstart,args | grep nginx | grep master | grep -v grep | cut -c 5-24)
svc=$(ps -eo lstart,args | grep tcpserver | grep sudo | grep -v grep | cut -c 5-24)
boulder=$(ps -eo lstart,args | grep bin/boulder-wfe2 | grep -v grep | cut -c 5-24)
labca=$(ps -eo lstart,args | grep bin/labca | grep -v grep | head -1 | cut -c 5-24)
echo "$timezone|$nginx|$svc|$boulder|$labca"
nginx=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _nginx_ | grep -v grep | cut -d "|" -f1)
svc=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _control_ | grep -v grep | cut -d "|" -f1)
boulder=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _boulder_ | grep -v grep | cut -d "|" -f1)
labca=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _labca_ | grep -v grep | cut -d "|" -f1)
echo "$nginx|$svc|$boulder|$labca"
exit 0
;;
"log-stats")
@@ -156,30 +155,30 @@ case $txt in
"revoke-cert")
read serial
read reasonCode
cd /home/labca/boulder
cd /boulder
docker-compose exec -T boulder bin/admin-revoker serial-revoke --config labca/config/admin-revoker.json $serial $reasonCode 2>&1
;;
"test-email")
read recipient
cd /home/labca/boulder
cd /boulder
docker-compose exec -T boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
;;
"boulder-start")
cd /home/labca/boulder
cd /boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d bmysql
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d boulder
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"boulder-stop")
cd /home/labca/boulder
cd /boulder
docker-compose stop boulder
docker-compose stop bmysql
wait_down $PS_MYSQL &>>$LOGFILE
wait_down $PS_BOULDER &>>$LOGFILE
;;
"boulder-restart")
cd /home/labca/boulder
cd /boulder
docker-compose stop boulder
docker-compose stop bmysql
wait_down $PS_MYSQL &>>$LOGFILE
@@ -190,33 +189,33 @@ case $txt in
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"labca-restart")
cd /home/labca/boulder
cd /boulder
docker-compose stop labca
wait_down $PS_LABCA &>>$LOGFILE
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d labca
wait_up $PS_LABCA &>>$LOGFILE
;;
"svc-restart")
service labca stop
wait_down $PS_SERVICE &>>$LOGFILE
service labca start
wait_up $PS_SERVICE &>>$LOGFILE
cd /boulder
set +e
docker-compose restart control
set -e
;;
"log-backups")
ls -1tr /home/labca/backup || /bin/true
ls -1tr /backup || /bin/true
exit 0
;;
"log-server-backup")
/home/labca/labca/backup
/labca/backup
exit 0
;;
"backup-delete")
read backup
rm -f /home/labca/backup/$backup
rm -f /backup/$backup
;;
"backup-restore")
read backup
/home/labca/labca/restore $backup
/labca/restore $backup
;;
"server-restart")
reboot
@@ -228,9 +227,9 @@ case $txt in
cd $dn
branch="$(git symbolic-ref --short HEAD 2>/dev/null)" || branch="(none)"
if [ "$branch" == "master" ] || [ "$branch" == "main" ] || [ "$branch" == "(none)" ]; then
nohup /home/labca/labca/install &>>$LOGFILE
nohup /labca/install &>>$LOGFILE
else
nohup /home/labca/labca/install -b $branch &>>$LOGFILE
nohup /labca/install -b $branch &>>$LOGFILE
fi
;;
*)
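Review bot: In `backup-delete` and `backup-restore` the name read from the socket is interpolated unvalidated and unquoted into `rm -f /backup/$backup` and `/labca/restore $backup`, so a value containing `../` or whitespace escapes `/backup` or expands to several arguments; now that the commander is served from a container holding the docker socket this input deserves a guard such as `backup=$(basename -- "$backup")` followed by `case "$backup" in *.tgz) ;; *) echo "invalid backup name"; exit 1;; esac`. `svc-restart` now runs `docker-compose restart control` from inside the `control` container itself, so the commander that issued it is killed mid-command; the `set +e` suggests this is expected, but a comment saying so would help and the caller should not expect any output after it. The surrounding `case $txt in` begins before the first hunk and the remaining branches continue after the last one.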

93
control.sh Executable file

@@ -0,0 +1,93 @@
#!/bin/bash
set -e
get_fqdn() {
local file_fqdn=""
if [ -e /admin/data/config.json ]; then
file_fqdn=$(grep fqdn /admin/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
fi
if [ "$file_fqdn" == "" ]; then
if [ "$LABCA_FQDN" == "notset" ]; then
echo "ERROR: environment variable LABCA_FQDN is not set!"
exit 1
else
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /admin/data/config.json
fi
elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
export LABCA_FQDN=$file_fqdn
fi
}
# TODO: install docker should be done in pre-baked image
install_docker() {
apt update
apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
apt install -y docker-ce
dockerComposeVersion="1.28.5"
local dcver=""
[ -x /usr/local/bin/docker-compose ] && dcver="`/usr/local/bin/docker-compose --version`"
local vercmp=${dcver/$dockerComposeVersion/}
if [ "$dcver" == "" ] || [ "$dcver" == "$vercmp" ]; then
curl -sSL https://github.com/docker/compose/releases/download/$dockerComposeVersion/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
fi
}
selfsigned_cert() {
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
}
renew_near_expiry() {
pushd /etc/nginx/ssl >/dev/null
if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then
hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem)
issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem)
if [ "$hash" == "$issuer_hash" ]; then
selfsigned_cert
else
echo "acme-request" | /labca/commander
fi
fi
popd >/dev/null
}
# TODO: install cron should be done in pre-baked image
start_cron() {
apt update
apt install -y cron
service cron start
}
# TODO: install ucspi-tcp should be done in pre-baked image
serve_commander() {
apt update
apt install -y ucspi-tcp
echo "Start serving commander script..."
tcpserver 0.0.0.0 3030 /labca/commander
}
main() {
get_fqdn
docker ps >/dev/null || install_docker
[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert
renew_near_expiry
mkdir -p /logs
start_cron
serve_commander
}
main "$@"
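Review bot: `tcpserver 0.0.0.0 3030 /labca/commander` in `serve_commander` accepts commands with no authentication, and per the compose change in this commit the same container mounts `/var/run/docker.sock`, so whoever can reach port 3030 on the compose network (any other container, e.g. a compromised `nginx` or `boulder`) gets `reboot`, backup deletion and effectively root on the host through the docker socket. The port is `expose`d rather than published, which confines this to the `bluenet` network, but consider tcpserver's `-x` rules (allow only the `labca` service address) or a shared secret checked at the top of `commander`; at minimum state this trust boundary in a comment above the `tcpserver` line. `install_docker` fetches the docker-compose binary with `curl -sSL ... -o /usr/local/bin/docker-compose` and marks it executable without any checksum or signature check, and `curl ... | apt-key add -` is deprecated; verifying a pinned `sha256sum` of the download would close that supply-chain gap. `renew_near_expiry` assigns `expires=` but never uses it — `if ! openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem; then` reads cleaner.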

6
cron_d

@@ -2,6 +2,6 @@
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
1 6 * * Mon root /home/labca/labca/backup cron
1 7 * * * root /home/labca/labca/mailer
5 7 * * * root /home/labca/labca/smartrenew
1 6 * * Mon root /labca/backup cron
1 7 * * * root /labca/mailer
5 7 * * * root /labca/smartrenew


@@ -122,6 +122,9 @@ func _parseActivity(data string) []Activity {
lines := strings.Split(data, "\n")
if lines[0] == "/UTC" {
lines[0] = "Etc/UTC"
}
loc, err := time.LoadLocation(lines[0])
if err != nil {
log.Printf("Could not determine location: %s\n", err)
@@ -155,13 +158,7 @@ func _parseComponents(data string) []Component {
parts := strings.Split(data, "|")
loc, err := time.LoadLocation(parts[0])
if err != nil {
log.Printf("Could not determine location: %s\n", err)
loc = time.Local
}
nginx, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[1], loc)
nginx, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[0])
nginxReal := ""
nginxNice := "stopped"
nginxClass := "error"
@@ -171,7 +168,7 @@ func _parseComponents(data string) []Component {
nginxClass = ""
}
svc, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[2], loc)
svc, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[1])
svcReal := ""
svcNice := "stopped"
svcClass := "error"
@@ -181,7 +178,7 @@ func _parseComponents(data string) []Component {
svcClass = ""
}
boulder, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[3], loc)
boulder, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[2])
boulderReal := ""
boulderNice := "stopped"
boulderClass := "error"
@@ -191,7 +188,7 @@ func _parseComponents(data string) []Component {
boulderClass = ""
}
labca, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[4], loc)
labca, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[3])
labcaReal := ""
labcaNice := "stopped"
labcaClass := "error"
@@ -226,6 +223,9 @@ func _parseStats(data string) []Stat {
parts := strings.Split(data, "|")
if parts[0] == "/UTC" {
parts[0] = "Etc/UTC"
}
loc, err := time.LoadLocation(parts[0])
if err != nil {
log.Printf("Could not determine location: %s\n", err)
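Review bot: `_parseComponents` now indexes `parts[0]` through `parts[3]` of `strings.Split(data, "|")` without checking `len(parts)`, so if the commander returns fewer fields (for example a single error line when `docker ps` fails inside the container) the handler panics with an index out of range instead of reporting the components as stopped. Add `if len(parts) < 4 { parts = append(parts, make([]string, 4-len(parts))...) }` right after the split; the empty strings then fail `time.Parse` and fall into the existing "stopped" path. `_parseComponents` starts before its hunk and its remainder follows it. The `/UTC` → `Etc/UTC` normalisation added in both `_parseActivity` and `_parseStats` looks right but is duplicated — a small `normalizeTZ(name string) string` helper would keep the two in step.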


@@ -1207,13 +1207,7 @@ func logsHandler(w http.ResponseWriter, r *http.Request) {
}
func getLog(w http.ResponseWriter, r *http.Request, logType string) string {
ip, err := _discoverGateway()
if err != nil {
errorHandler(w, r, err, http.StatusInternalServerError)
return ""
}
conn, err := net.Dial("tcp", ip.String()+":3030")
conn, err := net.Dial("tcp", "control:3030")
if err != nil {
errorHandler(w, r, err, http.StatusInternalServerError)
return ""
@@ -1245,13 +1239,7 @@ func wsErrorHandler(err error) {
}
func showLog(ws *websocket.Conn, logType string) {
ip, err := _discoverGateway()
if err != nil {
wsErrorHandler(err)
return
}
conn, err := net.Dial("tcp", ip.String()+":3030")
conn, err := net.Dial("tcp", "control:3030")
if err != nil {
wsErrorHandler(err)
return
@@ -1482,31 +1470,8 @@ func _parseLinuxIPRouteShow(output []byte) (net.IP, error) {
return nil, errors.New("no gateway found")
}
func _discoverGateway() (net.IP, error) {
if isDev {
ip := net.ParseIP("127.0.0.1")
if ip != nil {
return ip, nil
}
}
routeCmd := exec.Command("ip", "route", "show")
output, err := routeCmd.CombinedOutput()
if err != nil {
return nil, err
}
return _parseLinuxIPRouteShow(output)
}
func _hostCommand(w http.ResponseWriter, r *http.Request, command string, params ...string) bool {
ip, err := _discoverGateway()
if err != nil {
errorHandler(w, r, err, http.StatusInternalServerError)
return false
}
conn, err := net.Dial("tcp", ip.String()+":3030")
conn, err := net.Dial("tcp", "control:3030")
if err != nil {
errorHandler(w, r, err, http.StatusInternalServerError)
return false
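Review bot: The address `"control:3030"` is now hard-coded in three places (`getLog`, `showLog`, `_hostCommand`); a package-level `const controlAddr = "control:3030"` (or a value read from the environment) would keep them from drifting apart. Removing `_discoverGateway` also removes the only visible use of `exec.Command`, so unless something else in the file still uses `os/exec` the import is now unused and the file will not compile; `_parseLinuxIPRouteShow`, still present just above, looks like dead code now as well — confirm and drop both. The channel to `control` is plaintext, unauthenticated TCP, so these handlers' own authorization checks (outside this hunk) are the only gate on host-level commands.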

14
install

@@ -369,6 +369,9 @@ copy_admin() {
chown -R labca:labca $baseDir
chown root:root "$cloneDir/cron_d"
[ -e /etc/cron.d/labca ] && rm /etc/cron.d/labca || true
[ -e /etc/logrotate.d/labca ] && rm /etc/logrotate.d/labca || true
git add --all &>/dev/null || true
git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true
@@ -746,15 +749,12 @@ startup() {
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
[ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
done
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d &>>$installLog
[ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca
update-rc.d labca defaults &>>$installLog
update-rc.d labca enable &>>$installLog
service labca stop &>>$installLog || true
wait_down $PS_SERVICE &>>$installLog
service labca start &>>$installLog
wait_up $PS_SERVICE &>>$installLog
update-rc.d labca disable &>>$installLog || true
[ -e "/etc/init.d/labca" ] && rm /etc/init.d/labca || true
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d &>>$installLog
wait_up $PS_MYSQL &>>$installLog
wait_up $PS_LABCA &>>$installLog
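Review bot: The new `startup()` lines disable and delete the old host init script but never stop the service still running from it — the previous `service labca stop` / `wait_down $PS_SERVICE` sequence was removed — so on an in-place upgrade the old host `tcpserver` keeps listening on 3030 until the next reboot, alongside the new containerised one. Add `service labca stop &>>$installLog || true` before `update-rc.d labca disable`; the `|| true` covers fresh installs where no such service exists. `startup()` begins before this hunk; in `copy_admin` the `[ -e ... ] && rm ... || true` lines work but `rm -f` alone would be simpler.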


@@ -1,5 +1,5 @@
/home/labca/nginx_data/ssl/*.log
/home/labca/logs/cron-*.log
/etc/nginx/ssl/*.log
/logs/cron-*.log
{
rotate 4
monthly

2
mailer

@@ -3,7 +3,7 @@
set -e
TODAY=`date '+%Y_%m_%d'`
LOGFILE=/home/labca/logs/cron-mailer.log
LOGFILE=/logs/cron-mailer.log
echo $TODAY >>$LOGFILE
cd /home/labca/boulder
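Review bot: `LOGFILE` moved to `/logs/cron-mailer.log`, but the context line `cd /home/labca/boulder` directly below is unchanged while every other script in this commit switched to `/boulder` (the compose mount for the `control` container, from which cron now runs `/labca/mailer`); with `set -e` the failing `cd` aborts the mailer inside the container before it does anything. Unless a later hunk not shown here fixes it, change it to `cd /boulder`. The rest of the script is outside this hunk.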


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index b7e5656c5..51393c181 100644
index b7e5656c5..3b82e8651 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
@@ -50,7 +50,7 @@ index b7e5656c5..51393c181 100644
networks:
bluenet:
aliases:
@@ -56,21 +65,51 @@ services:
@@ -56,21 +65,71 @@ services:
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
@@ -64,20 +64,14 @@ index b7e5656c5..51393c181 100644
- netaccess:
+ labca:
image: *boulder_image
- environment:
- GO111MODULE: "on"
- GOFLAGS: -mod=vendor
- BOULDER_CONFIG_DIR: test/config
networks:
- bluenet
volumes:
+ image: *boulder_image
+ networks:
+ - bluenet
+ volumes:
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
+ - /home/labca/nginx_data/static:/wwwstatic
- .:/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
+ - .:/boulder
+ - /home/labca/boulder_labca:/boulder/labca
+ expose:
+ - 3000
@@ -105,6 +99,32 @@ index b7e5656c5..51393c181 100644
+ - /home/labca/nginx_data/ssl:/etc/nginx/ssl
+ - /home/labca/nginx_data/static:/var/www/html
+
+ control:
image: *boulder_image
- environment:
- GO111MODULE: "on"
- GOFLAGS: -mod=vendor
- BOULDER_CONFIG_DIR: test/config
networks:
- bluenet
volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /home/labca/admin:/admin
+ - /home/labca/labca:/labca
- .:/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/boulder_labca:/boulder/labca
+ - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
+ - /home/labca/nginx_data/ssl:/etc/nginx/ssl
+ - /home/labca/nginx_data/static:/var/www/html
+ expose:
+ - 3030
+ environment:
+ LABCA_FQDN: ${LABCA_FQDN:-notset}
+ working_dir: /labca
+ command: ./control.sh
+
+volumes:
+ dbdata:
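Review bot: The `control` service bind-mounts `/var/run/docker.sock`, which makes any code running in that container equivalent to root on the host (it can start a privileged container with `/` mounted), and the same container also serves the unauthenticated commander on port 3030 and holds the CA admin data and the nginx TLS keys via its other mounts. Since the commander only needs to drive `docker-compose` for this one project, consider a socket proxy that restricts the Docker API surface, or at least document above the mount why full socket access is required. `LABCA_FQDN: ${LABCA_FQDN:-notset}` uses a sentinel string that `control.sh` compares against; an empty default with `[ -z "$LABCA_FQDN" ]` on the script side would be the more conventional form. This file is itself a stored patch, so the inner `+`/`-` markers belong to the docker-compose diff it carries, not to this commit.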

6
renew

@@ -2,10 +2,10 @@
set -e
cd /home/labca/nginx_data/ssl
cd /etc/nginx/ssl
date >> acme_tiny.log
python ~labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/labca/nginx_data/static/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1
python3 /labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1
mv domain_chain.crt labca_cert.pem
cd /home/labca/boulder
cd /boulder
docker-compose restart nginx
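Review bot: When `acme_tiny.py` fails, the `|| exit 1` leaves a zero-length `domain_chain.crt` behind in `/etc/nginx/ssl` (the redirect truncates it before the interpreter runs), which a later manual step could mistake for a real chain; write to a temporary name and only `mv` on success, e.g. `tmp=$(mktemp -p . chain.XXXXXX); python3 /labca/acme_tiny.py ... > "$tmp" 2>> acme_tiny.log || { rm -f "$tmp"; exit 1; }; mv "$tmp" labca_cert.pem`. The switch from `python` to `python3` is safe here as far as the visible import block of `acme_tiny.py` shows — its `urllib2` import is only the Python 2 fallback.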


@@ -2,7 +2,7 @@
set -e
FILE=/home/labca/backup/$1
FILE=/backup/$1
[ "$1" != "" ] || (echo "You must provide a backup file name to restore"; exit 1)
[ -f $FILE ] || (echo "Backup file '$FILE' not found"; exit 1)
@@ -13,11 +13,11 @@ TMPDIR=/tmp/$BASE
cd /tmp
tar xzf $FILE
cd /home/labca/boulder
cd /boulder
docker-compose exec -T bmysql mysql boulder_sa_integration <$TMPDIR/boulder_sa_integration.sql
mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /home/labca/nginx_data/ssl/
mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /etc/nginx/ssl/
rm -rf /home/labca/admin/data && mv $TMPDIR/data /home/labca/admin/
rm -rf /admin/data && mv $TMPDIR/data /admin/
rm -rf $TMPDIR
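Review bot: `rm -rf /admin/data && mv $TMPDIR/data /admin/` destroys the live admin data before confirming the archive actually contained a `data` directory, so a truncated or foreign tarball wipes the CA configuration with nothing to put back; guard it with `[ -d "$TMPDIR/data" ] || { echo "backup has no data dir"; exit 1; }` before the `rm`, and ideally move the old directory aside (`mv /admin/data /admin/data.bak`) instead of deleting it. `$1` is also used unquoted and unvalidated in `FILE=/backup/$1`, so `[ -f $FILE ]` happily accepts a name containing `../`; a `case "$1" in */*|.*) exit 1;; esac` check keeps restores inside `/backup`. The lines deriving `BASE`/`TMPDIR` lie between the two hunks.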


@@ -5,10 +5,10 @@ set -e
RENEW=30
TODAY=`date '+%Y_%m_%d'`
echo $TODAY >> /home/labca/nginx_data/ssl/cron.log
echo $TODAY >> /etc/nginx/ssl/cron.log
if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /home/labca/nginx_data/ssl/labca_cert.pem`; then
echo " renewing!" >> /home/labca/nginx_data/ssl/cron.log
cp /home/labca/nginx_data/ssl/labca_cert.pem /home/labca/nginx_data/ssl/labca_cert_$TODAY.pem
~labca/labca/renew
if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /etc/nginx/ssl/labca_cert.pem`; then
echo " renewing!" >> /etc/nginx/ssl/cron.log
cp /etc/nginx/ssl/labca_cert.pem /etc/nginx/ssl/labca_cert_$TODAY.pem
/labca/renew
fi