From d1552035f109fefb284dec25dfa1b273cdc86568 Mon Sep 17 00:00:00 2001
From: Luke Tidd
Date: Sun, 25 Aug 2024 11:41:21 -0400
Subject: [PATCH] redid firewall

---
 ssl-status.py | 4 ++--
 ssl-update.py | 18 +++++++++++-------
 update_all | 4 ++--
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/ssl-status.py b/ssl-status.py
index d1b91e7..da85752 100755
--- a/ssl-status.py
+++ b/ssl-status.py
@@ -9,8 +9,8 @@ import sys
 import time
 
 supported_services = [
- # 'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read']
- 'git', 'plex', 'photoprism', 'nextcloud', 'read']
+ # 'git', 'plex', 'photoprism', 'nextcloud', 'read', 'www', 'chat']
+ 'git', 'plex', 'photoprism', 'read', 'www', 'chat']
 
 def get_cert_dates(url, port=443):
 cmd = (
diff --git a/ssl-update.py b/ssl-update.py
index d83df68..aa1eb1c 100755
--- a/ssl-update.py
+++ b/ssl-update.py
@@ -17,8 +17,8 @@ import sys
 import time
 import pexpect
 
-firewall = 'danknasty'
-firewall_user = 'luke131'
+firewall = '10.0.0.1'
+firewall_user = 'luke'
 firewall_key = '/root/.ssh/id_autofirewall'
 server_user = 'luke'
 domain = 'drheck.dev'
@@ -42,6 +42,7 @@ users = {
 'chat': 'synapse',
 'sync': 'syncv3',
 'www': 'http',
+ 'spacebar': '_spacebar',
 }
 
 # systemd service names that don't match the service name
@@ -69,7 +70,7 @@ def firewall_mod(state, service, decrypt_pp):
 os.environ['ssl_service'] = service
 cmd = ['/usr/bin/ssh', '-i', firewall_key, '-o', 'SendEnv=state', '-o', 'SendEnv=ssl_service', '-l', firewall_user,
- firewall, 'doas', '-n', '/usr/local/bin/ssl-update.sh']
+ firewall, '/usr/local/bin/ssl-update.sh']
 log.info(f'env for fw: state: {os.environ["state"]}')
 log.info(f'env for fw: ssl_service: {service}')
 log.info(f'cmd to connect to firewall: "{" ".join(cmd)}"')
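Review bot: The active list on the second + line drops 'nextcloud' while update_all, later in this same patch, still queues `services+=('nextcloud')`, so ssl-status.py and the renewal loop now disagree about which services exist. The 'spacebar' entry this commit adds to `users` in ssl-update.py appears in neither list either; if ssl-update.py keeps its own supported_services that mirrors this one (not visible here), the new entry cannot be renewed. If the removal is deliberate, the commented-out line above it, which still names nextcloud, no longer documents anything and should go as well.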
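Review bot: Switching `firewall` from the name 'danknasty' to '10.0.0.1' also changes which known_hosts entry ssh consults, so unless root's known_hosts already carries the firewall's key under 10.0.0.1, the next run (invoked non-interactively through sudo from update_all) either hangs on a host-key prompt or fails verification instead of renewing. Pre-seed the entry for 10.0.0.1 and make the ssh call in firewall_mod fail fast rather than prompt by adding `'-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=yes',` to `cmd`. The hard-coded host, user and key path are deployment settings; reading them from the environment or a root-only config file would keep the source free of site-specific values.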
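Review bot: Dropping `'doas', '-n'` from `cmd` means `/usr/local/bin/ssl-update.sh` now runs on the firewall with `firewall_user`'s own privileges; if changing the port-80 rule still needs root there, the script must escalate itself or the call fails, and whether firewall_mod checks ssh's exit status is outside the hunk (its body continues past these lines). Since `firewall_key` is a dedicated automation key, the defensive counterpart on the firewall is to bind it to this single action with a `restrict,command="/usr/local/bin/ssl-update.sh"` entry in that user's authorized_keys, so the key cannot open a shell, and to allow only the two `SendEnv` variables via sshd's `AcceptEnv`. A comment above `cmd` recording that contract would save the next reader a trip to the firewall: `# ssl-update.sh on the firewall handles its own privilege escalation; the automation key is restricted to that command in authorized_keys`.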
@@ -215,7 +216,7 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
 ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
 ('You have an existing certificate that has exactly the '
 "same domains or certificate name you requested and isn't "
- 'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
+ 'close to expiry'),'(U)pdate key type/(K)eep existing key type:',
 pexpect.TIMEOUT, pexpect.EOF], timeout=20)
 if res > 2:
 sys.exit('Timed out')
@@ -285,10 +286,13 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
 if 'failed' in output_text:
 sys.exit('Something went wrong')
 
- log.info(f'open port 80 to {service}')
+ log.info(f'close port 80 to {service}')
 firewall_mod('HTTP_DOWN', service, decrypt_pp)
 service_enabled_symlink.unlink()
+ if service_enabled_symlink.is_symlink():
+ sys.exit(f'Could not unlink {service_enabled_symlink}')
+ log.info('created symlink to enable service')
 log.info('removed symlink in nginx to disable HTTP')
 restart('nginx')
@@ -327,8 +331,8 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
 
 
 def main(args):
- # logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
- logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
+ logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
+ #logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
 log.info(f'program start: {sys.argv}')
 if len(args) != 1:
 sys.exit(f'Give a service to renew: {", ".join(supported_services)} ')
diff --git a/update_all b/update_all
index b142ec9..96df15e 100755
--- a/update_all
+++ b/update_all
@@ -3,7 +3,7 @@ declare -a services
 
 services+=('git')
 services+=('plex')
-services+=('jellyfin')
+# services+=('jellyfin')
 services+=('photoprism')
 services+=('nextcloud')
 services+=('read')
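Review bot: The unescaped pattern on the + line changes what pexpect matches: expect() compiles string entries as regular expressions (the first entry's `([^\r]+)` capture shows that is the call in use), so `(U)pdate key type/(K)eep existing key type:` is now a regex with two capture groups that only matches the literal text `Update key type/Keep existing key type:`, whereas the prompt it is meant to catch contains the parentheses, as the old escaped pattern indicates. When that prompt appears the match falls through to index 3 (pexpect.TIMEOUT) and the `Timed out` exit. The old line's actual problem was invalid escape sequences in a non-raw string literal (`'\('` warns in recent Pythons); keep the escapes and make the literal raw: `r'\(U\)pdate key type/\(K\)eep existing key type:',`. run_cert_bot starts and ends outside the hunk.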
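Review bot: The added `is_symlink()` check after `service_enabled_symlink.unlink()` cannot catch the failure it is written for: pathlib's unlink() raises (FileNotFoundError, PermissionError) rather than returning when the link cannot be removed, so a real failure surfaces as a traceback before the check and the `Could not unlink` exit only fires in a race where the link reappears. Catching OSError around the unlink, as below, gives the message the commit is after. Separately, the `'failed'` early exit just above the changed lines returns before `firewall_mod('HTTP_DOWN', ...)`; if run_cert_bot raised the matching HTTP_UP earlier (its body starts outside the hunk), a failed renewal leaves port 80 open on the firewall, which a try/finally around the challenge would avoid. The `created symlink to enable service` log line (its marker is ambiguous in this rendering) describes the opposite of what this branch does; if it is new here it should read something like `removed nginx symlink for {service}`.
```python
    firewall_mod('HTTP_DOWN', service, decrypt_pp)
    try:
        service_enabled_symlink.unlink()
    except OSError as err:
        sys.exit(f'Could not unlink {service_enabled_symlink}: {err}')
    # … unchanged: log lines and restart('nginx') …
```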
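Review bot: The new-side `#logging.basicConfig(... "INFO")` line is commented-out code kept as a toggle; the level already comes from `LOGLEVEL`, so the line can be deleted and verbose runs started with `LOGLEVEL=INFO` instead. Note that with WARNING as the default, the `log.info(f'program start: ...')` line directly below and the firewall `cmd` logging no longer reach update_all's per-service log files unless LOGLEVEL is set, and those files are the only record when a renewal fails.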
@@ -27,7 +27,7 @@ mkdir -p "$logdir"
 
 for service in "${services[@]}"; do
 log="${logdir}/${service}.log"
- if ! sudo ./ssl-update.py "$service" &> "$log"; then
+ if ! sudo ./ssl-update.py "$service" &>"$log"; then
 printf '%s failed. Log: %s\n' "$service" "$log"
 else
 printf '%s succeeded.\n' "$service"