redid firewall

ssl-status.py

@@ -9,8 +9,8 @@ import sys
 import time
 
 supported_services = [
-    # 'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read']
+  # 'git', 'plex', 'photoprism', 'nextcloud', 'read', 'www', 'chat']
-  'git', 'plex', 'photoprism', 'nextcloud', 'read']
+  'git', 'plex', 'photoprism', 'read', 'www', 'chat']
 
 def get_cert_dates(url, port=443):
   cmd = (

ssl-update.py

@@ -17,8 +17,8 @@ import sys
 import time
 import pexpect
 
-firewall = 'danknasty'
+firewall = '10.0.0.1'
-firewall_user = 'luke131'
+firewall_user = 'luke'
 firewall_key = '/root/.ssh/id_autofirewall'
 server_user = 'luke'
 domain = 'drheck.dev'
@@ -42,6 +42,7 @@ users = {
     'chat': 'synapse',
     'sync': 'syncv3',
     'www': 'http',
+    'spacebar': '_spacebar',
 }
 
 # systemd service names that don't match the service name
@@ -69,7 +70,7 @@ def firewall_mod(state, service, decrypt_pp):
   os.environ['ssl_service'] = service
   cmd = ['/usr/bin/ssh', '-i', firewall_key, '-o',
          'SendEnv=state', '-o', 'SendEnv=ssl_service', '-l', firewall_user,
-         firewall, 'doas', '-n', '/usr/local/bin/ssl-update.sh']
+         firewall, '/usr/local/bin/ssl-update.sh']
   log.info(f'env for fw: state: {os.environ["state"]}')
   log.info(f'env for fw: ssl_service: {service}')
   log.info(f'cmd to connect to firewall: "{" ".join(cmd)}"')
@@ -215,7 +216,7 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
         ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
          ('You have an existing certificate that has exactly the '
           "same domains or certificate name you requested and isn't "
-          'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
+          'close to expiry'),'(U)pdate key type/(K)eep existing key type:',
           pexpect.TIMEOUT, pexpect.EOF], timeout=20)
     if res > 2:
       sys.exit('Timed out')
@@ -285,10 +286,13 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
   if 'failed' in output_text:
     sys.exit('Something went wrong')
 
-  log.info(f'open port 80 to {service}')
+  log.info(f'close port 80 to {service}')
   firewall_mod('HTTP_DOWN', service, decrypt_pp)
 
   service_enabled_symlink.unlink()
+  if service_enabled_symlink.is_symlink():
+    sys.exit(f'Could not unlink {service_enabled_symlink}')
+    log.info('created symlink to enable service')
   log.info('removed symlink in nginx to disable HTTP')
 
   restart('nginx')
@@ -327,8 +331,8 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
 
 
 def main(args):
-  # logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
+  logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
-  logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
+  #logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
   log.info(f'program start: {sys.argv}')
   if len(args) != 1:
     sys.exit(f'Give a service to renew: {", ".join(supported_services)} ')

update_all

@@ -3,7 +3,7 @@
 declare -a services
 services+=('git')
 services+=('plex')
-services+=('jellyfin')
+# services+=('jellyfin')
 services+=('photoprism')
 services+=('nextcloud')
 services+=('read')
@@ -27,7 +27,7 @@ mkdir -p "$logdir"
 
 for service in "${services[@]}"; do
   log="${logdir}/${service}.log"
-  if ! sudo ./ssl-update.py "$service" &> "$log"; then
+  if ! sudo ./ssl-update.py "$service" &>"$log"; then
     printf '%s failed. Log: %s\n' "$service" "$log"
   else
     printf '%s succeeded.\n' "$service"