redid firewall

2024-08-25 11:41:21 -04:00 · 2024-08-25 11:41:21 -04:00 · d1552035f1
commit d1552035f1
parent b9b557aae3
3 changed files with 15 additions and 11 deletions
--- a/ssl-status.py
+++ b/ssl-status.py
@ -9,8 +9,8 @@ import sys
 import time

 supported_services = [
-    # 'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read']
-  'git', 'plex', 'photoprism', 'nextcloud', 'read']
+  # 'git', 'plex', 'photoprism', 'nextcloud', 'read', 'www', 'chat']
+  'git', 'plex', 'photoprism', 'read', 'www', 'chat']

 def get_cert_dates(url, port=443):
  cmd = (
--- a/ssl-update.py
+++ b/ssl-update.py
@ -17,8 +17,8 @@ import sys
 import time
 import pexpect

-firewall = 'danknasty'
-firewall_user = 'luke131'
+firewall = '10.0.0.1'
+firewall_user = 'luke'
 firewall_key = '/root/.ssh/id_autofirewall'
 server_user = 'luke'
 domain = 'drheck.dev'
@ -42,6 +42,7 @@ users = {
    'chat': 'synapse',
    'sync': 'syncv3',
    'www': 'http',
+    'spacebar': '_spacebar',
 }

 # systemd service names that don't match the service name
@ -69,7 +70,7 @@ def firewall_mod(state, service, decrypt_pp):
  os.environ['ssl_service'] = service
  cmd = ['/usr/bin/ssh', '-i', firewall_key, '-o',
         'SendEnv=state', '-o', 'SendEnv=ssl_service', '-l', firewall_user,
-         firewall, 'doas', '-n', '/usr/local/bin/ssl-update.sh']
+         firewall, '/usr/local/bin/ssl-update.sh']
  log.info(f'env for fw: state: {os.environ["state"]}')
  log.info(f'env for fw: ssl_service: {service}')
  log.info(f'cmd to connect to firewall: "{" ".join(cmd)}"')
@ -215,7 +216,7 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
        ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
         ('You have an existing certificate that has exactly the '
          "same domains or certificate name you requested and isn't "
-          'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
+          'close to expiry'),'(U)pdate key type/(K)eep existing key type:',
          pexpect.TIMEOUT, pexpect.EOF], timeout=20)
    if res > 2:
      sys.exit('Timed out')
@ -285,10 +286,13 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):
  if 'failed' in output_text:
    sys.exit('Something went wrong')

-  log.info(f'open port 80 to {service}')
+  log.info(f'close port 80 to {service}')
  firewall_mod('HTTP_DOWN', service, decrypt_pp)

  service_enabled_symlink.unlink()
+  if service_enabled_symlink.is_symlink():
+    sys.exit(f'Could not unlink {service_enabled_symlink}')
+    log.info('created symlink to enable service')
  log.info('removed symlink in nginx to disable HTTP')

  restart('nginx')
@ -327,8 +331,8 @@ def run_cert_bot(fqdn, service, challenge_path, decrypt_pp):


 def main(args):
-  # logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
-  logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
+  logging.basicConfig(level=os.environ.get("LOGLEVEL", "WARNING"))
+  #logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
  log.info(f'program start: {sys.argv}')
  if len(args) != 1:
    sys.exit(f'Give a service to renew: {", ".join(supported_services)} ')
--- a/2
+++ b/2
@ -3,7 +3,7 @@
 declare -a services
 services+=('git')
 services+=('plex')
-services+=('jellyfin')
+# services+=('jellyfin')
 services+=('photoprism')
 services+=('nextcloud')
 services+=('read')