From b9c51d29ae859e4f92ee067a5a7b3e8811de278d Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 21 Jan 2025 18:18:18 +0100
Subject: [PATCH] Solved cert bugs

---
 group_vars/all | 2 +-
 roles/docker-ldap/tasks/main.yml | 1 -
 .../templates/docker-compose.yml.j2 | 4 +--
 roles/docker-ldap/vars/main.yml | 7 ++--
 .../templates/docker-compose.yml.j2 | 2 +-
 roles/docker-mailu/vars/main.yml | 7 ++--
 .../files/nginx-docker-cert-deploy.sh | 33 +++++++++++++++----
 .../handlers/main.yml | 2 +-
 roles/nginx-docker-cert-deploy/vars/main.yml | 1 -
 9 files changed, 40 insertions(+), 19 deletions(-)

diff --git a/group_vars/all b/group_vars/all
index 3e1f294a..5732b52b 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -246,7 +246,7 @@ keycloak_administrator_username: "{{administrator_username}}"
 
 #### LDAP
 ldap_version: "latest"
-ldap_admin_version: "latest"
+ldap_admin_version: "2.0.0-dev"
 ldap_administrator_username: "{{administrator_username}}"
 ldap_administrator_password: "{{user_administrator_initial_password}}" #CHANGE for security reasons
 
diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml
index a71310ec..d92864a9 100644
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -2,7 +2,6 @@
 - name: "include docker/compose/common.yml"
   include_tasks: docker/compose/common.yml
 
-# optimize
 - name: "include tasks nginx-docker-proxy-domain.yml"
   include_tasks: nginx-docker-proxy-domain.yml
 
diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2
index 96fc5621..61bd692c 100644
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@@ -35,10 +35,10 @@ services:
       LDAP_LDAPS_PORT_NUMBER: 636 # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
       LDAP_TLS_CERT_FILE: /certs/cert.pem # File containing the certificate file for the TLS traffic. No defaults.
       LDAP_TLS_KEY_FILE: /certs/key.pem # File containing the key for certificate. No defaults.
-      #LDAP_TLS_CA_FILE: # File containing the CA of the certificate. No defaults.
+      LDAP_TLS_CA_FILE: /certs/chain.pem # File containing the CA of the certificate. No defaults.
       #LDAP_TLS_DH_PARAMS_FILE: # File containing the DH parameters. No defaults.
     volumes:
-      - {{cert_mount_directory}}:/certs
+      - {{cert_mount_directory}}:/certs:ro
       - 'data:/bitnami/openldap'
 {% include 'templates/docker/container/networks.yml.j2' %}
 {% include 'templates/docker/compose/volumes.yml.j2' %}
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index 266cc2bc..78dfcbb3 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -1,3 +1,4 @@
-docker_compose_project_name: "ldap"
-ldap_root: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
-ldap_admin_dm: "cn={{ldap_administrator_username}},{{ldap_root}}"
\ No newline at end of file
+docker_compose_project_name: "ldap"
+ldap_root: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+ldap_admin_dn: "cn={{ldap_administrator_username}},{{ldap_root}}"
+cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
\ No newline at end of file
diff --git a/roles/docker-mailu/templates/docker-compose.yml.j2 b/roles/docker-mailu/templates/docker-compose.yml.j2
index 6cc0e76a..e412ce93 100644
--- a/roles/docker-mailu/templates/docker-compose.yml.j2
+++ b/roles/docker-mailu/templates/docker-compose.yml.j2
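Review bot: The unchanged context lines `LDAP_TLS_CERT_FILE: /certs/cert.pem` and `LDAP_TLS_KEY_FILE: /certs/key.pem` no longer match what the deploy script in this same commit writes: it now copies `live/$domain/*` verbatim instead of renaming privkey.pem to key.pem and fullchain.pem to cert.pem, so in a standard certbot layout `/certs/key.pem` is never produced and `/certs/cert.pem` becomes the leaf certificate only. A stale key.pem left over from an earlier run would then be paired with a freshly renewed cert.pem, and a clean first deployment has no key at all. Either restore the renames in the script or point these two variables at the certbot names, `LDAP_TLS_CERT_FILE: /certs/fullchain.pem` and `LDAP_TLS_KEY_FILE: /certs/privkey.pem`. The `:ro` mount is a good hardening; note that certbot's chain.pem is the intermediate chain rather than a root CA, which is presumably what the image expects for `LDAP_TLS_CA_FILE` but is worth confirming against the image documentation.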
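Review bot: `ldap_admin_dm` is renamed to `ldap_admin_dn` here, but none of the nine files in this commit's diffstat changes a reference to it, so any template or task still using `ldap_admin_dm` will now hit an undefined variable at render time. Grep the repository for `ldap_admin_dm` before merging, and if it is consumed outside this role keep the old name as an alias for one release: `ldap_admin_dm: "{{ ldap_admin_dn }}"`. Every line of the file is rewritten, which usually indicates a line-ending change; that is fine but deserves a mention in the commit message.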
@@ -32,7 +32,7 @@ services:
       - "{{ ip4_address }}:4190:4190"
     volumes:
       - "/etc/mailu/overrides/nginx:/overrides:ro"
-      - "{{docker_compose_instance_directory}}/certs/:/certs"
+      - "{{cert_mount_directory}}:/certs:ro"
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
       resolver:
         condition: service_started
diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml
index cb905f2f..2ab9a658 100644
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
@@ -1,3 +1,4 @@
-docker_compose_project_name: "mailu"
-database_password: "{{mailu_database_password}}"
-database_type: "mariadb"
\ No newline at end of file
+docker_compose_project_name: "mailu"
+database_password: "{{mailu_database_password}}"
+database_type: "mariadb"
+cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
\ No newline at end of file
diff --git a/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh b/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
index 38fc9dc4..2231a56b 100644
--- a/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
+++ b/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
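Review bot: The mount becoming read-only is right, but the contents of `/certs` change with this commit's deploy script: it now copies `live/$domain/*` as-is, so the directory holds `privkey.pem`/`fullchain.pem` (plus certbot's README) rather than the `key.pem`/`cert.pem` the script used to create. The front container's expected filenames are not visible in this diff; if Mailu reads `/certs/cert.pem` and `/certs/key.pem` as before, TLS breaks on the next deploy, and a stale key.pem from an earlier run could be served alongside a renewed, mismatched cert.pem. Confirm the names against the Mailu TLS configuration, or restore the renames in the script.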
@@ -11,14 +11,35 @@ domain="$1"
 docker_compose_instance_directory="$2"
 
 # Copy certificates
-cp "/etc/letsencrypt/live/$domain/privkey.pem" "$docker_compose_instance_directory/certs/key.pem" || exit 1
-cp "/etc/letsencrypt/live/$domain/fullchain.pem" $docker_compose_instance_directory/certs/cert.pem || exit 1
+cp -Rv "/etc/letsencrypt/live/$domain/"* "$docker_compose_instance_directory/certs" || exit 1
+
+# Flag to track if any Nginx reload was successful
+nginx_reload_successful=false
 
 # Reload Nginx in all containers within the Docker Compose setup
 cd "$docker_compose_instance_directory" || exit 1
-docker compose ps --services | while read -r service; do
-  docker compose exec "$service" nginx -s reload && exit 0
+
+# Iterate over all services
+for service in $(docker compose ps --services); do
+  echo "Checking service: $service"
+  # Check if Nginx exists in the container
+  if docker compose exec -T "$service" which nginx > /dev/null 2>&1; then
+    echo "Reloading Nginx for service: $service"
+    if docker compose exec -T "$service" nginx -s reload; then
+      nginx_reload_successful=true
+      echo "Successfully reloaded Nginx for service: $service"
+    else
+      echo "Failed to reload Nginx for service: $service" >&2
+    fi
+  else
+    echo "Nginx not found in service: $service, skipping."
+  fi
 done
 
-# Restart all docker containers if no nginx reload is possible
-docker compose restart || exit 1
\ No newline at end of file
+# Restart all containers if no Nginx reload was successful
+if [ "$nginx_reload_successful" = false ]; then
+  echo "No Nginx reload was successful. Restarting all Docker containers."
+  docker compose restart || exit 1
+else
+  echo "At least one Nginx reload was successful. No restart needed."
+fi
diff --git a/roles/nginx-docker-cert-deploy/handlers/main.yml b/roles/nginx-docker-cert-deploy/handlers/main.yml
index 4056f057..bc5f1bdc 100644
--- a/roles/nginx-docker-cert-deploy/handlers/main.yml
+++ b/roles/nginx-docker-cert-deploy/handlers/main.yml
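Review bot: `cp -Rv "/etc/letsencrypt/live/$domain/"*` copies symbolic links as links on GNU coreutils (`-R` implies no dereference), and in a standard certbot layout every file in `live/<domain>/` is a symlink into `../../archive/`, so the copies in `certs/` would dangle inside containers that mount only `certs/`. The two `cp` calls it replaces followed the links and also produced the `key.pem`/`cert.pem` names the compose templates still read; the glob drops both and additionally copies certbot's README into the mounted directory. Copy the named files with `-L` and keep the destination names aligned with whatever the templates consume. Note that `privkey.pem` keeps its 0600 root mode through a plain copy, so a consumer running unprivileged cannot read it; presumably acceptable if the previous script worked, but worth confirming. The script's first ten lines (argument handling) are outside this hunk.
```shell
# … unchanged: argument handling (domain, docker_compose_instance_directory) …
src="/etc/letsencrypt/live/$domain"
dst="$docker_compose_instance_directory/certs"
mkdir -p "$dst" || exit 1
# live/ holds symlinks into archive/; -L copies the targets so the files are real inside the container
for f in privkey.pem fullchain.pem chain.pem; do
  cp -Lv "$src/$f" "$dst/$f" || exit 1
done
# … unchanged: nginx reload loop and fallback restart …
```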
@@ -1,7 +1,7 @@
 ---
 - name: "restart nginx-docker-cert-deploy.cymais.service"
   systemd:
-    name: nginx-docker-cert-deploy.{{domain}}.cymais.service
+    name: nginx-docker-cert-deploy.{{docker_compose_project_name}}.cymais.service
     state: restarted
     enabled: yes
     daemon_reload: yes
\ No newline at end of file
diff --git a/roles/nginx-docker-cert-deploy/vars/main.yml b/roles/nginx-docker-cert-deploy/vars/main.yml
index 9a4e5225..5a19b2c7 100644
--- a/roles/nginx-docker-cert-deploy/vars/main.yml
+++ b/roles/nginx-docker-cert-deploy/vars/main.yml
@@ -1,2 +1 @@
-cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
 nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}nginx-docker-cert-deploy.sh"
\ No newline at end of file