50-config

#!/usr/bin/with-contenv bash

# check to make sure that the required variables are set
# shellcheck disable=SC2153
if [ -z "$URL" ]; then
  echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details."
  exit 1
fi

# make our folders and links
mkdir -p \
	/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs} \
	/var/run/fail2ban
rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt

# copy config files
[[ ! -f /etc/fail2ban/jail.local ]] && \
	cp -R /etc/fail2ban/filter.d /config/fail2ban/ && \
	cp -R /etc/fail2ban/action.d /config/fail2ban/
[[ ! -f /config/fail2ban/jail.local ]] && \
	cp /defaults/jail.local /config/fail2ban/jail.local
[[ ! -d /config/fail2ban/filter.d ]] && \
	cp -R /etc/fail2ban/filter.d /config/fail2ban/
[[ ! -d /config/fail2ban/action.d ]] && \
	cp -R /etc/fail2ban/action.d /config/fail2ban/
cp -R /config/fail2ban/filter.d/* /etc/fail2ban/filter.d/
cp -R /config/fail2ban/action.d/* /etc/fail2ban/action.d/
cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
[[ ! -f /config/crontabs/root ]] && \
	cp /etc/crontabs/root /config/crontabs/
[[ ! -f /config/nginx/proxy.conf ]] && \
	cp /defaults/proxy.conf /config/nginx/proxy.conf

# import user crontabs
rm /etc/crontabs/*
cp /config/crontabs/* /etc/crontabs/

# create original config file if it doesn't exist
if [ ! -f "/config/donoteditthisfile.conf" ]; then
# shellcheck disable=SC2153
  echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGDHLEVEL=\"$DHLEVEL\"" > /config/donoteditthisfile.conf
fi

# load original config settings
# shellcheck disable=SC1091
. /config/donoteditthisfile.conf

# compare dhparams existence and level, create if necessary
if [ ! "$DHLEVEL" = "$ORIGDHLEVEL" ]; then
  rm -rf /config/nginx/dhparams.pem
  echo "DH parameters bit setting changed. Deleting old dhparams file."
fi

if [ ! -f "/config/nginx/dhparams.pem" ]; then
  echo "Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed"
  openssl dhparam -out /config/nginx/dhparams.pem "$DHLEVEL"
  echo "DH parameters successfully created - $DHLEVEL bits"
else
  echo "$ORIGDHLEVEL bit DH parameters present"
fi

# figuring out url only vs url & subdomains vs subdomains only
if [ ! -z "$SUBDOMAINS" ]; then
  echo "SUBDOMAINS entered, processing"
  for job in $(echo "$SUBDOMAINS" | tr "," " "); do
    export SUBDOMAINS2="$SUBDOMAINS2 -d ${job}.${URL}"
  done
  if [ "$ONLY_SUBDOMAINS" = true ]; then
    URLS="$SUBDOMAINS2"
    echo "Only subdomains, no URL in cert"
  else
    URLS="-d ${URL}${SUBDOMAINS2}"
  fi
  echo "Sub-domains processed are: $SUBDOMAINS2"
else
  echo "No subdomains defined"
  URLS="-d $URL"
fi

# add extra domains
if [ ! -z "$EXTRA_DOMAINS" ]; then
  echo "EXTRA_DOMAINS entered, processing"
  for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
    export EXTRA_DOMAINS2="$EXTRA_DOMAINS2 -d ${job}"
  done
  echo "Extra domains processed are: $EXTRA_DOMAINS2"
  URLS="$URLS $EXTRA_DOMAINS2"
fi

# figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then
  echo "E-mail address entered: ${EMAIL}"
  EMAILPARAM="-m ${EMAIL}"
else
  echo "No e-mail address entered or address invalid"
  EMAILPARAM="--register-unsafely-without-email"
fi

# setting the symlink for key location
rm -rf /config/keys/letsencrypt
if [ "$ONLY_SUBDOMAINS" = "true" ]; then
  DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
  ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
else
  ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
fi

# checking for changes in cert variables, revoking certs if necessary
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ]; then
  echo "Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
  if [ "$ORIGONLY_SUBDOMAINS" = "true" ]; then
    ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
    certbot revoke --staging --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem
  else
    certbot revoke --staging --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGURL"/fullchain.pem
  fi
  rm -rf /config/etc
  mkdir -p /config/etc/letsencrypt
fi

# generating certs if necessary
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
  echo "Generating new certificate"
# shellcheck disable=SC2086
  certbot certonly --staging --non-interactive --renew-by-default --standalone --preferred-challenges http-01 --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS
  cd /config/keys/letsencrypt || exit
  openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
else
  chmod +x /app/le-renew.sh
  /app/le-renew.sh
fi

# saving new variables
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGDHLEVEL=\"$DHLEVEL\"" > /config/donoteditthisfile.conf

# logfiles needed by fail2ban
[[ ! -f /config/log/nginx/error.log ]] && \
	touch /config/log/nginx/error.log
[[ ! -f /config/log/nginx/access.log ]] && \
	touch /config/log/nginx/access.log

# permissions
chown -R abc:abc \
	/config
chmod -R 0644 /etc/logrotate.d

# Start fail2ban
fail2ban-client -x start