bunkerweb 1.4.0

2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions
--- a/core/letsencrypt/jobs/certbot-auth.py
+++ b/core/letsencrypt/jobs/certbot-auth.py
@@ -0,0 +1,51 @@
+#!/usr/bin/python3
+
+import sys, os, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+sys.path.append("/opt/bunkerweb/api")
+
+from logger import log
+from API import API
+
+status = 0
+
+try :
+    # Get env vars
+    is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
+    is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
+    token = os.getenv("CERTBOT_TOKEN")
+    validation = os.getenv("CERTBOT_VALIDATION")
+
+    # Cluster case
+    if is_kubernetes_mode or is_swarm_mode :
+        for variable, value in os.environ.items() :
+            if not variable.startswith("CLUSTER_INSTANCE_") :
+                continue
+            endpoint = value.split(" ")[0]
+            host = value.split(" ")[1]
+            api = API(endpoint, host=host)
+            sent, err, status, resp = api.request("POST", "/lets-encrypt/challenge", data={"token": token, "validation": validation})
+            if not sent :
+                status = 1
+                log("LETS-ENCRYPT", "❌", "Can't send API request to " + api.get_endpoint() + "/lets-encrypt/challenge : " + err)
+            else :
+                if status != 200 :
+                    status = 1
+                    log("LETS-ENCRYPT", "❌", "Error while sending API request to " + api.get_endpoint() + "/lets-encrypt/challenge : status = " + resp["status"] + ", msg = " + resp["msg"])
+                else :
+                    log("LETS-ENCRYPT", "ℹ️", "Successfully sent API request to " + api.get_endpoint() + "/lets-encrypt/challenge")
+
+    # Docker or Linux case
+    else :
+        root_dir = "/opt/bunkerweb/tmp/lets-encrypt/.well-known/acme-challenge/"
+        os.makedirs(root_dir, exist_ok=True)
+        with open(root_dir + token, "w") as f :
+            f.write(validation)
+except :
+    status = 1
+    log("LETS-ENCRYPT", "❌", "Exception while running certbot-auth.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)
--- a/core/letsencrypt/jobs/certbot-cleanup.py
+++ b/core/letsencrypt/jobs/certbot-cleanup.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+
+import sys, os, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+sys.path.append("/opt/bunkerweb/api")
+
+from logger import log
+from API import API
+
+status = 0
+
+try :
+    # Get env vars
+    is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
+    is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
+    token = os.getenv("CERTBOT_TOKEN")
+
+    # Cluster case
+    if is_kubernetes_mode or is_swarm_mode :
+        for variable, value in os.environ.items() :
+            if not variable.startswith("CLUSTER_INSTANCE_") :
+                continue
+            endpoint = value.split(" ")[0]
+            host = value.split(" ")[1]
+            api = API(endpoint, host=host)
+            sent, err, status, resp = api.request("DELETE", "/lets-encrypt/challenge", data={"token": token})
+            if not sent :
+                status = 1
+                log("LETS-ENCRYPT", "❌", "Can't send API request to " + api.get_endpoint() + "/lets-encrypt/challenge : " + err)
+            else :
+                if status != 200 :
+                    status = 1
+                    log("LETS-ENCRYPT", "❌", "Error while sending API request to " + api.get_endpoint() + "/lets-encrypt/challenge : status = " + resp["status"] + ", msg = " + resp["msg"])
+                else :
+                    log("LETS-ENCRYPT", "ℹ️", "Successfully sent API request to " + api.get_endpoint() + "/lets-encrypt/challenge")
+
+    # Docker or Linux case
+    else :
+        challenge_path = "/opt/bunkerweb/tmp/lets-encrypt/.well-known/acme-challenge/" + token
+        if os.path.isfile(challenge_path) :
+            os.remove(challenge_path)
+except :
+    status = 1
+    log("LETS-ENCRYPT", "❌", "Exception while running certbot-cleanup.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)
--- a/core/letsencrypt/jobs/certbot-deploy.py
+++ b/core/letsencrypt/jobs/certbot-deploy.py
@@ -0,0 +1,74 @@
+#!/usr/bin/python3
+
+import sys, os, traceback, tarfile
+from io import BytesIO
+
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+sys.path.append("/opt/bunkerweb/api")
+
+from logger import log
+from API import API
+
+status = 0
+
+try :
+    # Get env vars
+    is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
+    is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
+    token = os.getenv("CERTBOT_TOKEN")
+
+    # Cluster case
+    if is_kubernetes_mode or is_swarm_mode :
+
+        # Create tarball of /data/letsencrypt
+        tgz = BytesIO()
+        with tarfile.open(mode="w:gz", fileobj=tgz) as tf :
+            tf.add("/data/letsencrypt", arcname=".")
+        tgz.seek(0, 0)
+        files = {"archive.tar.gz": tgz}
+
+        for variable, value in os.environ.items() :
+            if not variable.startswith("CLUSTER_INSTANCE_") :
+                continue
+            endpoint = value.split(" ")[0]
+            host = value.split(" ")[1]
+            api = API(endpoint, host=host)
+            sent, err, status, resp = api.request("POST", "/lets-encrypt/certificates", files=files)
+            if not sent :
+                status = 1
+                log("LETS-ENCRYPT", "❌", "Can't send API request to " + api.get_endpoint() + "/lets-encrypt/certificates : " + err)
+            else :
+                if status != 200 :
+                    status = 1
+                    log("LETS-ENCRYPT", "❌", "Error while sending API request to " + api.get_endpoint() + "/lets-encrypt/certificates : status = " + resp["status"] + ", msg = " + resp["msg"])
+                else :
+                    log("LETS-ENCRYPT", "ℹ️", "Successfully sent API request to " + api.get_endpoint() + "/lets-encrypt/certificates")
+                    sent, err, status, resp = api.request("POST", "/reload")
+                    if not sent :
+                        status = 1
+                        log("LETS-ENCRYPT", "❌", "Can't send API request to " + api.get_endpoint() + "/reload : " + err)
+                    else :
+                        if status != 200 :
+                            status = 1
+                            log("LETS-ENCRYPT", "❌", "Error while sending API request to " + api.get_endpoint() + "/reload : status = " + resp["status"] + ", msg = " + resp["msg"])
+                        else :
+                            log("LETS-ENCRYPT", "ℹ️", "Successfully sent API request to " + api.get_endpoint() + "/reload")
+
+    # Docker or Linux case
+    else :
+        cmd = "/usr/sbin/nginx -s reload"
+        proc = subprocess.run(cmd.split(" "), stdin=subprocess.DEVNULL, stderr=subprocess.STDOUT)
+        if proc.returncode != 0 :
+            status = 1
+            log("LETS-ENCRYPT", "❌", "Error while reloading nginx")
+        else :
+            log("LETS-ENCRYPT", "ℹ️", "Successfully reloaded nginx")
+
+except :
+    status = 1
+    log("LETS-ENCRYPT", "❌", "Exception while running certbot-deploy.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)
--- a/core/letsencrypt/jobs/certbot-new.py
+++ b/core/letsencrypt/jobs/certbot-new.py
@@ -0,0 +1,66 @@
+#!/usr/bin/python3
+
+import sys, os, subprocess, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+
+import logger
+
+def certbot_new(first_domain, domains, email) :
+    cmd = "/opt/bunkerweb/deps/python/bin/certbot certonly --manual --preferred-challenges=http --manual-auth-hook /opt/bunkerweb/core/letsencrypt/jobs/certbot-auth.py --manual-cleanup-hook /opt/bunkerweb/core/letsencrypt/jobs/certbot-cleanup.py -n -d " + domains + " --email " + email + " --agree-tos"
+    if os.getenv("USE_LETS_ENCRYPT_STAGING") == "yes" :
+        cmd += " --staging"
+    os.environ["PYTHONPATH"] = "/opt/bunkerweb/deps/python"
+    proc = subprocess.run(cmd.split(" "), stdin=subprocess.DEVNULL, stderr=subprocess.STDOUT, env=os.environ)
+    return proc.returncode
+
+status = 0
+
+try :
+
+    # Multisite case
+    if os.getenv("MULTISITE") == "yes" :
+        for first_server in os.getenv("SERVER_NAME").split(" ") :
+            if os.getenv(first_server + "_AUTO_LETS_ENCRYPT", os.getenv("AUTO_LETS_ENCRYPT")) != "yes" :
+                continue
+            if first_server == "" :
+                continue
+            real_server_name = os.getenv(first_server + "_SERVER_NAME", first_server)
+            domains = real_server_name.replace(" ", ",")
+            if os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
+                logger.log("LETS-ENCRYPT", "ℹ️", "Certificates already exists for domain(s) " + domains)
+                continue
+            real_email = os.getenv(first_server + "_EMAIL_LETS_ENCRYPT", os.getenv("EMAIL_LETS_ENCRYPT", "contact@" + first_server))
+            if real_email == "" :
+                real_email = "contact@" + first_server
+            logger.log("LETS-ENCRYPT", "ℹ️", "Asking certificates for domains : " + domains + " (email = " + real_email + ") ...")
+            if certbot_new(first_server, domains, real_email) != 0 :
+                status = 1
+                logger.log("LETS-ENCRYPT", "❌", "Certificate generation failed for domain(s) " + domains + " ...")
+            else :
+                logger.log("LETS-ENCRYPT", "ℹ️", "Certificate generation succeeded for domain(s) : " + domains)
+
+    # Singlesite case
+    elif os.getenv("AUTO_LETS_ENCRYPT") == "yes" and os.getenv("SERVER_NAME") != "" :
+        first_server = os.getenv("SERVER_NAME").split(" ")[0]
+        domains = os.getenv("SERVER_NAME").replace(" ", ",")
+        if not os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
+            logger.log("LETS-ENCRYPT", "ℹ️", "Certificates already exists for domain(s) " + domains)
+        else :
+            real_email = os.getenv("EMAIL_LETS_ENCRYPT", "contact@" + first_server)
+            if real_email == "" :
+                real_email = "contact@" + first_server
+            logger.log("LETS-ENCRYPT", "ℹ️", "Asking certificates for domain(s) : " + domains + " (email = " + real_email + ") ...")
+            if certbot_new(first_server, domains, real_email) != 0 :
+                status = 2
+                logger.log("LETS-ENCRYPT", "❌", "Certificate generation failed for domain(s) : " + domains)
+            else :
+                logger.log("LETS-ENCRYPT", "ℹ️", "Certificate generation succeeded for domain(s) : " + domains)
+
+except :
+    status = 1
+    logger.log("LETS-ENCRYPT", "❌", "Exception while running certbot-new.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)
--- a/core/letsencrypt/jobs/certbot-renew.py
+++ b/core/letsencrypt/jobs/certbot-renew.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+import sys, os, subprocess, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+
+import logger
+
+def renew(domain) :
+    cmd = "/opt/bunkerweb/deps/python/bin/certbot renew --cert-name " + domain + " --deploy-hook /opt/bunkerweb/core/letsencrypt/jobs/certbot-deploy.py"
+    os.environ["PYTHONPATH"] = "/opt/bunkerweb/deps/python"
+    proc = subprocess.run(cmd.split(" "), stdin=subprocess.DEVNULL, stderr=subprocess.STDOUT, env=os.environ)
+    return proc.returncode
+
+status = 0
+
+try :
+
+    if os.getenv("MULTISITE") == "yes" :
+        for first_server in os.getenv("SERVER_NAME").split(" ") :
+            if first_server == "" :
+                continue
+            if os.getenv(first_server + "_AUTO_LETS_ENCRYPT", os.getenv("AUTO_LETS_ENCRYPT")) != "yes" :
+                continue
+            if not os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
+                continue
+            ret = renew(first_server)
+            if ret != 0 :
+                status = 2
+                logger.log("LETS-ENCRYPT", "❌", "Certificates renewal for " + first_server + " failed")
+            else :
+                logger.log("LETS-ENCRYPT", "ℹ️", "Certificates renewal for " + first_server + " successful")            
+            
+    elif os.getenv("AUTO_LETS_ENCRYPT") == "yes" and os.getenv("SERVER_NAME") != "" :
+        first_server = os.getenv("SERVER_NAME").split(" ")[0]
+        if os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
+            ret = renew(first_server)
+            if ret != 0 :
+                status = 2
+                logger.log("LETS-ENCRYPT", "❌", "Certificates renewal for " + first_server + " failed")
+            else :
+                logger.log("LETS-ENCRYPT", "ℹ️", "Certificates renewal for " + first_server + " successful")
+
+except :
+    status = 2
+    logger.log("LETS-ENCRYPT", "❌", "Exception while running certbot-renew.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)