wildduck/setup/13_install_ssl_certs.sh

#! /bin/bash

OURNAME=13_install_ssl_certs.sh

echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"

#### SSL CERTS ####

curl https://get.acme.sh | sh

echo 'cert="/etc/wildduck/certs/fullchain.pem"
key="/etc/wildduck/certs/privkey.pem"' > /etc/wildduck/tls.toml

sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" /etc/zone-mta/interfaces/feeder.toml
echo '# @include "../../wildduck/tls.toml"' >> /etc/zone-mta/interfaces/feeder.toml

# vanity script as first run should not restart anything
echo '#!/bin/bash
echo "OK"' > /usr/local/bin/reload-services.sh
chmod +x /usr/local/bin/reload-services.sh

/root/.acme.sh/acme.sh --issue --nginx \
    -d "$HOSTNAME" \
    --key-file       /etc/wildduck/certs/privkey.pem  \
    --fullchain-file /etc/wildduck/certs/fullchain.pem \
    --reloadcmd     "/usr/local/bin/reload-services.sh" \
    --force || echo "Warning: Failed to generate certificates, using self-signed certs"

# Update site config, make sure ssl is enabled
echo "server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name $HOSTNAME;

    ssl_certificate /etc/wildduck/certs/fullchain.pem;
    ssl_certificate_key /etc/wildduck/certs/privkey.pem;

    # special config for EventSource to disable gzip
    location /api/events {
        proxy_http_version 1.1;
        gzip off;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    # special config for uploads
    location /webmail/send {
        client_max_body_size 15M;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
}" > "/etc/nginx/sites-available/$HOSTNAME"

#See issue https://github.com/nodemailer/wildduck/issues/83
$SYSTEMCTL_PATH start nginx
$SYSTEMCTL_PATH reload nginx
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`#! /bin/bash`

			`OURNAME=13_install_ssl_certs.sh`

			`echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"`

			`#### SSL CERTS ####`

			`curl https://get.acme.sh \| sh`

			`echo 'cert="/etc/wildduck/certs/fullchain.pem"`
			`key="/etc/wildduck/certs/privkey.pem"' > /etc/wildduck/tls.toml`

			`sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" /etc/zone-mta/interfaces/feeder.toml`
			`echo '# @include "../../wildduck/tls.toml"' >> /etc/zone-mta/interfaces/feeder.toml`

			`# vanity script as first run should not restart anything`
			`echo '#!/bin/bash`
			`echo "OK"' > /usr/local/bin/reload-services.sh`
			`chmod +x /usr/local/bin/reload-services.sh`

			`/root/.acme.sh/acme.sh --issue --nginx \`
			`-d "$HOSTNAME" \`
			`--key-file /etc/wildduck/certs/privkey.pem \`
			`--fullchain-file /etc/wildduck/certs/fullchain.pem \`
			`--reloadcmd "/usr/local/bin/reload-services.sh" \`
			`--force \|\| echo "Warning: Failed to generate certificates, using self-signed certs"`

			`# Update site config, make sure ssl is enabled`
			`echo "server {`
			`listen 80;`
			`listen [::]:80;`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name $HOSTNAME;`

			`ssl_certificate /etc/wildduck/certs/fullchain.pem;`
			`ssl_certificate_key /etc/wildduck/certs/privkey.pem;`

updated nginx setup 2019-02-23 08:01:00 +08:00			`# special config for EventSource to disable gzip`
			`location /api/events {`
			`proxy_http_version 1.1;`
			`gzip off;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`

			`# special config for uploads`
			`location /webmail/send {`
			`client_max_body_size 15M;`
			`proxy_http_version 1.1;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`

Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`location / {`
updated nginx setup 2019-02-23 08:01:00 +08:00			`proxy_http_version 1.1;`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`
			`}" > "/etc/nginx/sites-available/$HOSTNAME"`

			`#See issue https://github.com/nodemailer/wildduck/issues/83`
			`$SYSTEMCTL_PATH start nginx`
			`$SYSTEMCTL_PATH reload nginx`