Taskit task to deploy a TLS certificate chain and its private key during CI
# This was used to deploy certificates during CI deployments from GitLab CI.
# You need files at HTTPS_KEY and HTTPS_CERT (easily done with GitLab CI/CD variables of type "file").
# HTTPS_CERT is expected to contain the chain: host certificate first, then the intermediates, root omitted.
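#######################################
# Deploy the TLS certificate chain and private key handed to the job as
# GitLab "file" CI/CD variables into a fresh, timestamped directory below
# target_dir, then point the "certs-latest" and "./https-cert" symlinks at it.
#
# Environment:
#   HTTPS_CERT          path to a PEM file: host certificate first, then the
#                       intermediates (root omitted). Unset -> task is skipped.
#   HTTPS_KEY           path to the PEM private key (RSA, EC or EdDSA). It must
#                       not be passphrase-protected: openssl would try to prompt
#                       and a CI job has no terminal.
#   NGINX_SERVER_NAME   host name the certificate must be valid for.
#   HTTPS_ALLOW_INVALID if set, the host-name check and the 1h expiry check are
#                       skipped. The key/certificate match is never skipped.
# Taskit params (available as _target_dir / _cert_dir_name):
#   target_dir, cert_dir_name
# Side effects:
#   creates "$_target_dir/$_cert_dir_name", deletes the source files at
#   HTTPS_CERT / HTTPS_KEY, replaces two symlinks.
# Exit status:
#   return 0 when a variable is absent and the deployment is skipped;
#   exit 1 on any failed check (Taskit task: a failed check aborts the CI step).
#######################################
Task::deploy_cert () {
  : @desc "Deploy certificate from GitLab runner to its designated position"
  : @param target_dir="$HOME/ilias"
  : @param cert_dir_name="certs-$(date +'%Y-%m-%d_%H-%M-%S%z')"
  echo "[HTTPS CERT] Deploying certificate and private key."

  # Absent variables are not an error: nothing is deployed and the proxy keeps
  # whatever certificate it already has.
  if [ -z "${HTTPS_CERT+x}" ]; then
    echo "HTTPS/TLS Certificate not specified for this run."
    echo " Set a CI/CD Variable of type 'file' and named HTTPS_CERT"
    echo " containing the certificate and the chain without the root"
    echo " certificate and redeploy if this is unexpected."
    echo " Note that only the SSL-termination proxy (nginx) speaks HTTPS."
    return 0
  fi
  if [ -z "${HTTPS_KEY+x}" ]; then
    echo "HTTPS/TLS private key not specified for this run."
    echo " Set a CI/CD Variable of type 'file' and named HTTPS_KEY"
    echo " containing the private key and redeploy if this is unexpected."
    echo " Note that only the SSL-termination proxy (nginx) speaks HTTPS."
    return 0
  fi

  if [ ! -d "$_target_dir" ]; then
    echo "[ERROR]"
    echo "target directory ($_target_dir) does not exist."
    exit 1
  fi
  if [ -z "$_cert_dir_name" ]; then
    echo "[ERROR]"
    echo "Cert dir name must not be empty."
    exit 1
  fi
  if [ ! -f "$HTTPS_CERT" ]; then
    echo "[ERROR]"
    echo "certificate ($HTTPS_CERT) does not exist."
    exit 1
  fi
  if [ ! -f "$HTTPS_KEY" ]; then
    echo "[ERROR]"
    echo "private key ($HTTPS_KEY) does not exist."
    exit 1
  fi

  # openssl x509 reads only the first PEM block, i.e. the host certificate.
  # Its text dump is public data; print it so a failed check can be diagnosed
  # from the job log alone.
  local cert_text
  if ! cert_text="$(openssl x509 -in "$HTTPS_CERT" -text -noout)"; then
    echo "[ERROR]"
    echo "certificate ($HTTPS_CERT) could not be parsed as a PEM X.509 certificate."
    exit 1
  fi
  echo "$cert_text"

  # Host name covered by the certificate?
  # Use openssl's own name matching (SAN list, wildcards) rather than a
  # substring search over the text dump: the latter accepts "notexample.org"
  # for "example.org", rejects wildcard certificates, and matches anything when
  # NGINX_SERVER_NAME is empty. -checkhost reports the verdict in its output,
  # not in its exit status, hence the grep.
  if [ -z "${HTTPS_ALLOW_INVALID+x}" ]; then
    if [ -z "${NGINX_SERVER_NAME:-}" ]; then
      echo "[ERROR]"
      echo "NGINX_SERVER_NAME is empty; cannot check which host the certificate is valid for."
      echo " Set NGINX_SERVER_NAME, or set HTTPS_ALLOW_INVALID to skip this check."
      exit 1
    fi
    if ! openssl x509 -in "$HTTPS_CERT" -noout -checkhost "$NGINX_SERVER_NAME" 2>&1 \
        | grep -qF "does match certificate"; then
      echo "[ERROR]"
      echo "Certificate is not valid for $NGINX_SERVER_NAME."
      echo " Either supply a valid certificate through HTTPS_CERT, correct"
      echo " NGINX_SERVER_NAME, or set HTTPS_ALLOW_INVALID in"
      echo " https://git.itz.uni-halle.de/elearning/ilias/ilias-docker/-/settings/ci_cd"
      echo " section 'Variables'"
      echo " (this check needs openssl >= 1.0.2 for 'x509 -checkhost')"
      exit 1
    fi
  fi

  # Chain included? Count PEM blocks; one block means the intermediates are
  # missing and clients would fail to build a trust path.
  local cert_count
  cert_count="$(grep -c "END CERTIFICATE" "$HTTPS_CERT")"
  if [ "$cert_count" -lt 2 ]; then
    echo "[ERROR]"
    echo "The certificate HTTPS_CERT at $HTTPS_CERT must contain the certificate"
    echo "chain, the host-specific cert on top, the root certificate can and should"
    echo "be omitted."
    echo "Expected multiple 'END CERTIFICATE' but got only $cert_count"
    exit 1
  fi

  # Private key must belong to the host certificate. `openssl pkey` handles
  # RSA, EC and EdDSA keys (`openssl rsa` only RSA). A mismatched pair cannot
  # serve TLS, so this is fatal and is deliberately not covered by
  # HTTPS_ALLOW_INVALID.
  local pub_from_cert pub_from_key
  if ! pub_from_cert="$(openssl x509 -in "$HTTPS_CERT" -pubkey -noout)"; then
    echo "[ERROR]"
    echo "could not extract the public key from certificate ($HTTPS_CERT)."
    exit 1
  fi
  if ! pub_from_key="$(openssl pkey -in "$HTTPS_KEY" -pubout)"; then
    echo "[ERROR]"
    echo "could not read private key ($HTTPS_KEY); it must be an unencrypted PEM key."
    exit 1
  fi
  if [ "$pub_from_cert" != "$pub_from_key" ]; then
    echo "[ERROR]"
    echo "private key ($HTTPS_KEY) and certificate ($HTTPS_CERT) do not match."
    exit 1
  fi

  # Still valid for 1h? (skippable via HTTPS_ALLOW_INVALID)
  if [ -z "${HTTPS_ALLOW_INVALID+x}" ] \
      && ! openssl x509 -checkend 3600 -noout -in "$HTTPS_CERT"; then
    echo "[ERROR]"
    echo "Certificate $HTTPS_CERT (HTTPS_CERT) has expired or will do so within 1 hour!"
    echo "(or is invalid/not found)"
    exit 1
  fi
  # Still valid for 30 days? Warning only.
  if ! openssl x509 -checkend 2592000 -noout -in "$HTTPS_CERT"; then
    echo "[WARN]"
    echo "Certificate $HTTPS_CERT (HTTPS_CERT) will expire within 1 month!"
  fi
  echo "[HTTPS CERT] Checks passed."

  local cert_dir="$_target_dir/$_cert_dir_name"
  # -m only applies to the last path component; parent dirs get the umask default.
  # shellcheck disable=SC2174
  mkdir -pm 750 "$cert_dir"
  # Copy under a restrictive umask so the key file is never group/world
  # readable, not even between cp and chmod (cp -a would carry over whatever
  # mode the runner gave the source file).
  if ! (umask 077 \
        && cp -- "$HTTPS_CERT" "$cert_dir/ilias.chain.pem" \
        && cp -- "$HTTPS_KEY" "$cert_dir/ilias.key"); then
    echo "[ERROR]"
    echo "could not copy certificate/key into $cert_dir."
    exit 1
  fi
  chmod 640 "$cert_dir/ilias.chain.pem"
  # NOTE(review): mode 000 leaves the key readable by root only (or after a
  # later chown/chmod) — kept from the original; presumably the nginx
  # container reads it as root. Confirm before tightening further.
  chmod 000 "$cert_dir/ilias.key"
  # Drop the runner-side copies so the secrets do not linger in the job dir.
  rm -f -- "$HTTPS_CERT" "$HTTPS_KEY"
  ln -sfn "$cert_dir" "$_target_dir/certs-latest"
  ln -sfn "$cert_dir" "./https-cert"
  echo "Done updating $cert_dir."
}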