From f7c8eed701531a269ef55fa9212ec650d72e9da2 Mon Sep 17 00:00:00 2001
From: mdivecky
Date: Thu, 26 Oct 2023 12:36:19 +0200
Subject: [PATCH] First ssl attempt, unfinished
---
 .gitignore | 4 +-
 README.md | 2 +
 n-ssl.py | 92 +++++++++++++++++++++++++++++++++++++++
 templates/nginx-site.conf | 21 +++++++--
 templates/ssl.conf | 4 ++
 5 files changed, 119 insertions(+), 4 deletions(-)
 create mode 100644 n-ssl.py
 create mode 100644 templates/ssl.conf
diff --git a/.gitignore b/.gitignore
index 74622dd..f77e93e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,6 @@
 *.pyc
 __pycache__
 .vscode
-clusters.json
\ No newline at end of file
+clusters.json
+/nginx
+/autossl
\ No newline at end of file
diff --git a/README.md b/README.md
index ef21e53..66b91ff 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 # TODO
 * Add a way to generate autoincrementing config ID
+* document dhparam.pem generation
+
 # Contributions
 Please use `black` formatter.
diff --git a/n-ssl.py b/n-ssl.py
new file mode 100644
index 0000000..ba94e04
--- /dev/null
+++ b/n-ssl.py
@@ -0,0 +1,92 @@
+import os
+import subprocess
+import re
+
+# NGINX_DIR="/etc/nginx"
+# DOMAINS_TXT = "/etc/autossl/domains.txt"
+# DEHYDRATED_LOC = "/etc/autossl/dehydrated.sh"
+
+NGINX_DIR = "./nginx"
+DOMAINS_TXT = "./autossl/domains.txt"
+DEHYDRATED_LOC = "./autossl/dehydrated.sh"
+
+REMOTE = "10.55.55.55"  # make a .env variable or something like that. It will be different on each server
+
+
+def create_domfile():
+    # Get nginx config files with "# AUTOSSL" tag, parse IDs and domains and create domains.txt file for Dehydrated
+    sites_path = NGINX_DIR + "/sites"
+    # It's probably not the best to use grep here, but it's really fast unlike reading files in Python directly. But what can go wrong? (lol)
+    grep_out = subprocess.run(
+        ["grep", "-Rh", "AUTOSSL", sites_path], capture_output=True, text=True
+    )
+    if grep_out.returncode == 0:
+        DOMAIN_LINES = []
+        for line in grep_out.stdout.splitlines():
+            id = re.findall(r"\d+", line)[-1]
+            domains = re.findall(r"(?<=server_name )(.*)(?=;)", line)[0]
+            DOMAIN_LINES.append(domains + " > " + str(id))
+
+        if len(DOMAIN_LINES) > 0:
+            with open(DOMAINS_TXT, "w") as fp:
+                for line in DOMAIN_LINES:
+                    # write each item on a new line
+                    fp.write("%s\n" % line)
+        else:
+            print("No data to write to domains.txt. \n Aborting")
+            exit()
+    else:
+        print("Finding #AUTOSSL comments in nginx configs failed.")
+        exit()
+
+
+def request_cert():
+    print("Requesting certificate")
+    dehydrated_run = subprocess.run(
+        [DEHYDRATED_LOC, "-c"], capture_output=True, text=True
+    )
+    if dehydrated_run.returncode != 0:
+        print("Something went wrong with dehydrated.sh")
+        print(dehydrated_run.stdout)
+    else:
+        print(
+            "Certificates are successfully dehydrated. (It went OK and cert is now generated)"
+        )
+
+
+def reload_local_nginx():
+    nginx_check = subprocess.run(["nginx", "-t"], capture_output=True, text=True)
+    if nginx_check.returncode != 0:
+        print("nginx config is not valid! 
Aborting")
+        print(nginx_check.stdout)
+        exit()
+
+    nginx_reload = subprocess.run(
+        ["systemctl", "reload", "nginx.service"], capture_output=True, text=True
+    )
+    if nginx_reload.returncode != 0:
+        print("Nginx reload returned non-zero status code")
+        print(nginx_reload.stdout)
+        exit()
+
+
+def remote_replication(remote):
+    # Do RSYNC to second server
+    return True
+
+
+def remote_reload(remote):
+    # Check and reload nginx on second server
+    return True
+
+
+def main():
+    # create_domfile()
+    request_cert()
+    reload_local_nginx()
+    remote_replication(REMOTE)
+    remote_reload(REMOTE)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/templates/nginx-site.conf b/templates/nginx-site.conf
index 2451854..c933e85 100644
--- a/templates/nginx-site.conf
+++ b/templates/nginx-site.conf
@@ -10,11 +10,11 @@ upstream up_{{ id }} {
 server {
     server_name{% for domain in domains %} {{ domain }}{% endfor %};
     # AUTOSSL > {{ id }}
-    listen 80;
-    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     # ssl
-    include /etc/autossl/gen/{{ id }}.conf;
+    include /etc/nginx/ssl/{{ id }}.conf;
     # logging
     include include/logging-nolog.conf; # Change to "logging-debug" if needed
@@ -31,4 +31,19 @@ server {
         include include/proxy-headers.conf;
     }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name{% for domain in domains %} {{ domain }}{% endfor %};
+
+    location ^~ /.well-known/acme-challenge {
+        alias /var/www/dehydrated;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
\ No newline at end of file
diff --git a/templates/ssl.conf b/templates/ssl.conf
new file mode 100644
index 0000000..8a680ce
--- /dev/null
+++ b/templates/ssl.conf
@@ -0,0 +1,4 @@
+ssl_certificate /etc/autossl/certs/{{ id }}/fullchain.pem;
+ssl_certificate_key /etc/autossl/certs/{{ id }}/privkey.pem;
+include include/ssl_defaults.conf;
+ssl_dhparam /etc/autossl/ssl-dhparams.pem;
\ No newline at end of file
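Review bot: A non-zero return from `dehydrated.sh -c` in `request_cert` is only printed and the script then carries on into `reload_local_nginx`, whereas `create_domfile` and `reload_local_nginx` stop with `exit()` on their own failures; add `exit()` after `print(dehydrated_run.stdout)` so a reload never follows a failed issuance. The three failure branches also print only `.stdout`, but `nginx -t` and `systemctl` report problems on stderr (and dehydrated most likely does too), so the diagnostic a user needs is discarded — print `dehydrated_run.stderr`, `nginx_check.stderr` and `nginx_reload.stderr` alongside. In `create_domfile`, `grep -Rh AUTOSSL` yields only the `# AUTOSSL > id` lines, while the template in this same patch keeps `server_name ...;` on the preceding line, so `re.findall(r"(?<=server_name )(.*)(?=;)", line)[0]` would raise IndexError on a config rendered with that layout; if the generator does not merge those two lines, the parser has to read each file rather than a single grep hit. `exit()` here is the site-module helper rather than `sys.exit()`, which is absent when Python runs with `-S`.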
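Review bot: The 443 block's `include /etc/nginx/ssl/{{ id }}.conf` pulls in certificate paths under `/etc/autossl/certs/{{ id }}/` (per templates/ssl.conf in this patch), yet the ACME challenge that first produces those files is served by the port-80 block of this same template, so unless `{{ id }}.conf` and a placeholder certificate exist before the first load, `nginx -t` fails on the missing include or key and the challenge can never be answered. That bootstrap order deserves a comment on the include line, e.g. `# must exist (placeholder cert is fine) before nginx loads; first issuance is served by the port-80 block below`. Separately, the `http2` parameter of `listen` is deprecated since nginx 1.25.1 in favour of a standalone `http2 on;` directive, so on a current nginx `listen 443 ssl;` with `http2 on;` avoids the deprecation warning; the `[::]:443` line follows the same rule.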
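Review bot: `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the redirect target; that is safe while this block is reached only through its `server_name` match, but if it becomes the port-80 default server (first block loaded, or `default_server`) any Host value is echoed and the redirect becomes attacker-steerable. Keep a dedicated port-80 default server that returns 444 (or redirects to a fixed name), and record the assumption here with `# $host is trusted only because server_name restricts which Hosts reach this block`. The `^~ /.well-known/acme-challenge` prefix location correctly takes precedence over the `/` redirect, which is what lets the HTTP-01 challenge be answered before the site has a certificate.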
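Review bot: `ssl_dhparam` loads `/etc/autossl/ssl-dhparams.pem`, but the README TODO added in this patch calls the file `dhparam.pem`; settle on one name so the documented generation step produces the file nginx actually opens, otherwise `nginx -t` fails with a missing-file error on every site. A header comment tying the two templates together would help: `# {{ id }} must equal the alias written after '>' in domains.txt (the '# AUTOSSL > id' tag in nginx-site.conf), since dehydrated stores each certificate under certs/<alias>/`. The `privkey.pem` line is the only one that names a secret, so the rendered `{{ id }}.conf` and the certs directory should stay readable by root only — presumably dehydrated already sets that, worth confirming.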