now with dnsec

2026-01-19 13:10:13 +01:00 · 2026-01-19 13:10:13 +01:00 · fb22e9cab4
commit fb22e9cab4
parent b006c8f809
118 changed files with 8306 additions and 2337 deletions
--- a/scripts/tlsa-monitor.sh
+++ b/scripts/tlsa-monitor.sh
@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Monitor certificate file and update TLSA records when it changes.
+# This script checks the certificate modification time and updates TLSA if changed.
+
+set -e
+
+# Configuration.
+certFile="/var/deploy/mailcow/data/assets/ssl/cert.pem"
+stateFile="/var/deploy/scripts/.tlsa-state"
+updateScript="/var/deploy/scripts/update-tlsa.sh"
+
+# Check if certificate file exists.
+if [ ! -f "$certFile" ]; then
+  echo "Certificate file not found: $certFile"
+  exit 1
+fi
+
+# Get certificate modification time and hash.
+currentMtime=$(stat -c %Y "$certFile" 2>/dev/null || stat -f %m "$certFile" 2>/dev/null)
+currentHash=$(openssl x509 -in "$certFile" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':')
+
+# Read previous state.
+if [ -f "$stateFile" ]; then
+  # shellcheck source=/dev/null
+  source "$stateFile"
+else
+  previousMtime=0
+  previousHash=""
+fi
+
+# Check if certificate has changed.
+if [ "$currentMtime" != "$previousMtime" ] || [ "$currentHash" != "$previousHash" ]; then
+  echo "Certificate changed detected. Updating TLSA records..."
+
+  # Run update script.
+  if [ -x "$updateScript" ]; then
+    "$updateScript"
+  else
+    echo "ERROR: Update script not found or not executable: $updateScript"
+    exit 1
+  fi
+
+  # Save new state.
+  cat > "$stateFile" <<EOF
+previousMtime=$currentMtime
+previousHash=$currentHash
+EOF
+
+  echo "TLSA records updated successfully"
+else
+  echo "No certificate changes detected"
+fi