From ce071bcc7b32b2a12c45166e8a55084e6ab1645d Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 7 May 2017 12:55:02 +0100
Subject: [PATCH] Use letsencrypt cert for mumble

---
 src/freedombone-app-matrix | 7 ++---
 src/freedombone-app-mumble | 53 +++++++++++++++++++++++++++++++++-----
 src/freedombone-utils-web | 32 +++++++++++++----------
 3 files changed, 66 insertions(+), 26 deletions(-)

diff --git a/src/freedombone-app-matrix b/src/freedombone-app-matrix
index 21577207..6a226d44 100755
--- a/src/freedombone-app-matrix
+++ b/src/freedombone-app-matrix
@@ -613,13 +613,10 @@ function install_matrix {
     if [ -f /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam ]; then
         rm /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam
     fi
-    echo $'Obtaining certificate for the main domain'
+    echo $'Obtaining certificate for the matrix domain'
     function_check create_site_certificate
     create_site_certificate ${MATRIX_DOMAIN_NAME} 'yes'
-
-    if [[ $ONION_ONLY == "no" ]]; then
-        chmod 755 /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam
-    fi
+    chmod 755 /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam
 
     if [ -f /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.crt ]; then
         echo $'Incorrect certificate generated'
diff --git a/src/freedombone-app-mumble b/src/freedombone-app-mumble
index e71b1e8e..446dff97 100755
--- a/src/freedombone-app-mumble
+++ b/src/freedombone-app-mumble
@@ -65,7 +65,9 @@ function reconfigure_mumble {
 }
 
 function upgrade_mumble {
-    echo -n ''
+    if [ -d /etc/letsencrypt ]; then
+        usermod -a -G ssl-cert mumble-server
+    fi
 }
 
 function backup_local_mumble {
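Review bot: The `chmod 755` on the matrix dhparam now runs unconditionally, whereas before it was skipped when ONION_ONLY was not "no"; if create_site_certificate does not write a dhparam for onion-only installs (not visible here), the chmod will fail on a missing file and print an error during install. Guarding on the file rather than on the mode keeps both cases quiet: `[ -f /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam ] && chmod 755 /etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam`. install_matrix continues outside the hunk.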
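Review bot: upgrade_mumble adds mumble-server to ssl-cert whenever /etc/letsencrypt exists, but the rest of this commit decides which certificate mumble uses by testing `-f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem`, so a host with the directory present but mumble still on its self-signed cert gains group read access to the system private-key directory for no benefit; the same mismatch is repeated in install_mumble at `@@ -258`. Aligning the test with the cert actually configured, `if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then`, keeps the grant tied to its use. Note also that supplementary group membership only applies to processes started afterwards, and upgrade_mumble does not restart the daemon, so the change is inert until the next restart; a one-line comment saying so would save the next reader a puzzle.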
@@ -200,11 +202,39 @@ function install_mumble {
         fi
     fi
 
+    if [[ ${ONION_ONLY} == 'no' ]]; then
+        if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then
+            mkdir /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
+        fi
+        if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+            if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then
+                rm /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt
+            fi
+            if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam ]; then
+                rm /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam
+            fi
+            echo $'Obtaining certificate for the main domain'
+            function_check create_site_certificate
+            create_site_certificate ${DEFAULT_DOMAIN_NAME} 'yes'
+            chmod 755 /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam
+
+            if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then
+                echo $'Incorrect certificate generated'
+                exit 78352
+            fi
+        fi
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
+    fi
+
+
     # Make an ssl cert for the server
-    if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
-        ${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH
-        function_check check_certificates
-        check_certificates mumble
+    if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+        if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
+            ${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH
+            function_check check_certificates
+            check_certificates mumble
+        fi
     fi
 
     # Check that the cert was created
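Review bot: `chgrp -R ssl-cert /etc/letsencrypt` followed by `chmod -R g=rX /etc/letsencrypt` makes everything under that tree group-readable — presumably including the ACME account key and the archived private keys of every domain, not just the one mumble serves — for every member of ssl-cert, which after this commit includes both mumble-server and prosody. The mumble config written later in this file points at `/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key`, so it is not clear from the diff why /etc/letsencrypt itself needs to be readable; granting read on the one file the daemon opens is the least-privilege form, e.g. `chgrp ssl-cert /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key` and `chmod 640 /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key`, and if that path is a symlink into the letsencrypt live directory the grant should cover only that domain's entries. A comment stating which file mumble actually reads and why the grant is scoped the way it is would make the permission change reviewable later. Separately, `mkdir /var/www/${DEFAULT_DOMAIN_NAME}/htdocs` has no `-p`, so it fails if the domain directory does not yet exist. install_mumble continues on both sides of the hunk.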
@@ -241,8 +271,13 @@ function install_mumble {
         echo 'allowping=False' >> /etc/mumble-server.ini
     fi
     sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini
-    sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini
-    sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
+    if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+        sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini
+        sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
+    else
+        sed -i "s|#sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini
+        sed -i "s|#sslKey=.*|sslKey=/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/mumble-server.ini
+    fi
     sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini
     sed -i 's|users=100|users=10|g' /etc/mumble-server.ini
     sed -i 's|#channelnestinglimit=10|channelnestinglimit=10|g' /etc/mumble-server.ini
@@ -258,6 +293,10 @@ function install_mumble {
     # turn off logs by default
     sed -i 's|logfile=.*|logfile=/dev/null|g' /etc/mumble-server.ini
 
+    if [ -d /etc/letsencrypt ]; then
+        usermod -a -G ssl-cert mumble-server
+    fi
+
     update_default_domain
 
     systemctl restart mumble-server
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 297cb2c0..fb7e1f75 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
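Review bot: Both branches of the new if/else only rewrite the commented-out stock entries (`#sslCert=`, `#sslKey=`), so on an ini that an earlier install already uncommented the sed lines match nothing and the previous path is silently kept; the companion code in update_default_domain matches the bare `sslCert=` form, and these two should agree. Matching either form, `sed -i "s|^#\?sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini` (and the same for sslKey), makes the install idempotent. The else branch also assumes the daemon can read `/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key`, which in this commit depends on the ssl-cert membership granted at `@@ -258` only when /etc/letsencrypt exists; a short comment tying the key path to that grant would make the dependency explicit.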
@@ -706,13 +706,30 @@ function update_default_domain {
         fi
     fi
 
+    if [ -f /etc/mumble-server.ini ]; then
+        if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+            if ! grep -q "mumble.pem" /etc/mumble-server.ini; then
+                sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini
+                sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
+                systemctl restart mumble
+            fi
+        else
+            if ! grep -q "${DEFAULT_DOMAIN_NAME}.pem" /etc/mumble-server.ini; then
+                usermod -a -G ssl-cert mumble-server
+                sed -i "s|sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini
+                sed -i "s|sslKey=.*|sslKey=/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/mumble-server.ini
+                systemctl restart mumble
+            fi
+        fi
+    fi
+
     if [ ! -d /etc/prosody/certs ]; then
         mkdir /etc/prosody/certs
     fi
 
-    cp /etc/ssl/private/xmpp* /etc/prosody/certs
     cp /etc/ssl/certs/xmpp* /etc/prosody/certs
 
     if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+        usermod -a -G ssl-cert prosody
         sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
         sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
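Review bot: Both new restarts call `systemctl restart mumble`, while every other reference in this commit (install_mumble, and the block removed further down in this function) uses the unit name `mumble-server`; if that is the real unit, both restarts fail and the rewritten sslCert/sslKey lines are not picked up until something else restarts the daemon. Use `systemctl restart mumble-server` in both places. Also, the new `usermod -a -G ssl-cert prosody` sits under the existing `if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]` test, which is a non-empty-string test and therefore always true, so prosody is added to ssl-cert whether or not the certificate exists; the guard wants `-f`. update_default_domain continues on both sides of the hunk.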
@@ -742,19 +759,6 @@ function update_default_domain {
         systemctl reload prosody
     fi
 
-    if [ -d /var/lib/mumble-server ]; then
-        if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then
-            cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /var/lib/mumble-server/mumble.pem
-            cp /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam /var/lib/mumble-server/mumble.dhparam
-            cp /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key /var/lib/mumble-server/mumble.key
-            chown -R mumble-server:mumble-server /var/lib/mumble-server
-            chmod -R 700 /var/lib/mumble-server/*.pem
-            chmod -R 700 /var/lib/mumble-server/*.key
-            chmod -R 700 /var/lib/mumble-server/*.dhparam
-            systemctl restart mumble-server
-        fi
-    fi
-
     if [ -d /home/znc/.znc ]; then
         echo $'znc found'
         if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then