Merge branch 'master' of github.com:kirsle/.dotfiles

2016-01-07 13:06:45 -08:00 · 2016-01-07 13:06:45 -08:00 · 9a02de694e
commit 9a02de694e
parent 546b4cfacb 7dd943edbe
2 changed files with 121 additions and 2 deletions
--- a/home/bin/fedora-setup
+++ b/home/bin/fedora-setup
@ -35,6 +35,8 @@ Themes:
 http://sh.kirsle.net/
 """

+import hashlib
+import os
 import subprocess

 class Application(object):
@ -52,8 +54,19 @@ class Application(object):
            self.shell("sudo dnf install --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm")

        # Microsoft core fonts and Emoji support.
-        if not self.test("rpm -q msttcore-fonts"):
-            self.shell("sudo dnf install http://rpm.kirsle.net/any/rpm/msttcore-fonts-2.0-3.noarch.rpm")
+        if not self.test("rpm -q msttcore-fonts") or True:
+            # The fonts aren't signed, so verify their checksum.
+            self.shell("wget -O /tmp/msttcore-fonts.rpm https://rpm.kirsle.net/any/rpm/msttcore-fonts-2.0-3.noarch.rpm")
+            expect_sum = "a20ecca993827d10bb51118a0cfdf8a1e65f161a78361bee865a138ca5a4f43f"
+            if self.sha256sum("/tmp/msttcore-fonts.rpm") != expect_sum:
+                print("!!! WARNING !!!")
+                print("The SHA256 hash of msttcore-fonts doesn't match what I expected!")
+                print("Expected: {}".format(expect_sum))
+                print("     Got: {}".format(self.sha256sum("/tmp/msttcore-fonts.rpm")))
+                input("Press any key to continue. . .")
+            else:
+                self.shell("sudo dnf install /tmp/msttcore-fonts.rpm")
+            os.unlink("/tmp/msttcore-fonts.rpm")
        self.install("gdouros-symbola-fonts")

        # Themes
@ -108,6 +121,13 @@ class Application(object):
        except subprocess.CalledProcessError:
            return False

+    def sha256sum(self, file):
+        """Get the SHA256 checksum of a file."""
+        m = hashlib.sha256()
+        with open(file, 'rb') as fh:
+            m.update(fh.read())
+        return m.hexdigest()
+
 if __name__ == "__main__":
    app = Application()
    app.main()
--- a/home/bin/renew-certs.py
+++ b/home/bin/renew-certs.py
@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+
+# Cron script to renew LetsEncrypt certificates.
+#
+# --Kirsle
+# https://sh.kirsle.net/
+
+import os
+import subprocess
+import time
+
+################################################################################
+# Configuration Section Begins                                                 #
+################################################################################
+
+# Let's Encrypt directories
+LE_APPDIR = "/opt/letsencrypt"       # Where `letsencrypt-auto` lives
+LE_CERTS  = "/etc/letsencrypt/live"  # Where live certificates go
+
+# Common arguments to letsencrypt-auto
+COMMON = ["./letsencrypt-auto", "certonly", "--renew",
+          "--webroot", "-w", "/var/www/html"]
+
+# Domains and their subdomains; one array element per certificate, with each
+# array element being a list of domains to include in the same cert.
+CERTS = [
+    [ "www.kirsle.net", "kirsle.net", "www.kirsle.com", "kirsle.com",
+      "www.kirsle.org", "kirsle.org", "sh.kirsle.net", "rpm.kirsle.net",
+      "minecraft.kirsle.net", "mc.kirsle.net", "rophako.kirsle.net" ],
+    [ "noah.is", "www.noah.is", "petherbridge.org", "www.petherbridge.org",
+      "noah.petherbridge.org", "noahpetherbridge.com",
+      "www.noahpetherbridge.com" ],
+    [ "rivescript.com", "www.rivescript.com", "static.rivescript.com" ],
+    [ "siikir.com", "www.siikir.com" ],
+    [ "collegegent.com", "www.collegegent.com" ],
+]
+
+# Minimum lifetime for certificate before renewing it?
+LIFETIME = 60*60*24*30  # Once a month.
+
+# Command to run after finishing if certs were renewed.
+RESTART_COMMAND = ["service", "nginx", "reload"]
+
+################################################################################
+# End Configuration Section                                                    #
+################################################################################
+
+def main():
+    os.chdir(LE_APPDIR)
+
+    # If any certs were renewed, we'll schedule the restart command at the end.
+    any_renewed = False
+
+    # See which certificates are ready to be renewed.
+    print("Checking SSL certificates for renewal")
+    for cert in CERTS:
+        ready = False  # Ready to renew this one
+        primary = cert[0]
+
+        # Find its existing live certificate file.
+        home = os.path.join(LE_CERTS, primary)
+        chain = os.path.join(home, "cert.pem")
+
+        # When was it last modified?
+        if not os.path.isfile(chain):
+            print("NOTE: No existing cert file found for {} ({})".format(
+                primary,
+                chain,
+            ))
+            ready = True
+        else:
+            mtime = os.stat(chain).st_mtime
+            if time.time() - mtime > LIFETIME:
+                print("Cert for {} is old; scheduling it for renewal!"\
+                    .format(primary))
+                ready = True
+
+        # Proceed?
+        if ready:
+            print("Renewing certificate for {}...".format(primary))
+            command = []
+            command.extend(COMMON)
+
+            # Add all the domains.
+            for domain in cert:
+                command.extend(["-d", domain])
+
+            print("Exec: {}".format(" ".join(command)))
+            subprocess.call(command)
+            any_renewed = True
+
+    # If any certs were changed, restart the web server.
+    if any_renewed:
+        print("Restarting the web server: {}".format(" ".join(RESTART_COMMAND)))
+        subprocess.call(RESTART_COMMAND)
+
+if __name__ == "__main__":
+    main()
+