Kezdőlap Felfedezés Súgó
Bejelentkezés
irwanmohi
/
mailcow-dockerized
tükrözi: https://github.com/mailcow/mailcow-dockerized.git
Figyelés 1
Kedvenc 0
Másolás 0
Fájlok Problémák 0 Wiki
Branch: feat/mTLS-auth
Branch-ok Tag-ek
mailcow-dock...
/
data
/
Dockerfiles
/
phpfpm
/
docker-entrypoint.sh

docker-entrypoint.sh 8.7 KB
Állandó hivatkozás Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227 
  1. #!/bin/bash
    2. 

  2. 

  3. function array_by_comma { local IFS=","; echo "$*"; }
    4. 

  4. 

  5. # Wait for containers
    6. 

  6. while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
    7. 

  7.   echo "Waiting for SQL..."
    8. 

  8.   sleep 2
    9. 

  9. done
    10. 

  10. 

  11. # Do not attempt to write to slave
    12. 

  12. if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
    13. 

  13.   REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
    14. 

  14. else
    15. 

  15.   REDIS_CMDLINE="redis-cli -h redis -p 6379"
    16. 

  16. fi
    17. 

  17. 

  18. until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
    19. 

  19.   echo "Waiting for Redis..."
    20. 

  20.   sleep 2
    21. 

  21. done
    22. 

  22. 

  23. # Check mysql_upgrade (master and slave)
    24. 

  24. CONTAINER_ID=
    25. 

  25. until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
    26. 

  26.   CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
    27. 

  27.   sleep 2
    28. 

  28. done
    29. 

  29. echo "MySQL @ ${CONTAINER_ID}"
    30. 

  30. SQL_LOOP_C=0
    31. 

  31. SQL_CHANGED=0
    32. 

  32. until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
    33. 

  33.   if [ ${SQL_LOOP_C} -gt 4 ]; then
    34. 

  34.     echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
    35. 

  35.     break
    36. 

  36.   fi
    37. 

  37.   SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
    38. 

  38.   SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
    39. 

  39.   SQL_LOOP_C=$((SQL_LOOP_C+1))
    40. 

  40.   echo "SQL upgrade iteration #${SQL_LOOP_C}"
    41. 

  41.   if [[ ${SQL_UPGRADE_STATUS} == 'warning' ]]; then
    42. 

  42.     SQL_CHANGED=1
    43. 

  43.     echo "MySQL applied an upgrade, debug output:"
    44. 

  44.     echo ${SQL_FULL_UPGRADE_RETURN}
    45. 

  45.     sleep 3
    46. 

  46.     while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
    47. 

  47.       echo "Waiting for SQL to return, please wait"
    48. 

  48.       sleep 2
    49. 

  49.     done
    50. 

  50.     continue
    51. 

  51.   elif [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; then
    52. 

  52.     echo "MySQL is up-to-date - debug output:"
    53. 

  53.     echo ${SQL_FULL_UPGRADE_RETURN}
    54. 

  54.   else
    55. 

  55.     echo "No valid reponse for mysql_upgrade was received, debug output:"
    56. 

  56.     echo ${SQL_FULL_UPGRADE_RETURN}
    57. 

  57.   fi
    58. 

  58. done
    59. 

  59. 

  60. # doing post-installation stuff, if SQL was upgraded (master and slave)
    61. 

  61. if [ ${SQL_CHANGED} -eq 1 ]; then
    62. 

  62.   POSTFIX=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
    63. 

  63.   if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
    64. 

  64.     echo "Could not determine Postfix container ID, skipping Postfix restart."
    65. 

  65.   else
    66. 

  66.     echo "Restarting Postfix"
    67. 

  67.     curl -X POST --silent --insecure https://dockerapi/containers/${POSTFIX}/restart | jq -r '.msg'
    68. 

  68.     echo "Sleeping 5 seconds..."
    69. 

  69.     sleep 5
    70. 

  70.   fi
    71. 

  71. fi
    72. 

  72. 

  73. # Check mysql tz import (master and slave)
    74. 

  74. TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
    75. 

  75. if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
    76. 

  76.   SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
    77. 

  77.   echo "MySQL mysql_tzinfo_to_sql - debug output:"
    78. 

  78.   echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
    79. 

  79. fi
    80. 

  80. 

  81. if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    82. 

  82.   echo "We are master, preparing..."
    83. 

  83.   # Set a default release format
    84. 

  84.   if [[ -z $(${REDIS_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
    85. 

  85.     ${REDIS_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
    86. 

  86.   fi
    87. 

  87. 

  88.   # Set max age of q items - if unset
    89. 

  89.   if [[ -z $(${REDIS_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
    90. 

  90.     ${REDIS_CMDLINE} --raw SET Q_MAX_AGE 365
    91. 

  91.   fi
    92. 

  92. 

  93.   # Set default password policy - if unset
    94. 

  94.   if [[ -z $(${REDIS_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
    95. 

  95.     ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY length 6
    96. 

  96.     ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY chars 0
    97. 

  97.     ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
    98. 

  98.     ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
    99. 

  99.     ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
    100. 

  100.   fi
    101. 

  101. 

  102.   # Trigger db init
    103. 

  103.   echo "Running DB init..."
    104. 

  104.   php -c /usr/local/etc/php -f /web/inc/init_db.inc.php
    105. 

  105. 

  106.   # Recreating domain map
    107. 

  107.   echo "Rebuilding domain map in Redis..."
    108. 

  108.   declare -a DOMAIN_ARR
    109. 

  109.     ${REDIS_CMDLINE} DEL DOMAIN_MAP > /dev/null
    110. 

  110.   while read line
    111. 

  111.   do
    112. 

  112.     DOMAIN_ARR+=("$line")
    113. 

  113.   done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
    114. 

  114.   while read line
    115. 

  115.   do
    116. 

  116.     DOMAIN_ARR+=("$line")
    117. 

  117.   done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
    118. 

  118. 

  119.   if [[ ! -z ${DOMAIN_ARR} ]]; then
    120. 

  120.   for domain in "${DOMAIN_ARR[@]}"; do
    121. 

  121.     ${REDIS_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
    122. 

  122.   done
    123. 

  123.   fi
    124. 

  124. 

  125.   # Set API options if env vars are not empty
    126. 

  126.   if [[ ${API_ALLOW_FROM} != "invalid" ]] && [[ ! -z ${API_ALLOW_FROM} ]]; then
    127. 

  127.     IFS=',' read -r -a API_ALLOW_FROM_ARR <<< "${API_ALLOW_FROM}"
    128. 

  128.     declare -a VALIDATED_API_ALLOW_FROM_ARR
    129. 

  129.     REGEX_IP6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$'
    130. 

  130.     REGEX_IP4='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/([0-9]|[1-2][0-9]|3[0-2]))?$'
    131. 

  131.     for IP in "${API_ALLOW_FROM_ARR[@]}"; do
    132. 

  132.       if [[ ${IP} =~ ${REGEX_IP6} ]] || [[ ${IP} =~ ${REGEX_IP4} ]]; then
    133. 

  133.         VALIDATED_API_ALLOW_FROM_ARR+=("${IP}")
    134. 

  134.       fi
    135. 

  135.     done
    136. 

  136.     VALIDATED_IPS=$(array_by_comma ${VALIDATED_API_ALLOW_FROM_ARR[*]})
    137. 

  137.     if [[ ! -z ${VALIDATED_IPS} ]]; then
    138. 

  138.       if [[ ${API_KEY} != "invalid" ]] && [[ ! -z ${API_KEY} ]]; then
    139. 

  139.         mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
    140. 

  140. DELETE FROM api WHERE access = 'rw';
    141. 

  141. INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY}", "1", "${VALIDATED_IPS}", "rw");
    142. 

  142. EOF
    143. 

  143.       fi
    144. 

  144.       if [[ ${API_KEY_READ_ONLY} != "invalid" ]] && [[ ! -z ${API_KEY_READ_ONLY} ]]; then
    145. 

  145.         mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
    146. 

  146. DELETE FROM api WHERE access = 'ro';
    147. 

  147. INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY_READ_ONLY}", "1", "${VALIDATED_IPS}", "ro");
    148. 

  148. EOF
    149. 

  149.       fi
    150. 

  150.     fi
    151. 

  151.   fi
    152. 

  152. 

  153.   # Create events (master only, STATUS for event on slave will be SLAVESIDE_DISABLED)
    154. 

  154.   mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
    155. 

  155. DROP EVENT IF EXISTS clean_spamalias;
    156. 

  156. DELIMITER //
    157. 

  157. CREATE EVENT clean_spamalias
    158. 

  158. ON SCHEDULE EVERY 1 DAY DO
    159. 

  159. BEGIN
    160. 

  160.   DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
    161. 

  161. END;
    162. 

  162. //
    163. 

  163. DELIMITER ;
    164. 

  164. DROP EVENT IF EXISTS clean_oauth2;
    165. 

  165. DELIMITER //
    166. 

  166. CREATE EVENT clean_oauth2
    167. 

  167. ON SCHEDULE EVERY 1 DAY DO
    168. 

  168. BEGIN
    169. 

  169.   DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
    170. 

  170.   DELETE FROM oauth_access_tokens WHERE expires < NOW();
    171. 

  171.   DELETE FROM oauth_authorization_codes WHERE expires < NOW();
    172. 

  172. END;
    173. 

  173. //
    174. 

  174. DELIMITER ;
    175. 

  175. DROP EVENT IF EXISTS clean_sasl_log;
    176. 

  176. DELIMITER //
    177. 

  177. CREATE EVENT clean_sasl_log
    178. 

  178. ON SCHEDULE EVERY 1 DAY DO
    179. 

  179. BEGIN
    180. 

  180.   DELETE sasl_log.* FROM sasl_log
    181. 

  181.     LEFT JOIN (
    182. 

  182.       SELECT username, service, MAX(datetime) AS lastdate
    183. 

  183.       FROM sasl_log
    184. 

  184.       GROUP BY username, service
    185. 

  185.     ) AS last ON sasl_log.username = last.username AND sasl_log.service = last.service
    186. 

  186.     WHERE datetime < DATE_SUB(NOW(), INTERVAL 31 DAY) AND datetime < lastdate;
    187. 

  187.   DELETE FROM sasl_log
    188. 

  188.     WHERE username NOT IN (SELECT username FROM mailbox) AND
    189. 

  189.     datetime < DATE_SUB(NOW(), INTERVAL 31 DAY);
    190. 

  190. END;
    191. 

  191. //
    192. 

  192. DELIMITER ;
    193. 

  193. EOF
    194. 

  194. fi
    195. 

  195. 

  196. # Create dummy for custom overrides of mailcow style
    197. 

  197. [[ ! -f /web/css/build/0081-custom-mailcow.css ]] && echo '/* Autogenerated by mailcow */' > /web/css/build/0081-custom-mailcow.css
    198. 

  198. 

  199. # Fix permissions for global filters
    200. 

  200. chown -R 82:82 /global_sieve/*
    201. 

  201. 

  202. # Fix permissions on twig cache folder
    203. 

  203. chown -R 82:82 /web/templates/cache
    204. 

  204. # Clear cache
    205. 

  205. find /web/templates/cache/* -not -name '.gitkeep' -delete
    206. 

  206. 

  207. # list client ca of all domains for
    208. 

  208. CA_LIST="/etc/nginx/conf.d/client_cas.crt"
    209. 

  209. # Clear the output file
    210. 

  210. > "$CA_LIST"
    211. 

  211. # Execute the query and append each value to the output file
    212. 

  212. mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT ssl_client_ca FROM domain;" | while read -r ca; do
    213. 

  213.     echo "$ca" >> "$CA_LIST"
    214. 

  214. done
    215. 

  215. echo "SSL client CAs have been appended to $CA_LIST"
    216. 

  216. 

  217. 

  218. # Run hooks
    219. 

  219. for file in /hooks/*; do
    220. 

  220.   if [ -x "${file}" ]; then
    221. 

  221.     echo "Running hook ${file}"
    222. 

  222.     "${file}"
    223. 

  223.   fi
    224. 

  224. done
    225. 

  225. 

  226. exec "$@"
    227. 

  227.