feat(pikvm): Move cert files from /tmp

We now have acme.sh copy cert files into a directory that's writable,
specifically into '/tmp', this happens outside the scope of this
script purely within acme.sh. Most mounts remain mounted read-only so
we amend this script to make the '/' mount point read-writable and move
cert files into their correct location before making the '/' mount
point read-only again.

.gitignore

@@ -0,0 +1 @@
+.idea

freepbx_reload.sh

@@ -5,8 +5,9 @@ fwconsole certificates --import
 fwconsole certificates --updateall
 
 for certfile in pem key crt; do
-    rsync -av --itemize-changes {'/etc/asterisk/keys/'"${fqdn}",'/etc/httpd/pki/webserver'}'.'"${certfile}"
+    rsync -av --itemize-changes {'/etc/asterisk/keys/'"${fqdn}",'/etc/apache2/pki/webserver'}'.'"${certfile}"
 done
 
-fwconsole reload
-systemctl reload httpd
+apachectl configtest &>/dev/null && \
+    fwconsole reload && \
+    systemctl try-reload-or-restart apache2.service

haproxy_reload.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+declare haproxy_container="${1:?}"
+if systemctl --quiet is-active docker.service; then
+    if [[ "$( docker container inspect -f '{{.State.Running}}' "${haproxy_container}" 2> /dev/null )" == "true" ]]; then
+        docker exec -t "${haproxy_container}" haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg && \
+        docker kill --signal SIGHUP "${haproxy_container}"
+    fi
+fi

mysql_reload.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+declare mysql_container="${1:?}"
+if systemctl --quiet is-active docker.service; then
+    if [[ "$( docker container inspect -f '{{.State.Running}}' "${mysql_container}" 2> /dev/null )" == "true" ]]; then
+        if docker exec -t "${mysql_container}" bash -c 'mysqld --validate-config' &>/dev/null; then
+            docker restart "$(docker ps -qaf name="${mysql_container}")"
+        else
+            printf -- '%s\n' \
+                'MySQL config of container '"'${mysql_container}'"' does not validate.' \
+                'See: docker exec -t '"'${mysql_container}'"' bash -c '"'"'mysqld --validate-config'"'"'.' \
+                'We will leave the container running as-is.'
+        fi
+    fi
+fi

nginx_systemd_reload.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+nginx -t || exit 1
+if systemctl --quiet is-active nginx.service; then
+    systemctl try-reload-or-restart nginx.service || exit 1
+fi

one_container_restart

@@ -0,0 +1,7 @@
+#!/bin/bash
+declare container_name="${1:?}"
+if systemctl --quiet is-active docker.service; then
+    if [[ "$( docker container inspect -f '{{.State.Running}}' "${container_name}" 2> /dev/null )" == "true" ]]; then
+        docker restart "${container_name}"
+    fi
+fi

pikvm_reload.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
+rw
 cert_location='/etc/kvmd/nginx/ssl'
 for cert_file in 'server.crt' 'server.key'; do
+    mv --force --verbose '/tmp/'"${cert_file}" "${cert_location%/}"'/'
     chmod -v '0444' "${cert_location%/}"'/'"${cert_file}"
 done
 systemctl restart kvmd-nginx.service

zabbix_db_reload.sh

@@ -1,11 +1,13 @@
 #!/bin/bash
-cert_name="${1:?}"
-compose_ctx="${2:?}"
+compose_ctx="${1:?}"
 
-chown -v '70:70' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/postgres/config/cert/'{'ca.cer',"${cert_name}"'.'{'cer','key'}}
-chmod -v '0600' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/postgres/config/cert/'{'ca.cer',"${cert_name}"'.'{'cer','key'}}
+chown -v '70:70' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/postgres/config/cert/'{'.ZBX_DB_CA_FILE','.ZBX_DB_CERT_FILE','.ZBX_DB_KEY_FILE'}
+chmod -v '0600' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/postgres/config/cert/'{'.ZBX_DB_CA_FILE','.ZBX_DB_CERT_FILE','.ZBX_DB_KEY_FILE'}
 if systemctl --quiet is-active docker.service; then
     if [ "$( docker container inspect -f '{{.State.Running}}' 'zabbixserver-postgres-'"${compose_ctx}" )" = "true" ]; then
         docker exec -t 'zabbixserver-postgres-'"${compose_ctx}" sh -c 'pg_ctl reload -s'
     fi
+    if [ "$( docker container inspect -f '{{.State.Running}}' 'zabbixserver-zabbixserver-'"${compose_ctx}" )" = "true" ]; then
+        docker exec -t 'zabbixserver-zabbixserver-'"${compose_ctx}" sh -c 'zabbix_server --runtime-control config_cache_reload'
+    fi
 fi

zabbix_web_reload.sh

@@ -3,7 +3,8 @@ global_nginx_container_name="${1:?}"
 compose_ctx="${2:?}"
 reverse_fqdn_cert_id="${3:?}"
 
-rsync -av '/opt/docker-data/nginx/'"${global_nginx_container_name}"'/conf/certs/'"${reverse_fqdn_cert_id}"{'_fullchain.cer','.key'} '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/zabbixwebnginx/config/cert/'
+rsync -av '/opt/docker-data/'"${global_nginx_container_name}"'/nginx/conf/certs/'"${reverse_fqdn_cert_id}"'.key' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/zabbixwebnginx/config/cert/ssl.key'
+rsync -av '/opt/docker-data/'"${global_nginx_container_name}"'/nginx/conf/certs/'"${reverse_fqdn_cert_id}"'_fullchain.cer' '/opt/docker-data/zabbixserver-'"${compose_ctx}"'/zabbixwebnginx/config/cert/ssl.crt'
 chown -v -R '101:101' '/opt/docker-data/zabbixserver-loft/zabbixwebnginx/config/cert'
 if systemctl --quiet is-active docker.service; then
     if [ "$( docker container inspect -f '{{.State.Running}}' "${global_nginx_container_name}" 2> /dev/null )" = "true" ]; then