manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for

management/daemon.py

@@ -66,6 +66,13 @@ def dns_get_ds_records():
 	except Exception as e:
 		return (str(e), 500)
 
+# WEB
+
+@app.route('/web/update', methods=['POST'])
+def web_update():
+	from web_update import do_web_update
+	return do_web_update(env)
+
 # System
 
 @app.route('/system/updates')

management/dns_update.py

@@ -6,7 +6,7 @@ import os, os.path, urllib.parse, datetime, re, hashlib
 import rtyaml
 
 from mailconfig import get_mail_domains
-from utils import shell, load_env_vars_from_file
+from utils import shell, load_env_vars_from_file, safe_domain_name
 
 def get_dns_domains(env):
 	# What domains should we serve DNS for?
@@ -30,7 +30,7 @@ def get_dns_domains(env):
 	# Make a nice and safe filename for each domain.
 	zonefiles = []
 	for domain in domains:
-		zonefiles.append([domain, urllib.parse.quote(domain, safe='') + ".txt"])
+		zonefiles.append([domain, safe_domain_name(domain) + ".txt"])
 
 	return zonefiles
 	

management/utils.py

@@ -11,6 +11,11 @@ def load_env_vars_from_file(fn):
     for line in open(fn): env.setdefault(*line.strip().split("=", 1))
     return env
 
+def safe_domain_name(name):
+    # Sanitize a domain name so it is safe to use as a file name on disk.
+    import urllib.parse
+    return urllib.parse.quote(name, safe='')
+
 def exclusive_process(name):
     # Ensure that a process named `name` does not execute multiple
     # times concurrently.

management/web_update.py

@@ -0,0 +1,95 @@
+# Creates an nginx configuration file so we serve HTTP/HTTPS on all
+# domains for which a mail account has been set up.
+########################################################################
+
+import os, os.path
+
+from mailconfig import get_mail_domains
+from utils import shell, safe_domain_name
+
+def get_web_domains(env):
+	# What domains should we serve HTTP/HTTPS for?
+	domains = set()
+
+	# Add all domain names in use by email users and mail aliases.
+	domains |= get_mail_domains(env)
+
+	# Ensure the PUBLIC_HOSTNAME is in the list.
+	domains.add(env['PUBLIC_HOSTNAME'])
+
+	# Sort the list. Put PUBLIC_HOSTNAME first so it becomes the
+	# default server (nginx's default_server).
+	domains = sorted(domains, key = lambda domain : (domain != env["PUBLIC_HOSTNAME"], list(reversed(domain.split(".")))) )
+
+	return domains
+	
+
+def do_web_update(env):
+	# Build an nginx configuration file.
+	nginx_conf = ""
+	template = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
+	for domain in get_web_domains(env):
+		nginx_conf += make_domain_config(domain, template, env)
+
+	# Save the file.
+	with open("/etc/nginx/conf.d/local.conf", "w") as f:
+		f.write(nginx_conf)
+
+	# Nick nginx.
+	shell('check_call', ["/usr/sbin/service", "nginx", "restart"])
+
+	return "OK"
+
+def make_domain_config(domain, template, env):
+	# How will we configure this domain.
+
+	# Where will its root directory be for static files? Try STORAGE_ROOT/web/domain_name
+	# if it exists, but fall back to STORAGE_ROOT/web/default.
+	for test_domain in (domain, 'default'):
+		root = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(test_domain))
+		if os.path.exists(root): break
+
+	# What SSL private key will we use? Allow the user to override this, but
+	# in many cases using the same private key for all domains would be fine.
+	# Don't allow the user to override the key for PUBLIC_HOSTNAME because
+	# that's what's in the main file.
+	ssl_key = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_private_key.pem')
+	alt_key = os.path.join(env["STORAGE_ROOT"], 'ssl/domains/%s_private_key.pem' % safe_domain_name(domain))
+	if domain != env['PUBLIC_HOSTNAME'] and os.path.exists(alt_key):
+		ssl_key = alt_key
+
+	# What SSL certificate will we use? This has to be differnet for each
+	# domain name. The certificate is already generated for PUBLIC_HOSTNAME.
+	# For other domains, generate a self-signed certificate if one doesn't
+	# already exist. See setup/mail.sh for documentation.
+	if domain == env['PUBLIC_HOSTNAME']:
+		ssl_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_certificate.pem')
+	else:
+		ssl_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/domains/%s_certifiate.pem' % safe_domain_name(domain))
+		os.makedirs(os.path.dirname(ssl_certificate), exist_ok=True)
+		if not os.path.exists(ssl_certificate):
+			# Generate a new self-signed certificate using the same private key that we already have.
+
+			# Start with a CSR.
+			csr = os.path.join(env["STORAGE_ROOT"], 'ssl/domains/%s_cert_sign_req.csr' % safe_domain_name(domain))
+			shell("check_call", [
+				"openssl", "req", "-new",
+				"-key", ssl_key,
+				"-out",  csr,
+				"-subj", "/C=%s/ST=/L=/O=/CN=%s" % (env["CSR_COUNTRY"], domain)])
+
+			# And then make the certificate.
+			shell("check_call", [
+				"openssl", "x509", "-req",
+				"-days", "365",
+				"-in", csr,
+				"-signkey", ssl_key,
+				"-out", ssl_certificate])
+
+	# Replace substitution strings in the template & return.
+	nginx_conf = template
+	nginx_conf = nginx_conf.replace("$HOSTNAME", domain)
+	nginx_conf = nginx_conf.replace("$ROOT", root)
+	nginx_conf = nginx_conf.replace("$SSL_KEY", ssl_key)
+	nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", ssl_certificate)
+	return nginx_conf