From eb82cc37f66b13e4a8166f98e1a9d933e4469f16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roni=20V=C3=A4yrynen?=
Date: Fri, 29 Jul 2022 14:21:32 +0300
Subject: [PATCH] feat: add Let's Encrypt support
---
 sample.xo-install.cfg | 10 ++++++++++
 xo-install.sh | 40 ++++++++++++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/sample.xo-install.cfg b/sample.xo-install.cfg
index 9c83463..65ddf99 100644
--- a/sample.xo-install.cfg
+++ b/sample.xo-install.cfg
@@ -84,6 +84,16 @@ PRESERVE="3"
 # options: true/false
 #AUTOCERT="false"
+# Enable automatic Let's Encrypt certificate creation.
+# Setting this to true will configure HTTP and HTTPS listeners to ports 80/443 (overwrites PORT variable),
+# enables autocert, sets certificate paths if missing and adds http to https redirect.
+#LETSENCRYPT="false"
+# Let's Encrypt domain for which the certificate is generated.
+# Domain needs to be pointed towards XO server public ip-address and ports 80 and 443 allowed.
+#LETSENCRYPT_DOMAIN=""
+# Optional email address to receive notifications related to certificate
+#LETSENCRYPT_EMAIL=""
+
 # If set to true, this will install the rpm/deb repositories necessary for the Xen Orchestra install.
 # If set to false, these repositories will not be installed. Also automatic nodejs upgrade will be disabled.
 # Note that installation will fail if all needed packages aren't available from configured repositories. See README for list of packages.
diff --git a/xo-install.sh b/xo-install.sh
index c8536bb..5e5f2f9 100755
--- a/xo-install.sh
+++ b/xo-install.sh
@@ -41,6 +41,7 @@ PATH_TO_HTTPS_CERT="${PATH_TO_HTTPS_CERT:-""}"
 PATH_TO_HTTPS_KEY="${PATH_TO_HTTPS_KEY:-""}"
 PATH_TO_HOST_CA="${PATH_TO_HOST_CA:-""}"
 AUTOCERT="${AUTOCERT:-"false"}"
+LETSENCRYPT="${LETSENCRYPT:-"false"}"
 USESUDO="${USESUDO:-"false"}"
 GENSUDO="${GENSUDO:-"false"}"
 INSTALL_REPOS="${INSTALL_REPOS:-"true"}"
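Review bot: LETSENCRYPT gets a `${LETSENCRYPT:-"false"}` default on the new line, but LETSENCRYPT_DOMAIN and LETSENCRYPT_EMAIL, which the later hunks read with `[[ -z "$LETSENCRYPT_DOMAIN" ]]` and `[[ -n "$LETSENCRYPT_EMAIL" ]]`, get no default at all, unlike every other option in this block. If the script runs under `set -u` (not visible in this hunk) those tests would abort with an unbound-variable error instead of reaching the intended printfail message. Adding `LETSENCRYPT_DOMAIN="${LETSENCRYPT_DOMAIN:-""}"` and `LETSENCRYPT_EMAIL="${LETSENCRYPT_EMAIL:-""}"` next to the new line keeps the defaults block complete and mirrors the commented-out entries the sample.xo-install.cfg hunk documents.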
@@ -68,14 +69,6 @@ FAIL="[${COLOR_RED}fail${COLOR_N}]"
 INFO="[${COLOR_BLUE}info${COLOR_N}]"
 PROGRESS="[${COLOR_BLUE}..${COLOR_N}]"
-# Protocol to use for webserver. If both of the X.509 certificate paths are defined,
-# then assume that we want to enable HTTPS for the server.
-if [[ -n "$PATH_TO_HTTPS_CERT" ]] && [[ -n "$PATH_TO_HTTPS_KEY" ]]; then
- HTTPS=true
-else
- HTTPS=false
-fi
-
 # create logpath if doesn't exist
 if [[ ! -d "$LOGPATH" ]]; then
 mkdir -p "$LOGPATH"
@@ -794,6 +787,16 @@ function InstallXO {
 # shellcheck disable=SC1117
 runcmd "sed -i \"s%# autoCert = false%autoCert = true%\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
 fi
+ if [[ "$LETSENCRYPT" == "true" ]]; then
+ runcmd "sed -i \"s%# \[\[http.listen\]\]%\[\[http.listen\]\]%\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ runcmd "sed -i \"s%# port = 443%port = 443%\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ runcmd "sed -i \"s%^# redirectToHttps = true%redirectToHttps = true%\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ runcmd "sed -i \"/^autoCert =.*/a acmeCa = 'letsencrypt/production'\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ runcmd "sed -i \"/^autoCert = .*/a acmeDomain = '$LETSENCRYPT_DOMAIN'\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ if [[ -n "$LETSENCRYPT_EMAIL" ]]; then
+ runcmd "sed -i \"/^autoCert =.*/a acmeEmail = '$LETSENCRYPT_EMAIL'\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml"
+ fi
+ fi
 sleep 2
 fi
 if [[ "$USESUDO" == "true" ]] && [[ "$XOUSER" != "root" ]]; then
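Review bot: `$LETSENCRYPT_DOMAIN` and `$LETSENCRYPT_EMAIL` are spliced verbatim into the sed `a` text on the acmeDomain and acmeEmail lines, inside a single-quoted TOML string and a double-quoted `runcmd` argument, so a value containing a single quote, a newline or shell metacharacters either corrupts sample.config.toml or, if runcmd re-evaluates its argument, is interpreted by the shell before sed sees it. The values come from the operator's own config file, so this is a misconfiguration hazard rather than an external attack surface, but a shape check next to the existing `-z` test in the StartUpScreen-area hunk removes the surprise: `[[ "$LETSENCRYPT_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { printfail "LETSENCRYPT_DOMAIN contains unexpected characters"; exit 1; }`, with an equivalent check for the email. The `s%# \[\[http.listen\]\]%…%` and `s%# port = 443%…%` substitutions are unanchored and rewrite every line containing that text; presumably the sample config holds exactly one such commented listener, which is worth confirming. InstallXO continues before and after this hunk.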
@@ -1538,6 +1541,27 @@ function StartUpScreen {
 }
+# Protocol to use for webserver. If both of the X.509 certificate paths are defined,
+# then assume that we want to enable HTTPS for the server.
+if [[ -n "$PATH_TO_HTTPS_CERT" ]] && [[ -n "$PATH_TO_HTTPS_KEY" ]]; then
+ HTTPS=true
+else
+ HTTPS=false
+fi
+
+# Override port to 80, set https true and autocert to true if letsencrypt
+if [[ "$LETSENCRYPT" == "true" ]]; then
+ if [[ -z "$LETSENCRYPT_DOMAIN" ]]; then
+ printfail "LETSENCRYPT_DOMAIN needs to be set when using Let's Encrypt"
+ exit 1
+ fi
+ PORT="80"
+ HTTPS="true"
+ AUTOCERT="true"
+ PATH_TO_HTTPS_CERT="${PATH_TO_HTTPS_CERT:-"./certificate.pem"}"
+ PATH_TO_HTTPS_KEY="${PATH_TO_HTTPS_KEY:-"./key.pem"}"
+fi
+
 # if no arguments given, we assume interactive mode.
 # set here because some of the following checks either prompt user input or not.
 if [[ $# == "0" ]]; then
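Review bot: The HTTPS detection block is moved from the top of the script (removed in the `@@ -68,14 +69,6 @@` hunk) to after StartUpScreen, roughly 1470 lines later, and that is only behaviour-preserving if no top-level statement between the old and new position reads `$HTTPS`; the hunks do not show that range, so it should be checked. The comment `# Override port to 80, set https true and autocert to true if letsencrypt` also understates what follows, which additionally fills in `PATH_TO_HTTPS_CERT` and `PATH_TO_HTTPS_KEY` with the relative defaults `./certificate.pem` and `./key.pem`; suggest `# Let's Encrypt: force PORT=80 (the 443 listener is enabled in InstallXO), enable HTTPS and autoCert, and default the cert/key paths if unset (relative paths — confirm how xo-server resolves them)`. Note that `[[ -z "$LETSENCRYPT_DOMAIN" ]]` only catches an empty value; any format validation of the domain belongs here as well, before it is written into the TOML in InstallXO.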