add Debian 12 bookworm install support, add Mailman3 option for mod_macro

bin/vhost-enable.sh

@@ -31,6 +31,7 @@ help()
   echo "                vhost-enable.sh -m VHostSubdomainHTTPS -d staging.example.com"
   echo "                vhost-enable.sh -m VHostSubdomainHTTPSVarnish -d staging.example.com"
   echo "                vhost-enable.sh -m VMailHTTPS -d mail.example.com"
+  echo "                vhost-enable.sh -m Mailman3HTTPS -d lists.example.com"
   echo "                vhost-enable.sh -m RedirectHTTP -d example.com -o https://www.example.org"
   echo "                vhost-enable.sh -m RedirectHTTPS -d example.com -o https://www.example.org"
   echo "                vhost-enable.sh -m VHostAliasHTTP -d example.com -o example.org"
@@ -54,6 +55,8 @@ fi
 if [[ ! -n $macro ]]; then
   if [[ "$domain" =~ ^mail.* ]]; then
     macro=VMailHTTPS
+  elif [[ "$domain" =~ ^lists.* ]]; then
+    macro=Mailman3HTTPS
   elif [[ -f "/etc/ssl/letsencrypt/$domain.pem" ]]; then
     macro=VHostHTTPS
   else

etc/apache2/mods-available/macro.conf

@@ -7,6 +7,7 @@
 # *only use one of the VHost options above at at time*
 #
 # VMailHTTPS for webmail at mail. subdomain assumes & requires https w/ valid cert
+# Mailman3HTTPS for mailman3 lists at lists. subdomain assumes & requires https w/ valid cert
 #
 # RedirectHTTP for http only
 # RedirectHTTPS for http & https
@@ -203,7 +204,7 @@
   </VirtualHost>
 </Macro>
 
-# Webmail - HTTP Port 80 Redirects to HTTPS Port 443
+# Webmail - HTTP Port 80 Redirects to HTTPS Port 443. Expects mail. subdomain
 <Macro VMailHTTPS $vhost>
   <VirtualHost *:80>
     ServerName    $vhost
@@ -221,6 +222,26 @@
   </VirtualHost>
 </Macro>
 
+# Mailman3 - HTTP Port 80 Redirects to HTTPS Port 443. Expects lists. subdomain
+<Macro Mailman3HTTPS $vhost>
+  <VirtualHost *:80>
+    ServerName    $vhost
+    <Location "/">
+      <If "%{REQUEST_URI} !~ m#^/.well-known/acme-challenge/#">
+        Redirect / https://$vhost
+      </If>
+    </Location>
+  </VirtualHost>
+  <VirtualHost *:443>
+    ServerName    $vhost
+    DocumentRoot  /srv/www/html
+    Include /etc/mailman3/apache.conf
+    RedirectMatch ^/$ /mailman3
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem
+  </VirtualHost>
+</Macro>
+
 <Macro RedirectHTTP $vhost $redirect>
   <VirtualHost *:80>
     ServerName  $vhost

etc/apache2/mods-available/ssl.conf

@@ -1,85 +0,0 @@
-<IfModule mod_ssl.c>
-
-	# Pseudo Random Number Generator (PRNG):
-	# Configure one or more sources to seed the PRNG of the SSL library.
-	# The seed data should be of good random quality.
-	# WARNING! On some platforms /dev/random blocks if not enough entropy
-	# is available. This means you then cannot use the /dev/random device
-	# because it would lead to very long connection times (as long as
-	# it requires to make more entropy available). But usually those
-	# platforms additionally provide a /dev/urandom device which doesn't
-	# block. So, if available, use this one instead. Read the mod_ssl User
-	# Manual for more details.
-	#
-	SSLRandomSeed startup builtin
-	SSLRandomSeed startup file:/dev/urandom 512
-	SSLRandomSeed connect builtin
-	SSLRandomSeed connect file:/dev/urandom 512
-
-	##
-	##  SSL Global Context
-	##
-	##  All SSL configuration in this context applies both to
-	##  the main server and all SSL-enabled virtual hosts.
-	##
-
-	#
-	#   Some MIME-types for downloading Certificates and CRLs
-	#
-	AddType application/x-x509-ca-cert .crt
-	AddType application/x-pkcs7-crl	.crl
-
-	#   Pass Phrase Dialog:
-	#   Configure the pass phrase gathering process.
-	#   The filtering dialog program (`builtin' is a internal
-	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
-
-	#   Inter-Process Session Cache:
-	#   Configure the SSL Session Cache: First the mechanism 
-	#   to use and second the expiring timeout (in seconds).
-	#   (The mechanism dbm has known memory leaks and should not be used).
-	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
-	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
-	SSLSessionCacheTimeout  300
-
-	#   Semaphore:
-	#   Configure the path to the mutual exclusion semaphore the
-	#   SSL engine uses internally for inter-process synchronization. 
-	#   (Disabled by default, the global Mutex directive consolidates by default
-	#   this)
-	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
-
-
-	#   SSL Cipher Suite:
-	#   List the ciphers that the client is permitted to negotiate. See the
-	#   ciphers(1) man page from the openssl package for list of all available
-	#   options.
-	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
-
-	# SSL server cipher order preference:
-	# Use server priorities for cipher algorithm choice.
-	# Clients may prefer lower grade encryption.  You should enable this
-	# option if you want to enforce stronger encryption, and can afford
-	# the CPU cost, and did not override SSLCipherSuite in a way that puts
-	# insecure ciphers first.
-	# Default: Off
-	#SSLHonorCipherOrder on
-
-	#   The protocols to enable.
-	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
-	#   SSL v2  is no longer supported
-	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
-	#   Allow insecure renegotiation with clients which do not yet support the
-	#   secure renegotiation protocol. Default: Off
-	#SSLInsecureRenegotiation on
-
-	#   Whether to forbid non-SNI clients to access name based virtual hosts.
-	#   Default: Off
-	#SSLStrictSNIVHostCheck On
-
-</IfModule>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

etc/apache2/sites-available/001-default-ssl.conf

@@ -13,5 +13,6 @@
     <Directory /usr/lib/cgi-bin>
       SSLOptions +StdEnvVars
     </Directory>
+    #Include /etc/mailman3/apache.conf
   </VirtualHost>
 </IfModule>

install.sh

@@ -5,13 +5,11 @@ if [ "${EUID}" -ne 0 ]; then
   exit
 fi
 
-# check for Ubuntu 20.04
-if ! grep -q "Ubuntu 22.04" /etc/issue; then
-  echo "This installer is only tested on Ubuntu 22.04. If you are on a"
-  echo "different version of Ubuntu or a Debian/Debian based distro"
-  echo "and want to try running this installer open this script and"
-  echo "comment out the exit command below this line and re-run."
-  exit
+# check for Ubuntu 22.04 (jammy) or Debian 12 (bookworm)
+os_codename=`lsb_release -cs`
+if [ $os_codename != jammy ] && [ $os_codename != bookworm ]; then
+  echo "This installer only runs on Ubuntu 22.04 (jammy) or Debian 12 (Bookworm), bailing out."
+  exit 1
 fi
 
 # check if install is already in place
@@ -20,14 +18,12 @@ if [ -f "/usr/local/bin/vhost.sh" ]; then
   exit
 fi
 
-# check for existing web server software installs
+# check for existing Let's Encrypt install
 if [ -d "/etc/apache2/" ] || [ -d "/etc/php/" ] || [ -d "/etc/varnish/" ]; then
   echo
   echo "WARNING: Apache, Varnish and/or PHP are already installed."
-  echo "This installer will overwrite existing configurations."
-  echo -e "You have five seconds to execute ctrl-c to cancel this install.\a"
-  echo
-  sleep 5
+  echo "You must purge any existing Apache, PHP & Varnish installs before running this."
+  exit 1
 fi
 
 # check for dpkg lock
@@ -98,6 +94,7 @@ a2enconf php$phpVersion-fpm phpMyAdmin
 cp etc/apache2/mods-available/* /etc/apache2/mods-available/
 chmod 644 /etc/apache2/mods-available/*.conf
 chown root:root /etc/apache2/mods-available/*.conf
+sed -i "s|SSLProtocol.*|SSLProtocol TLSv1.2|g" /etc/apache2/mods-available/ssl.conf
 # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain.
 sed -i "s|example.com|$vhostdomain|g" /etc/apache2/mods-available/macro.conf
 # a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro
@@ -280,5 +277,5 @@ fi
 echo
 echo "To enable the default https host install letsencrypt-tools and then run:"
 echo "letsencrypt-certonly.sh -d $fqdn"
-echo "a2ensite 000-default-ssl.conf"
+echo "a2ensite 001-default-ssl.conf"
 echo "systemctl reload apache2"