author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-28 22:14:59 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-28 22:14:59 -0400 |
commit | 7eb111136453d0e8d8451d7dd85ba9892318f294 (patch) | |
tree | b743ed4dba823a5e44b81670453cd5365697caa8 | |
parent | 6566745769b86f19d5d3b54f7de7f0c89a103b23 (diff) | |
download | infrastructure-7eb111136453d0e8d8451d7dd85ba9892318f294.tar.gz |
acme/nginx/asterisk fixes
-rw-r--r-- | files/usr/local/etc/asterisk/logger.conf.asterisk_server | 4 | ||||
-rw-r--r-- | files/usr/local/etc/asterisk/pjsip.conf.asterisk_server | 2 | ||||
-rw-r--r-- | files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server | 3 | ||||
-rw-r--r-- | files/usr/local/etc/asterisk/rtp.conf.asterisk_server | 4 | ||||
-rw-r--r-- | files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server | 42 | ||||
-rw-r--r-- | files/usr/local/etc/nginx/nginx.conf.common | 2 | ||||
-rw-r--r-- | files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver | 2 | ||||
-rw-r--r-- | files/usr/local/etc/postfix/main.cf.smtp_server | 4 | ||||
-rw-r--r-- | files/usr/local/etc/unbound/unbound.conf.idm_server | 2 | ||||
-rw-r--r-- | scripts/common/10-vars | 2 | ||||
-rw-r--r-- | scripts/hostclass/asterisk_server | 8 | ||||
-rw-r--r-- | scripts/hostclass/authoritative_nameserver | 4 | ||||
-rw-r--r-- | scripts/hostclass/public_webserver | 8 | ||||
-rw-r--r-- | scripts/os/freebsd/20-termcap | 1 | ||||
-rw-r--r-- | scripts/os/freebsd/60-acme | 60 | ||||
-rw-r--r-- | vars/hostclass/desktop | 2 | ||||
-rw-r--r-- | vars/os/freebsd | 2 |
17 files changed, 106 insertions, 46 deletions
diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
index 3bf2a53..d2a5a7d 100644
--- a/files/usr/local/etc/asterisk/logger.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
@@ -1,3 +1,3 @@
 [logfiles]
-console => notice,warning,error
-syslog.daemon => notice,warning,error,security,verbose1
+console => notice,warning,error,verbose1
+syslog.daemon => notice,warning,error,verbose1
diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
index 0f83a81..dd10763 100644
--- a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
@@ -20,7 +20,7 @@ bind = 0.0.0.0:5061
 method = tlsv1_2
 cert_file = ${asterisk_public_tls_cert}
 priv_key_file = ${asterisk_public_tls_key}
-ca_list_file = ${ca_root_nss_bundle}
+ca_list_path = ${system_cadir_path}
 verify_client = no
 verify_server = yes
 allow_reload = yes
diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
index 1de448f..8d01aa5 100644
--- a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
@@ -40,8 +40,10 @@ aor/remove_existing = yes
 endpoint/allow = !all,g722,ulaw
 endpoint/from_domain = ${asterisk_sip_domain}
 endpoint/subscribe_context = subscribe
+endpoint/transport = transport-tcp
 $(for ext in ${asterisk_exts:-}; do
+ eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tcp'}"
 eval "ext_context=\${asterisk_ext_${ext}_context}"
 eval "ext_password=\${asterisk_ext_${ext}_password}"
 eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}"
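Review bot: The new `syslog.daemon` line drops the `security` level that the removed line carried, so Asterisk's security events (the authentication-failure and invalid-account records emitted on the security log channel) no longer reach syslog, which is exactly the feed a fail2ban-style watcher or a SIEM keys on. If that is intentional it deserves a sentence in the commit message; otherwise keep the level: `syslog.daemon => notice,warning,error,security,verbose1`. As written, console now receives strictly more than before while syslog receives less on the one axis that matters for detection.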
@@ -62,4 +64,5 @@ aor/max_contacts = ${ext_max_contacts}
 aor/qualify_frequency = ${ext_qualify_freq}
 aor/qualify_timeout = ${ext_qualify_timeout}
 endpoint/direct_media = ${ext_direct_media}
+endpoint/transport = transport-${ext_proto}
 "; done)
diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
index d16d1f0..31d1797 100644
--- a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
@@ -1,3 +1,3 @@
 [general]
-rtpstart=${asterisk_rtp_start_port}
-rtpend=${asterisk_rtp_end_port}
+rtpstart=${asterisk_rtp_port_start}
+rtpend=${asterisk_rtp_port_end}
diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
index 8d0433f..4340192 100644
--- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
@@ -34,6 +34,17 @@ apply Service "dns" {
 assign where "idm-servers" in host.groups
 }
+apply Service for (zone in host.vars.zones) {
+ check_command = "dns"
+ vars.dns_lookup = zone
+ name = "dns-" + zone
+ display_name = zone
+ vars.dns_server = "\$address\$"
+ vars.dns_wtime = ${icinga_response_time_warn}
+ vars.dns_ctime = ${icinga_response_time_crit}
+ assign where "nameservers" in host.groups
+}
+
 apply Service "resolver" {
 check_command = "dns"
 vars.dns_lookup = "www.google.com"
@@ -278,7 +289,6 @@ apply Service "https" {
 vars.http_warn_time = ${icinga_response_time_warn}
 vars.http_critical_time = ${icinga_response_time_crit}
 assign where ("pkg-repositories" in host.groups
- || "web-servers" in host.groups
 || "xmpp-servers" in host.groups
 || "znc-servers" in host.groups
 || "bitwarden-servers" in host.groups
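Review bot: `endpoint/transport = transport-${ext_proto}` defaults every extension to `transport-tcp` (via the `:-'tcp'` default in the previous hunk), i.e. cleartext SIP signaling carrying the digest-authenticated REGISTER for `ext_password`, while the only transport visible in the pjsip.conf hunk of this commit is the `tlsv1_2` one bound on `:5061`. If the TLS transport is meant to be the norm for phones, flip the default to `'tls'` (this presumes a transport named `transport-tls` exists, which the diff does not show) and let the exceptions set `asterisk_ext_<ext>_proto=tcp`. The value is also interpolated unchecked, so a typo in that variable yields a reference to a nonexistent transport that only surfaces as a pjsip load error; a one-line comment above the `eval` naming the accepted values (`tcp`, `tls`, …) would at least document the contract.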
@@ -316,7 +326,7 @@ apply Service "https-cert" {
 vars.http_vhost = "\$address\$"
 vars.http_ssl = true
 vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
- assign where ("invidious-servers" in host.groups
+ assign where (("invidious-servers" in host.groups
 || "nfs-servers" in host.groups
 || "pkg-repositories" in host.groups
 || "unifi-controllers" in host.groups
@@ -327,5 +337,33 @@ apply Service "https-cert" {
 || "dav-servers" in host.groups
 || "smtp-servers" in host.groups
 || "icinga-servers" in host.groups
+ || "web-servers" in host.groups
 || "ttrss-servers" in host.groups)
+ && !host.vars.https_vhosts)
+}
+
+// Expect HTTPS 200
+apply Service for (vhost in host.vars.https_vhosts) {
+ check_command = "http"
+ name = vhost + "-cert"
+ display_name = vhost + " certificate"
+ vars.http_vhost = vhost
+ vars.http_expect = "HTTP/1.1 200 OK"
+ vars.http_ssl = true
+ vars.http_sni = true
+ vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
+}
+
+// Certificate validity
+apply Service for (vhost in host.vars.https_vhosts) {
+ check_command = "http"
+ name = vhost
+ display_name = vhost
+ vars.http_vhost = vhost
+ vars.http_expect = "HTTP/1.1 200 OK"
+ vars.http_ssl = true
+ vars.http_sni = true
+ vars.http_expect = "HTTP/1.1 200 OK"
+ vars.http_warn_time = ${icinga_response_time_warn}
+ vars.http_critical_time = ${icinga_response_time_crit}
 }
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 98ff9f9..d340735 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
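Review bot: The two comments above the new `apply Service for (vhost in host.vars.https_vhosts)` blocks are swapped: the block under `// Expect HTTPS 200` is the one named `vhost + "-cert"` that sets `vars.http_certificate`, while the block under `// Certificate validity` is the plain `vhost` check that sets `http_warn_time`/`http_critical_time`; swap the two comment lines. The second block also assigns `vars.http_expect = "HTTP/1.1 200 OK"` twice, so the later line should be dropped. Neither `apply for` block carries an `assign where`, which is fine for `apply for` (it applies wherever `host.vars.https_vhosts` is set) and is what the new `&& !host.vars.https_vhosts` exclusion on `https-cert` relies on; a short comment on that exclusion, e.g. `// hosts with per-vhost checks below are excluded here`, would make the pairing explicit.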
@@ -33,7 +33,7 @@ http {
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
-$(if [ "${nginx_public:-}" = true ]; then <<EOF
+$(if [ "${nginx_public:-}" = true ]; then cat <<EOF
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_dhparam ${dhparams_path};
diff --git a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
index b6d1e11..0a3b224 100644
--- a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
+++ b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
@@ -1,7 +1,7 @@
 server:
 server-count: ${nsd_threads}
 log-only-syslog: yes
- verbosity: 1
+ verbosity: 2
 hide-version: yes
 minimal-responses: yes
 refuse-any: yes
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index 1f42202..155c18c 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -67,12 +67,12 @@ smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_helo_required = yes
-smtp_tls_CApath = ${system_cacert_path}
+smtp_tls_CApath = ${system_cadir_path}
 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
 smtp_tls_loglevel = 1
-lmtp_tls_CApath = ${system_cacert_path}
+lmtp_tls_CAfile = ${site_cacert_path}
 lmtp_tls_security_level = encrypt
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
 smtp_tls_loglevel = 1
diff --git a/files/usr/local/etc/unbound/unbound.conf.idm_server b/files/usr/local/etc/unbound/unbound.conf.idm_server
index 762fe09..8af2c61 100644
--- a/files/usr/local/etc/unbound/unbound.conf.idm_server
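Review bot: The effect of this one-word fix deserves a line in the commit message or a template comment: without `cat` the heredoc hung off an empty command and was silently discarded, so every `nginx_public` host has been running with nginx's default `ssl_protocols`/`ssl_ciphers` and no `ssl_dhparam` rather than the pinned set shown here. After this change the TLS configuration of those hosts changes on the next template install, so it should be re-verified from the outside rather than assumed to have been in force. A comment such as `# Pinned TLS settings for public-facing hosts; emitted only when nginx_public=true` above the `$(if` line would also make the conditional easier to read.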
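Review bot: `lmtp_tls_CAfile = ${site_cacert_path}` only has an effect if the LMTP peer certificate is actually checked, and the unchanged `lmtp_tls_security_level = encrypt` on the following line does not do that — Postfix validates the peer against the CA only at `verify`/`secure` (or via DANE). If the point of switching LMTP from the system CA directory to the site CA is to pin the internal mail store's certificate, pair it with `lmtp_tls_security_level = secure`; otherwise the CAfile is dead configuration and the change should say so. Separately, the context line after the LMTP session cache reads `smtp_tls_loglevel = 1` a second time where `lmtp_tls_loglevel = 1` looks intended; that predates this commit but sits next to the lines being touched.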
+++ b/files/usr/local/etc/unbound/unbound.conf.idm_server
@@ -53,7 +53,7 @@ $([ -z "$unbound_local_zones" ] || printf ' local-zone: "%s" typetransparent\n' private-domain: "${domain}"
 $([ -z "$unbound_local_zones" ] || printf ' private-domain: "%s"\n' $unbound_local_zones)
-$([ -z "$unbound_local_data" ] || printf ' local-data: "%s"\n' $unbound_local_data)
+$([ -z "$unbound_local_data" ] || echo "$unbound_local_data" | while read -r data; do [ -n "$data" ] && printf ' local-data: "%s"\n' "$data"; done)
 $(echo "$unbound_blocklists" | while read -r name _url; do [ -n "$name" ] && printf "rpz:\n name: %s\n zonefile: ${unbound_blocklist_dir}/%s.zone\n" "$name" "$name"; done)
diff --git a/scripts/common/10-vars b/scripts/common/10-vars
index 361bb7b..a82dd44 100644
--- a/scripts/common/10-vars
+++ b/scripts/common/10-vars
@@ -4,7 +4,7 @@ if [ "${idm_bootstrap:-}" = true ]; then
 resolvers=$bootstrap_resolvers
 pkg_host=$pkg_host_ip
 else
- : ${resolvers:="$(echo "$idm_server_list" | awk '{print $3}')"}
+ : ${resolvers:="$(echo "$idm_server_list" | awk '{printf "%s ",$3}')"}
 : ${pkg_host:="pkg.${domain}"}
 fi
diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server
index fe10f51..dcd2675 100644
--- a/scripts/hostclass/asterisk_server
+++ b/scripts/hostclass/asterisk_server
@@ -54,23 +54,23 @@ install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_
 install_file -m 0644 \
 "${asterisk_conf_dir}/extensions.conf" \
 "${asterisk_conf_dir}/logger.conf" \
- "${asterisk_conf_dir}/queues.conf" \
 "${asterisk_conf_dir}/voicemail.conf"
 install_template -m 0644 \
 "${asterisk_conf_dir}/voicemail.conf" \
 "${asterisk_conf_dir}/pjsip.conf" \
+ "${asterisk_conf_dir}/queues.conf" \
 "${asterisk_conf_dir}/rtp.conf"
-install_template -m 0640 \
+install_template -m 0640 -g "$asterisk_user" \
 "${asterisk_conf_dir}/pjsip_wizard.conf"
 # Acquire public TLS certificate.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
 acme_install_certificate \
- -c "$asterisk_public_tls_cert" \
- -k "$asterisk_public_tls_key" \
+ -g "$asterisk_user" \
 -r 'sudo service asterisk reload' \
+ asterisk \
 "$asterisk_public_fqdn"
 # Enable and start asterisk.
diff --git a/scripts/hostclass/authoritative_nameserver b/scripts/hostclass/authoritative_nameserver
index 69a7dde..0b7e73f 100644
--- a/scripts/hostclass/authoritative_nameserver
+++ b/scripts/hostclass/authoritative_nameserver
@@ -18,8 +18,8 @@ install_template -m 0644 /usr/local/etc/nsd/nsd.conf
 # Copy zone files.
 for zone in $nsd_zones; do
- eval "zone_name=\${nsd_${zone}_zone}"
- install_file -m 0644 "${nsd_conf_dir}/${zone_name}.zone"
+ eval "_domain=\${nsd_${zone}_domain}"
+ install_file -m 0644 "${nsd_conf_dir}/${_domain}.zone"
 done
 # Enable and start nsd.
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index 721cbfc..3877313 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
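Review bot: The certificate is now requested under the name `asterisk`, so with the rewritten `acme_install_certificate` (60-acme hunk below) the files land at `${acme_cert_dir}/asterisk.crt`, `.key` and `.ca.crt`, but the pjsip.conf template in this same commit still reads `cert_file = ${asterisk_public_tls_cert}` and `priv_key_file = ${asterisk_public_tls_key}`, and the diffstat lists no asterisk vars file that would redefine those two. Unless they already resolve to the new paths, pjsip keeps loading the old location after the next apply; defining them from `acme_cert_dir` in the hostclass vars, or adding a comment here stating that they must point at `${acme_cert_dir}/asterisk.*`, closes the gap. Passing `-g "$asterisk_user"` for both the wizard template (which carries the `ext_password` values) and the key is the right direction; the `-r 'sudo service asterisk reload'` hook still depends on the sudoers.d/acme rule installed two lines above, which this hunk does not change.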
@@ -27,14 +27,12 @@ service nginx restart
 # Acquire public TLS certificates.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
-for cert in $acme_certs; do
- eval "acme_domains=\${acme_${cert}_domains}"
+for certname in $acme_certs; do
+ eval "acme_domains=\${acme_${certname}_domains}"
 acme_install_certificate \
- -C "${acme_cert_dir}/${cert}.ca.crt" \
- -c "${acme_cert_dir}/${cert}.crt" \
- -k "${acme_cert_dir}/${cert}.key" \
 -g "$nginx_user" \
 -r 'sudo service nginx reload' \
+ "$certname" \
 $acme_domains
 done
diff --git a/scripts/os/freebsd/20-termcap b/scripts/os/freebsd/20-termcap
index ea5a1b5..ff10d44 100644
--- a/scripts/os/freebsd/20-termcap
+++ b/scripts/os/freebsd/20-termcap
@@ -2,6 +2,7 @@
 # Fix xterm-256color termcap
 # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679
+mkdir -p /usr/local/share/site-terminfo
 cat <<'EOF' | tic -o /usr/local/share/site-terminfo -
 xterm-256color|xterm with 256 colors,
 am, bce, ccc, km, mc5i, mir, msgr, npc, xenl,
diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme
index 94b832d..61a9454 100644
--- a/scripts/os/freebsd/60-acme
+++ b/scripts/os/freebsd/60-acme
@@ -29,36 +29,39 @@ if [ "${nginx_public:-}" = true ] && ! [ -f "$dhparams_path" ]; then
 openssl dhparam -out "$dhparams_path" 2048
 fi
+if [ "${acme_standalone:-}" != true ]; then
+ install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
+fi
+
 acme_install_certificate(){
 _aic_group=0
- _aic_cert_path=
- _aic_key_path=
- _aic_ca_path=
 _aic_reload_cmd=
+ _aic_name=
+ _aic_domain=
- while getopts C:c:g:k:r: _aic_opt; do
+ while getopts g:r: _aic_opt; do
 case $_aic_opt in
- C) _aic_ca_path=$OPTARG ;;
- c) _aic_cert_path=$OPTARG ;;
 g) _aic_group=$OPTARG ;;
- k) _aic_key_path=$OPTARG ;;
 r) _aic_reload_cmd=$OPTARG ;;
 esac
 done - shift $((OPTIND - 1))
- _aic_name=$1
- # Acquire the certificate via HTTP ACME challenge.
+ _aic_name=$1; shift
+ _aic_key_path="${acme_cert_dir}/${_aic_name}.key"
+ _aic_cert_path="${acme_cert_dir}/${_aic_name}.crt"
+ _aic_ca_path="${acme_cert_dir}/${_aic_name}.ca.crt"
+
+ _aic_firstdomain=$1
 _aic_domain_args=''
 for _aic_domain; do
 _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}"
 done
- if [ -n "${acme_standalone:-}" ]; then
- su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
+ # Acquire the certificate via HTTP ACME challenge.
+ if [ "${acme_standalone:-}" = true ]; then
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httpport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
 else
- install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
 su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
 fi
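Review bot: `_aic_name=$1; shift` and `_aic_firstdomain=$1` consume positional arguments without checking that any were supplied: called with options only, `_aic_name` is empty and the derived paths collapse to `${acme_cert_dir}/.key` and friends; called with a name but no domains, `_aic_domain_args` stays empty and acme.sh is launched with no `-d` at all. Two guards after option parsing make both a clear failure, `[ -n "${1:-}" ] || die "acme_install_certificate: certificate name required"` before the shift and `[ $# -gt 0 ] || die "acme_install_certificate: at least one domain required for ${_aic_name}"` after it (`die` is what the `acme_setup_proxy` hunk in this file already uses). The new `_aic_domain=` initialisation is dead, since `_aic_domain` is only ever the `for` variable. The function continues past this hunk (the install-cert calls are in the next one), so whether `_aic_group` is applied to the derived key path is not visible here.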
@@ -77,9 +80,9 @@ acme_install_certificate(){
 fi
 if [ -n "$_aic_reload_cmd" ]; then
- su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} --reloadcmd '${_aic_reload_cmd}'"
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} --reloadcmd '${_aic_reload_cmd}'"
 else
- su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} "
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} "
 fi
 }
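Review bot: Style point: the two `su` lines differ only in the trailing `--reloadcmd`, so the long acme.sh command is duplicated and the copies had already drifted once (the `${aic_ca_path}` typo this hunk fixes was present in both, meaning `--ca-file` was passed an empty argument on every prior run). Assemble the optional part once and call `su` once: `_aic_reload_args=''`, then `[ -z "$_aic_reload_cmd" ] || _aic_reload_args="--reloadcmd '${_aic_reload_cmd}'"`, then a single `su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} ${_aic_reload_args}"`. The fix from `_aic_name` to `_aic_firstdomain` for `--domain` is worth a one-line comment, since acme.sh keys its state by the first issued domain and the certificate name no longer has to match it. `acme_install_certificate` begins before this hunk.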
@@ -91,14 +94,29 @@ acme_setup_proxy(){
 # Configure SSHD for acmeproxy.
 install_template -m 0644 /usr/local/etc/ssh/sshd_config.d/acmeproxy.conf
- service sshd reload
+ service openssh reload
 # Acquire ACME certificates for client SFTP.
 for domain in $acmeproxy_domains; do
- acme_install_certificate \
- -c "${acmeproxy_home}/certs/${domain}.crt" \
- -k "${acmeproxy_home}/certs/${domain}.key" \
- -g "${acmeproxy_client_gid:-${acmeproxy_client_group}}" \
- $domain
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} -d ${domain}" && _asp_rc=$? || _asp_rc=$?
+
+ case $_asp_rc in
+ 0) ;; # New cert was issued.
+ 2) ;; # Cert was unchanged.
+ *) die "failed to issue ACME certificate for ${domain}" ;;
+ esac
+
+ _asp_cert="${acmeproxy_home}/certs/${domain}.crt"
+ _asp_key="${acmeproxy_home}/certs/${domain}.key"
+ _asp_group="${acmeproxy_client_gid:-${acmeproxy_client_group}}"
+
+ if [ -f "$_asp_key" ]; then
+ chmod 640 "$_asp_key"
+ chown "${acme_user}:${_asp_group}" "$_asp_key"
+ else
+ install -o "$acme_user" -g "$_asp_group" -m 0640 /dev/null "$_asp_key"
+ fi
+
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${domain} --key-file ${_asp_key} --fullchain-file ${_asp_cert}"
 done
 }
diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop
index 4d97d4e..e92a8ac 100644
--- a/vars/hostclass/desktop
+++ b/vars/hostclass/desktop
@@ -30,6 +30,7 @@ ffmpeg
 firefox
 git
 gnupg
+hs-pandoc
 inconsolata-ttf
 krb5
 libreoffice
@@ -41,6 +42,7 @@ noto-emoji
 password-store
 postgresql16-client
 pulseaudio
+python
 py${python_version}-pip
 rsync
 signal-desktop
diff --git a/vars/os/freebsd b/vars/os/freebsd
index dfdcc5f..90367bf 100644
--- a/vars/os/freebsd
+++ b/vars/os/freebsd
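Review bot: The issuance added here always uses `-w ${acme_webroot}`, but the first 60-acme hunk now skips creating `$acme_webroot` when `acme_standalone` is `true`, and `acme_install_certificate` switches to `--standalone` in that mode; if `acme_setup_proxy` can run on a standalone host, this loop fails at the webroot challenge. Either reuse the same mode branch here or state the assumption up front: `[ "${acme_standalone:-}" != true ] || die "acme_setup_proxy requires webroot mode"`. The inline issue/install sequence duplicates what `acme_install_certificate` does, apparently because the acmeproxy keys live under `${acmeproxy_home}/certs` rather than `${acme_cert_dir}`; a comment saying exactly that (`# Not acme_install_certificate: client keys live under acmeproxy_home and are group-readable by the SFTP client group`) would stop the next reader from "fixing" it back. The key handling itself, 0640 owned by `$acme_user` with group `$_asp_group` before acme.sh writes into it, is sound.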
@@ -24,7 +24,7 @@ python_version=311
 saslauthd_runtime_dir=/var/run/saslauthd
 saslauthd_user=cyrus
 site_cacert_path=/usr/local/etc/ssl/certs/ca.crt
-system_cacert_path=/etc/ssl/certs
+system_cadir_path=/etc/ssl/certs
 ssh_host_key_dir=/var/db/ssh
 xdg_override_dir=/usr/local/share-override