diff options
author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-28 22:14:59 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-28 22:14:59 -0400 |
commit | 7eb111136453d0e8d8451d7dd85ba9892318f294 (patch) | |
tree | b743ed4dba823a5e44b81670453cd5365697caa8 /scripts | |
parent | 6566745769b86f19d5d3b54f7de7f0c89a103b23 (diff) | |
download | infrastructure-7eb111136453d0e8d8451d7dd85ba9892318f294.tar.gz |
acme/nginx/asterisk fixes
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/common/10-vars | 2 | ||||
-rw-r--r-- | scripts/hostclass/asterisk_server | 8 | ||||
-rw-r--r-- | scripts/hostclass/authoritative_nameserver | 4 | ||||
-rw-r--r-- | scripts/hostclass/public_webserver | 8 | ||||
-rw-r--r-- | scripts/os/freebsd/20-termcap | 1 | ||||
-rw-r--r-- | scripts/os/freebsd/60-acme | 60 |
6 files changed, 50 insertions, 33 deletions
diff --git a/scripts/common/10-vars b/scripts/common/10-vars index 361bb7b..a82dd44 100644 --- a/scripts/common/10-vars +++ b/scripts/common/10-vars @@ -4,7 +4,7 @@ if [ "${idm_bootstrap:-}" = true ]; then resolvers=$bootstrap_resolvers pkg_host=$pkg_host_ip else - : ${resolvers:="$(echo "$idm_server_list" | awk '{print $3}')"} + : ${resolvers:="$(echo "$idm_server_list" | awk '{printf "%s ",$3}')"} : ${pkg_host:="pkg.${domain}"} fi diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server index fe10f51..dcd2675 100644 --- a/scripts/hostclass/asterisk_server +++ b/scripts/hostclass/asterisk_server @@ -54,23 +54,23 @@ install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_ install_file -m 0644 \ "${asterisk_conf_dir}/extensions.conf" \ "${asterisk_conf_dir}/logger.conf" \ - "${asterisk_conf_dir}/queues.conf" \ "${asterisk_conf_dir}/voicemail.conf" install_template -m 0644 \ "${asterisk_conf_dir}/voicemail.conf" \ "${asterisk_conf_dir}/pjsip.conf" \ + "${asterisk_conf_dir}/queues.conf" \ "${asterisk_conf_dir}/rtp.conf" -install_template -m 0640 \ +install_template -m 0640 -g "$asterisk_user" \ "${asterisk_conf_dir}/pjsip_wizard.conf" # Acquire public TLS certificate. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \ - -c "$asterisk_public_tls_cert" \ - -k "$asterisk_public_tls_key" \ + -g "$asterisk_user" \ -r 'sudo service asterisk reload' \ + asterisk \ "$asterisk_public_fqdn" # Enable and start asterisk. diff --git a/scripts/hostclass/authoritative_nameserver b/scripts/hostclass/authoritative_nameserver index 69a7dde..0b7e73f 100644 --- a/scripts/hostclass/authoritative_nameserver +++ b/scripts/hostclass/authoritative_nameserver @@ -18,8 +18,8 @@ install_template -m 0644 /usr/local/etc/nsd/nsd.conf # Copy zone files. for zone in $nsd_zones; do - eval "zone_name=\${nsd_${zone}_zone}" - install_file -m 0644 "${nsd_conf_dir}/${zone_name}.zone" + eval "_domain=\${nsd_${zone}_domain}" + install_file -m 0644 "${nsd_conf_dir}/${_domain}.zone" done # Enable and start nsd. diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver index 721cbfc..3877313 100644 --- a/scripts/hostclass/public_webserver +++ b/scripts/hostclass/public_webserver @@ -27,14 +27,12 @@ service nginx restart # Acquire public TLS certificates. install_template -m 0600 /usr/local/etc/sudoers.d/acme -for cert in $acme_certs; do - eval "acme_domains=\${acme_${cert}_domains}" +for certname in $acme_certs; do + eval "acme_domains=\${acme_${certname}_domains}" acme_install_certificate \ - -C "${acme_cert_dir}/${cert}.ca.crt" \ - -c "${acme_cert_dir}/${cert}.crt" \ - -k "${acme_cert_dir}/${cert}.key" \ -g "$nginx_user" \ -r 'sudo service nginx reload' \ + "$certname" \ $acme_domains done diff --git a/scripts/os/freebsd/20-termcap b/scripts/os/freebsd/20-termcap index ea5a1b5..ff10d44 100644 --- a/scripts/os/freebsd/20-termcap +++ b/scripts/os/freebsd/20-termcap @@ -2,6 +2,7 @@ # Fix xterm-256color termcap # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679 +mkdir -p /usr/local/share/site-terminfo cat <<'EOF' | tic -o /usr/local/share/site-terminfo - xterm-256color|xterm with 256 colors, am, bce, ccc, km, mc5i, mir, msgr, npc, xenl, diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme index 94b832d..61a9454 100644 --- a/scripts/os/freebsd/60-acme +++ b/scripts/os/freebsd/60-acme @@ -29,36 +29,39 @@ if [ "${nginx_public:-}" = true ] && ! [ -f "$dhparams_path" ]; then openssl dhparam -out "$dhparams_path" 2048 fi +if [ "${acme_standalone:-}" != true ]; then + install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot" +fi + acme_install_certificate(){ _aic_group=0 - _aic_cert_path= - _aic_key_path= - _aic_ca_path= _aic_reload_cmd= + _aic_name= + _aic_domain= - while getopts C:c:g:k:r: _aic_opt; do + while getopts g:r: _aic_opt; do case $_aic_opt in - C) _aic_ca_path=$OPTARG ;; - c) _aic_cert_path=$OPTARG ;; g) _aic_group=$OPTARG ;; - k) _aic_key_path=$OPTARG ;; r) _aic_reload_cmd=$OPTARG ;; esac done - shift $((OPTIND - 1)) - _aic_name=$1 - # Acquire the certificate via HTTP ACME challenge. + _aic_name=$1; shift + _aic_key_path="${acme_cert_dir}/${_aic_name}.key" + _aic_cert_path="${acme_cert_dir}/${_aic_name}.crt" + _aic_ca_path="${acme_cert_dir}/${_aic_name}.ca.crt" + + _aic_firstdomain=$1 _aic_domain_args='' for _aic_domain; do _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}" done - if [ -n "${acme_standalone:-}" ]; then - su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? + # Acquire the certificate via HTTP ACME challenge. + if [ "${acme_standalone:-}" = true ]; then + su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httpport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? else - install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot" su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? fi @@ -77,9 +80,9 @@ acme_install_certificate(){ fi if [ -n "$_aic_reload_cmd" ]; then - su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} --reloadcmd '${_aic_reload_cmd}'" + su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} --reloadcmd '${_aic_reload_cmd}'" else - su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} " + su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} " fi } @@ -91,14 +94,29 @@ acme_setup_proxy(){ # Configure SSHD for acmeproxy. install_template -m 0644 /usr/local/etc/ssh/sshd_config.d/acmeproxy.conf - service sshd reload + service openssh reload # Acquire ACME certificates for client SFTP. for domain in $acmeproxy_domains; do - acme_install_certificate \ - -c "${acmeproxy_home}/certs/${domain}.crt" \ - -k "${acmeproxy_home}/certs/${domain}.key" \ - -g "${acmeproxy_client_gid:-${acmeproxy_client_group}}" \ - $domain + su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} -d ${domain}" && _asp_rc=$? || _asp_rc=$? + + case $_asp_rc in + 0) ;; # New cert was issued. + 2) ;; # Cert was unchanged. + *) die "failed to issue ACME certificate for ${domain}" ;; + esac + + _asp_cert="${acmeproxy_home}/certs/${domain}.crt" + _asp_key="${acmeproxy_home}/certs/${domain}.key" + _asp_group="${acmeproxy_client_gid:-${acmeproxy_client_group}}" + + if [ -f "$_asp_key" ]; then + chmod 640 "$_asp_key" + chown "${acme_user}:${_asp_group}" "$_asp_key" + else + install -o "$acme_user" -g "$_asp_group" -m 0640 /dev/null "$_asp_key" + fi + + su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${domain} --key-file ${_asp_key} --fullchain-file ${_asp_cert}" done } |