diff options
Diffstat (limited to 'files/usr/local/etc')
9 files changed, 53 insertions, 12 deletions
diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server index 3bf2a53..d2a5a7d 100644 --- a/files/usr/local/etc/asterisk/logger.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server @@ -1,3 +1,3 @@ [logfiles] -console => notice,warning,error -syslog.daemon => notice,warning,error,security,verbose1 +console => notice,warning,error,verbose1 +syslog.daemon => notice,warning,error,verbose1 diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server index 0f83a81..dd10763 100644 --- a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server @@ -20,7 +20,7 @@ bind = 0.0.0.0:5061 method = tlsv1_2 cert_file = ${asterisk_public_tls_cert} priv_key_file = ${asterisk_public_tls_key} -ca_list_file = ${ca_root_nss_bundle} +ca_list_path = ${system_cadir_path} verify_client = no verify_server = yes allow_reload = yes diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server index 1de448f..8d01aa5 100644 --- a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server @@ -40,8 +40,10 @@ aor/remove_existing = yes endpoint/allow = !all,g722,ulaw endpoint/from_domain = ${asterisk_sip_domain} endpoint/subscribe_context = subscribe +endpoint/transport = transport-tcp $(for ext in ${asterisk_exts:-}; do + eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tcp'}" eval "ext_context=\${asterisk_ext_${ext}_context}" eval "ext_password=\${asterisk_ext_${ext}_password}" eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}" @@ -62,4 +64,5 @@ aor/max_contacts = ${ext_max_contacts} aor/qualify_frequency = ${ext_qualify_freq} aor/qualify_timeout = ${ext_qualify_timeout} endpoint/direct_media = ${ext_direct_media} +endpoint/transport = transport-${ext_proto} "; done) diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server index d16d1f0..31d1797 100644 --- a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server @@ -1,3 +1,3 @@ [general] -rtpstart=${asterisk_rtp_start_port} -rtpend=${asterisk_rtp_end_port} +rtpstart=${asterisk_rtp_port_start} +rtpend=${asterisk_rtp_port_end} diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server index 8d0433f..4340192 100644 --- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server @@ -34,6 +34,17 @@ apply Service "dns" { assign where "idm-servers" in host.groups } +apply Service for (zone in host.vars.zones) { + check_command = "dns" + vars.dns_lookup = zone + name = "dns-" + zone + display_name = zone + vars.dns_server = "\$address\$" + vars.dns_wtime = ${icinga_response_time_warn} + vars.dns_ctime = ${icinga_response_time_crit} + assign where "nameservers" in host.groups +} + apply Service "resolver" { check_command = "dns" vars.dns_lookup = "www.google.com" @@ -278,7 +289,6 @@ apply Service "https" { vars.http_warn_time = ${icinga_response_time_warn} vars.http_critical_time = ${icinga_response_time_crit} assign where ("pkg-repositories" in host.groups - || "web-servers" in host.groups || "xmpp-servers" in host.groups || "znc-servers" in host.groups || "bitwarden-servers" in host.groups) @@ -316,7 +326,7 @@ apply Service "https-cert" { vars.http_vhost = "\$address\$" vars.http_ssl = true vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} - assign where ("invidious-servers" in host.groups + assign where (("invidious-servers" in host.groups || "nfs-servers" in host.groups || "pkg-repositories" in host.groups || "unifi-controllers" in host.groups @@ -327,5 +337,33 @@ apply Service "https-cert" { || "dav-servers" in host.groups || "smtp-servers" in host.groups || "icinga-servers" in host.groups + || "web-servers" in host.groups || "ttrss-servers" in host.groups) + && !host.vars.https_vhosts) +} + +// Expect HTTPS 200 +apply Service for (vhost in host.vars.https_vhosts) { + check_command = "http" + name = vhost + "-cert" + display_name = vhost + " certificate" + vars.http_vhost = vhost + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_sni = true + vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} +} + +// Certificate validity +apply Service for (vhost in host.vars.https_vhosts) { + check_command = "http" + name = vhost + display_name = vhost + vars.http_vhost = vhost + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_sni = true + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} } diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common index 98ff9f9..d340735 100644 --- a/files/usr/local/etc/nginx/nginx.conf.common +++ b/files/usr/local/etc/nginx/nginx.conf.common @@ -33,7 +33,7 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; -$(if [ "${nginx_public:-}" = true ]; then <<EOF +$(if [ "${nginx_public:-}" = true ]; then cat <<EOF ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_dhparam ${dhparams_path}; diff --git a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver index b6d1e11..0a3b224 100644 --- a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver +++ b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver @@ -1,7 +1,7 @@ server: server-count: ${nsd_threads} log-only-syslog: yes - verbosity: 1 + verbosity: 2 hide-version: yes minimal-responses: yes refuse-any: yes diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server index 1f42202..155c18c 100644 --- a/files/usr/local/etc/postfix/main.cf.smtp_server +++ b/files/usr/local/etc/postfix/main.cf.smtp_server @@ -67,12 +67,12 @@ smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous smtpd_helo_required = yes -smtp_tls_CApath = ${system_cacert_path} +smtp_tls_CApath = ${system_cadir_path} smtp_tls_security_level = may smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache smtp_tls_loglevel = 1 -lmtp_tls_CApath = ${system_cacert_path} +lmtp_tls_CAfile = ${site_cacert_path} lmtp_tls_security_level = encrypt lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache smtp_tls_loglevel = 1 diff --git a/files/usr/local/etc/unbound/unbound.conf.idm_server b/files/usr/local/etc/unbound/unbound.conf.idm_server index 762fe09..8af2c61 100644 --- a/files/usr/local/etc/unbound/unbound.conf.idm_server +++ b/files/usr/local/etc/unbound/unbound.conf.idm_server @@ -53,7 +53,7 @@ $([ -z "$unbound_local_zones" ] || printf ' local-zone: "%s" typetransparent\n' private-domain: "${domain}" $([ -z "$unbound_local_zones" ] || printf ' private-domain: "%s"\n' $unbound_local_zones) -$([ -z "$unbound_local_data" ] || printf ' local-data: "%s"\n' $unbound_local_data) +$([ -z "$unbound_local_data" ] || echo "$unbound_local_data" | while read -r data; do [ -n "$data" ] && printf ' local-data: "%s"\n' "$data"; done) $(echo "$unbound_blocklists" | while read -r name _url; do [ -n "$name" ] && printf "rpz:\n name: %s\n zonefile: ${unbound_blocklist_dir}/%s.zone\n" "$name" "$name"; done) |