From 7eb111136453d0e8d8451d7dd85ba9892318f294 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Mon, 28 Oct 2024 22:14:59 -0400
Subject: acme/nginx/asterisk fixes

---
 .../local/etc/asterisk/logger.conf.asterisk_server |  4 +-
 .../local/etc/asterisk/pjsip.conf.asterisk_server  |  2 +-
 .../etc/asterisk/pjsip_wizard.conf.asterisk_server |  3 ++
 .../local/etc/asterisk/rtp.conf.asterisk_server    |  4 +-
 .../etc/icinga2/conf.d/services.conf.icinga_server | 42 ++++++++++++++-
 files/usr/local/etc/nginx/nginx.conf.common        |  2 +-
 .../etc/nsd/nsd.conf.authoritative_nameserver      |  2 +-
 files/usr/local/etc/postfix/main.cf.smtp_server    |  4 +-
 .../usr/local/etc/unbound/unbound.conf.idm_server  |  2 +-
 scripts/common/10-vars                             |  2 +-
 scripts/hostclass/asterisk_server                  |  8 +--
 scripts/hostclass/authoritative_nameserver         |  4 +-
 scripts/hostclass/public_webserver                 |  8 ++-
 scripts/os/freebsd/20-termcap                      |  1 +
 scripts/os/freebsd/60-acme                         | 60 ++++++++++++++--------
 vars/hostclass/desktop                             |  2 +
 vars/os/freebsd                                    |  2 +-
 17 files changed, 106 insertions(+), 46 deletions(-)

diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
index 3bf2a53..d2a5a7d 100644
--- a/files/usr/local/etc/asterisk/logger.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
@@ -1,3 +1,3 @@
 [logfiles]
-console => notice,warning,error
-syslog.daemon => notice,warning,error,security,verbose1
+console => notice,warning,error,verbose1
+syslog.daemon => notice,warning,error,verbose1
diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
index 0f83a81..dd10763 100644
--- a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
@@ -20,7 +20,7 @@ bind          = 0.0.0.0:5061
 method        = tlsv1_2
 cert_file     = ${asterisk_public_tls_cert}
 priv_key_file = ${asterisk_public_tls_key}
-ca_list_file  = ${ca_root_nss_bundle}
+ca_list_path  = ${system_cadir_path}
 verify_client = no
 verify_server = yes
 allow_reload  = yes
diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
index 1de448f..8d01aa5 100644
--- a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
@@ -40,8 +40,10 @@ aor/remove_existing        = yes
 endpoint/allow             = !all,g722,ulaw
 endpoint/from_domain       = ${asterisk_sip_domain}
 endpoint/subscribe_context = subscribe
+endpoint/transport = transport-tcp
 
 $(for ext in ${asterisk_exts:-}; do
+  eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tcp'}"
   eval "ext_context=\${asterisk_ext_${ext}_context}"
   eval "ext_password=\${asterisk_ext_${ext}_password}"
   eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}"
@@ -62,4 +64,5 @@ aor/max_contacts      = ${ext_max_contacts}
 aor/qualify_frequency = ${ext_qualify_freq}
 aor/qualify_timeout   = ${ext_qualify_timeout}
 endpoint/direct_media = ${ext_direct_media}
+endpoint/transport    = transport-${ext_proto}
 "; done)
diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
index d16d1f0..31d1797 100644
--- a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
@@ -1,3 +1,3 @@
 [general]
-rtpstart=${asterisk_rtp_start_port}
-rtpend=${asterisk_rtp_end_port}
+rtpstart=${asterisk_rtp_port_start}
+rtpend=${asterisk_rtp_port_end}
diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
index 8d0433f..4340192 100644
--- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
@@ -34,6 +34,17 @@ apply Service "dns" {
   assign where "idm-servers" in host.groups
 }
 
+apply Service for (zone in host.vars.zones) {
+  check_command = "dns"
+  vars.dns_lookup = zone
+  name = "dns-" + zone
+  display_name = zone
+  vars.dns_server = "\$address\$"
+  vars.dns_wtime = ${icinga_response_time_warn}
+  vars.dns_ctime = ${icinga_response_time_crit}
+  assign where "nameservers" in host.groups
+}
+
 apply Service "resolver" {
   check_command = "dns"
   vars.dns_lookup = "www.google.com"
@@ -278,7 +289,6 @@ apply Service "https" {
   vars.http_warn_time = ${icinga_response_time_warn}
   vars.http_critical_time = ${icinga_response_time_crit}
   assign where ("pkg-repositories"  in host.groups
-             || "web-servers"       in host.groups
              || "xmpp-servers"      in host.groups
              || "znc-servers"       in host.groups
              || "bitwarden-servers" in host.groups)
@@ -316,7 +326,7 @@ apply Service "https-cert" {
   vars.http_vhost = "\$address\$"
   vars.http_ssl = true
   vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
-  assign where ("invidious-servers" in host.groups
+  assign where (("invidious-servers" in host.groups
              || "nfs-servers"       in host.groups
              || "pkg-repositories"  in host.groups
              || "unifi-controllers" in host.groups
@@ -327,5 +337,33 @@ apply Service "https-cert" {
              || "dav-servers"       in host.groups
              || "smtp-servers"      in host.groups
              || "icinga-servers"    in host.groups
+             || "web-servers"       in host.groups
              || "ttrss-servers"     in host.groups)
+             && !host.vars.https_vhosts)
+}
+
+// Expect HTTPS 200
+apply Service for (vhost in host.vars.https_vhosts) {
+  check_command = "http"
+  name = vhost + "-cert"
+  display_name = vhost + " certificate"
+  vars.http_vhost = vhost
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_ssl = true
+  vars.http_sni = true
+  vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
+}
+
+// Certificate validity
+apply Service for (vhost in host.vars.https_vhosts) {
+  check_command = "http"
+  name = vhost
+  display_name = vhost
+  vars.http_vhost = vhost
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_ssl = true
+  vars.http_sni = true
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_warn_time = ${icinga_response_time_warn}
+  vars.http_critical_time = ${icinga_response_time_crit}
 }
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 98ff9f9..d340735 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -33,7 +33,7 @@ http {
   ssl_session_timeout        1d;
   ssl_session_cache          shared:SSL:10m;
   ssl_session_tickets        off;
-$(if [ "${nginx_public:-}" = true ]; then <<EOF
+$(if [ "${nginx_public:-}" = true ]; then cat <<EOF
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
   ssl_dhparam ${dhparams_path};
diff --git a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
index b6d1e11..0a3b224 100644
--- a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
+++ b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
@@ -1,7 +1,7 @@
 server:
   server-count: ${nsd_threads}
   log-only-syslog: yes
-  verbosity: 1
+  verbosity: 2
   hide-version: yes
   minimal-responses: yes
   refuse-any: yes
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index 1f42202..155c18c 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -67,12 +67,12 @@ smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_helo_required             = yes
 
-smtp_tls_CApath                 = ${system_cacert_path}
+smtp_tls_CApath                 = ${system_cadir_path}
 smtp_tls_security_level         = may
 smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
 smtp_tls_loglevel               = 1
 
-lmtp_tls_CApath                 = ${system_cacert_path}
+lmtp_tls_CAfile                 = ${site_cacert_path}
 lmtp_tls_security_level         = encrypt
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
 smtp_tls_loglevel               = 1
diff --git a/files/usr/local/etc/unbound/unbound.conf.idm_server b/files/usr/local/etc/unbound/unbound.conf.idm_server
index 762fe09..8af2c61 100644
--- a/files/usr/local/etc/unbound/unbound.conf.idm_server
+++ b/files/usr/local/etc/unbound/unbound.conf.idm_server
@@ -53,7 +53,7 @@ $([ -z "$unbound_local_zones" ] || printf '  local-zone: "%s" typetransparent\n'
   private-domain: "${domain}"
 $([ -z "$unbound_local_zones" ] || printf '  private-domain: "%s"\n' $unbound_local_zones)
 
-$([ -z "$unbound_local_data" ] || printf '  local-data: "%s"\n' $unbound_local_data)
+$([ -z "$unbound_local_data" ] || echo "$unbound_local_data" | while read -r data; do [ -n "$data" ] && printf '  local-data: "%s"\n' "$data"; done)
 
 $(echo "$unbound_blocklists" | while read -r name _url; do
     [ -n "$name" ] && printf "rpz:\n  name: %s\n  zonefile: ${unbound_blocklist_dir}/%s.zone\n" "$name" "$name"; done)
diff --git a/scripts/common/10-vars b/scripts/common/10-vars
index 361bb7b..a82dd44 100644
--- a/scripts/common/10-vars
+++ b/scripts/common/10-vars
@@ -4,7 +4,7 @@ if [ "${idm_bootstrap:-}" = true ]; then
   resolvers=$bootstrap_resolvers
   pkg_host=$pkg_host_ip
 else
-  : ${resolvers:="$(echo "$idm_server_list" | awk '{print $3}')"}
+  : ${resolvers:="$(echo "$idm_server_list" | awk '{printf "%s ",$3}')"}
   : ${pkg_host:="pkg.${domain}"}
 fi
 
diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server
index fe10f51..dcd2675 100644
--- a/scripts/hostclass/asterisk_server
+++ b/scripts/hostclass/asterisk_server
@@ -54,23 +54,23 @@ install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_
 install_file -m 0644 \
   "${asterisk_conf_dir}/extensions.conf" \
   "${asterisk_conf_dir}/logger.conf" \
-  "${asterisk_conf_dir}/queues.conf" \
   "${asterisk_conf_dir}/voicemail.conf"
 
 install_template -m 0644 \
   "${asterisk_conf_dir}/voicemail.conf" \
   "${asterisk_conf_dir}/pjsip.conf" \
+  "${asterisk_conf_dir}/queues.conf" \
   "${asterisk_conf_dir}/rtp.conf"
 
-install_template -m 0640 \
+install_template -m 0640 -g "$asterisk_user" \
   "${asterisk_conf_dir}/pjsip_wizard.conf"
 
 # Acquire public TLS certificate.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
 acme_install_certificate \
-  -c "$asterisk_public_tls_cert" \
-  -k "$asterisk_public_tls_key" \
+  -g "$asterisk_user" \
   -r 'sudo service asterisk reload' \
+  asterisk \
   "$asterisk_public_fqdn"
 
 # Enable and start asterisk.
diff --git a/scripts/hostclass/authoritative_nameserver b/scripts/hostclass/authoritative_nameserver
index 69a7dde..0b7e73f 100644
--- a/scripts/hostclass/authoritative_nameserver
+++ b/scripts/hostclass/authoritative_nameserver
@@ -18,8 +18,8 @@ install_template -m 0644 /usr/local/etc/nsd/nsd.conf
 
 # Copy zone files.
 for zone in $nsd_zones; do
-  eval "zone_name=\${nsd_${zone}_zone}"
-  install_file -m 0644 "${nsd_conf_dir}/${zone_name}.zone"
+  eval "_domain=\${nsd_${zone}_domain}"
+  install_file -m 0644 "${nsd_conf_dir}/${_domain}.zone"
 done
 
 # Enable and start nsd.
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index 721cbfc..3877313 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
@@ -27,14 +27,12 @@ service nginx restart
 
 # Acquire public TLS certificates.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
-for cert in $acme_certs; do
-  eval "acme_domains=\${acme_${cert}_domains}"
+for certname in $acme_certs; do
+  eval "acme_domains=\${acme_${certname}_domains}"
   acme_install_certificate \
-    -C "${acme_cert_dir}/${cert}.ca.crt" \
-    -c "${acme_cert_dir}/${cert}.crt" \
-    -k "${acme_cert_dir}/${cert}.key" \
     -g "$nginx_user" \
     -r 'sudo service nginx reload' \
+    "$certname" \
     $acme_domains
 done
 
diff --git a/scripts/os/freebsd/20-termcap b/scripts/os/freebsd/20-termcap
index ea5a1b5..ff10d44 100644
--- a/scripts/os/freebsd/20-termcap
+++ b/scripts/os/freebsd/20-termcap
@@ -2,6 +2,7 @@
 
 # Fix xterm-256color termcap
 # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679
+mkdir -p /usr/local/share/site-terminfo
 cat <<'EOF' | tic -o /usr/local/share/site-terminfo -
 xterm-256color|xterm with 256 colors,
         am, bce, ccc, km, mc5i, mir, msgr, npc, xenl,
diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme
index 94b832d..61a9454 100644
--- a/scripts/os/freebsd/60-acme
+++ b/scripts/os/freebsd/60-acme
@@ -29,36 +29,39 @@ if [ "${nginx_public:-}" = true ] && ! [ -f "$dhparams_path" ]; then
   openssl dhparam -out "$dhparams_path" 2048
 fi
 
+if [ "${acme_standalone:-}" != true ]; then
+  install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
+fi
+
 acme_install_certificate(){
   _aic_group=0
-  _aic_cert_path=
-  _aic_key_path=
-  _aic_ca_path=
   _aic_reload_cmd=
+  _aic_name=
+  _aic_domain=
 
-  while getopts C:c:g:k:r: _aic_opt; do
+  while getopts g:r: _aic_opt; do
     case $_aic_opt in
-      C) _aic_ca_path=$OPTARG ;;
-      c) _aic_cert_path=$OPTARG ;;
       g) _aic_group=$OPTARG ;;
-      k) _aic_key_path=$OPTARG ;;
       r) _aic_reload_cmd=$OPTARG ;;
     esac
   done
-
   shift $((OPTIND - 1))
-  _aic_name=$1
 
-  # Acquire the certificate via HTTP ACME challenge.
+  _aic_name=$1; shift
+  _aic_key_path="${acme_cert_dir}/${_aic_name}.key"
+  _aic_cert_path="${acme_cert_dir}/${_aic_name}.crt"
+  _aic_ca_path="${acme_cert_dir}/${_aic_name}.ca.crt"
+
+  _aic_firstdomain=$1
   _aic_domain_args=''
   for _aic_domain; do
     _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}"
   done
 
-  if [ -n "${acme_standalone:-}" ]; then
-     su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
+  # Acquire the certificate via HTTP ACME challenge.
+  if [ "${acme_standalone:-}" = true ]; then
+     su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httpport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
   else
-    install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
     su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
   fi
 
@@ -77,9 +80,9 @@ acme_install_certificate(){
   fi
 
   if [ -n "$_aic_reload_cmd" ]; then
-    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} --reloadcmd '${_aic_reload_cmd}'"
+    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} --reloadcmd '${_aic_reload_cmd}'"
   else
-    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${aic_ca_path} "
+    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} "
   fi
 }
 
@@ -91,14 +94,29 @@ acme_setup_proxy(){
 
   # Configure SSHD for acmeproxy.
   install_template -m 0644 /usr/local/etc/ssh/sshd_config.d/acmeproxy.conf
-  service sshd reload
+  service openssh reload
 
   # Acquire ACME certificates for client SFTP.
   for domain in $acmeproxy_domains; do
-    acme_install_certificate \
-      -c "${acmeproxy_home}/certs/${domain}.crt" \
-      -k "${acmeproxy_home}/certs/${domain}.key" \
-      -g "${acmeproxy_client_gid:-${acmeproxy_client_group}}" \
-      $domain
+    su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} -d ${domain}" && _asp_rc=$? || _asp_rc=$?
+
+    case $_asp_rc in
+      0) ;; # New cert was issued.
+      2) ;; # Cert was unchanged.
+      *) die "failed to issue ACME certificate for ${domain}" ;;
+    esac
+
+    _asp_cert="${acmeproxy_home}/certs/${domain}.crt"
+    _asp_key="${acmeproxy_home}/certs/${domain}.key"
+    _asp_group="${acmeproxy_client_gid:-${acmeproxy_client_group}}"
+
+    if [ -f "$_asp_key" ]; then
+      chmod 640 "$_asp_key"
+      chown "${acme_user}:${_asp_group}" "$_asp_key"
+    else
+      install -o "$acme_user" -g "$_asp_group" -m 0640 /dev/null "$_asp_key"
+    fi
+
+    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${domain} --key-file ${_asp_key} --fullchain-file ${_asp_cert}"
   done
 }
diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop
index 4d97d4e..e92a8ac 100644
--- a/vars/hostclass/desktop
+++ b/vars/hostclass/desktop
@@ -30,6 +30,7 @@ ffmpeg
 firefox
 git
 gnupg
+hs-pandoc
 inconsolata-ttf
 krb5
 libreoffice
@@ -41,6 +42,7 @@ noto-emoji
 password-store
 postgresql16-client
 pulseaudio
+python
 py${python_version}-pip
 rsync
 signal-desktop
diff --git a/vars/os/freebsd b/vars/os/freebsd
index dfdcc5f..90367bf 100644
--- a/vars/os/freebsd
+++ b/vars/os/freebsd
@@ -24,7 +24,7 @@ python_version=311
 saslauthd_runtime_dir=/var/run/saslauthd
 saslauthd_user=cyrus
 site_cacert_path=/usr/local/etc/ssl/certs/ca.crt
-system_cacert_path=/etc/ssl/certs
+system_cadir_path=/etc/ssl/certs
 ssh_host_key_dir=/var/db/ssh
 xdg_override_dir=/usr/local/share-override
 
-- 
cgit v1.2.3