From 7eb111136453d0e8d8451d7dd85ba9892318f294 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Mon, 28 Oct 2024 22:14:59 -0400
Subject: acme/nginx/asterisk fixes

---
 .../local/etc/asterisk/logger.conf.asterisk_server |  4 +--
 .../local/etc/asterisk/pjsip.conf.asterisk_server  |  2 +-
 .../etc/asterisk/pjsip_wizard.conf.asterisk_server |  3 ++
 .../local/etc/asterisk/rtp.conf.asterisk_server    |  4 +--
 .../etc/icinga2/conf.d/services.conf.icinga_server | 42 ++++++++++++++++++++--
 files/usr/local/etc/nginx/nginx.conf.common        |  2 +-
 .../etc/nsd/nsd.conf.authoritative_nameserver      |  2 +-
 files/usr/local/etc/postfix/main.cf.smtp_server    |  4 +--
 .../usr/local/etc/unbound/unbound.conf.idm_server  |  2 +-
 9 files changed, 53 insertions(+), 12 deletions(-)


diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
index 3bf2a53..d2a5a7d 100644
--- a/files/usr/local/etc/asterisk/logger.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
@@ -1,3 +1,3 @@
 [logfiles]
-console => notice,warning,error
-syslog.daemon => notice,warning,error,security,verbose1
+console => notice,warning,error,verbose1
+syslog.daemon => notice,warning,error,verbose1
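Review bot: The new `syslog.daemon` line drops the `security` level that the old line carried, so whatever Asterisk emits at that level (the security-event records on failed authentication and similar, if that logging module is loaded) no longer reaches syslog, and nothing else in this hunk picks it up. If the intent was only to add `verbose1` to the console, keep `syslog.daemon => notice,warning,error,security,verbose1`. If dropping it is deliberate, a one-line comment above the line saying where security events now go would save the next reader from re-adding it.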
diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
index 0f83a81..dd10763 100644
--- a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
@@ -20,7 +20,7 @@ bind          = 0.0.0.0:5061
 method        = tlsv1_2
 cert_file     = ${asterisk_public_tls_cert}
 priv_key_file = ${asterisk_public_tls_key}
-ca_list_file  = ${ca_root_nss_bundle}
+ca_list_path  = ${system_cadir_path}
 verify_client = no
 verify_server = yes
 allow_reload  = yes
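Review bot: `ca_list_path` points PJSIP at a directory instead of a bundle, and OpenSSL only finds certificates in a directory by hashed filename (`c_rehash` / `openssl rehash`), so `${system_cadir_path}` must be such a hashed directory or `verify_server = yes` will reject every peer certificate at runtime rather than failing at config load. A comment on the line would make the requirement visible, e.g. `; must be an OpenSSL-hashed cert directory (openssl rehash), not a bundle file`. The transport section this belongs to begins above the hunk.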
diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
index 1de448f..8d01aa5 100644
--- a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
@@ -40,8 +40,10 @@ aor/remove_existing        = yes
 endpoint/allow             = !all,g722,ulaw
 endpoint/from_domain       = ${asterisk_sip_domain}
 endpoint/subscribe_context = subscribe
+endpoint/transport = transport-tcp
 
 $(for ext in ${asterisk_exts:-}; do
+  eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tcp'}"
   eval "ext_context=\${asterisk_ext_${ext}_context}"
   eval "ext_password=\${asterisk_ext_${ext}_password}"
   eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}"
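Review bot: The per-extension default of `tcp` for `ext_proto` pins every endpoint that does not set `asterisk_ext_<ext>_proto` to cleartext SIP signalling, while the only transport visible in this commit's pjsip.conf hunk is the TLS one on 5061; unless `transport-tcp` is deliberately the common case, `tls` is the safer default: `eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tls'}"`. The value is later pasted straight into a section name, so a typo produces a reference to a transport that does not exist and only surfaces when Asterisk loads the endpoint. Minor style point: the template line `endpoint/transport = transport-tcp` is the only one in its section not padded to the `=` column. The `$(for …)` loop runs past the end of this hunk.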
@@ -62,4 +64,5 @@ aor/max_contacts      = ${ext_max_contacts}
 aor/qualify_frequency = ${ext_qualify_freq}
 aor/qualify_timeout   = ${ext_qualify_timeout}
 endpoint/direct_media = ${ext_direct_media}
+endpoint/transport    = transport-${ext_proto}
 "; done)
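Review bot: `transport-${ext_proto}` is emitted without validation, so a per-extension value that is not one of the transports defined in pjsip.conf yields an endpoint whose transport does not exist, and Asterisk only reports that when the endpoint is loaded. A guard inside the loop, before the heredoc, fails the template loudly instead: `case "$ext_proto" in tcp|tls|udp) ;; *) echo "bad proto for $ext: $ext_proto" >&2; exit 1;; esac` (adjust the allowed list to whatever transports pjsip.conf actually defines). The `for` loop and the `$(…)` substitution it runs in start in the previous hunk.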
diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
index d16d1f0..31d1797 100644
--- a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
+++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
@@ -1,3 +1,3 @@
 [general]
-rtpstart=${asterisk_rtp_start_port}
-rtpend=${asterisk_rtp_end_port}
+rtpstart=${asterisk_rtp_port_start}
+rtpend=${asterisk_rtp_port_end}
diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
index 8d0433f..4340192 100644
--- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
@@ -34,6 +34,17 @@ apply Service "dns" {
   assign where "idm-servers" in host.groups
 }
 
+apply Service for (zone in host.vars.zones) {
+  check_command = "dns"
+  vars.dns_lookup = zone
+  name = "dns-" + zone
+  display_name = zone
+  vars.dns_server = "\$address\$"
+  vars.dns_wtime = ${icinga_response_time_warn}
+  vars.dns_ctime = ${icinga_response_time_crit}
+  assign where "nameservers" in host.groups
+}
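Review bot: The new per-zone check queries the zone apex with check_dns's default record type, so a zone whose apex has no A record (delegation-only or reverse zones, for instance) will be reported CRITICAL even though the server is authoritative for it; asking for the SOA pins the check to what an authoritative server must answer, `vars.dns_querytype = "SOA"`, assuming the installed ITL exposes that variable. Nothing in the hunk sets `dns_expected_answers`, so a present but wrong answer still passes — a short comment stating that only reachability and latency are checked would make that intent explicit.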
+
 apply Service "resolver" {
   check_command = "dns"
   vars.dns_lookup = "www.google.com"
@@ -278,7 +289,6 @@ apply Service "https" {
   vars.http_warn_time = ${icinga_response_time_warn}
   vars.http_critical_time = ${icinga_response_time_crit}
   assign where ("pkg-repositories"  in host.groups
-             || "web-servers"       in host.groups
              || "xmpp-servers"      in host.groups
              || "znc-servers"       in host.groups
              || "bitwarden-servers" in host.groups)
@@ -316,7 +326,7 @@ apply Service "https-cert" {
   vars.http_vhost = "\$address\$"
   vars.http_ssl = true
   vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
-  assign where ("invidious-servers" in host.groups
+  assign where (("invidious-servers" in host.groups
              || "nfs-servers"       in host.groups
              || "pkg-repositories"  in host.groups
              || "unifi-controllers" in host.groups
@@ -327,5 +337,33 @@ apply Service "https-cert" {
              || "dav-servers"       in host.groups
              || "smtp-servers"      in host.groups
              || "icinga-servers"    in host.groups
+             || "web-servers"       in host.groups
              || "ttrss-servers"     in host.groups)
+             && !host.vars.https_vhosts)
+}
+
+// Expect HTTPS 200
+apply Service for (vhost in host.vars.https_vhosts) {
+  check_command = "http"
+  name = vhost + "-cert"
+  display_name = vhost + " certificate"
+  vars.http_vhost = vhost
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_ssl = true
+  vars.http_sni = true
+  vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
+}
+
+// Certificate validity
+apply Service for (vhost in host.vars.https_vhosts) {
+  check_command = "http"
+  name = vhost
+  display_name = vhost
+  vars.http_vhost = vhost
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_ssl = true
+  vars.http_sni = true
+  vars.http_expect = "HTTP/1.1 200 OK"
+  vars.http_warn_time = ${icinga_response_time_warn}
+  vars.http_critical_time = ${icinga_response_time_crit}
 }
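Review bot: The comments above the two new `apply Service for` blocks are swapped: `// Expect HTTPS 200` sits over the service named `vhost + "-cert"` that sets `http_certificate`, and `// Certificate validity` over the plain response-time check. The second block also sets `vars.http_expect = "HTTP/1.1 200 OK"` twice; the duplicate should go. Neither block carries an `assign where`, which is fine for `apply … for` since it only fires on hosts that define `https_vhosts`, but a one-line comment saying so would stop someone "fixing" it later. The `https-cert` rule this hunk closes starts in the previous hunk.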
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 98ff9f9..d340735 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -33,7 +33,7 @@ http {
   ssl_session_timeout        1d;
   ssl_session_cache          shared:SSL:10m;
   ssl_session_tickets        off;
-$(if [ "${nginx_public:-}" = true ]; then <<EOF
+$(if [ "${nginx_public:-}" = true ]; then cat <<EOF
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
   ssl_dhparam ${dhparams_path};
diff --git a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
index b6d1e11..0a3b224 100644
--- a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
+++ b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
@@ -1,7 +1,7 @@
 server:
   server-count: ${nsd_threads}
   log-only-syslog: yes
-  verbosity: 1
+  verbosity: 2
   hide-version: yes
   minimal-responses: yes
   refuse-any: yes
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index 1f42202..155c18c 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -67,12 +67,12 @@ smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_helo_required             = yes
 
-smtp_tls_CApath                 = ${system_cacert_path}
+smtp_tls_CApath                 = ${system_cadir_path}
 smtp_tls_security_level         = may
 smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
 smtp_tls_loglevel               = 1
 
-lmtp_tls_CApath                 = ${system_cacert_path}
+lmtp_tls_CAfile                 = ${site_cacert_path}
 lmtp_tls_security_level         = encrypt
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
 smtp_tls_loglevel               = 1
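Review bot: Pointing `lmtp_tls_CAfile` at the site CA only has an effect if the LMTP client verifies the peer, and `lmtp_tls_security_level = encrypt` does not — it demands encryption but accepts any certificate, so an on-path host could still present its own. If the goal is to trust only the site CA, use `lmtp_tls_security_level = secure` (or `verify`) so Postfix checks the chain and the peer name; the same caveat applies to `smtp_tls_CApath` under `smtp_tls_security_level = may`, which is opportunistic and never rejects on verification failure. Separately, the last context line of the lmtp block sets `smtp_tls_loglevel` a second time where `lmtp_tls_loglevel` was presumably meant.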
diff --git a/files/usr/local/etc/unbound/unbound.conf.idm_server b/files/usr/local/etc/unbound/unbound.conf.idm_server
index 762fe09..8af2c61 100644
--- a/files/usr/local/etc/unbound/unbound.conf.idm_server
+++ b/files/usr/local/etc/unbound/unbound.conf.idm_server
@@ -53,7 +53,7 @@ $([ -z "$unbound_local_zones" ] || printf '  local-zone: "%s" typetransparent\n'
   private-domain: "${domain}"
 $([ -z "$unbound_local_zones" ] || printf '  private-domain: "%s"\n' $unbound_local_zones)
 
-$([ -z "$unbound_local_data" ] || printf '  local-data: "%s"\n' $unbound_local_data)
+$([ -z "$unbound_local_data" ] || echo "$unbound_local_data" | while read -r data; do [ -n "$data" ] && printf '  local-data: "%s"\n' "$data"; done)
 
 $(echo "$unbound_blocklists" | while read -r name _url; do
     [ -n "$name" ] && printf "rpz:\n  name: %s\n  zonefile: ${unbound_blocklist_dir}/%s.zone\n" "$name" "$name"; done)
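Review bot: `echo "$unbound_local_data"` is what feeds the new loop, and `echo` is the one step where the data itself can change behaviour: under dash-style `sh` a first line beginning with `-n` or `-e` is consumed as an option and backslash sequences are interpreted, so a record containing `\` can be mangled before `read -r` ever sees it; `printf '%s\n' "$unbound_local_data" | while read -r data; do …` avoids both. The `local-data: "%s"` quoting also assumes no record contains a double quote, which is true of ordinary RR text but worth stating in a comment. The `$unbound_blocklists` loop in the context lines has the same `echo` pattern, but that code is unchanged by this commit.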
-- 