From 7eb111136453d0e8d8451d7dd85ba9892318f294 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Mon, 28 Oct 2024 22:14:59 -0400 Subject: acme/nginx/asterisk fixes --- .../local/etc/asterisk/logger.conf.asterisk_server | 4 +-- .../local/etc/asterisk/pjsip.conf.asterisk_server | 2 +- .../etc/asterisk/pjsip_wizard.conf.asterisk_server | 3 ++ .../local/etc/asterisk/rtp.conf.asterisk_server | 4 +-- .../etc/icinga2/conf.d/services.conf.icinga_server | 42 ++++++++++++++++++++-- files/usr/local/etc/nginx/nginx.conf.common | 2 +- .../etc/nsd/nsd.conf.authoritative_nameserver | 2 +- files/usr/local/etc/postfix/main.cf.smtp_server | 4 +-- .../usr/local/etc/unbound/unbound.conf.idm_server | 2 +- 9 files changed, 53 insertions(+), 12 deletions(-) (limited to 'files') diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server index 3bf2a53..d2a5a7d 100644 --- a/files/usr/local/etc/asterisk/logger.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server @@ -1,3 +1,3 @@ [logfiles] -console => notice,warning,error -syslog.daemon => notice,warning,error,security,verbose1 +console => notice,warning,error,verbose1 +syslog.daemon => notice,warning,error,verbose1 diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server index 0f83a81..dd10763 100644 --- a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server @@ -20,7 +20,7 @@ bind = 0.0.0.0:5061 method = tlsv1_2 cert_file = ${asterisk_public_tls_cert} priv_key_file = ${asterisk_public_tls_key} -ca_list_file = ${ca_root_nss_bundle} +ca_list_path = ${system_cadir_path} verify_client = no verify_server = yes allow_reload = yes diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server index 1de448f..8d01aa5 100644 --- a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server @@ -40,8 +40,10 @@ aor/remove_existing = yes endpoint/allow = !all,g722,ulaw endpoint/from_domain = ${asterisk_sip_domain} endpoint/subscribe_context = subscribe +endpoint/transport = transport-tcp $(for ext in ${asterisk_exts:-}; do + eval "ext_proto=\${asterisk_ext_${ext}_proto:-'tcp'}" eval "ext_context=\${asterisk_ext_${ext}_context}" eval "ext_password=\${asterisk_ext_${ext}_password}" eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}" @@ -62,4 +64,5 @@ aor/max_contacts = ${ext_max_contacts} aor/qualify_frequency = ${ext_qualify_freq} aor/qualify_timeout = ${ext_qualify_timeout} endpoint/direct_media = ${ext_direct_media} +endpoint/transport = transport-${ext_proto} "; done) diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server index d16d1f0..31d1797 100644 --- a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server @@ -1,3 +1,3 @@ [general] -rtpstart=${asterisk_rtp_start_port} -rtpend=${asterisk_rtp_end_port} +rtpstart=${asterisk_rtp_port_start} +rtpend=${asterisk_rtp_port_end} diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server index 8d0433f..4340192 100644 --- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server @@ -34,6 +34,17 @@ apply Service "dns" { assign where "idm-servers" in host.groups } +apply Service for (zone in host.vars.zones) { + check_command = "dns" + vars.dns_lookup = zone + name = "dns-" + zone + display_name = zone + vars.dns_server = "\$address\$" + vars.dns_wtime = ${icinga_response_time_warn} + vars.dns_ctime = ${icinga_response_time_crit} + assign where "nameservers" in host.groups +} + apply Service "resolver" { check_command = "dns" vars.dns_lookup = "www.google.com" @@ -278,7 +289,6 @@ apply Service "https" { vars.http_warn_time = ${icinga_response_time_warn} vars.http_critical_time = ${icinga_response_time_crit} assign where ("pkg-repositories" in host.groups - || "web-servers" in host.groups || "xmpp-servers" in host.groups || "znc-servers" in host.groups || "bitwarden-servers" in host.groups) @@ -316,7 +326,7 @@ apply Service "https-cert" { vars.http_vhost = "\$address\$" vars.http_ssl = true vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} - assign where ("invidious-servers" in host.groups + assign where (("invidious-servers" in host.groups || "nfs-servers" in host.groups || "pkg-repositories" in host.groups || "unifi-controllers" in host.groups @@ -327,5 +337,33 @@ apply Service "https-cert" { || "dav-servers" in host.groups || "smtp-servers" in host.groups || "icinga-servers" in host.groups + || "web-servers" in host.groups || "ttrss-servers" in host.groups) + && !host.vars.https_vhosts) +} + +// Expect HTTPS 200 +apply Service for (vhost in host.vars.https_vhosts) { + check_command = "http" + name = vhost + "-cert" + display_name = vhost + " certificate" + vars.http_vhost = vhost + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_sni = true + vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} +} + +// Certificate validity +apply Service for (vhost in host.vars.https_vhosts) { + check_command = "http" + name = vhost + display_name = vhost + vars.http_vhost = vhost + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_sni = true + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} } diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common index 98ff9f9..d340735 100644 --- a/files/usr/local/etc/nginx/nginx.conf.common +++ b/files/usr/local/etc/nginx/nginx.conf.common @@ -33,7 +33,7 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; -$(if [ "${nginx_public:-}" = true ]; then <