From 06de93d4bc1d9412a44a9289ee92604ea191ad22 Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Tue, 16 Sep 2025 18:12:27 +0000
Subject: [PATCH] Update configurations for dehydrated deployment.
---
.gitattributesdb | 14 +--
etc/.gitignore | 3 +
etc/apache2/httpd.conf | 16 ++-
.../sites.d/core.slackware.uk.net.conf | 6 +-
etc/certificates/.gitignore | 3 -
etc/dehydrated/.gitignore | 1 +
etc/dehydrated/hooks/default | 99 +++++++++++--------
7 files changed, 78 insertions(+), 64 deletions(-)
delete mode 100644 etc/certificates/.gitignore
create mode 100644 etc/dehydrated/.gitignore
diff --git a/.gitattributesdb b/.gitattributesdb
index 4fab823..5ed18c8 100644
--- a/.gitattributesdb
+++ b/.gitattributesdb
@@ -7,11 +7,10 @@ LmdpdGhvb2tzL3Bvc3QtbWVyZ2U= 1757519106 1757519106 root:root 0755 - -
 LmdpdGhvb2tzL3ByZS1jb21taXQ= 1757519106 1757519106 root:root 0755 - -
 LmdpdGlnbm9yZQ== 1757789404 1757593248 root:root 0644 - -
 LmdpdG1vZHVsZXM= 1757607701 1757607701 root:root 0644 - -
-ZXRjLy5naXRpZ25vcmU= 1757874149 1757611781 root:root 0644 - -
+ZXRjLy5naXRpZ25vcmU= 1758046301 1757611781 root:root 0644 - -
 ZXRjL2FwYWNoZTIvLmdpdGlnbm9yZQ== 1757775950 1757775932 root:root 0644 - -
-ZXRjL2FwYWNoZTIvaHR0cGQuY29uZg== 1757785734 1757785514 root:root 0644 - -
-ZXRjL2FwYWNoZTIvc2l0ZXMuZC9jb3JlLnNsYWNrd2FyZS51ay5uZXQuY29uZg== 1757786703 1757785113 root:root 0644 - -
-ZXRjL2NlcnRpZmljYXRlcy8uZ2l0aWdub3Jl 1758036869 1758036066 root:root 0644 - -
+ZXRjL2FwYWNoZTIvaHR0cGQuY29uZg== 1758045891 1757785514 root:root 0644 - -
+ZXRjL2FwYWNoZTIvc2l0ZXMuZC9jb3JlLnNsYWNrd2FyZS51ay5uZXQuY29uZg== 1758045929 1757785113 root:root 0644 - -
 ZXRjL2NvbmYuZC8uZ2l0aWdub3Jl 1757609410 1757609410 root:root 0644 - -
 ZXRjL2NvbmYuZC9ib290bWlzYw== 1757591865 1757591865 root:root 0644 - -
 ZXRjL2NvbmYuZC9ub2RlLWV4cG9ydGVy 1757592526 1757592526 root:root 0644 - -
@@ -19,15 +18,16 @@ ZXRjL2NvbmYuZC9zYW1iYQ== 1757592912 1757592912 root:root 0644 - -
 ZXRjL2NvbmYuZC9zc2hk 1757593051 1757593051 root:root 0644 - -
 ZXRjL2NvbmYuZC90ZXJyYWZvcm0taHR0cC1iYWNrZW5k 1757771663 1757595391 root:root 0644 - -
 ZXRjL2Nyb250YWJzL3Jvb3Q= 1757593504 1757593504 root:root 0600 - -
+ZXRjL2RlaHlkcmF0ZWQvLmdpdGlnbm9yZQ== 1758038054 1758038054 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvYWNjb3VudHMvLmdpdGlnbm9yZQ== 1757873230 1757873230 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvYWNjb3VudHMvYUhSMGNITTZMeTloWTIxbExYWXdNaTVoY0drdWJHVjBjMlZ1WTNKNWNIUXViM0puTDJScGNtVmpkRzl5ZVFvLnRhci5ncGc= 1757873275 1757873275 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvYXJjaGl2ZS8uZ2l0aWdub3Jl 1757874259 1757873451 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvY2VydHMvLmdpdGlnbm9yZQ== 1757874303 1757873537 root:root 0644 - -
-ZXRjL2RlaHlkcmF0ZWQvY29uZmln 1757863188 1757862077 root:root 0644 - -
+ZXRjL2RlaHlkcmF0ZWQvY29uZmln 1758044465 1757862077 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvZG9tYWlucw== 1757862328 1757862077 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvZG9tYWlucy5kL19leGFtcGxlXw== 1757863238 1757862077 root:root 0644 - -
 ZXRjL2RlaHlkcmF0ZWQvZG9tYWlucy5kL2NvcmUuc2xhY2t3YXJlLnVrLm5ldA== 1757863250 1757863250 root:root 0644 - -
-ZXRjL2RlaHlkcmF0ZWQvaG9va3MvZGVmYXVsdA== 1758036605 1757862077 root:root 0755 - -
+ZXRjL2RlaHlkcmF0ZWQvaG9va3MvZGVmYXVsdA== 1758045829 1757862077 root:root 0755 - -
 ZXRjL2dyb3Vw 1757873802 1757869538 root:root 0644 - -
 ZXRjL2hvc3RuYW1l 1757594311 1757594311 root:root 0644 - -
 ZXRjL2hvc3Rz 1757594362 1757594362 root:root 0644 - -
@@ -41,7 +41,7 @@ ZXRjL3Bhc3N3ZA== 1757873724 1757869538 root:root 0644 - -
 ZXRjL3BlcmlvZGljL2RhaWx5L2Nyb25qb2ItZGVoeWRyYXRlZA== 1757708520 1757708520 root:root 0777 - -
 ZXRjL3BlcmlvZGljL2RhaWx5L2Nyb25qb2ItdXBkYXRlLXBhY2thZ2VzLWxpc3Q= 1757708520 1757708520 root:root 0777 - -
 ZXRjL3BlcmlvZGljL2RhaWx5L2Nyb25qb2Itd2Fybi1naXQtc3RhdHVz 1757708520 1757708520 root:root 0777 - -
-ZXRjL3BrZ2xpc3Q= 1757955745 1757609913 root:root 0644 - -
+ZXRjL3BrZ2xpc3Q= 1758041087 1757609913 root:root 0644 - -
 ZXRjL3Jlc29sdi5jb25m 1757611605 1757611605 root:root 0644 - -
 ZXRjL3J1bmxldmVscy9ib290Ly5naXRpZ25vcmU= 1757769666 1757598667 root:root 0644 - -
 ZXRjL3J1bmxldmVscy9ib290L3JzeXNsb2c= 1757708520 1757708520 root:root 0777 - -
diff --git a/etc/.gitignore b/etc/.gitignore
index 13a3860..e7aea1e 100644
--- a/etc/.gitignore
+++ b/etc/.gitignore
@@ -3,6 +3,7 @@
 /apk/
 /bash/
 /busybox-paths.d/
+/certificates/
 /doas.conf
 /doas.d/
 /environment
@@ -15,6 +16,8 @@
 /issue
 /lbu/
 /logrotate.d/
+/lynx.cfg
+/lynx.lss
 /mail.rc
 /mdev.conf
 /modprobe.d/
diff --git a/etc/apache2/httpd.conf b/etc/apache2/httpd.conf
index 0635e0c..86d9c6f 100644
--- a/etc/apache2/httpd.conf
+++ b/etc/apache2/httpd.conf
@@ -15,8 +15,8 @@ LoadModule unixd_module /usr/lib/apache2/mod_unixd.so
 LoadModule http2_module /usr/lib/apache2/mod_http2.so
 # SSL.
-#LoadModule ssl_module /usr/lib/apache2/mod_ssl.so
-#LoadModule socache_shmcb_module /usr/lib/apache2/mod_socache_shmcb.so
+LoadModule ssl_module /usr/lib/apache2/mod_ssl.so
+LoadModule socache_shmcb_module /usr/lib/apache2/mod_socache_shmcb.so
 # SSI.
 LoadModule include_module /usr/lib/apache2/mod_include.so
@@ -151,9 +151,7 @@ MimeMagicFile /etc/apache2/magic
 # Lets Encrypt validation. - - Alias /.well-known/acme-challenge/ /srv/dehydrated/ -
+Alias /.well-known/acme-challenge/ /srv/dehydrated/
 # Access control.
@@ -167,19 +165,19 @@ MimeMagicFile /etc/apache2/magic
Require all denied - + Options None AllowOverride None Require all granted - + Options None AllowOverride None Require all granted - + Options Includes MultiViews SymLinksIfOwnerMatch AllowOverride AuthConfig FileInfo Indexes Limit
@@ -208,7 +206,7 @@ MimeMagicFile /etc/apache2/magic
- + Options ExecCGI Includes MultiViews SymLinksIfOwnerMatch AllowOverride AuthConfig FileInfo Limit
diff --git a/etc/apache2/sites.d/core.slackware.uk.net.conf b/etc/apache2/sites.d/core.slackware.uk.net.conf
index e1861da..7c46493 100644
--- a/etc/apache2/sites.d/core.slackware.uk.net.conf
+++ b/etc/apache2/sites.d/core.slackware.uk.net.conf
@@ -12,9 +12,9 @@ ServerName core.slackware.uk.net
- SSLCertificateFile /etc/certificates/core.slackware.uk.net-cert.pem
- SSLCertificateKeyFile /etc/certificates/core.slackware.uk.net-key.pem
- SSLCertificateChainFile /etc/certificates/core.slackware.uk.net-chain.pem
+ SSLCertificateFile /etc/certificates/core.slackware.uk.net_cert.pem
+ SSLCertificateKeyFile /etc/certificates/core.slackware.uk.net_key.pem
+ SSLCertificateChainFile /etc/certificates/core.slackware.uk.net_chain.pem
 SetEnvIf REQUEST_URI ^/robots\.txt$ no_log
 SetEnvIf REQUEST_URI ^/favicon\.ico$ no_log
diff --git a/etc/certificates/.gitignore b/etc/certificates/.gitignore
deleted file mode 100644
index 93c4d15..0000000
--- a/etc/certificates/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-/*
-!/.*
-!/*.gpg
diff --git a/etc/dehydrated/.gitignore b/etc/dehydrated/.gitignore
new file mode 100644
index 0000000..ac15403
--- /dev/null
+++ b/etc/dehydrated/.gitignore
@@ -0,0 +1 @@
+/chains/
diff --git a/etc/dehydrated/hooks/default b/etc/dehydrated/hooks/default
index 9b63c37..2c94e31 100755
--- a/etc/dehydrated/hooks/default
+++ b/etc/dehydrated/hooks/default
@@ -11,7 +11,7 @@ CERTSDIR="/etc/certificates"
 FACILITY="local3"
 TAG="dehydrated"
 # Where from/to to send emails.
-EMAIL_FROM="Systems' Administrator "
+EMAIL_FROM="\"Server: ${HOSTNAME%%.*}\" "
 EMAIL_TO=("Systems' Administrator ")
 # Get the system ID.
@@ -48,12 +48,12 @@ notify() {
 # Service configurations (used at startup/shutdown).
 services() {
- local DAEMON ERR=0 LOG_PREFIX="Dehydrated configuration" PIDFILE RCFILE
+ local DAEMON ERR=0 LOG_PREFIX="Dehydrated configuration" PIDFILE RCFILE SANITY="$1"
 # Select the service configuration based on the distribution.
 # RCFILE_ is required for any service.
 # Either DAEMON_ or PIDFILE_, or both is required for any service.
- if [[ "$ID" == "slackware" ]]; then
+ if [[ "$SYSTEM_ID" == "slackware" ]]; then
 # HTTP daemon selection.
 if [[ -x "/etc/rc.d/rc.httpd" ]]; then
 RCFILE_HTTPD="/etc/rc.d/rc.httpd"
@@ -76,7 +76,7 @@ services() {
 DAEMON_SMTPD="exim"
 PIDFILE_SMTPD="/run/exim.pid"
 fi
- elif [[ "$ID" == "void" ]]; then
+ elif [[ "$SYSTEM_ID" == "void" ]]; then
 # HTTP daemon selection.
 # thttpd on Void doesn't have a directly callable rc script, so can't be supported.
 if [[ -x "/usr/sbin/apachectl" ]]; then
@@ -84,7 +84,7 @@ services() {
 DAEMON_HTTPD="httpd"
 PIDFILE_HTTPD="/run/httpd/httpd.pid"
 fi
- elif [[ "$ID" == "alpine" ]]; then
+ elif [[ "$SYSTEM_ID" == "alpine" ]]; then
 # HTTP daemon selection.
 if [[ -x "/etc/init.d/apache2" ]]; then
 RCFILE_HTTPD="/etc/init.d/apache2"
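Review bot: `SANITY="$1"` is later consumed as `((SANITY == 1))`, so a missing argument is silently treated as 0 and a non-numeric argument is evaluated as an arithmetic expression instead of being rejected; both call sites in this commit pass a literal 1 or 0, but the parameter should still get a default and a plain string comparison, e.g. `local ... SANITY="${1:-0}"` here and `[[ "$SANITY" == "1" ]] && {` where the check is gated in the @@ -97 hunk. A one-line comment above the `local` would make the two call sites self-explanatory: `# $1: 1 to run the configuration sanity check (startup), 0 to skip it (exit).`. The `ID` → `SYSTEM_ID` rename in this hunk and in the @@ -76 and @@ -84 hunks relies on an assignment under `# Get the system ID.` that is outside these hunks, so confirm the new name is actually set there. services() continues past the end of this hunk.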
@@ -97,22 +97,24 @@ services() {
 fi
 # Samba daemon selection.
 if [[ -x "/etc/init.d/samba" ]]; then
- SAMBA_RCFILE="/etc/init.d/samba"
- SAMBA_SERVICENAME="samba"
- SAMBA_PIDFILE="/run/samba.pid"
+# FIXME:
+# RCFILE_SAMBA="/etc/init.d/samba"
+ DAEMON_SAMBA="samba"
+ PIDFILE_SAMBA="/run/samba.pid"
 fi
 fi
 # Sanity check settings.
- [[ -z "$RCFILE_HTTPD" ]] && notify "warning" "No configuration settings for an HTTP daemon - no start/restart of HTTP daemon is possible -- check configuration"
- for RCFILE in "${!RCFILE_@}"; do
- DAEMON="DAEMON_${RCFILE#RCFILE_}"
- PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
- [[ -n "${!RCFILE}" ]] && [[ -z "${!DAEMON}" ]] && [[ -z "${!PIDFILE}" ]] && [[ ! -v "SERVICES_ERROR_REPORTED" ]] && notify "error" "'$RCFILE' is set, but neither '$DAEMON' nor '$PIDFILE' is set - at least one setting is required -- aborting" && ERR=1
- done
+ ((SANITY == 1)) && {
+ [[ -z "$RCFILE_HTTPD" ]] && notify "warning" "No configuration settings for an HTTP daemon - no start/restart of HTTP daemon is possible -- check configuration"
+ for RCFILE in "${!RCFILE_@}"; do
+ DAEMON="DAEMON_${RCFILE#RCFILE_}"
+ PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
+ [[ -n "${!RCFILE}" ]] && [[ -z "${!DAEMON}" ]] && [[ -z "${!PIDFILE}" ]] && notify "error" "'$RCFILE' is set, but neither '$DAEMON' nor '$PIDFILE' is set - at least one setting is required -- aborting" && ERR=1
+ done
+ }
- # Don't report configuration errors more than once.
- ((ERR == 1)) && SERVICES_ERROR_REPORTED=1 && return 1
+ ((ERR == 1)) && return 1
 return 0
 }
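Review bot: The Alpine samba block now sets `DAEMON_SAMBA` and `PIDFILE_SAMBA` but leaves `RCFILE_SAMBA` commented out under a bare `# FIXME:`, and since both the sanity loop below and the restart loop in exit_hook iterate `"${!RCFILE_@}"`, those two assignments are dead until RCFILE_SAMBA is set — samba will not be restarted after a deployment on Alpine. The FIXME should say why the rc file is withheld (presumably something about /etc/init.d/samba's behaviour on Alpine — confirm), e.g. `# FIXME: RCFILE_SAMBA left unset until <reason>; without it the DAEMON_/PIDFILE_ settings below are never used.`. The two comment lines also sit at column 0 inside the indented `if` body; indent them with the block. services() starts before this hunk.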
@@ -198,22 +200,24 @@ deploy_cert() {
 # The first time through this will create the files readable by root only, but better to err on the side of caution.
 # Subsequent runs will retain whatever permissions were set by the admin after the first run.
- umask 066
- # shellcheck disable=SC2015
- cat "$CERTFILE" >"$CERTSDIR/${DOMAIN}_cert.pem" && cat "$KEYFILE" >"$CERTSDIR/${DOMAIN}_key.pem" && cat "$CHAINFILE" >"$CERTSDIR/${DOMAIN}_chain.pem" && cat "$FULLCHAINFILE" >"$CERTSDIR/${DOMAIN}_fullchain.pem" || {
- notify "error" "Failed to copy certificates/key to '$CERTSDIR' during '$DOMAIN' certificate deployment"
+ cmp "$CERTFILE" "$CERTSDIR/${DOMAIN}_cert.pem" >/dev/null 2>&1 || {
+ umask 066
+ # shellcheck disable=SC2015
+ cat "$CERTFILE" >"$CERTSDIR/${DOMAIN}_cert.pem" && cat "$KEYFILE" >"$CERTSDIR/${DOMAIN}_key.pem" && cat "$CHAINFILE" >"$CERTSDIR/${DOMAIN}_chain.pem" && cat "$FULLCHAINFILE" >"$CERTSDIR/${DOMAIN}_fullchain.pem" || {
+ notify "error" "Failed to copy certificates/key to '$CERTSDIR' during '$DOMAIN' certificate deployment"
+ # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
+ return 0
+ }
+ }
+
+ # Set a marker (used in the exit_hook function) to signal that services should be reloaded at the end of deployments.
+ touch /run/dehydrated-reload-marker || {
+ notify "warning" "Failed to create reload marker during '$DOMAIN' certificate deployment - reloading services manually may be required -- check server"
 # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
 return 0
 }
 }
- # Set a marker (used in the exit_hook function) to signal that services should be reloaded at the end of deployments.
- touch /run/dehydrated-reload-marker || {
- notify "warning" "Failed to create reload marker during '$DOMAIN' certificate deployment - reloading services manually may be required -- check server"
- # Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
- return 0
- }
-
 # Notify the sysadmin of the sucessful renewal.
 notify "information" "Sucessful renewal and deployment of certificate/key for '$DOMAIN'"
@@ -314,12 +318,22 @@ startup_hook() {
 local LOG_PREFIX="Dehydrated startup"
- # Read services configuration.
- services || return 1
+ # Read services configuration (with sanity check)
+ services 1 || return 1
+
+ # Make sure the certificates directory exists.
+ [[ -n "$CERTSDIR" ]] && {
+ umask 022
+ # shellcheck disable=SC2174
+ mkdir -p -m 0755 "$CERTSDIR" 2>/dev/null || {
+ notify "error" "Failed to create certificate storage directory -- aborting"
+ return 1
+ }
+ }
 # If an HTTP daemon rc script is available and the service is not already running, start it.
 [[ -n "$RCFILE_HTTPD" ]] && {
- if ! pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1; then
+ pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1 || {
 "$RCFILE_HTTPD" start >/dev/null 2>&1
 sleep 5
 if pgrep -c ${PIDFILE_HTTPD:+-F "$PIDFILE_HTTPD"} "$DAEMON_HTTPD" >/dev/null 2>&1; then
@@ -329,9 +343,7 @@ startup_hook() {
 notify "error" "Failure of '$RCFILE_HTTPD' to start HTTP daemon -- aborting"
 return 1
 fi
- else
- notify "warning" "'$DAEMON_HTTPD' is already running - will not be shutdown at exit -- check server"
- fi
+ }
 }
 # Add firewall rules to allow HTTP traffic so the nonce can be validated.
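Review bot: The new `cmp` guard compares only the certificate against `$CERTSDIR/${DOMAIN}_cert.pem`, so when the cert already matches but the key, chain or fullchain copies are stale or missing, nothing is rewritten while the reload marker is still touched, and the daemon is reloaded against a cert/key pair that may not match. Extending the guard to the key is a one-line change: `cmp -s "$CERTFILE" "$CERTSDIR/${DOMAIN}_cert.pem" && cmp -s "$KEYFILE" "$CERTSDIR/${DOMAIN}_key.pem" || {` (`-s` replaces the two redirections). The comment block above still only talks about permissions; a line stating why the copy is now conditional, `# Skip the copy when an unchanged certificate is re-deployed, so permissions set by the admin are left untouched.`, would record the intent. deploy_cert() starts before this hunk.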
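Review bot: `mkdir -p -m 0755 "$CERTSDIR"` only applies the mode when it creates the leaf directory; a pre-existing `$CERTSDIR` is accepted with whatever ownership and mode it already has, and that is the directory deploy_cert then writes the private keys into. Since the hook already aborts on creation failure it could also refuse a directory it does not own or that is group/other-writable, e.g. after the mkdir: `[[ -O "$CERTSDIR" ]] || { notify "error" "'$CERTSDIR' is not owned by the running user -- aborting"; return 1; }`, with a mode check alongside if the target systems share a `stat` format. The `2>/dev/null` also discards mkdir's reason and the message omits the path; include `$CERTSDIR` in the error text. The `if`-to-`|| {` rewrite in this hunk and the next (@@ -329) drops the "is already running - will not be shutdown at exit" warning without replacement, so the admin no longer learns that the daemon is left running; if that is intended, a one-line comment on the `|| {` line saying so would help.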
@@ -353,24 +365,29 @@ exit_hook() {
 local DAEMON ERR=0 LOG_PREFIX="Dehydrated shutdown" PIDFILE RCFILE TIMEOUT=30
- # Read services configuration.
- services || return 1
+ # Read services configuration (without sanity check - this was already done at startup)
+ services 0 || return 1
 # Delete firewall rules that was added to allow HTTP traffic.
- { iptables -D dehydrated -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && ip6tables -D dehydrated -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && iptables -D INPUT -j dehydrated && ip6tables -D INPUT -j dehydrated && iptables -X dehydrated && ip6tables -X dehydrated; } >/dev/null 2>&1 || notify "warning" "Failed to remove firewall rules that were added to allow HTTP traffic -- check server"
-
+ iptables -C INPUT -j dehydrated >/dev/null 2>&1 && iptables -D INPUT -j dehydrated >/dev/null 2>&1
+ ip6tables -C INPUT -j dehydrated >/dev/null 2>&1 && ip6tables -D INPUT -j dehydrated >/dev/null 2>&1
+ iptables -F dehydrated >/dev/null 2>&1
+ ip6tables -F dehydrated >/dev/null 2>&1
+ iptables -X dehydrated >/dev/null 2>&1
+ ip6tables -X dehydrated >/dev/null 2>&1
+
 # If the reload marker was set, restart services.
 [[ -e /run/dehydrated-reload-marker ]] && {
 for RCFILE in "${!RCFILE_@}"; do
 DAEMON="DAEMON_${RCFILE#RCFILE_}"
 PIDFILE="PIDFILE_${RCFILE#RCFILE_}"
 # If the HTTP daemon is going to be shut down, there's no need to restart it.
- [[ "$RCFILE" == "RCFILE_HTTPD" ]] && [[ ! -e /run/dehydrated-http-daemon-stop-marker ]] && continue
+ [[ "$RCFILE" == "RCFILE_HTTPD" ]] && [[ -e /run/dehydrated-http-daemon-stop-marker ]] && continue
 # Restart the service.
"${!RCFILE}" restart >/dev/null 2>&1 || notify "warning" "Failed to restart service '${!DAEMON}' -- check server" sleep "$TIMEOUT" pgrep -c ${PIDFILE:+-F "${!PIDFILE}"} "${!DAEMON}" >/dev/null 2>&1 || { - notice "warning" "Service '${!DAEMON}' exited unexpectedly - trying to start again" + notify "warning" "Service '${!DAEMON}' exited unexpectedly - trying to start again" "${!RCFILE}" start >/dev/null 2>&1 || notify "warning" "Failed to start service '${!DAEMON}' -- check server" sleep "$TIMEOUT" pgrep -c ${PIDFILE:+-F "${!PIDFILE}"} "${!DAEMON}" >/dev/null 2>&1 || { @@ -415,7 +432,5 @@ if declare -pF "$HANDLER" >/dev/null 2>&1; then "$HANDLER" "$@" exit "$?" else - LOG_PREFIX="Dehydrated configuration" - notify "error" "Hook script called with undefined function name '$HANDLER' -- check configuration" - exit 1 + exit 0 fi